 From:  "Dmitry Kononov" <ddk at krasn dot ru>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  monowall patches
 Date:  Mon, 19 Mar 2007 15:12:45 +0700
Hi!

I use monowall as a router for my home network.
It is a very helpful tool. Thanks a lot!
But I found 3 issues missing in monowall.

The first is DHCP + PPTP.
Our ISP uses PPTP to connect to the Internet.
But in the base (ethernet) network the address is received via DHCP
('Local IP address' in the PPTP configuration tab).
After that the PPTP connection can be made.
I did not find any workaround for it, so I spent some time writing a patch.
'Local IP address' is left blank and received dynamically.
It is under testing now. Seems to be working.
While searching for info I found many users wanting this feature.
It is easy to adapt this patch to handle PPPoE mode, but I have no PPPoE 
server in the neighbourhood to test.

The second issue is accessing the base ethernet network when a PPTP or PPPoE 
connection is established.
Our ISP has a lot of resources placed in the local network (not through the PPTP 
connection).
Setting WAN to PPTP leads to inaccessibility of these resources, because all the 
traffic goes via ng0 and the ethernet interface is blocked.
I have made another patch that adds appropriate ipfilter rules for the ethernet 
WAN interface.
Also, automatic NAT rules are generated for the ethernet interface based on 
network address (standard 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8).
This patch works fine but I want to add a checkbox to disable this feature 
(default monowall behavior).
It should be admitted that this feature can be very helpful for many users, 
at least in the Russian Internet.

And the third issue is connected with the previous one.
I realize that automatic network detection for NAT may not work fine under 
some circumstances.
For example, networks could have different masks than listed above.
In this case NAT should be specified manually by setting rules and marking the 
'advanced outbound NAT' checkbox.
But for all the NAT rules only the WAN interface is available.
For PPTP mode it is ng0, and there is no opportunity to assign the ethernet interface.
I think a patch should be written allowing users to choose the desired interface 
when a tunnel is created (WAN ng0, WAN em0).
I have the skills and the will to do it.
BUT!
According to this fix the firewall should be fixed in the same manner to keep 
consistency.
It is additional work and should be coordinated with the main developers (hi, 
Manuel :)).

Finally, I made these two patches for the 1.23 version.
I know this branch is closed, but the described features are required by many 
people using 1.2x as a stable solution.
1.3 is still beta. AFAIK there are still problems.
Today I've received a letter from Manuel about the new concept. This is great!
I do not know German but browsing the pictures I was excited about the new ideas.
This new monowall generation will be excellent but it will take some time to 
release a stable version.

I want to suggest releasing a 1.24 version with the following features:
1) DHCP + PPTP (already done, needs testing)
2) DHCP + PPPoE (can be ported easily but needs testing)
3) additional NAT and firewall WAN interface features described above 
(partially done)

I am ready to spend my time to release these features.

Current patches can be obtained here (they apply to rootfs):
ftp://icm.krasn.ru/pub/stuff/ddk/patch-dhcp_pptp-1.23.patch
ftp://icm.krasn.ru/pub/stuff/ddk/patch-wan-1.23.patch

What do you think?


WBR,
Dmitry Kononov
Russia