 From:  Matchstick <matchstick at oofg dot com>
 To:  Scott Wendrick <scooter at uplogon dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Transparent with firewall
 Date:  Thu, 21 Oct 2004 16:56:54 +0100
Thursday, October 21, 2004, 3:08:59 PM, Scott Wendrick (scooter at uplogon dot com) wrote:

It sounds like you might be looking to run M0n0wall in filtered bridge
mode.

Basically how I've set up my M0n0 to do this is: (absolutely no
guarantee I've done it correctly, but it does seem to have been working
fine for around a year now)

1) set up the Hardware with 3 NICs, and assign them as LAN, WAN and
OPT1 in the initial set-up console and assign the LAN interface a
private IP address and CIDR range (eg 10.0.0.1 /24)

And give any PCs you want to be able to admin the M0n0wall box an IP
address in the same range.

(In this scenario the LAN interface is purely used for controlling the
M0n0wall box, but you can also use it to provide NAT in conjunction
with the filtered bridge by assigning a PC an IP address in the same
private range as the LAN interface and setting the default gateway for
the client to the m0n0wall LAN interface. Which when combined with the
DHCP server is very useful when temporarily adding PCs to the network
without having to assign them a "real" IP address. Though Firewall
rules will need to be set up on the LAN interface to allow this
traffic).

2) In the GUI WAN Interface screen I've set the type as Static, and in the
Static IP configuration set the IP Address to the external IP
address I want the router to use and the CIDR block assigned and the
Gateway to the address of my ADSL modem (or whatever is being used
instead).

3) In the OPT1 Interface screen I've ensured that the interface is
active and set the Bridge With option to WAN. This sets up the bridge
so traffic should now be able to travel over it but the firewall
rules don't filter the traffic yet.

4) Next up I've gone into System/Advanced screen and set Enable Filtered
Bridging on. This enables the firewall rules on the bridged traffic.

5) Finally I went in and set up the firewall rules I needed. By
default there is a DENY ALL rule in both directions so initially
nothing will be allowed through until you explicitly create some
rules.

I'm not sure if it's strictly necessary but I create incoming (source
internet, destination local network) firewall rules on the WAN
interface and outgoing firewall (source local network, destination
internet) rules on the OPT1 interface.

That might not be strictly necessary but it certainly does make the
rules easier to read.

Hopefully that should be enough to get you started.

(If you want I can provide a copy of my basic config file if that'll be
any help)

Paul Browning

-- 
Matchstick
matchstick at oofg dot com

SW> Is there a way the M0n0wall can be setup as a transparent firewall with
SW> real ip addresses on both sides of the interfaces (NO NAT).  I am very new
SW> to the project and hopefully you guys/girls can point me in the right
SW> direction.

SW> Thanks

SW> Scott


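The point of steps 4 and 5 above is that once filtered bridging is on, each interface starts from an implicit deny-all and only first-match rules you write let traffic through; Paul's convention is inbound rules on WAN and outbound rules on OPT1. The following is an added toy model of that evaluation, not m0n0wall's code nor anything from this thread: the interface names, the local network 192.0.2.0/24, the hosts and the rules are all constructed for illustration, and the model is stateless (m0n0wall's real filter keeps state for reply traffic).

```python
"""Toy model of first-match packet filtering on a WAN/OPT1 filtered bridge.

Added example, not m0n0wall code. Every interface has an implicit deny-all,
so a packet is only passed when an explicit rule on its arrival interface
matches first. All addresses, interfaces and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed: the "real" public block that sits behind the bridge (no NAT).
LOCAL_NET: IPv4Network = ip_network("192.0.2.0/24")
ANY: IPv4Network = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on: "wan" or "opt1"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the rule is attached to
    action: str           # "pass" or "block"
    proto: str = "any"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return (
            self.iface == pkt.iface
            and self.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule on the arrival interface wins; no match means block.

    The trailing 'block' is the implicit DENY ALL the post describes: until
    an explicit pass rule exists, nothing crosses the bridge.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Constructed rule set following the post's layout: inbound (internet -> local)
# rules live on WAN, outbound (local -> internet) rules live on OPT1.
RULES: List[Rule] = [
    Rule("wan", "pass", "tcp", dst=LOCAL_NET, dport=443,
         comment="inbound HTTPS to local hosts"),
    Rule("opt1", "pass", "any", src=LOCAL_NET,
         comment="local hosts may reach the internet"),
]


if __name__ == "__main__":
    samples = [
        Packet("wan", "tcp", "203.0.113.5", "192.0.2.10", 443),   # allowed inbound
        Packet("wan", "tcp", "203.0.113.5", "192.0.2.10", 22),    # no rule: blocked
        Packet("opt1", "udp", "192.0.2.10", "198.51.100.1", 53),  # allowed outbound
        Packet("opt1", "tcp", "10.0.0.5", "198.51.100.1", 80),    # spoofed src: blocked
    ]
    for pkt in samples:
        print(f"{pkt.iface:5} {pkt.proto:4} {pkt.src}->{pkt.dst}:{pkt.dport} => "
              f"{evaluate(RULES, pkt)}")
```

Running it shows the two consequences worth checking on a real box: an inbound packet with no matching WAN rule is dropped even though the bridge forwards at layer 2, and an outbound packet whose source is outside the local block is dropped by the OPT1 rule's source constraint, which is a cheap anti-spoofing check to keep in the outbound rules.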