Gentoo Wiki


This article is part of the Hardware series.
Laptops TV Tuner Cards Wireless Servers Storage Other Hardware Motherboards Related



The EPIA PD is a Mini-ITX format motherboard with VIA Nehemiah CPU, 2 ethernet ports and Padlock hardware encryption and security suite. The fanless PD6000E has an Eden processor clocked at 600 Mz and the PD10000 a C3 at 1 GHz. Newer kernels (i used 2.6.11-r5) have support for Padlock included.


Basic Gentoo Installation

The installation is a normal gentoo installation, but with additional kernel options specifically for the Epia PD.
I recommend installing gentoo according to the official installation handbook, and not worry about the kernel until you have a running system. It's quite handy to have a working kernel you can use if you mess up the configuration of a PD-specific option.
The PD6000E has a Samuel 2 core and should not base on stages containing i686 instructions, as stated in the Gentoo Safe Cflags Safe Cflags for Eden C3/Ezra (Via EPIA) page. Safe flags are:

File: /etc/make.conf
CFLAGS="-march=i586 -m3dnow -Os -pipe -fomit-frame-pointer"

PD-Specific Kernel Config Options

I compiled the kernel with the following config file.

This works fine. The only thing I didn't manage to do is to have a better console screen resolution. I tried some vga=..., but it didn't work.

EDIT(19.02. 2006):

Linux Kernel Configuration: Framebuffer
Device Drivers ---> 
  Graphics Support ---> 
    <*> VESA VGA graphics support ---> 
          VESA driver type () ---> 
            (X) vesafb

Alternativ Kernel Configuration

Linux Kernel Configuration: Full Epia PD configuration
 Processor type and features  --->
   Processor family (CyrixIII/VIA-C3)  --->
 Device Drivers  --->
   ATA/ATAPI/MFM/RLL support  --->
     <*>         VIA82CXXX chipset support
   Network device support  ---> 
     <*> VIA Rhine support


for lilo: edit /etc/lilo.conf to read something like this:

File: /etc/lilo.conf


tested for the 2.6.15 kernel

Administrative tools

Additionally, one can emerge other administrative tools such as at, screen, ddclient, proftpd, apache, ntp, ...


The 2 ethernet ports makes the EPIA PD an excellent candidate for working as a router. The Gentoo documentation site provides a well written article on this topic: Home Router Guide.

As described in this article, we shall use eth1, the connector on the left side, connected to the internet Wide Area Network (WAN) and eth0, on the right side, connected to the Local Area Network (LAN).

Network interfaces

Configuring the network interfaces is done by editing /etc/conf.d/net. (See also Gentoo Handbook: Networking Information.)

File: /etc/conf.d/net
 config_eth0=( " netmask broadcast" )
 config_eth1=( "dhcp" )


 config_eth1=( " netmask broadcast" )
 routes_eth1=( "default gw" )

Then, the network interfaces have to be started and added at system boot.

# /etc/init.d/net.eth0 start
# rc-update add net.eth0 default
# ln -s net.lo /etc/init.d/net.eth1
# /etc/init.d/net.eth1 start
# rc-update add net.eth1 default

If you want to test this base configuration, connect eth1 to an ethernet hub or switch and ping an internet server. Connect a computer with an ethernet crossover cable to the EPIA PD router on port eth0. Give that computer a fixed ethernet address. You should be able to ping the router from the computer.


The router will have to provide Dynamic Host Configuration Protocol (DHCP) to clients sitting behind the router (See also Dynamic Host Configuration Protocol at Wikipedia).

# emerge dnsmasq
# nano /etc/dnsmasq.conf
# rc-update add dnsmasq default
# /etc/init.d/dnsmasq start

Click here for a dnsmask.conf example.

Again, you can test this configuration with a computer connected with an ethernet crossover cable to the EPIA PD router on port eth0. Configure that computer to use DHCP. Restart its network and check if it has been assigned an IP configuration. At this point, you are still capable of pinging the router, but you cannot go any futher to the web.

