Smoothwall GNS3 step by step Lab setup

VirtualBox and GNS3 (Smoothwall Virtual Test Labs)

GNS3 Test Labs (Smoothwall Labs):
 
Lab Scenarios:
(Please add more Lab scenarios that you think could be useful)
 

1. Cisco IOS Router (7200 series) with NATTing connected to the internet (ACLs configured for specific subnets being used behind the Smoothwall).

2. Smoothwall UTM Master and Failover with Multiple External connections (Primary/Secondary) to test HA and LLB

3. Apache Server on an internal Windows 7 machine to test port-forwarding rules from the internet facing VM.

4. VLANs using NM-16ESW (3725 series router network module) trunk linked to the Smoothwall (VLANs 10, 20 and 1)

5. Child node (bridged) for a Windows 7 machine getting replication from a parent node.

6. Windows 7 machine externally connected to the UTM (between the external router and the Master UTM ) to test L2TP, SSL VPNs, Global Proxy, Mobile Proxy and Syslog server.

7. Solarwinds Real-time SNMP bandwidth monitoring tool for testing SNMP.

8. Hardware WAP (TP-Link) connected to a virtual switch (NM-16ESW, 3725 series) configured with RADIUS (802.1X/WPA Enterprise/BYOD) to test iOS (iPads and iPhones) or Android devices. (I installed OpenWrt firmware on my TP-Link, which supports not only authentication but also accounting, i.e. ports 1812 and 1813.) (Smoothwall configured as the DHCP server.) (Will try to find a WAP that supports framed IPs to test further RADIUS scenarios.)

9. Using two Windows 2012 VMs for testing multi-domain AD connections on the Smoothwall.

10. Other VMs include Win 7, Win 8, Win 10, Ubuntu, Mac OS X and Chromium.

11. Wireshark is already integrated in GNS3 and you can capture traffic on any connected links for troubleshooting.

12. Separate lab for testing IPSec VPN connectivity between two Smoothwalls or Smoothwall and ASA.

13. It will be easier with VMs on GNS3 to test further features like IDS/IPS, Upstream Proxy, Bandwidth Management (you might notice some latency), Upstream Firewall and F5 Load Balancer VMs.
 
14. For Cisco devices you can also use CCP (Cisco Configuration Professional) software to configure them through a wizard-based GUI instead of the CLI.



Install GNS3 1.3.0 on Ubuntu 14.10 and 14.04 LTS :

— GNS3 CLI installation —

– After opening a terminal, I recommend changing to your user home directory.

$ cd ~

– Run apt-get update

$ sudo apt-get update

$ sudo apt-get upgrade

$ sudo apt-get dist-upgrade

– Install GNS3 Python dependencies

$ sudo apt-get install python3-setuptools

$ sudo apt-get install python3-pyqt4

$ sudo apt-get install python3-ws4py

$ sudo apt-get install python3-netifaces

– Install Dynamips dependencies

$ sudo apt-get install cmake

$ sudo apt-get install libelf-dev

$ sudo apt-get install uuid-dev

$ sudo apt-get install libpcap-dev

 – Download and unzip GNS3 Linux source files (Download )

$ unzip GNS3-1.3.7-source.zip

  dynamips-0.2.14.zip  gns3-gui-1.3.7.zip  gns3-server-1.3.7.zip  vpcs-0.6.zip

 – Build and Install Dynamips

$ unzip dynamips-0.2.14.zip

$ cd dynamips-0.2.14

$ mkdir build

$ cd build

$ cmake ..

$ make

$ sudo make install

$ sudo setcap cap_net_admin,cap_net_raw=ep /usr/local/bin/dynamips

$ cd ../..

 – Install GNS3 Server

$ unzip gns3-server-1.3.7.zip

$ cd gns3-server-1.3.7

$ sudo python3 setup.py install

$ cd ..

 – Install GNS3 GUI

$ unzip gns3-gui-1.3.7.zip

$ cd gns3-gui-1.3.7

$ sudo python3 setup.py install

$ cd ..

 – Install VPCS

$ unzip vpcs-0.6.zip

$ cd vpcs-0.6/src

$ ./mk.sh

$ sudo cp vpcs /usr/local/bin/

$ cd ../..

 – Install VirtualBox

$ sudo apt-get install virtualbox

 – Install Wireshark

$ sudo apt-get install wireshark

 – Install QEMU – method 1

$ sudo apt-get install qemu

 – Install QEMU – method 2 (x86 arch. only)

$ sudo apt-get install qemu-system-x86

$ sudo apt-get install qemu-utils

 – Install cpulimit

$ sudo apt-get install cpulimit

 – Start GNS3

$ gns3

 


Script to grab all the domain groups for a user on a Linux system with Active Directory connection

#!/bin/sh

clear

USIDTEMP="/var/tmp/USIDstr.tmp"
GSIDTEMP="/var/tmp/GSIDstr.tmp"
NAMETEMP="/var/tmp/NAMEstr.tmp"

# Reset the temporary files that hold the SID strings
>"$USIDTEMP"
>"$GSIDTEMP"
>"$NAMETEMP"

echo "Command line user group checker"
echo "Please supply the domain you wish to check"
read -r DOM
# The domain is upper-cased to match the winbindd socket directory name
DOMAIN=$(echo "$DOM" | tr '[:lower:]' '[:upper:]')

clear
echo "What username do you wish to list groups for?"
read -r USERNAME
clear

# Every wbinfo call is pointed at the winbindd instance for this domain
WBSOCK="/var/samba/$DOMAIN/"

echo "Check Remote Procedure Call (RPC) connection to domain"
echo " "
WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo -t
echo " "
echo "---------------------------------------------------------"
echo " "
echo "Current Domain Controller bound to"
echo " "
WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo --dc-info="$DOMAIN"
echo " "
echo "---------------------------------------------------------"
echo " "
echo "Online status of all domains known to $DOMAIN:"
echo " "
WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo --online-status
echo " "
echo "---------------------------------------------------------"
echo " "

# Save the user's SID to a temp file (output looks like: S-1-5-21-... SID_USER (1))
WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo --name-to-sid="$USERNAME" >"$USIDTEMP" 2>&1

# Read in the user SID (first field of the wbinfo output)
while read -r LINE
do
    USERSID=$(echo "$LINE" | gawk '{print $1}')
    echo " "
    echo "Groups found for $USERNAME are:"
    echo " "
    # One SID per line for every group the user is a member of
    WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo --user-sids="$USERSID" >"$GSIDTEMP" 2>&1
    while read -r GLINE
    do
        >"$NAMETEMP"
        # Resolves to "DOMAIN\name type"; type 2 is a domain group
        WINBINDD_SOCKET_DIR="$WBSOCK" wbinfo --sid-to-name="$GLINE" >"$NAMETEMP" 2>&1
        gawk 'BEGIN{FS="\\"}{print $1","$2}' "$NAMETEMP" | while read -r NLINE
        do
            # Last character of the line is the SID type
            T=$(echo "$NLINE" | rev | cut -c1)
            if [ "$T" = 2 ]; then
                # Print DOMAIN\group and strip the trailing type number
                echo "$NLINE" | gawk 'BEGIN{FS=","}{print $1"\\"$2}' | sed 's/ .$//'
            fi
        done
    done <"$GSIDTEMP"
done <"$USIDTEMP"

Distributing Smoothwall's HTTPS MITM self-signed CA certificate to BYOD (mobile) client devices (unmanaged devices other than Windows clients)

If you wish to use ‘decrypt and inspect’ for BYOD devices, the users will need to have the Smoothwall’s HTTPS MiTM CA cert sent out to them so that they can install it on their systems.

The best ways to get this CA to the clients are to either:

– Email the CA to them directly
or
– Provide a download link to the CA so the users can download it themselves directly.

Then, following their device's instructions, they need to install the CA so that it is trusted.

(It isn't possible to use a normal real-world certificate for the MITM, as that would require a full certificate authority.)

Smoothwall IPSec (Openswan) VPN to Microsoft Azure (Site-to-Site VPN)

Smoothwall can only be set to use Diffie-Hellman group 5 in Phase 1 when initiating the VPN; however, when offered by the other device, the Smoothwall can downgrade to DH group 2.

All the other encryption settings can be configured on the Smoothwall. So when setting up the connection on the Smoothwall's end, it would look something like this:

Authenticate by: preshared key
Use compression – off
Initiate the connection – off
Perfect forward secrecy – off
Authentication type: ESP
Phase 1 cryptographic algo: AES256
Phase 1 hash algo: SHA
Phase 2 cryptographic algo: AES256
Phase 2 hash algo: SHA

Key life: 480 mins
IKE lifetime: 60 mins

These settings would need to be set the same on the Azure gateway, and the Azure side would need to be set up as the initiator.

Block a single domain through DNS on windows server 2003/2008/2012

We just got a phishing attempt and I felt really bad that I could not stop people from accessing a domain. Isn’t there a way to override a domain in our DNS just for a while so I can stop people from accessing a domain?

Yes, you could create a zone for that domain. No need to create any records, unless you want to point them to a webserver explaining why they are there. Having a DNS zone will make you authoritative for it. When people click on the phishing links, their computers will try to resolve the name with your DNS, and of course, will not be able to access the malware site.
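The same override done from PowerShell on a Windows Server 2012 R2 DNS server, as an added example that is not part of the original answer; it assumes the DnsServer module is present, and the phishing domain name and the internal notice web server address are constructed placeholders.

```powershell
# Sinkhole a phishing domain by becoming authoritative for it on the internal DNS server.
# Constructed placeholders: the phishing domain and an internal "why was I blocked" web server.
$PhishDomain  = "phishing-domain.example"
$NoticeServer = "10.0.0.50"

# 1. Create a primary zone for the domain. With no records in it, every name below the
#    domain now answers NXDOMAIN to internal clients instead of being forwarded out.
#    On a domain controller, use -ReplicationScope "Domain" instead of -ZoneFile so the
#    zone is AD-integrated and replicates to every DC that runs DNS.
Add-DnsServerPrimaryZone -Name $PhishDomain -ZoneFile "$PhishDomain.dns"

# 2. Optional: point the apex and every sub-name at an internal page explaining the block.
#    The wildcard matters because phishing links use hosts such as www. or login.
Add-DnsServerResourceRecordA -ZoneName $PhishDomain -Name "@" -IPv4Address $NoticeServer -TimeToLive 00:05:00
Add-DnsServerResourceRecordA -ZoneName $PhishDomain -Name "*" -IPv4Address $NoticeServer -TimeToLive 00:05:00

# 3. Drop any cached answer for the domain so the override applies now, not after the TTL.
Clear-DnsServerCache -Force

# 4. Verify from the server itself: the answer must now come from the local zone.
Resolve-DnsName -Name "www.$PhishDomain" -Server 127.0.0.1 -Type A

# When the incident is over, remove the zone so the real domain resolves normally again.
# Remove-DnsServerZone -Name $PhishDomain -Force
```

Clients that already cached the real answer will pick up the override once their cache expires or after `ipconfig /flushdns`.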

Configure DNS forwarders in Windows Server 2012 R2

In the first article in our series on DNS forwarders, we looked at some best practices for DNS forwarding. In this second article I’ll show you how to configure a DNS server with forwarders in Windows Server 2012 R2.

As always with Windows, you can change, add, and remove forwarders by using either the Windows GUI or the command prompt. I’ve listed steps on how to configure a DNS server to use forwarders using both the Windows GUI and the command prompt below.

Configure a DNS server to use forwarders using the Windows GUI

1. Click Start, point to Administrative Tools, and then click DNS.

Note: You can also type “DNS” without the quotes in the Start page, and it will find it for you.

Opening DNS Manager in Windows Server 2012 R2

2. Open DNS Manager.

Note: To use DNS Manager (and other administrative tools) on a server that does not have the DNS role installed on it, you must install the Remote Server Administration Tools (RSAT) suitable for your OS (the equivalent of adminpak.msi in Windows Server 2003/XP). See our articles on how to install RSAT for Windows 7 and Windows 8 for more information on how to download, install, and configure the RSAT tools on those clients.

3. In the console tree, click on the applicable DNS server, usually it’s the same as the server you’re logged on to.

4. Right-click and select "Properties".

Note: You may also double-click on the “Forwarders” item in the right pane.

Editing DNS Forwarders in Windows Server 2012 R2

5. On the Forwarders tab click “Edit”.

Note: If you already have existing forwarders, you can choose to edit these as well.


6. In the selected forwarder IP address list, type the IP address of a forwarder, and then press Enter.

Note: You do not need to enter the FQDN of the host, unless you want to. If name resolution traffic is not blocked the name will automatically be resolved.

Note: In this example I’ve used Google’s DNS servers. In most cases you’d want to use your own ISP’s DNS servers. However, in some cases you may want to add internal DNS servers as forwarders, depending on your routing topology.

8.8.8.8
8.8.4.4


In Windows Server 2012/R2, by default the DNS server waits 3 seconds for a response from one forwarder IP address before it tries to query the next forwarder’s IP address. This is configurable, if needed.

7. Repeat with additional forwarders, if needed.


8. When done, click “Ok” twice.


Note: In some cases you may want to configure your DNS server to only use forwarders and, if they fail to respond, not attempt any further recursion. To do so, un-select "Use root hints if no forwarders are available".

If you want to remove one or more forwarders in the future, repeat these steps and simply delete the entry.

To configure a DNS server to use forwarders using the Command Prompt:

1. Open the Command Prompt window with elevated permissions (Run as Administrator).

Configure a DNS server to use forwarders using the Command Prompt

2. If you want to add the same DNS forwarders used in my previous example, in the Command Prompt window type the following command:

dnscmd <DNS_server_name_or_IP> /ResetForwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave

Using DNSCMD to configure a DNS server

Some Final Notes:

  • Separate the DNS IP addresses by a space.
  • You cannot add entries one at a time: /ResetForwarders replaces the list, so all forwarders must be given in one command. You can still add to or change the existing entries from DNS Manager.
  • The /timeout switch specifies the amount of time that your DNS server waits for the forwarder to respond.
  • The /slave switch indicates that the DNS server will not attempt to perform its own iterative queries if the forwarder fails to resolve the query.
  • The /noslave switch means that the DNS server will use its root hints file if no forwarders are available to resolve the query.

Configure a DNS Server on Windows Server 2012 or 2012 R2 to use OpenDNS

First, make sure that your clients are pointing to your Windows DNS server. I know this sounds pretty obvious, but you’d be surprised how many people miss this step. If you’re in an Active Directory (AD) environment, your clients really need to be pointing to DNS that is running on your Domain Controller (DC). If you only have one Domain Controller (DC), that’s the IP address you want to use; if you have more than one, use both. (Just don’t forget to make this change on all of your DNS servers!).

On your Windows Server 2012/2012 R2 server, bring up the Start Menu and click on Administrative Tools.

When the Administrative Tools open, double-click the DNS console icon.

This will open the DNS Manager. In the DNS Manager, double-click on Forwarders.

You should be taken to the Forwarders tab in the server’s Properties. Click the Edit… button.

This will open the Edit Forwarders dialog. Type in the IP addresses for OpenDNS: 208.67.222.222 and 208.67.220.220.

It should look something like this when you’re done. Click OK to close the dialog box.

After clicking OK, you’ll be taken back to the DNS server’s Properties. It should look something like the screenshot below.


By default, "Use root hints if no forwarders are available" will be checked. This option is a double-edged sword: if you leave it checked, your DNS server may consult the root hints servers to resolve a name and so bypass OpenDNS; if you uncheck it and the forwarders stop responding, clients will get DNS timeouts.

So, which option do you choose? It really depends on how you're using OpenDNS. If you're using OpenDNS as a filter in a situation where the filter always has to work, like a school or church, uncheck the box. If it is more important that clients always get timely DNS responses, check the box.

When you’re done, click OK.

Now that you've updated your forwarders, you'll need to clear the DNS cache. Click the View menu and then Advanced. This will let you see the Cached Lookups section in the DNS console.

Right-click on Cached Lookups in the DNS Manager and choose Clear Cache.


You’re done! Remember, if you have more than one Windows Server 2012/2012 R2 DNS server, you’ll need to perform this change on each one. You’ll also need to run an ipconfig.exe /flushdns on your clients if you want this to start using OpenDNS immediately. Otherwise, you can wait and they’ll move over on their own as items in the DNS cache expire.