Topic: Living with a net5501-60  (Read 8048 times)
« on: September 10, 2007, 23:59:48 »
CJan_NH *
Posts: 12

As always, thanks for looking :)

I thought it might be useful to pass along my initial impressions of our new Soekris net5501-60, with 4-port lan1641 card and vpn1411 card.

As advised on this forum, we used the generic PC m0n0 image. The first stumbling block was setting the console speed of the Soekris box to 9600 to match m0n0; the net5501 uses 19,200 baud as its default speed. To change the speed in the Soekris comBIOS, hit Ctrl+P on boot when connected with your null modem cable, and then use the following command:

set conspeed = 9600

Before changing the Soekris console speed, we'd get garbage characters instead of POST (if HyperTerminal was set to 9600), or garbage characters after POST (if HyperTerminal was set to 19,200, or once m0n0 took over and downshifted the console speed).

Once that was done I enabled the initial interfaces and accessed the GUI. One really nice touch with the net5501 is that you no longer need a crossover cable to connect directly to it from your PC or laptop (like you do with the net4801). Our interfaces are set up as follows:

vr0:   LAN                    192.168.1.x
vr1:   WAN                    64.140.x.x
vr2:   Stats server           192.168.3.x
vr3:   PBX and VoIP gateway   192.168.2.x
sis0:  Admin subnet           192.168.4.x
sis1:  LAN2                   192.168.9.x
sis2:  LAN3                   192.168.8.x
sis3:  Admin2 and wireless    10.10.11.x

One mistake I made was not renaming the interfaces (vr0, vr1, etc.) when I tried to import the XML config file from our old net4801. Because of this, the router locked up and I had to start over again.

We've been running for about a month, with no major issues so far (that is, no issues that I didn't cause). One thing that was very different for us this time around is that we have the entire Internet blocked on our LAN interface, with about 20 websites and domains whitelisted. This was a much bigger challenge to set up than originally anticipated, simply because most websites need more than one IP address opened to work properly. A website that has third-party stats tracking might need 2 or 3 other IPs opened up. If images are called from another IP, that IP needs to be opened up as well. It was a pain to get it all sorted out, but using WallWatcher with verbose logging enabled on the default block rule was extremely helpful.

All in all, we're pretty happy so far with our new net5501. We have 85 employees, 14 servers of various flavors, a dozen printers, a PBX, and a VoIP gateway all running happily on m0n0wall. I think I need to figure out how to turn off unneeded interfaces on the Soekris (like the USB port for example), because we're seeing a "scheduling overrun" error on WallWatcher. Another nice thing about the net5501 is that GUI access (even remotely) is lightning fast. Our old net4801 was getting quite a workout, but the net5501 doesn't seem to be breaking a sweat.


Chris
New Hampshire

« Last Edit: September 11, 2007, 00:01:40 by CJan_NH »
« Reply #1 on: September 11, 2007, 10:17:32 »
markb ****
Posts: 331

Hi Chris,
Interesting post. Would it not be easier for you to control your Internet access via a transparent proxy like Squid? This way you can run your whitelist very simply; it also has the benefit of using hostnames to control the access, thus eliminating the need to add rules for loads of IP addresses. Also, modifying the list would be a piece of cake and would give you a much wider range of features to control access.

Regards.

Mark.
« Reply #2 on: September 11, 2007, 21:06:40 »
CJan_NH *
Posts: 12

Hi Chris,
Interesting post. Would it not be easier for you to control your Internet access via a transparent proxy like Squid? This way you can run your whitelist very simply; it also has the benefit of using hostnames to control the access, thus eliminating the need to add rules for loads of IP addresses. Also, modifying the list would be a piece of cake and would give you a much wider range of features to control access.

Regards.

Mark.
Hi Mark, thank you for your input!

I'd love to have a transparent proxy instead of the convoluted mess I have now. Is there a "dummies" guide somewhere to set one up? I've heard of Squid, but never used it.

Thanks again for your help :)
« Reply #3 on: September 12, 2007, 00:29:33 »
lonnie *
Posts: 24

...I think I need to figure out how to turn off unneeded interfaces on the Soekris (like the USB port for example), because we're seeing a "scheduling overrun" error on WallWatcher...
Chris,
Like you, I have a net5501-70 with many subnets, but I am using VLANs instead of multiple NICs in the Soekris (with an Intel/1000 GT PCI card and HP ProCurve 1800 switches).

Question: are you using 1.231 or 1.3B4? I noticed what appeared to be vr0 and USB conflicts with 1.231. 1.3B4 fixed the problem.

Lonnie
« Reply #4 on: September 12, 2007, 06:38:56 »
CJan_NH *
Posts: 12

...I think I need to figure out how to turn off unneeded interfaces on the Soekris (like the USB port for example), because we're seeing a "scheduling overrun" error on WallWatcher...
Chris,
Like you, I have a net5501-70 with many subnets, but I am using VLANs instead of multiple NICs in the Soekris (with an Intel/1000 GT PCI card and HP ProCurve 1800 switches).

Question: are you using 1.231 or 1.3B4? I noticed what appeared to be vr0 and USB conflicts with 1.231. 1.3B4 fixed the problem.

Lonnie
Hi Lonnie,

We are indeed using 1.231 on our 5501, as well as on both of our 4801s. I am noticing the exact same issues that you mentioned. Heck, if 1.3B4 will fix the problem I'll upgrade immediately.

Thank you very, very much for your input :D
« Reply #5 on: September 12, 2007, 10:28:03 »
markb ****
Posts: 331

I'd love to have a transparent proxy instead of the convoluted mess I have now. Is there a "dummies" guide somewhere to set one up? I've heard of Squid, but never used it.
Hi Chris,
I know what you mean. I am still a newbie to Linux, though I managed to set up Squid. I use Ubuntu as my Linux flavour for the server because it is quite friendly for the uninitiated in Linux. It has the apt package manager, which is a utility that helps you install packages and their dependencies. For me, I started by following some of the how-to guides on http://www.howtoforge.com; this gave me a basic grounding in how to set up the OS and get used to installing packages using apt. Squid is in the repositories for Ubuntu, so when you are comfortable with setting up the OS, you can install it with the simple command "apt-get install squid". The best place to start with Squid is http://www.squid-cache.org. The documentation isn't the simplest, but the mailing lists are great and the guys there are very helpful. I think Squid is a great product; it isn't complicated to get a basic system up and running with the default config, and it is so customisable. I would suggest, though, that you don't try for a transparent proxy to start with; otherwise you will have to point all your traffic through the proxy. It is easier to simply block http, https & ftp traffic for all addresses other than the proxy and configure machines to use the proxy, which is very easy if you have a Windows domain environment.

Feel free to email me if you need advice, my address is in my profile.

Regards

Mark.
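For readers who want to see what Mark's hostname-based whitelist looks like in practice, here is an added example squid.conf fragment (not from the thread or from Chris's setup). It assumes the LAN is 192.168.1.0/24 (Chris's vr0 subnet), that clients are configured to use the proxy explicitly rather than transparently, and that the whitelist lives in /etc/squid/whitelist.txt (a constructed path).

```squid
# Added example: explicit (non-transparent) Squid proxy with a domain whitelist.
# Clients point their browsers at proxy:3128; the firewall must still block
# direct outbound 80/443/21 from the LAN for everything except the proxy host,
# otherwise the whitelist is trivially bypassed.
http_port 3128

# Who may use the proxy (assumed LAN subnet).
acl localnet src 192.168.1.0/24

# Only plain web ports; CONNECT (used for HTTPS) is limited to 443.
acl Safe_ports port 80 443 21
acl SSL_ports  port 443
acl CONNECT method CONNECT

# The whitelist: one domain per line in the file (constructed path).
# A leading dot matches the domain and all of its subdomains, so a single
# ".example.com" entry covers www, cdn, stats and any other host under it,
# which is exactly the "one site needs several IPs" problem solved by name.
#
#   /etc/squid/whitelist.txt (sample contents, constructed):
#   .example.com
#   .example.net
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# Log every decision; denied requests show up as TCP_DENIED, which is the
# proxy-side equivalent of watching the default block rule in WallWatcher.
access_log /var/log/squid/access.log squid

# Evaluation order matters: first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet whitelist
http_access deny all
```

After editing whitelist.txt, reload Squid (for example with "squid -k reconfigure") rather than restarting it, and grep access.log for TCP_DENIED to find the next domain a page needs.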
« Reply #6 on: September 13, 2007, 00:29:25 »
CJan_NH *
Posts: 12

Thank you for your guidance Mark. We are running Ubuntu on a couple of desktop PCs here, as well as Ubuntu Server on our development machines. I'll check it out!

Lonnie, upgrading to 1.3B made our problems vanish! Thanks again for your help as well.


Chris