The Linux operating system has long been used as a firewall system because it has the flexibility and capabilities to perform both excellent firewalling and routing. With Linux, you can transform your old 486 computer into a powerful gateway computer, protecting your internal network from outside intrusion and providing IP masquerading and routing capabilities that will put your entire LAN on the Internet with a single IP address. Linux does this efficiently and well with low-end hardware. All you really need is a small hard drive, two network cards, and a 486 machine with about 8 MB of RAM. You can even get away with not having a hard drive and using one of the many Linux-based floppy distributions available, such as the Linux Router Project. The cost for all of this? Realistically, you should spend under $100. And for that, you have an efficient firewall to protect your sensitive LAN.
There has been a surge of firewall appliances aimed at home users and small businesses. While powerful routers such as those from Cisco have always been available, they are quite expensive and not at all ideal for the home user. Recently, many companies, such as 3com, Linksys, and D-Link have released a number of firewall/gateway appliances for home users. The rise of these appliances is due to the greater availability of high-speed Internet access through ADSL and cable access, which is cheap enough for the home end user to afford.
Many people have wondered about these products and where they might fit into their network. You may already have a Linux machine acting as a dedicated gateway for your firewall and might be wondering why an appliance such as this would be of any interest, much less of benefit, to you.
I recently purchased a D-Link DI-704 cable/DSL gateway, and I’ll explain the benefits of such an item. I’ll also give you an overview of the features and configuration of the appliance, as well as the speed with which I installed it.
Let me first describe the network into which I needed to insert this product. Because I run a consulting business that provides domain-hosting solutions, I had a few computers to protect. My network includes three server machines that need to be accessible by the outside world. All three act primarily as Web servers and e-mail servers, and they provide a number of other services to the general public. Two of those machines are DNS servers as well. All three computers run Linux-Mandrake.
On the inside, I have two desktop machines and one laptop. One of the desktop machines runs Windows 98, while the other two machines run Linux-Mandrake. Finally, I have one internal print server that also runs Linux-Mandrake. So in my scenario, I have three computers that must be accessible by the public and four that should not be. It’s not a large network, but it’s larger than that of the average home user and a little more complex.
Until now, I had relied on a separate firewall for each machine, running on the machine itself. The Windows 98 machine used a native firewall product, so each computer had a firewall installed, but only locally. This was not an ideal situation, but it has worked for me so far. However, being ever security-conscious, I decided to take steps to further protect my LAN. The three servers are quite secure despite the lack of a dedicated firewall. Because of this, I decided to set up the three servers in a DMZ, or Demilitarized Zone, and protect the rest of the LAN with the D-Link gateway.
The D-Link DI-704
The D-Link DI-704 is a switching gateway that provides four 10/100 Ethernet ports. It can handle cable and DSL modems via an RJ45 port at the back, or it can connect to a PSTN/ISDN network via the COM port, also at the back of the device. Here’s a brief rundown of the features as described by D-Link:
- Protects your computer from intruders
- Shared cable/DSL modem
- Acts as a firewall
- Easy to set up Web-based configuration
- Broadband router
- Four-port Ethernet switch
- External modem port
- Web-based management
- Advanced security features
Quite a nice little feature list. The only annoying thing I found about this product was that the four Ethernet ports were located at the front of the box instead of at the back. Because of this, I could not easily hide my network cables, but this is more of an aesthetic problem than anything else.
The cost of the D-Link DI-704 was $230 Canadian, and the D-Link Web site sells it for $149 U.S. It also sells a single-port edition, called the D-Link DI-701, for $99 U.S. The two devices are similar in the look and size of the appliance itself; the difference is the number of Ethernet ports for the internal LAN.
Previously, I had my ADSL modem connected to a D-Link DSS-8+ eight-port 10/100 switch. My computers were then plugged directly into the switch and shared the Internet directly. My ISP provides me with seven static IP addresses, so each machine had its own IP address and was reachable through the Internet. I don't mind saying that this setup bothered me. Not so much for security reasons, although that was definitely a factor, but because I needed those IP addresses for the other machines so that I could have more than one SSL-enabled Web site available, since each SSL-enabled Web site requires its own IP address. Using this router, I could free up three of those IP addresses for that purpose.
This time, I connected my ADSL modem to a D-Link DE-809TC 10-MB hub, an older hub I used when my network was only 10 MB. I connected the three servers and the DI-704 router into the hub, where I had my DMZ. I connected my DSS-8+ 10/100 switch into the DI-704 router, and I connected the computers belonging to my internal LAN into the switch. Each of the three servers retained their old static IP address, and I assigned another static IP address to the router.
I chose to use the older 10-MB hub for the DMZ instead of purchasing another 10/100 switch for a simple reason: The uplink port on the DI-704 is only 10 MB because you will never find (yet) a residential cable or DSL modem that will give you greater than a 10-MB Ethernet connection. Because of this, the value of a 10/100 switch is negligible, as only the three machines would be able to connect to each other at 100 MB. Since the three servers do not talk to each other very often, having a 100-MB connection between them would provide no greater performance than a 10-MB connection. And since my local network would be able to connect to those computers with only a 10-MB connection anyway, due to the limitation of the uplink port, I decided to reuse some old hardware and save myself some money.
At this point, the network was connected the way I wanted it. The three servers had an open road to the Internet, so to speak, and were quickly up and running. The time it took was the time I spent plugging everything into the various hubs, so the downtime on those servers was less than five minutes.
Configuring the DI-704
Next I had to reconfigure my TCP/IP settings on the local network. The D-Link gateway gives you two choices: You can assign each machine a static IP address, or you can allow the gateway to act as a DHCP server as well. Since I had only four computers behind the firewall, and since I would be sharing printers and hard drives among them, I decided to assign each computer a static IP address.
First, however, I needed to configure the gateway. I decided to use the Windows machine to do this, so I went into the TCP/IP properties and deleted the existing settings, which included the static IP address, the subnet mask, the gateway address, and the DNS settings. I had to reboot the computer in order for the settings to take effect, but once it was back up, I could fire up Internet Explorer and point it to the default IP address of the router, which is 192.168.0.1. It was slow to load, but once it did load, it greeted me with a nice Web page and asked for an administrator password. After entering the default password, I was at the main configuration screen.
The first screen you will see is the information screen, which shows you the internal and external IP addresses of the gateway, as well as the firmware revision number and the MAC address. Click the Tools link, where you can change the default administrator password. Make sure it is something good and something you will remember. The steps to reset the password are annoying at best and involve pulling out a null modem cable and firing up a terminal dialer. Once you’ve changed the password, you can begin to configure the rest of the appliance.
Now click the Setup link, where you must indicate whether you have a dynamic or static IP address for the external connection. If you use DHCP with your provider, which most residential cable and DSL services do, you’ll want to leave it at the default. In my case, I receive static IP addresses from my ISP, so I changed the WAN type to static IP. I also modified the LAN IP address to suit my needs, changing it from 192.168.0.1 to 192.168.5.1. There is not much of a difference, but I try to avoid the defaults as much as possible. You can also use other private network classes here, including 10.x.x.x addresses. I could have just as easily made the IP address 10.5.100.1 if I had wanted to. On this screen, you also define the WAN subnet mask, the WAN gateway, and the primary and secondary DNS servers, provided you use a static IP address. If you have a dynamic IP address, the DHCP client in the gateway will automatically obtain this information from your ISP’s DHCP server. Once you’ve finished with these settings, commit your changes.
Next, click the DHCP link, where you determine whether the DI-704 will also act as a DHCP server for the internal LAN. If you enable DHCP, you needn’t worry about assigning static IP addresses to each computer on the LAN, but if you disable it, you’ll need to configure the IP address on each computer behind the firewall. If you enable the DHCP server, you can define the starting and ending addresses for the IP pool. By default, these start at 100 and end at 199. You can also define a domain name for the LAN. This means that if you chose a LAN IP address of 192.168.5.1 and you kept the default settings, your internal LAN would be assigned an IP address between 192.168.5.100 and 192.168.5.199. With this default setting, you can have 100 computers running behind the gateway. The maximum number of computers that can be sitting behind the firewall is 253, and to use them all you would set your starting range at 2 and your ending range at 254. You cannot use 1 because that should be the IP address for the gateway, and you cannot use 255 because that is the broadcast address for the LAN. But you can freely use any IP address in between, up to that maximum of 253 addresses.
This high number of available addresses means that you can use the DI-704 for very large networks if you wish. Because the gateway has four 10/100 switching ports, you can connect any number of 10/100 switches below it in such a way that you can easily have a full network of 253 computers connecting to each other at 100 MB. This makes the DI-704 quite scalable and useful for many networks, ranging from small to large.
At this point, you should save all of the changes and return to the Tools settings. Click the Reboot button to reboot the gateway and commit all of your changes permanently. This is necessary to make further use of the gateway with your settings. Once you’ve rebooted the gateway, close your browser.
Configuring the operating systems
Since I had done all the work using Windows, I decided to configure Windows first. Opening the TCP/IP properties, I gave Windows a new static IP address. In this case, I gave it 192.168.5.11 with a subnet mask of 255.255.255.0. The IP address may differ in your settings, but the subnet mask will remain the same. If you enabled the DHCP server on the DI-704, tell Windows to obtain the IP address automatically. If you did not, go to the Gateway tab and enter the IP address of the gateway; in my case, it was 192.168.5.1. Finally, go to the DNS tab and enter the DNS servers you wish to use. Again, if you have the gateway serving the IP addresses, you needn’t change anything here.
Finally, reboot Windows once again. When it comes back up, you should be able to connect to the Internet without a problem.
Linux is just as simple to reconfigure. On both machines, I used the linuxconf tool and changed the previous static IP addresses to 192.168.5.x and changed the subnet mask to 255.255.255.0. These settings are available under Networking | Host Name And IP Network Devices. Then go into Networking | Routing And Gateways and enter your new gateway address: 192.168.5.1. My DNS information hadn't changed, so I left that alone. Again, if you have the DI-704 serving the IP addresses, you’ll need to change the manual IP address to a DHCP address and leave the IP address, subnet, gateway, and DNS information blank.
Once you exit linuxconf, it will ask you if you wish to perform the actions based on your changes. If you tell linuxconf to activate the changes, when you return to the command line, you should be able to ping an outside machine. You may also want to issue /sbin/ifconfig just to ensure that your settings are correct. I’ve found that some versions of linuxconf do not properly reset the settings when you tell it to activate the changes.
And that's it! You should now be able to connect to the outside world through your DI-704 gateway. The only steps left are to change IP addresses anywhere you may have previously defined them. For example, you might want to edit your /etc/smb.conf file if you use Samba, or your /etc/hosts file. If you run Apache and plan to use it for an intranet Web server, you’ll need to change your IP address there as well. You may also want to rewrite or remove some of your ipchains rules. I found that on one machine I could not connect to the Internet because my ipchains rules were dependent on the old IP address. If you find that you cannot connect to any sites on the Internet—or even to your LAN or the gateway—try issuing ipchains -F to flush all of your ipchains rules, and you should be up and running.
Advanced DI-704 configuration
Now you may want to set up some of the advanced configuration options. Remember, the DI-704 is more than just a simple gateway and firewall product. You’ll need to connect to the local IP address of the gateway again (if you changed it, you’ll need to connect to the new address). In my case, I now must connect to http://192.168.5.1/. Once you do this and enter your new administrator password, click the Advanced link.
The first items you’ll see are the Virtual Server settings. Here you can forward certain ports to various machines; you can specify up to 10 ports to forward. You can use the convenient Well-Known Services button to inject certain ports into the configuration, such as FTP, HTTP, or DNS. This allows your machines behind the firewall to be reached via certain definable ports. In my case, I forwarded port 22 to my primary Linux workstation to allow SSH access into the LAN. I also forwarded port 113 to the Linux machine for AUTH connections, and I forwarded port 21 for FTP to the same machine. Note that you cannot have the same port forwarded to different machines since you can specify only one IP address per port.
If you click the Special AP link, you’ll be able to define special applications, allowing you to use special programs such as video conferencing, Internet games, and so on that require multiple ports. You can use the special Popular Applications pull-down list to copy a series of ports to one of the five definable IDs, or you can specify your own port ranges. You can also use it to open up a series of ports to a particular machine. Please note, however, that these ports will be available and open to all machines behind the firewall even though only one computer at a time can use the application. For instance, you can only have one machine doing video conferencing at a time, but if you define the application here, any computer can make use of it, so it isn't as restricted as with the Virtual Server settings.
Under the Access Control link, you can define access control for the internal network making outbound connections. With this, you can restrict certain groups of IP addresses from being able to access certain outbound ports. You could restrict all machines behind the firewall or just a specific group from using applications such as telnet and FTP, if you so desire.
Finally, under the Misc Settings link, you can define two important settings. The first is the address of your DMZ host. If you want, you could connect your cable or DSL modem directly to the router and have one machine behind the firewall act as your Web server or e-mail server. Here you would enter the local IP address for that machine, and the router would allow all connections to any port on that machine. This capability is useful only if you have one server that needs open access to the Internet, which is what the DMZ allows. In my case, having three servers, it isn't very useful, which is why I opted to use the 10-MB hub between the ADSL modem and the DI-704 to establish my gateway.
The final option on this page is the Remote Administrator Host. This option allows you to configure the gateway from a remote IP address. Unless you have a pressing need to allow this, I strongly suggest you leave this setting disabled. Enabling it creates a point of entry into the gateway itself. When this is disabled, the Web server embedded in the appliance listens on port 80 on the internal IP address only. When you enable it, the Web server listens on port 88 on both the internal and external IP addresses but will accept connections on the external IP address only from the specified host. If you leave the IP address set to 0.0.0.0, then any host on the Internet can connect to the server on port 88 to configure the gateway, provided they know the administrator password.
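To make the interaction of the Virtual Server, DMZ host, and Remote Administrator Host settings concrete, here is an added model (my own illustration, not D-Link firmware code) of where an unsolicited packet arriving on the WAN side ends up, plus a check that flags the two settings singled out above as risky. The order of the checks and the address 192.168.5.12 for the Linux workstation are assumptions; the article gives neither.

```python
# Added illustration of the DI-704 inbound policy described in the article; not D-Link code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY_HOST = "0.0.0.0"       # Remote Administrator Host value meaning "any Internet host"
REMOTE_ADMIN_PORT = 88     # port the embedded Web server listens on once remote admin is enabled
MAX_VIRTUAL_SERVERS = 10   # number of Virtual Server entries the article says are available


@dataclass
class DI704Policy:
    """Inbound (WAN -> LAN) policy of a DI-704 as the article describes it."""
    virtual_servers: Dict[int, str] = field(default_factory=dict)  # WAN port -> one LAN host
    dmz_host: Optional[str] = None        # LAN host that receives every port not forwarded elsewhere
    remote_admin_enabled: bool = False
    remote_admin_host: str = ANY_HOST

    def add_virtual_server(self, port: int, lan_ip: str) -> None:
        # One LAN host per port, and at most ten entries, as the article notes.
        if port in self.virtual_servers:
            raise ValueError(f"port {port} is already forwarded to {self.virtual_servers[port]}")
        if len(self.virtual_servers) >= MAX_VIRTUAL_SERVERS:
            raise ValueError(f"only {MAX_VIRTUAL_SERVERS} virtual server entries are available")
        self.virtual_servers[port] = lan_ip

    def route_inbound(self, src_ip: str, dst_port: int) -> str:
        """Where an unsolicited packet arriving on the WAN side ends up:
        'admin' (the gateway's own Web server), a LAN IP, or 'drop'.
        The order of the checks is an assumption made for illustration."""
        if self.remote_admin_enabled and dst_port == REMOTE_ADMIN_PORT:
            # 0.0.0.0 means any source is accepted; otherwise only the configured host.
            return "admin" if self.remote_admin_host in (ANY_HOST, src_ip) else "drop"
        if dst_port in self.virtual_servers:
            return self.virtual_servers[dst_port]
        if self.dmz_host is not None:
            return self.dmz_host          # the DMZ host receives all remaining ports
        return "drop"

    def exposure_warnings(self) -> List[str]:
        """Flag the two settings the article singles out as risky."""
        warnings = []
        if self.remote_admin_enabled and self.remote_admin_host == ANY_HOST:
            warnings.append("remote admin on port 88 reachable from any Internet host; "
                            "the administrator password is the only barrier")
        elif self.remote_admin_enabled:
            warnings.append(f"remote admin on port 88 reachable from {self.remote_admin_host}")
        if self.dmz_host is not None:
            warnings.append(f"every port on DMZ host {self.dmz_host} is open to the Internet")
        return warnings


def article_policy() -> DI704Policy:
    """The author's Virtual Server entries; 192.168.5.12 is an assumed (constructed)
    address for the Linux workstation, which the article does not give."""
    policy = DI704Policy()
    for port in (22, 113, 21):            # SSH, AUTH, and FTP, all to the same LAN host
        policy.add_virtual_server(port, "192.168.5.12")
    return policy
```

Running `exposure_warnings()` on a policy with remote administration enabled and the host left at 0.0.0.0 reports exactly the exposure the paragraph above warns about.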
The D-Link DI-704 is, in my eyes, a gem. As I’ve pointed out in this Daily Drill Down, it’s slightly more expensive than some other similar solutions, but the fact that it provides four switching 10/100 ports is worth the cost if performance is important. Other gateway appliances that cost less act as a simple hub, without the benefit of switching ports. And while it may cost more than a Linux-based alternative on old hardware, the benefit is worth the additional expense. With this simple appliance, you don’t have to deal with a complete operating system if anything does go wrong. Also, in terms of long-term costs, you’ll save on energy consumption since the power usage of this appliance is far less than the power requirements of a computer.
All in all, this is a wonderful piece of hardware. The total time it took me to configure my LAN to use it was perhaps half an hour. Indeed, it took me longer to write about it than it did to configure it.
One final piece of advice: Once you have everything configured the way you want it, print out all of your settings and retain a hard copy. At this time, there’s no firmware upgrade for the DI-704, but there is for the DI-701. Some ill-behaved appliances may wipe out your settings when you attempt to upgrade the firmware. A quick hard copy “backup” of your settings will save you some time in the unlikely event that this happens to you. One product that apparently suffers from this problem is the Linksys cable/DSL gateway product.
For more information on the D-Link DI-704, read about it on the D-Link Web page, and if you are interested in the one-port model, the DI-701, you can read about it on its own home page on the D-Link site.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.