 From:  "Bob Young" <bob at lavamail dot net>
 To:  <leesharp at hal dash pc dot org>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Remote access
 Date:  Mon, 27 Aug 2007 02:22:00 -0400
Hi Lee:


I had several follow-up questions if I may.  I put the >> marks next to what
you said earlier.  Hope I did it right.

I apologize for some of my elementary networking questions, as I'm still
learning much of this.


> I have also been trying to set up remote access on my M0n0wall, using
> Dyndns like you do.
> I have the client in my M0n0wall set up.  And I have my Dyndns account set
> up.
> The thing that held me back was I didn't know how to open up the firewall
> a relatively secure way, so I could remote in.


>>This is a judgment call.  I figure ssl with a strong password is enough.
>>Some do not.


When you say "ssl", I assume you mean https, since I read that https uses

I see I need to pick "https" in the System: General Setup page?

When you say "strong password", I assume you mean a complicated password for
logging into M0n0wall?


> I assume you set rules up only in the  Firewall: Rules: WAN  section?  I
> wasn't sure if I needed to set something up in the  Firewall: NAT: Inbound
> section.


>>NAT is to traverse the firewall.  Not to reach it.  No need.


That's nice to know I only have to set up rules in Firewall: Rules: WAN


> Is there a reason you used port 443 to remote in on?  I think I saw
> somewhere that port 443 is used to remote into sometimes.  But from what
> you are saying, I don't have to use port 443.  Does it matter which port I
> pick?  Any ports I should stay away from?  If I don't specify a particular
> port, won't it come in on port 80?  Is that bad?


>>Port 443 is the default https.  You can use any port you wish.  It is
>>configurable in the firewall.  Just remember what port you chose.


If I would have picked "http" on the System: General Setup page, then would
I be going through Port 80 by default?  

I understand https is better, since it encrypts the data that is sent.  So
if I choose "https" (which I probably will), I understand that I will have
to go to Firewall: Rules, to put in 443 as the port?


Since I'm using Dyndns, is this what I would type into my IE address window
to remote into my M0n0wall?:

https://username.dyndns.org ?  I understand this whole thing is called my
"host name".


Assuming I'm going to use https (port 443) to remote into my M0n0wall, I'll
try to give you what I think I might need to use. By the way my ISP hands
out dynamic IP addresses.  

First I would go to: Firewall: Rules .  Click on the WAN tab.  Click on the
"+" sign, to add a new rule.  Be sure to pick the "WAN" interface, and click
on "Pass".

      Protocol    Source      Port        Destination       Port
Pass  TCP         ????        Any         ????              443

(See the next few lines for a description.)

On the WAN interface, Pass:
"TCP" incoming Protocol, coming from ???? Source, using "any" Port,
???? Destination, on HTTPS (port 443).

I don't know what to use for Source and Destination.  

I'm thinking for destination I should use x.x.x.0/24 (with x.x.x being the
first three dynamic IP numbers of my ISP).  I assume the subnet mask is   Since it's dhcp,  my ISP didn't need to tell me.

I hope "443" for the destination port is correct.

Please let me know if I am wrong, or if there is a better way to do it.

> Assuming I am lucky enough to be able to remote into my M0n0wall, will I
> also be able to remote into my access point, which is connected to my
> M0n0wall?  And to the CPE, which is wirelessly connected to my AP?  Or
> Dyndns only allow me to remote into my M0n0wall, and nothing else on the
> side of my M0n0wall?


>>For this you can either use NAT, or VPN to reach the APs.  Since I
>>remotely monitor my APs I inbound NAT each one to an unusual port.
>>Strong passwords again.  When you set up your inbound NAT, make sure
>>you check "Auto add firewall rule" to finish it off.  I also have NAT
>>to my ssh ports.  However, I leave the firewall rule off until I need
>>it.  Too much port scanning for ssh.


From what you say, it looks like Dyndns only allows me to get into my
M0n0wall, and not to my AP or CPEs, which are connected to my AP, without
doing something that you called "inbound NAT".


From what you are saying, it looks like I should go to
Firewall: NAT: Inbound to set up the NAT rules that you speak of?


I think I will first try to remote into my M0n0wall, and after I get that
working, I will try to do this Inbound NAT you are talking about.



Thanks much Lee for your help, and also to anyone else that might want to
help me out.
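The setup discussed in this exchange (a WAN pass rule for HTTPS to the firewall's own address, inbound NAT to an access point on an unusual port with "Auto add firewall rule" checked, and an ssh NAT entry whose firewall rule stays disabled until it is needed), modelled as an added Python example. This is not m0n0wall's code and is not from either poster; it is a toy model of how a m0n0wall-style WAN interface handles inbound traffic (port forward first, then first-match pass rules, default deny). The addresses 203.0.113.27, 192.0.2.140, 198.51.100.77 and 192.168.1.2 and the ports 8443 and 2222 are made up for the example. The second function goes a step beyond the thread: it shows why the destination of the HTTPS rule is normally the firewall's own "WAN address" rather than a /24 guessed from the current lease, since a DHCP renewal into a different block silently breaks the /24 rule.

```python
"""Toy model of inbound handling on a m0n0wall-style WAN interface:
inbound NAT (port forward) first, then first-match pass rules, default deny.
Added example only; not m0n0wall's own code. All addresses are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WAN_ADDRESS = "wan"  # stands for the "WAN address" choice: whatever the lease is now


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    proto: str
    dst: str                  # WAN_ADDRESS, "any", or a CIDR / single IP
    dport: Optional[int]      # None = any port
    action: str = "pass"
    enabled: bool = True


@dataclass
class NatRule:
    ext_port: int             # port on the WAN address
    target: str               # LAN host, e.g. the access point
    target_port: int
    auto_rule: bool = True    # the "Auto add firewall rule" checkbox


@dataclass
class Firewall:
    wan_ip: str
    rules: List[Rule] = field(default_factory=list)
    nat: List[NatRule] = field(default_factory=list)

    def _dst_matches(self, rule_dst: str, addr: str) -> bool:
        if rule_dst == "any":
            return True
        if rule_dst == WAN_ADDRESS:
            return addr == self.wan_ip
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_dst, strict=False)

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, final 'ip:port' the packet would reach)."""
        dst, dport, nat_hit = pkt.dst, pkt.dport, None
        # 1. Inbound NAT rewrites the destination before the filter sees it.
        if pkt.proto == "tcp" and pkt.dst == self.wan_ip:
            for n in self.nat:
                if n.ext_port == pkt.dport:
                    dst, dport, nat_hit = n.target, n.target_port, n
                    break
        # 2. WAN rules, first match wins; an auto-added NAT rule counts too.
        candidates = list(self.rules)
        if nat_hit is not None and nat_hit.auto_rule:
            candidates.append(Rule("tcp", nat_hit.target, nat_hit.target_port))
        for r in candidates:
            if (r.enabled and r.proto == pkt.proto
                    and r.dport in (None, dport)
                    and self._dst_matches(r.dst, dst)):
                return (r.action, f"{dst}:{dport}")
        return ("block", f"{dst}:{dport}")  # default deny on WAN


def remote_access_demo() -> dict:
    """The setup from the thread, with made-up addresses."""
    ssh_rule = Rule("tcp", "192.168.1.2", 22, enabled=False)  # left off until needed
    fw = Firewall(
        wan_ip="203.0.113.27",
        rules=[Rule("tcp", WAN_ADDRESS, 443), ssh_rule],
        nat=[NatRule(8443, "192.168.1.2", 443, auto_rule=True),   # AP's web UI
             NatRule(2222, "192.168.1.2", 22, auto_rule=False)],  # AP's ssh
    )
    client = "198.51.100.77"
    out = {
        "https": fw.handle(Packet("tcp", client, fw.wan_ip, 443)),
        "http": fw.handle(Packet("tcp", client, fw.wan_ip, 80)),
        "ap_https": fw.handle(Packet("tcp", client, fw.wan_ip, 8443)),
        "ssh_rule_off": fw.handle(Packet("tcp", client, fw.wan_ip, 2222)),
    }
    ssh_rule.enabled = True  # switch the rule on only when you need it
    out["ssh_rule_on"] = fw.handle(Packet("tcp", client, fw.wan_ip, 2222))
    return out


def lease_change_demo() -> dict:
    """'WAN address' keeps working after a DHCP renewal; a guessed /24 does not."""
    out = {}
    for dst_spec in (WAN_ADDRESS, "203.0.113.0/24"):
        fw = Firewall("203.0.113.27", rules=[Rule("tcp", dst_spec, 443)])
        before = fw.handle(Packet("tcp", "198.51.100.77", fw.wan_ip, 443))[0]
        fw.wan_ip = "192.0.2.140"  # ISP hands out a lease in another block
        after = fw.handle(Packet("tcp", "198.51.100.77", fw.wan_ip, 443))[0]
        out[dst_spec] = (before, after)
    return out


if __name__ == "__main__":
    for name, verdict in remote_access_demo().items():
        print(f"{name:13s} -> {verdict}")
    print(lease_change_demo())
```

Running it shows HTTPS to the firewall passing, plain HTTP on port 80 blocked by the default deny, the access point reachable through the 8443 forward because of the auto-added rule, and the ssh forward blocked until its rule is enabled. The second function prints the same verdict for the "WAN address" rule before and after the lease changes, but a block verdict for the /24 rule once the lease has moved.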