Making a Low cost, high power router/Firewall with m0n0wall…

Every penny counts when you’re deploying networks on a minimal budget. Since I usually use a gateway running m0n0wall on an SBC (single board computer) like those produced by Soekris or the PC Engines WRAP, that £80-170 is a significant chunk of the total network price.

So for cost reasons, and to be honest also for the fun of it, I’m exploring using the Nokia IP-110. This device also holds the promise that it might be able to run pfSense which builds from m0n0wall, but assumes a hard disk and thus has many more features, like Squid caching support.

The Nokia 110 is a firewall device with the following features:

  • Geode processor – National GX1 300 MHz
  • 64 MB RAM (IP110), 128 MB RAM (IP120)
  • 5 GB laptop hard drive
  • Three 10/100 Ethernet ports
  • Two serial ports (console and auxiliary)

Missing Power Supply

Many eBay items do not include a power supply. This makes them cheap to buy, but leaves you with a problem to solve. The Nokia power supply uses a DIN-like 5 pin plug. When looking at the plug from the back, the pins from left to right, i.e. counterclockwise, are used as follows:

Pins      Voltage
1, 2      5V
3, 4, 5   Ground

The power supply that comes with the Nokia is labelled 5V @ 5A. It has part number UP02521050.

Fortunately the power supply problem was easy to solve, and relatively cheap too. Someone was selling them on eBay as an unbranded power supply. Two with shipping and tax came to £13 (though without the AC cords).

Funky MAC addresses

The Nokia box reports the MAC addresses for all three ports as FF:FF:FF:FF:FF:FF. Fortunately, m0n0wall provides a way to assign a MAC address using the <spoofmac> tag.

The IP330 had weirdness in the NIC configs – mainly they all defaulted to
a MAC address of ff:ff:ff:ff:ff:ff. To fix this what I did was write the image
to a drive (a smaller one than the 8GB one that came with it BTW) and then boot
it on another PC with a couple of fxp (Intel) NICs and get the initial NIC config
done. Then I rebooted into FreeBSD on the same box and mounted the m0n0wall drive
onto the FreeBSD box. Once mounted I edited config.xml and added a statement to
each NIC of <spoofmac> (make up a MAC address here) </spoofmac>. As long as the
made up MAC address is unique on your LAN you’re OK.

Once this was written out I put the drive back in the IP330 and proceeded as normal.

Replacing the HD with a CF

PC Engines makes a card called the CFDISK.2F. As you can see from the picture at right, this is a perfect physical replacement for the hard disk – right down to the screw mounts.

The power supply arrived and I was able to boot the Nokia after loading a CF card with the generic version of m0n0wall.

Step by Step

I managed to confuse myself when I came back to this later and wasted a good hour getting this working again. Here is the order and gotchas:

  1. Write a CF with a generic PC image (but not 1.2b5, 1.2b6 or 1.2b7 as they’re FreeBSD 5.x based and don’t boot for some reason)
  2. Using the serial port console, assign interfaces for LAN and WAN. They are called fxp0, fxp1 and fxp2 respectively. (Or you can use Auto assign.)
  3. Save and reboot, but stop the process when you see that it has started to reboot, power down and pull the CF card

Now you need to modify the config.xml file on the CF card to add the spoofmac tags referenced above. When I forgot this step, I had weird behaviour. I could get a lease via DHCP, but could never ping the m0n0wall or log in via http. Later releases could ping my computer from m0n0wall using the console ping command but not vice versa.

I found that the easiest way to modify the config.xml file was to boot a FreeSBIE “Live CD”, plug in a CF reader, plug in the CF card, mount the card and then modify the config.xml file directly. This happens somewhat as follows:

  1. create a bootable CD from
  2. boot it with the CF reader unplugged (assuming USB)
  3. I used the tcsh option because I had low RAM on an old machine. You could likely go for a GUI version if you have more RAM and avoid some of the noodling that follows.
  4. when you’re in the command line, plug in the CF reader with the card already inserted. If you’re lucky, a bunch of stuff will fly by on the console. This is telling you that it recognised the CF reader (and possibly other card readers if it’s a multi-reader device)
  5. use the command dmesg | more to page through what went by in more detail. Look specifically for “CF” or similar and then find the device name, such as da1.
  6. create a mount point using mkdir /mnt/cf
  7. mount the CF with mount /dev/da1 /mnt/cf, where da1 is the device name you found above (the device comes first, then the mount point)
  8. if you’re lucky you didn’t get any errors and you can now cd /mnt/cf and then view the files with an ls command
  9. if so, change to the config directory with cd conf and do another ls to reveal the config.xml file
  10. edit this file with your favorite editor (e.g. vi config.xml or ee config.xml)
  11. find the <lan> tags and add <spoofmac>01:02:03:04:05:00</spoofmac> below the <if> tag and do likewise for the <wan> tag, but change the MAC, e.g. end in 01.
  12. save the file and exit the editor
  13. change back to the root directory with cd /
  14. unmount the CF to ensure it gets updated with umount /mnt/cf
  15. unplug the CF
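
The config.xml edit from step 11, as an added example that is not part of the original post: a small sh function that inserts the tags below <if> in both sections and keeps a backup. It accepts only locally administered unicast addresses (first octet ending in 2, 6, A or E), which is stricter than the 01:02:03:04:05:00 sample above, since an odd first octet marks a group address; the sample config is constructed.

```shell
# Set <spoofmac> for LAN and WAN in a m0n0wall config.xml (added example).
# Usage on the mounted card: add_spoofmac /mnt/cf/conf/config.xml LAN_MAC WAN_MAC
# Accept only well-formed, unicast, locally administered MACs: the low nibble
# of the first octet must be 2, 6, A or E (group bit clear, local bit set).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$' || return 1
    case "$1" in
        ?[26AaEe]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Keeps a .bak copy, then writes <spoofmac> directly below <if> in <lan>/<wan>.
add_spoofmac() {
    cfg=$1; lan_mac=$2; wan_mac=$3
    if ! valid_mac "$lan_mac" || ! valid_mac "$wan_mac"; then
        echo "MAC must be unicast and locally administered" >&2; return 1
    fi
    if [ "$lan_mac" = "$wan_mac" ]; then
        echo "LAN and WAN need different MACs" >&2; return 1
    fi
    cp "$cfg" "$cfg.bak" || return 1
    awk -v lan="$lan_mac" -v wan="$wan_mac" '
        /<lan>/           { sect = "lan" }
        /<wan>/           { sect = "wan" }
        /<\/lan>|<\/wan>/ { sect = "" }
        /<spoofmac>/ && sect != "" { next }   # drop old value so reruns are safe
        { print }
        /<if>/ && sect != "" {                # reuse the indentation of <if>
            indent = $0; sub(/<if>.*/, "", indent)
            print indent "<spoofmac>" (sect == "lan" ? lan : wan) "</spoofmac>"
        }
    ' "$cfg.bak" > "$cfg"
}

# Constructed sample of the relevant part of config.xml (not a real config).
sample_config() {
    cat <<'EOF'
<m0n0wall>
  <interfaces>
    <lan>
      <if>fxp0</if>
    </lan>
    <wan>
      <if>fxp1</if>
    </wan>
  </interfaces>
</m0n0wall>
EOF
}
```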

Now you’re ready to boot the Nokia ‘for real’ this time. Put the CF back in the Nokia and it should boot normally, provide a lease, and you should be able to login via the gui and continue the config.

Note that I tried to cheat and do the OPT1 interface also by creating that section in the XML file myself. It didn’t obviously confuse m0n0wall, but it didn’t respond to pings either.

All in all, pretty frustrating as I recalled it ‘just worked’ the first time around. In hindsight I must have got it just right – beginner’s luck in action!

Good luck!
