 From:  David Carlin <djc6 at eecs dot cwru dot edu>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Migrating from OpenBSD to m0n0wall
 Date:  Fri, 20 Oct 2006 11:19:40 -0400
Hello,

I'm currently using an OpenBSD bootable CD firewall solution:

http://www.jtan.com/jtanoss/cdboot/

but I am interested in trying out m0n0wall.  I've installed a system  
with m0n0wall, but I'm confused about how a few things work.  This is  
my current setup:

We have a small Cisco router managed by the local telephone company  
for our T1 connection.  The OpenBSD machine has two 3c905B NICs in  
it.  One NIC uses a crossover cable to uplink to FastEthernet0/1 on  
the Cisco Router (apparently the 3c905B isn't auto sensing) and the  
other NIC has a cable run to the uplink on our unmanaged switch.  On  
the OpenBSD firewall, I simply bridged the devices, and set up dhcpd  
to pass out IPs from the block of IPs assigned by our ISP.  I then  
configured pf to block everything by default and opened up just the  
services we need.  So far, everything is working fine - but I'd like  
to use m0n0wall so others who aren't comfortable with a command line  
have a chance of making configuration changes.

So, I looked into bridging in m0n0wall, but I'm confused about the  
interfaces.  I enabled the filtering bridge, but why do I need to  
assign an IP to the WAN interface?  I set the LAN Interface to be  
x.x.x.2/25 (1 is the Cisco router) and used the /25 CIDR notation  
since we have a partial class C block of IPs with a subnet mask of  
255.255.255.128. As soon as I do this (and reboot the machine) I  
can't connect to the m0n0wall web interface for some reason.  On my  
current OpenBSD solution, neither NIC needs to be configured with an  
IP address, since the bridge operates at Layer 2.  I did configure  
one NIC with an IP however for remote administration.

I'm also confused about having the m0n0wall DHCP server pass out IPs  
from our partial class C IP block (I don't want to NAT anything). I  
turned on "advanced outbound NAT", but none of the machines were  
getting IP addresses - but I suspect it was because of the  
configuration problems above.

Anyone have any insight about how I should configure the interfaces  
so they are bridged properly?

Thanks!
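The post hands out public addresses from a /25 block (mask 255.255.255.128, router at .1, firewall at .2) without NAT, so a DHCP pool that overlaps those fixed addresses or spills past the block boundary is an easy misconfiguration. The following planner and checker is an added example written for this page, not code from the poster or from m0n0wall; 192.0.2.0/25 is a constructed placeholder for the poster's x.x.x.0/25 block.

```python
"""Plan and sanity-check a DHCP pool carved out of a public block."""
import ipaddress


def plan_pool(block, reserved):
    """Return the largest contiguous pool above the reserved addresses.

    block: the ISP block in CIDR form, e.g. "192.0.2.0/25" (constructed).
    reserved: statically assigned hosts (router, firewall) inside the block.
    """
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set
    fixed = sorted(ipaddress.ip_address(a) for a in reserved)
    for addr in fixed:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    start = fixed[-1] + 1 if fixed else hosts[0]
    end = hosts[-1]
    return {
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "pool_start": str(start),
        "pool_end": str(end),
        "size": int(end) - int(start) + 1,
    }


def pool_problems(block, reserved, start, end):
    """List why a proposed pool [start, end] is unsafe for this block."""
    net = ipaddress.ip_network(block, strict=True)
    fixed = {ipaddress.ip_address(a) for a in reserved}
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if lo > hi:
        problems.append(f"start {lo} is above end {hi}")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside block {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network/broadcast address")
    # Any reserved host inside the pool would be leased twice.
    for addr in sorted(fixed):
        if lo <= addr <= hi:
            problems.append(f"reserved address {addr} falls inside the pool")
    return problems


if __name__ == "__main__":
    print(plan_pool("192.0.2.0/25", ["192.0.2.1", "192.0.2.2"]))
    print(pool_problems("192.0.2.0/25", ["192.0.2.1", "192.0.2.2"],
                        "192.0.2.2", "192.0.2.130"))
```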