 
 From:  Scott Myers <scott at paperstreettech dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Creating Secondary Interface Firewall rules
 Date:  Tue, 17 Oct 2006 12:22:48 -0400
Chris,

Thanks for taking the time to assist me with this small, probably PEBKAC-based 
error. Below is my config.xml. I have edited out any security-risk-related 
fields, so as to make it "Google friendly".

My overall goal is to have the WIFI interface be on a separate subnet 
with firewall rules blocking any interaction between it and the LAN 
subnet (along with some basic subnet masking to ensure a client doesn't 
just try to change their IP address to the LAN subnet, 192.168.1.0).

I basically copied the default LAN firewall rule to the WIFI rule list, 
with the important areas (specifically where the interfaces are defined 
in the rule) set to WIFI instead of LAN.  I suspect the incoming rule 
needed to allow web servers, etc. to communicate back to the WIFI 
interface is missing (usually on the return web port, some random 
high-end port number). If so, does the m0n0wall just assume that LAN needs 
this rule, but doesn't list it in the config? If this is the case, could 
you give me a reasonable rule to allow the return packet data to cross 
the firewall to the WIFI interface?


Thank you again,

Scott

<?xml version="1.0"?>
<m0n0wall>
	<version>1.6</version>
	<lastchange>1160601938</lastchange>
	<system>
		<hostname>firewall</hostname>
		<domain>firewall.lan</domain>
		<username>admin</username>
		<password>password</password>
		<timezone>Etc/UTC</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>pool.ntp.org</timeservers>
		<webgui>
			<protocol>http</protocol>
			<port/>
		</webgui>
		<dnsserver>64.203.254.30</dnsserver>
		<dnsserver>64.203.254.31</dnsserver>
	</system>
	<interfaces>
		<lan>
			<if>sis0</if>
			<ipaddr>192.168.1.1</ipaddr>
			<subnet>24</subnet>
			<media/>
			<mediaopt/>
		</lan>
		<wan>
			<if>sis1</if>
			<mtu/>
			<media/>
			<mediaopt/>
			<spoofmac/>
			<ipaddr>pppoe</ipaddr>
		</wan>
		<opt1>
			<descr>WIFI</descr>
			<if>wi0</if>
			<wireless>
				<standard></standard>
				<mode>hostap</mode>
				<ssid>wifi</ssid>
				<stationname/>
				<channel>2</channel>
				<wep>
				</wep>
			</wireless>
			<ipaddr>192.168.2.1</ipaddr>
			<subnet>24</subnet>
			<bridge>lan</bridge>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe>
		<username>user</username>
		<password>password</password>
		<provider/>
		<timeout/>
	</pppoe>
	<pptp/>
	<bigpond/>
	<dyndns>
		<type>dyndns</type>
		<username/>
		<password/>
		<host/>
		<mx/>
		<server/>
		<port/>
	</dyndns>
	<dnsupdate/>
	<dhcpd>
		<lan>
			<enable/>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
		</lan>
		<opt1>
			<range>
				<from>192.168.2.100</from>
				<to>192.168.2.250</to>
			</range>
			<defaultleasetime/>
			<maxleasetime/>
			<enable/>
		</opt1>
	</dhcpd>
	<pptpd>
		<mode/>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<dnsmasq/>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat>
			<ipaddr/>
		</ipv6nat>
	</diag>
	<bridge/>
	<syslog/>
	<nat/>
	<filter>
		<rule>
			<type>pass</type>
			<interface>opt1</interface>
			<source>
				<network>opt1</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>Default Wifi --&gt; ANY</descr>
		</rule>
		<rule>
			<type>block</type>
			<interface>opt1</interface>
			<source>
				<network>opt1</network>
			</source>
			<destination>
				<network>lan</network>
			</destination>
			<disabled/>
			<descr>Block WIFI traffic from LAN Subnet</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>Default LAN -&gt; any</descr>
		</rule>
	</filter>
	<shaper/>
	<ipsec/>
	<aliases/>
	<proxyarp/>
	<wol/>
</m0n0wall>



On 10/12/06, Scott Myers <scott at paperstreettech dot com> wrote:
> Sorry, I know this seems trivial but I have setup a  secondary interface
> on a m0n0wall box, and having little success in creating the proper
> firewall rules.
> I have duplicated (almost except the two fields where I switched LAN
> with OPT1) the default rule for the LAN interface, as well as tried to
> simply bridge the connections. No matter what I try, the OPT1 interface
> acts up, and the firewall log show numerous blocked packets, but only
> when using the OPT1 interface.
>
> What am I missing?
>

Sufficient detail to be able to tell you what the problem is.  ;)

Easiest thing would be to post the entire interfaces and rules parts
of your config.xml.  Or if you don't want them forever archived by
Google, you can email it to me offlist.

-Chris
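Added example, not part of the thread or of m0n0wall itself: a small Python lint over the posted `<filter>` section that shows why the opt1 block rule in the config above can never fire. m0n0wall evaluates rules top-down with first match winning, so the "Block WIFI traffic from LAN Subnet" rule has to be enabled and placed above the "Default Wifi --> ANY" rule; the embedded sample config is constructed to mirror those two opt1 rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two opt1 rules posted above.
SAMPLE_CONFIG = """<m0n0wall><filter>
  <rule><type>pass</type><interface>opt1</interface>
    <source><network>opt1</network></source><destination><any/></destination>
    <descr>Default Wifi --&gt; ANY</descr></rule>
  <rule><type>block</type><interface>opt1</interface>
    <source><network>opt1</network></source><destination><network>lan</network></destination>
    <disabled/><descr>Block WIFI traffic from LAN Subnet</descr></rule>
</filter></m0n0wall>"""

def endpoint(el):
    """'any' or the named network of a <source>/<destination> element."""
    if el is None or el.find("any") is not None:
        return "any"
    net = el.find("network")
    return net.text if net is not None else "any"

def parse_rules(xml_text):
    """Read <filter><rule> entries in document order (the order m0n0wall applies them)."""
    return [{
        "type": r.findtext("type"), "interface": r.findtext("interface"),
        "src": endpoint(r.find("source")), "dst": endpoint(r.find("destination")),
        "disabled": r.find("disabled") is not None, "descr": r.findtext("descr", ""),
    } for r in ET.fromstring(xml_text).findall("./filter/rule")]

def covers(rule, iface, src, dst):
    """True if an enabled rule on iface matches a packet from src network to dst network."""
    return (not rule["disabled"] and rule["interface"] == iface
            and rule["src"] in ("any", src) and rule["dst"] in ("any", dst))

def first_match(rules, iface, src, dst):
    """Top-down evaluation, first match wins; no match means the implicit default deny."""
    for r in rules:
        if covers(r, iface, src, dst):
            return r["type"], r["descr"]
    return "block", "implicit default deny"

def lint(rules):
    """Flag block rules that are disabled or shadowed by an earlier, broader pass rule."""
    findings = []
    for i, r in enumerate(rules):
        if r["type"] != "block":
            continue
        if r["disabled"]:
            findings.append(f"disabled: {r['descr']}")
        for earlier in rules[:i]:
            if earlier["type"] == "pass" and covers(earlier, r["interface"], r["src"], r["dst"]):
                findings.append(f"shadowed by '{earlier['descr']}': {r['descr']}")
    return findings
```

The lint only looks at the `<filter>` section; it does not catch that the posted opt1 interface also still carries `<bridge>lan</bridge>` while being given its own 192.168.2.0/24 subnet, which is worth checking separately.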