ImageStream CPE device configuration

The ImageStream router (http://www.imagestream.com) is a Linux based router that offers all the flexibility of any other Linux system with the added advantage of ImageStream's special driver component architecture and management interface called "Inetics".  I won't go into the details of the Inetics platform (that'll be another article some day), but it should be sufficient to say that it is a tremendous feature in ImageStream's router platforms. This article will detail the steps needed to successfully configure an ImageStream router as a replacement for a consumer grade CPE device such as a Linksys, D-Link or even the higher end Cisco PIX.  This article will deal only with the configuration of a router with ethernet ports.  We will see all the steps needed to get the customer online and functional.  Items such as VPN and firewall will also be covered at a later time.

First up, the default configuration for an ImageStream router sets the Ethernet0 port with an IP address of 10.10.199.199/8 (netmask is 255.0.0.0).  You will need to set your PC to communicate with that IP.  For the purpose of this article, we will assume that you set your PC with the following IP information:
    IP Address: 10.10.199.198
    Netmask:    255.255.255.0   <-- That's the mask you should use, even though it is different
    Gateway:    UNIMPORTANT     <-- You can set this to anything you want, or leave it blank
An alternative method to connect to and communicate with a new ImageStream router is via the serial console port.  In order to communicate with the router via this terminal, you will need to use a terminal emulator such as HyperTerminal or (better yet) putty.exe.  Set your terminal emulator to communicate at 9600 baud, 8 data bits, 1 stop bit, no parity and no flow control.  Use a NULL MODEM cable to connect to the router's serial console port.  Once you have the terminal emulator running and the NULL MODEM cable connected you can proceed as shown below.  NOTE: You may have to hit "ENTER" once or twice to see the terminal screen in your emulator software.

Consider the following network diagram:

Network Diagram

At this point, you can use your favorite ssh client (I like putty) to connect to IP 10.10.199.199. Go to the configuration menu, then select the "Network Interface Configuration" menu.  This puts you in the editor for the WAN.conf file. We will change the configuration first for Ethernet0.  Here is the default value for this interface:
    !
    interface Ethernet0
    ip address 10.10.199.199 255.0.0.0
    !
Note that the bang characters (!) are separators and are needed in your configuration file.  We need to change Ethernet0 to match our network's configuration.  If we have a DHCP server running on the portion of the network labeled "ISP Network", then we can simply do this:
    !
    interface Ethernet0
    #Upstream Interface uses DHCP
    ip address dhcp
    !
Note that we can add inline comments by putting a "#" character at the beginning of the line.  Assigning a static IP would be as simple as changing the "default" IP address line from "10.10.199.199 255.0.0.0" to the appropriate IP and netmask for our network.  The DHCP server should provide us with:
  1. An IP address and netmask
  2. A default gateway
  3. DNS Servers
  4. Other optional information
Next, we need to add lines such as the following to the WAN.conf file:
    !
    interface Ethernet1
    # LAN connection
    description LAN side interface
    ip address 192.168.7.1 255.255.255.0
    !
Here, we have introduced another feature of the WAN.conf file.  The "description" keyword allows us to add a bit of text that will describe the interface for us in the "stats" view (described below).  We can also add another parameter here which will help us to determine how much of the client's available bandwidth is being used.  If we assume that the client has 1500k (1.5Meg) of available bandwidth, then we would use the "bandwidth" keyword as follows:
    !
    interface Ethernet1
    # LAN connection
    description LAN side interface
    bandwidth 1500000
    ip address 192.168.7.1 255.255.255.0
    !
Note that the bandwidth is in bits per second.  It is important to understand that the bandwidth keyword does not actually limit the bandwidth, but is simply used by the "stats" program to calculate utilization percentages.

Next, we need to set up the DHCP server for the LAN.  That is done as follows:
    !
    ip dhcp pool 0
    network 192.168.7.0 255.255.255.0
    ip dhcp excluded-address 192.168.7.1 192.168.7.10
    dns-server 4.2.2.2 4.2.2.3
    default-router 192.168.7.1
    lease 2 hours
    !
The "dhcp pool" entry sets up the address pool.  The "network" entry tells the router that it should be "listening" on the port that has the network address as indicated.  In our example, that is Ethernet1.  If you don't yet know how to determine the network address for a given IP address and netmask, be patient, as this will be discussed in a future article.  The line with the "excluded-address" ensures that the router does not "hand out" a specific range of IP addresses.  The 192.168.7.1 address is already assigned to the Ethernet1 interface and cannot be used again.  With this example, we are reserving a RANGE of IP addresses (192.168.7.1 through 192.168.7.10).  If you leave off the second IP, then just one IP address will be reserved.  This keyword can be used multiple times.  For example, let's suppose we wanted to reserve "192.168.7.1" and "192.168.7.254" (not the range, but just those 2 IPs).  In that case, the configuration would look like this:
    !
    ip dhcp pool 0
    network 192.168.7.0 255.255.255.0
    ip dhcp excluded-address 192.168.7.1
    ip dhcp excluded-address 192.168.7.254
    dns-server 4.2.2.2 4.2.2.3
    default-router 192.168.7.1
    lease 2 hours
    !
The "dns-server" entry is the set of dns-servers we will tell our clients to use and the "default-router" line tells the clients to use 192.168.7.1 as their default gateway.  Finally, the "lease 2 hours" line tells the clients that their lease is valid for 2 hours (duh!).  You can use keywords "hours" or "minutes" here.

We now have the following configuration for WAN.conf, which is now complete:
    !
    interface Ethernet0
    #Upstream Interface uses DHCP
    description WAN side interface
    bandwidth 1500000
    ip address dhcp
    !
    interface Ethernet1
    # LAN connection
    description LAN side interface
    bandwidth 1500000
    ip address 192.168.7.1 255.255.255.0
    !
    ip dhcp pool 0
    network 192.168.7.0 255.255.255.0
    ip dhcp excluded-address 192.168.7.1
    ip dhcp excluded-address 192.168.7.254
    dns-server 4.2.2.2 4.2.2.3
    default-router 192.168.7.1
    lease 2 hours
    !
Once you have this in your WAN.conf file, just type CTRL-X and it will ask you to save the configuration and restart the network.  Let's review what we have configured so far.
  1. We have set up the WAN side IP address
  2. We have set up the LAN side IP address
  3. We have configured a DHCP server for the LAN
  4. We have configured the appropriate bandwidth statements on the interfaces, so that we will be able to accurately determine utilization percentages
Our only remaining requirement is to configure NAT so that our customer can reach the internet.  We are already in the Configuration menu, so just select option "4. Firewall and QOS Configuration", then option "2. Firewall (iptables)" then "1. Configure Firewall Rules". There is a default firewall included, but most of this is commented out (it has the "#" as the first character of the line).  We will be simply uncommenting several lines and altering one or two lines. You will need to find the following lines and uncomment as shown:
    ######################################################
    # Flushing all rules.                                #
    # Do not uncomment these lines unless you have NAT   #
    # rules that require them.                           #
    ######################################################
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
By default the "ip_nat_ftp" and "ip_nat_irc" lines are commented.  Just remove the "#" and then look for the lines below:
    ################################################
    # Do not uncomment this line unless you have   #
    # NAT rules below.                             #
    ################################################
    iptables -F -t nat
This line tells the router to prepare the nat table by flushing (clearing) all the rules currently in that table.  You will see the next lines just below this one in the default firewall script:
    ########################################################
    # If you have NAT rules and get a "ip_conntrack: table #
    # full, dropping packet." message in your kernel       #
    # message log (dmesg), increase the maximum number of  #
    # connections that can be tracked by uncommenting the  #
    # line below                                           #
    #                                                      #
    # Each connection uses ~ 350 bytes of memory.          #
    # 16384 = 5.7 MB                                       #
    ########################################################
    #echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
Generally speaking it will be safe to leave the above line commented.  If you have a customer that has lots of computers behind the router, you may have to uncomment this line.  This line controls how many CONCURRENT connections the router can handle.  As I said, the default is fine for most CPE configurations.
    ####################################################
    # Use this line to masquerade for the 172.16 class #
    # B network as 1.2.3.4.                            #
    ####################################################
    #iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to 1.2.3.4
    iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
That last line is the one that actually accomplishes the MASQUERADE.  The "-s 192.168.7.0/24" option tells the rule to match only if the source IP address in the packet is in the 192.168.7.0/24 network range.  The "-o eth0" option (by the way, that first character is the letter "o" - lower case) tells iptables to only masquerade traffic that is leaving the router on the interface "eth0" (that's the number "0").  Keep in mind that this rule only rewrites the source address of traffic leaving on eth0; it does not filter anything, which is why firewalling is left for a later article.  Again, you just type CTRL-X and save and load the firewall rules.

At this point in your configuration, you should have a functional CPE router.  You have only a couple further things to do to complete the process.  First, you need to ensure that the router loads the firewall rules each time it is powered up.  You do this by selecting option "2. Enable firewall on boot" from the firewall configuration menu.  All that remains now is to save your configuration so it is retained.  That is done back on the Configuration menu.  Just type "q" until you are on that menu and select option "7. Save configuration to flash".  Once this is done, your router is ready to deploy.

I hope you find this article useful.  Please leave comments with your feedback.  I truly appreciate your readership.
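As an added sanity check for the WAN.conf and MASQUERADE rule built above (example code written for this article, not an ImageStream tool), the following parses the WAN.conf stanzas, finds the interface whose network address matches a DHCP pool, and confirms that default-router is that interface's address, that the address is excluded from the pool, and that the firewall's "-s" range is the same LAN network.  The embedded WAN.conf and NAT rule are constructed from the article's own values; the parser assumes the "excluded-address" lines sit inside the pool stanza, as they do in the article.

```python
import ipaddress
import re

# Constructed sample: the article's completed WAN.conf, reduced to the lines
# the checks read, plus the MASQUERADE line from the firewall script.
WAN_CONF = """!
interface Ethernet0
#Upstream Interface uses DHCP
ip address dhcp
!
interface Ethernet1
ip address 192.168.7.1 255.255.255.0
!
ip dhcp pool 0
network 192.168.7.0 255.255.255.0
ip dhcp excluded-address 192.168.7.1
default-router 192.168.7.1
!"""
NAT_RULE = "iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE"

def parse_wan_conf(text):
    """Split on '!' separators, drop '#' comment lines; return ({iface: IPv4Interface or 'dhcp'}, [pools])."""
    ifaces, pools = {}, []
    stanzas = [[l.split() for l in b.splitlines() if l.split() and not l.lstrip().startswith("#")] for b in text.split("!")]
    for head, *body in filter(None, stanzas):  # skip empty stanzas between separators
        if head[0] == "interface":
            addr = next(w[2:] for w in body if w[:2] == ["ip", "address"])
            ifaces[head[1]] = "dhcp" if addr == ["dhcp"] else ipaddress.IPv4Interface("/".join(addr))
        elif head[:3] == ["ip", "dhcp", "pool"]:
            pools.append({
                "network": ipaddress.IPv4Network("/".join(next(w[1:] for w in body if w[0] == "network"))),
                "router": next((ipaddress.IPv4Address(w[1]) for w in body if w[0] == "default-router"), None),
                "excluded": [ipaddress.IPv4Address(w[3]) for w in body if w[:3] == ["ip", "dhcp", "excluded-address"]],
            })
    return ifaces, pools

def lint(text, nat_rule):
    """Cross-check each pool against the LAN interface it serves and the NAT rule; [] means all agree."""
    ifaces, pools = parse_wan_conf(text)
    m = re.search(r"-s (\S+) .*-j MASQUERADE", nat_rule)
    nat_src = ipaddress.IPv4Network(m.group(1)) if m else None
    problems = []
    for p in pools:
        # The pool serves the port whose network address equals the pool's "network" line.
        lan = next((i for i in ifaces.values() if i != "dhcp" and i.network == p["network"]), None)
        checks = [
            (lan is not None, f"pool {p['network']} matches no interface network"),
            (lan is not None and p["router"] == lan.ip, "default-router is not the LAN interface address"),
            (lan is not None and lan.ip in p["excluded"], "LAN interface address is not excluded from the pool"),
            (nat_src == p["network"], "MASQUERADE -s does not match the LAN network"),
        ]
        problems += [msg for ok, msg in checks if not ok]
    return problems
```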
