Sharing your Internet safely.

I wanted to share my Internet access in order to help anyone who needs an Internet connection. The obvious and easiest way would be to enable my ADSL router’s WiFi with no security option selected. This would give strangers access to my local network. Not a nice thing. It would be really easy for someone to access files, sniff for other information, etc. So… No. I quickly rejected this option.

I own two Thomson TG585 v8 ADSL routers. I knew that Thomson routers offer Telnet access through which you can configure them extensively. After some reading, searching around and testing various options I found out that one can bind a specific Ethernet port to a new VLAN (DMZ). You can also apply firewall rules to this VLAN. I could connect the second router to this Ethernet port. The second router would only act as a WiFi interface (it could be anything, not a TG585 router specifically).

It seemed that I could do what I wanted with my existing equipment. The first thing I had to do was to enable my Thomson’s Telnet access.

This is a representation of what I wanted to accomplish.

[Image: Internet_Sharing]

As I wanted to use OpenDNS for the free WiFi, to filter various web pages like pornography, I created an OpenDNS account. After the OpenDNS account creation I configured a filter (image below).

[Image: OpenDNS Filter]

In order to make the router notify OpenDNS of IP changes, I also had to set up a DNS-O-Matic account. Just go to the page and log in with the credentials of the OpenDNS account.

Select Add a service.

[Image: DNS-O-Matic-1]

Add OpenDNS and any other service you need (like Dyndns).

[Image: DNS-O-Matic-2]

Connect to the router using Telnet (with your favorite client, e.g. PuTTY) and issue the following commands.

  • dyndns service modify name=custom server=updates.dnsomatic.com updateinterval=10800
  • saveall

Then open the web interface of the router. Go to Toolbox > Dynamic DNS > Configure. Select Enabled, enter your OpenDNS user name and password in the Username: and Password:/Confirm password: text boxes. Select custom from the Service: drop-down list and enter all.dnsomatic.com in the Host: text box. Press Apply. If everything is OK you should see something like the following images.

[Image: DNS-O-Matic-3]
[Image: DNS-O-Matic-4]

We can now create the new VLAN with name DMZ and attach Ethernet port 4 to it. Connect to the router through Telnet.

[Image: VLAN-1]

  • eth bridge vlan iflist
  • eth vlan add name=DMZ vid=2
  • eth bridge vlan ifadd name=DMZ intf=OBC untagged=disabled
  • eth bridge vlan ifadd name=DMZ intf=ethport4 untagged=enabled
  • eth bridge vlan ifdelete name=default intf=ethport4
  • saveall
  • eth bridge vlan iflist

[Image: VLAN-2]

The following commands create an Ethernet interface (eth_DMZ, bridged to the DMZ VLAN) and an IP interface (LocalDMZ, 192.168.2.1/24) that is added to the dmz group. Finally, NAT is enabled.

  • eth ifadd intf=eth_DMZ
  • eth ifconfig intf=eth_DMZ dest=bridge vlan=DMZ
  • eth ifattach intf=eth_DMZ
  • ip ifadd intf=LocalDMZ dest=eth_DMZ
  • ip ifconfig intf=LocalDMZ group=dmz
  • ip ifattach intf=LocalDMZ
  • ip ipadd intf=LocalDMZ addr=192.168.2.1 netmask=24
  • ip ipconfig addr=192.168.2.1 preferred=enabled primary=enabled
  • nat ifconfig intf=LocalDMZ translation=transparent
  • saveall
  • ip iflist

[Image: VLAN-3]

Now set up a DHCP server (pool 192.168.2.2 to 192.168.2.12) that hands out the OpenDNS resolvers (208.67.222.222, 208.67.220.220).

  • dhcp server pool add name=DMZ_private
  • dhcp server pool config name=DMZ_private intf=LocalDMZ poolstart=192.168.2.2 poolend=192.168.2.12 netmask=24 gateway=192.168.2.1 server=192.168.2.1 primdns=208.67.222.222 secdns=208.67.220.220 leasetime=86400
  • dhcp relay ifconfig intf=LocalDMZ relay=enabled
  • dhcp relay add name=LocalDMZ_to_127.0.0.1
  • dhcp relay modify name=LocalDMZ_to_127.0.0.1 addr=127.0.0.1 intf=LocalDMZ giaddr=192.168.2.1
  • saveall

The web interface should look like the images below.

[Image: LocalDMZ]
[Image: LocalDMZ_Infos]

Last, we set up a firewall to prevent communication between the LAN and the DMZ. We also prevent users from using their own DNS servers in order to bypass the content filters (e.g. pornography): only DNS traffic to the two OpenDNS addresses is accepted, and any other DNS traffic from the DMZ is denied.

  • firewall level add name=MyRules readonly=disabled udptrackmode=loose service=enabled proxy=enabled policy=default
  • firewall rule add chain=forward_level_MyRules index=1 name=Block_DNS_0 srcintf=dmz dstintf=wan dstip=208.67.222.222 serv=dns state=enabled action=accept
  • firewall rule add chain=forward_level_MyRules index=2 name=Block_DNS_1 srcintf=dmz dstintf=wan dstip=208.67.220.220 serv=dns state=enabled action=accept
  • firewall rule add chain=forward_level_MyRules index=3 name=Block_DNS_2 srcintf=dmz dstintf=wan serv=dns state=enabled action=deny
  • firewall rule add chain=forward_level_MyRules index=4 name=DMZtoWAN srcintf=dmz dstintf=wan state=enabled action=accept
  • firewall rule add chain=forward_level_MyRules index=5 name=WANtoDMZ srcintf=wan dstintf=dmz state=enabled action=accept
  • firewall rule add chain=forward_level_MyRules index=6 name=DMZtoDMZ srcintf=dmz dstintf=dmz state=enabled action=accept
  • firewall rule add chain=forward_level_MyRules index=7 name=FromLAN srcintf=lan state=enabled action=accept
  • firewall level set name=MyRules
  • saveall

The web interface should look like the image below.

[Image: Firewall Rules]
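Because a single mistyped octet in the DHCP pool or a mis-ordered firewall rule silently breaks the DNS restriction, it is worth checking the two pieces of configuration against each other before trusting the setup. The script below is an added example (not part of the original post, and not Thomson's own tooling): it re-parses the DHCP pool and firewall commands from this post into key=value dictionaries, checks that the DNS servers handed out by DHCP are exactly the ones the firewall lets DMZ clients reach, and walks the forward chain with first-match semantics to show what a DMZ client can and cannot do. First-match evaluation in index order and a default-deny policy for forward traffic that matches no rule are assumptions of this example, not statements from the post.

```python
"""Consistency check and first-match simulation for the TG585 DMZ setup.

Added example: the CONFIG text is constructed from the commands in the post.
Assumptions (not stated in the post): rules are matched in index order, the
first matching rule decides, and unmatched forward traffic is denied.
"""
import ipaddress

# Constructed from the post's DHCP pool and firewall rule commands.
CONFIG = """
dhcp server pool config name=DMZ_private intf=LocalDMZ poolstart=192.168.2.2 poolend=192.168.2.12 netmask=24 gateway=192.168.2.1 server=192.168.2.1 primdns=208.67.222.222 secdns=208.67.220.220 leasetime=86400
firewall rule add chain=forward_level_MyRules index=1 name=Block_DNS_0 srcintf=dmz dstintf=wan dstip=208.67.222.222 serv=dns state=enabled action=accept
firewall rule add chain=forward_level_MyRules index=2 name=Block_DNS_1 srcintf=dmz dstintf=wan dstip=208.67.220.220 serv=dns state=enabled action=accept
firewall rule add chain=forward_level_MyRules index=3 name=Block_DNS_2 srcintf=dmz dstintf=wan serv=dns state=enabled action=deny
firewall rule add chain=forward_level_MyRules index=4 name=DMZtoWAN srcintf=dmz dstintf=wan state=enabled action=accept
firewall rule add chain=forward_level_MyRules index=5 name=WANtoDMZ srcintf=wan dstintf=dmz state=enabled action=accept
firewall rule add chain=forward_level_MyRules index=6 name=DMZtoDMZ srcintf=dmz dstintf=dmz state=enabled action=accept
firewall rule add chain=forward_level_MyRules index=7 name=FromLAN srcintf=lan state=enabled action=accept
"""


def parse(config):
    """Split each command into (verb, params): verb is the leading words,
    params the key=value tokens that follow."""
    entries = []
    for line in config.strip().splitlines():
        verb, params = [], {}
        for tok in line.split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                verb.append(tok)
        entries.append((" ".join(verb), params))
    return entries


def dhcp_consistency(entries):
    """Return a list of problems: pool addresses outside the subnet, or DNS
    servers that the firewall would not let DMZ clients reach."""
    problems = []
    pool = next(p for v, p in entries if v == "dhcp server pool config")
    subnet = ipaddress.ip_network(f"{pool['gateway']}/{pool['netmask']}", strict=False)
    for key in ("poolstart", "poolend", "gateway", "server"):
        if ipaddress.ip_address(pool[key]) not in subnet:
            problems.append(f"{key}={pool[key]} is outside {subnet}")
    # DNS destinations explicitly accepted for the DMZ by the firewall.
    allowed_dns = {p["dstip"] for v, p in entries
                   if v == "firewall rule add" and p.get("serv") == "dns"
                   and p.get("action") == "accept" and "dstip" in p}
    for key in ("primdns", "secdns"):
        if pool[key] not in allowed_dns:
            problems.append(f"{key}={pool[key]} is not accepted by the firewall DNS rules")
    return problems


def forward_decision(entries, flow, default="deny"):
    """First-match walk over forward_level_MyRules. flow may carry srcintf,
    dstintf, dstip and serv; a rule matches when every field it specifies
    equals the flow's field. Returns (action, rule name or 'policy')."""
    rules = sorted((p for v, p in entries if v == "firewall rule add"
                    and p.get("chain") == "forward_level_MyRules"),
                   key=lambda p: int(p["index"]))
    for rule in rules:
        if rule.get("state") != "enabled":
            continue
        fields = ("srcintf", "dstintf", "dstip", "serv")
        if all(flow.get(k) == rule[k] for k in fields if k in rule):
            return rule["action"], rule["name"]
    return default, "policy"


if __name__ == "__main__":
    entries = parse(CONFIG)
    print("DHCP problems:", dhcp_consistency(entries) or "none")
    for flow in ({"srcintf": "dmz", "dstintf": "wan", "dstip": "208.67.222.222", "serv": "dns"},
                 {"srcintf": "dmz", "dstintf": "wan", "dstip": "198.51.100.53", "serv": "dns"},
                 {"srcintf": "dmz", "dstintf": "wan", "dstip": "198.51.100.80", "serv": "http"},
                 {"srcintf": "dmz", "dstintf": "lan"},
                 {"srcintf": "lan", "dstintf": "dmz"}):
        print(flow, "->", forward_decision(entries, flow))
```

Running it shows that DNS from the DMZ to a third-party resolver (198.51.100.53 is a constructed documentation address) is stopped by Block_DNS_2 before the general DMZtoWAN accept, that web traffic from the DMZ is accepted by DMZtoWAN, and that DMZ-to-LAN traffic matches no rule and falls through to the assumed default deny. Swapping one octet in secdns (for example 208.65.220.220) makes dhcp_consistency report it, because that address is not covered by the two accept rules and clients using it would lose DNS entirely.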

After that we can connect our second router (we must disable its DHCP server and remove any encryption from the WiFi) through one of its Ethernet ports to Ethernet port 4 of the TG585.

If everything went as expected, users connected to the free WiFi can now browse the Internet without being able to access some pages (pornography). The following image is an attempt to access a pornography page.

[Image: Forbiden]
[Image: Free-WiFi]

Extra info for Thomson routers: http://npr.me.uk/
