 From:  "Michael Mee" <mm2001 at pobox dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: suggested config for dumb wireless bridge?
 Date:  Wed, 4 Feb 2004 18:45:51 -0800
> I'd like to set up two computers running m0n0wall connected via ethernet.
> One ('relay') will pick up a wireless signal (BSS mode) from a distant AP,
> while the 2nd ('AP') will be an AP. I.e., together they will extend the
> range of an existing wireless network.

I'm a bit further along with this - and learning lots about networking and
m0n0wall configurations as I go!  In case someone else can benefit, I've put
together the steps. Feel free to copy for use elsewhere.

For those who understand this stuff, I configured one m0n0wall so the WAN
port is the wireless link back to the remote base station. On the eth0 side
it provides a new subnet and dhcp services on that net, with Advanced NAT
set to do pass-through of IPs (i.e. no NAT). The 2nd radio is the AP and
simply bridges from LAN to OPT1 (wireless) and leaves the WAN unused. I
welcome any comments on this design!

Below is the step by step config (prettier version at

thanks! michael

In our standard Access Point, m0n0wall will run on each of two radios. The
basic configuration we're trying to achieve is: separate subnet, local dhcp.
Through trial and error it seems the best way to assign these roles in
m0n0wall is as follows:

Radio 1 - Relay
One radio provides the relay back to 'home base'. This radio also provides
DHCP services and routing. We use the WAN port to communicate to the "Home
AP" and LAN is hardwired to the local AP radio. Here are the configuration
Start with a default configuration of m0n0wall. This has an IP of and has DHCP enabled. Hook up a standalone computer set to DHCP
to the first LAN port (for Soekris anyway). Connect to m0n0wall via a
browser as usual.
Click on Interfaces (assign). For WAN, choose wi0, Save.
Click on Interfaces -> WAN. Change Type to static. In Static IP
Configuration set the IP to an unused IP in the Home AP's range (e.g. Set the mask to match the destination network (e.g. 24), not
31. Likewise set the Gateway (e.g.
Under Wireless Configuration, set Mode to BSS, SSID to the Home AP's SSID
(e.g. socalfreenet.org).
Uncheck "Block private networks" at the bottom of that page. Click Save.
In Interfaces -> LAN, change the IP to reflect the local subnet desired.
E.g. Common practice is to end it in 1. Make sure the mask is set
appropriately (e.g. 24) as it may change automagically. Click Save.
In Services -> DHCP, update the allocated range to match your LAN IP (e.g. - Click Save.
Go to Diagnostics -> Reboot System. Answer Yes and wait. With luck your
computer will get a new IP in the LAN range.
Log back in via the new LAN IP address you set above (e.g.
Go to System->General Setup. Enter the DNS server addresses. Set the
timezone. Click Save.
In Firewall -> NAT, click on Outbound and then "Enable advanced outbound
Click on the '+' (plus) symbol. For internal subnet, enter the LAN subnet
(e.g. For External subnet, set Type to Network and address to
your WAN net (e.g. / 24). Enter a description (e.g. map
Check the Enable advanced outbound NAT box. Click Save. (This will
effectively disable NAT so the addresses are passed through). Click Apply
Changes if prompted.
At this stage your LAN computer should be able to ping the gateway computer
beyond the WAN port (e.g. It may even be able to ping external links
(e.g. www.yahoo.com). A couple of issues may stop this from happening. My
gateway to the internet box (at is also running m0n0wall and I had
to make two changes to its config before Radio 1 traffic could get to the
I needed to add a static route so traffic could be sent back to the
subnet. Using the values above, I did this in: System->Static Route click
'+' to add new route, then enter OPT1 (wireless) for Interface,
for destination network and for gateway (i.e. the WAN address of
the wireless radio).
I had to expand the subnet from to (i.e. I'm not sure exactly why this was necessary. At first it was
because of a default rule blocking non-LAN IPs internally (i.e. block
!10.0.0/24), but that later went away (perhaps because of the static rule
above). Perhaps it was because without a wider net, no NAT was performed for
the subnet. Anyhow, expanding the subnet mask made everything work.

Radio 2 - Access Point

The AP radio is configured as a bridge. I.e. virtually none of the m0n0wall
features are used.
Step by step configuration to follow.
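
An added example, not part of the original post: a Python check of the two upstream-gateway changes described above (the static return route and the widened subnet mask), showing what each one changes for un-NATed traffic arriving from the relay's LAN. All addresses are constructed for illustration and `return_path_report` is a hypothetical helper, not a m0n0wall function.

```python
import ipaddress as ip

# Constructed sample values (assumptions, not taken from the post).
GW_BEFORE = "10.0.0.0/24"    # gateway LAN net with the original mask
GW_AFTER = "10.0.0.0/23"     # gateway LAN net after widening the mask
RELAY_LAN = "10.0.1.0/24"    # new subnet behind Radio 1, passed through without NAT
ROUTES = [("10.0.1.0/24", "10.0.0.50")]  # static route via Radio 1's WAN address


def return_path_report(gw_lan, routes, relay_lan):
    """Report how an upstream gateway sees traffic sourced from relay_lan.

    gw_lan    -- the gateway's interface network (CIDR string)
    routes    -- list of (destination CIDR, next hop) static routes
    relay_lan -- subnet whose addresses reach the gateway un-NATed
    """
    gw_net = ip.ip_network(gw_lan)
    src = ip.ip_network(relay_lan)
    # Longest-prefix match among static routes that cover the relay subnet.
    matches = [(ip.ip_network(dest), hop) for dest, hop in routes
               if src.subnet_of(ip.ip_network(dest))]
    best = max(matches, key=lambda m: m[0].prefixlen, default=None)
    return {
        # True when rules keyed on the interface's own subnet (the default
        # pass rule, automatic outbound NAT) also match the relay's clients.
        "in_gateway_lan_net": src.subnet_of(gw_net),
        # Where replies are sent; None means no return path is configured.
        "return_next_hop": best[1] if best else None,
        # The next hop must itself sit on the gateway's interface network.
        "next_hop_reachable": bool(best) and ip.ip_address(best[1]) in gw_net,
        # Every address in this range is now treated as "LAN" by such rules.
        "lan_net_size": gw_net.num_addresses,
    }


if __name__ == "__main__":
    for label, net, routes in [("default", GW_BEFORE, []),
                               ("static route", GW_BEFORE, ROUTES),
                               ("route + wider mask", GW_AFTER, ROUTES)]:
        print(label, return_path_report(net, routes, RELAY_LAN))
```

Widening the mask doubles the range that subnet-keyed rules accept, so an explicit pass rule and outbound NAT entry for just the relay subnet is the narrower alternative to check for.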