Router services

As a first thing, your router directly connects to the internet. You shall first have to decide which services are allowed and wich are blocked if you want to remain the sole and only manager of your router...

Basic configuration

Create /etc/ with 700 permissions:

File: /etc/
# Flush current rules
iptables -F
iptables -t nat -F

# Default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

# Define ports

# Limit services to the LAN only
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

# Allow selected access from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop packets to priviledged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Source NAT
iptables -I FORWARD -i ${LAN} -d -j DROP
iptables -A FORWARD -i ${LAN} -s -j ACCEPT
iptables -A FORWARD -i ${WAN} -d -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Allow IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Run the script:

# /etc/

There you are. You should be able to ping any machine on the internet from behind the router. Start a web browser: again, you should have access to the world.

From the outside, you are only able to start an ssh session on the router.

Get a list of possible services:

# cat /etc/services

Save your configuration:

# /etc/init.d/iptables save
# /etc/init.d/iptables start
# rc-update add iptables default

If you modify /etc/ (see further points), I think you should best:

# /etc/init.d/iptables stop
# /etc/
        (test the configuration)
# /etc/init.d/iptables save
# /etc/init.d/iptables start

FTP to the router

To allow an active FTP access from the WAN side to the router, add the following lines to /etc/

File: /etc/
iptables -A INPUT -p TCP --sport 1024:65535 --dport ftp -i ${WAN} -j ACCEPT
iptables -A OUTPUT -p TCP --sport ftp --dport 1024:65535 -o ${WAN} -j ACCEPT
iptables -A OUTPUT -p TCP --sport ftp-data --dport 1024:65535 -o ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --sport 1024:65535 --dport ftp-data -i ${WAN} -j ACCEPT

The explanation is given in Active FTP vs. Passive FTP, a Definitive Explanation.

To allow a more precise control, with connection tracking, complete the preceeding lines as follows:

File: /etc/
iptables -A INPUT -p TCP --sport 1024:65535 --dport ftp -i ${WAN} -m state \
                                                       --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP --sport ftp --dport 1024:65535 -o ${WAN} -m state \
                                                           --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP --sport ftp-data --dport 1024:65535 -o ${WAN} -m state \
                                                       --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --sport 1024:65535 --dport ftp-data -i ${WAN} -m state \
                                                           --state ESTABLISHED -j ACCEPT

The two last lines allow active FTP data transmission. Passive FTP data transmission is already allowed by the preceeding base iptables setup, as it only uses ports higher than 1024.

HTTP to the router

To allow an HTTP access from the WAN side to the router, add the following lines to /etc/

File: /etc/
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport https -i ${WAN} -j ACCEPT

/etc/services also describes UDP accesses to these ports, but I don't think they are relevant.


For a LAN with a single internet connexion, Network Address Translation (NAT) enables the LAN machines to share a same internet connexion.

When they try to get a service (web pages, e-mail, ...) from the internet, their private address is replaced by the shared address. If a machine on the internet inquires the shared address for a service, the NAT redirects it to one of the LAN machines based on a service list.

HTTP to a machine behind the router

To allow an HTTP access from the WAN side to the machine sitting behind the router, add the following lines to /etc/

File: /etc/
iptables -t nat -A PREROUTING -p TCP --dport http -i ${WAN} -j DNAT --to

Making an HTTP access to your router will no longer return you the router's web pages but the web pages instead. If you want to access both machines, you can set to listen on a different port:

# nano -w /etc/apache2/conf/apache2.conf
        add <listen 8080> after the line <listen 80>
# apache2ctl restart

Now, change /etc/

File: /etc/
iptables -t nat -A PREROUTING -p TCP --dport 8080 -i ${WAN} -j DNAT --to

With this, making an HTTP access to <your_router> will return you the router's web pages and an access to <your_router>:8080 will return's web pages.

Alternatively, you can keep's HTTP server listening on port 80 only. Change /etc/

File: /etc/
iptables -t nat -A PREROUTING -p TCP --dport 8080 -i ${WAN} -j DNAT --to

With this, making an HTTP access to <your_router> will return you the router's web pages and an access to <your_router>:8080 will return's web pages (served on port 80).


The Domain Name System (DNS) is used mostly to translate machine names into IP addresses.

DNS forwarding

If you have followed this guide, you have already installed dnsmasq for DHCP. This service also provides DNS forwarding: you can ask your router for IP addresses outside your network, and the router will in turn ask the name servers defined in its /etc/resolv.conf.

On the machines behind the router, edit /etc/resolv.conf:

File: /etc/resolv.conf
domain mynet

Then try

anyMachine$ ping

With this, you only have to configure (and update) the name servers in the router's /etc/resolv.conf.

Local hosts definition

You can also manage all the machine names of your local network from the router.

On the router, edit /etc/hosts:

File: /etc/hosts
# /etc/hosts:  This file describes a number of hostname-to-address
#              ...       localhost     router.nynet       router    machine1.mynet     machine1    machine2.mynet     machine2
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

With the Gentoo install, dnsmasq polls /etc/hosts, but I don't know at what rate. So let's restart the service:

router# /etc/init.d/dnsmasq restart

And test it:

machine1$ ping machine2

Works? Should!


NTP (Network Time Protocol) is used to synchronize the machine's time with an online server. As we are mounting a router, we can synchronize it to a time server and use it as a time server to synchronize the machines behind the router.

The complete setup is well explained in Gentoo howto NTP. Gentoo emerge does a fine job installing the files and I here describe the limited things I had to do to have NTP running on the EPIA-PD router.

Synchronizing to a server

Install NTP:

# emerge ntp

Edit /etc/conf.d/ntp-client to specify the servers:

File: /etc/conf.d/ntp-client
NTPCLIENT_OPTS="-bu firstserver secondserver thirdserver"

Start the NTP client and, if it works, add it to the startup list.

# /etc/init.d/ntp-client start
# rc-update add ntp-client default

For better clock accuracy at startup time, Edit /etc/conf.d/clock :

File: /etc/conf.d/clock

Serving the time to machines behind the router

Start the server:

# /etc/init.d/ntpd start

With a pace of minutes, test the stratum until is gets below 16:

# ntpq -c rv | grep stratum

Test the service from another machine:

anotherMachine# ntpdate

If everything works, add the time server to the default runlevel:

# rc-update add ntpd default


So you just installed an EPIA PD to serve as a router. With a big disk for it to act as a file server. Well, for the same price you have a CD collection player.

The above config options already configure the kernel with the Advanced Linux Sound Architecture (ALSA) drivers as modules.

Add the following line to your /etc/make.conf:

File: /etc/make.conf

And install ALSA following the Gentoo guide.

Here the /etc/modprobe.d/alsa for the EPIA PD:

File: /etc/modprobe.d/alsa
# Alsa 0.9.X kernel modules' configuration file.

# ALSA portion
alias char-major-116 snd
alias snd-card-0 snd-via82xx
options snd-via82xx dxs_support=3

# OSS/Free portion
alias char-major-14 soundcore
alias sound-slot-0 snd-card-0

# OSS/Free portion - card #1
alias sound-service-0-0 snd-mixer-oss
alias sound-service-0-1 snd-seq-oss
alias sound-service-0-3 snd-pcm-oss
alias sound-service-0-8 snd-seq-oss
alias sound-service-0-12 snd-pcm-oss

alias /dev/mixer snd-mixer-oss
alias /dev/dsp snd-pcm-oss
alias /dev/midi snd-seq-oss

# Set this to the correct number of cards.
options snd cards_limit=1

Afterwards run update-modules.


You prefer to manage your router using a desktop interface? Follow the Gentoo guides.

Xorg X11

Here my xorg.conf.


KDE is best installed as split packages. Here some packages to install, in order of importance.

# emerge kdebase-startkde kicker kmenuedit kcontrol
# emerge kate knetattach konqueror konsole
# emerge tightvnc mozilla-firefox kbear acroread

Last modified: Thu, 28 Aug 2008 22:13:00 +0000 Hits: 15,874