[ previous ] [ next ] [ threads ]
 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] basic help needed configuring m0n0wall
 Date:  Thu, 6 Dec 2007 22:59:24 +0000
In message
<ae0fb5cd0712061423s63ad20acr1145b26bb21eca99 at mail dot gmail dot com>, William
F. Dudley Jr. <wfdudley at gmail dot com> writes
>I've been running a LRP (Linux Router Project) router for several years
>now (in an old Pentium 75 box) but decided that lowering my power consumption
>was good, so I'm trying to move my firewall to an ALIX.2C3 board, which
>has 3 NICs.
>I've got the board, I've installed m0n0wall 1.3b5 on a CF card (the
>1.2something production version won't bring up the NICs, I think),
>and can talk to the m0n0wall web server on the LAN interface.
>But for the life of me I cannot get either of the other ports to pass
>any traffic, in either direction.
>The LRP box was fairly easy to configure.  Just edit the shell script
>to set the WAN IP, the LAN IP range, turn on Proxy Arp (choice is: yes/no),
>edit a few other lines if you need to cut a hole for some inbound
>traffic, and you're up.
>I've been reading the m0n0wall docs for quite a few hours now (spread over
>several days) but no matter what I try, I can't get any traffic in or
>out of the WAN port.  Pings from m0n0wall box out the WAN port say
>"no route to host".   I can ping out the LAN port to the machine
>I'm using to access the m0n0wall web server, as one would expect.
>Here's the setup I have with my current LRP firewall/router:
>static IP /28 block from my ISP (also, conveniently, my employer)
>Pipeline 130 T1 interface is sss.sss.sss.17
>WAN side of my LRP box: sss.sss.sss.18
>LAN side of my LRP box:, router/gateway is
>The 192 lan is where the Windows machines that my wife uses are quarantined.
>The Third port of my LRP box is for the routable IPs: sss.sss.sss.18.
>Attached are machines (a mix of Linux and FreeBSD) responding to
>sss.sss.sss.19-30 (31 is broadcast, obviously).
>So the first questions are:
>1. What should I set the address of the WAN port on the m0n0wall to:
>I'd expect it to be: sss.sss.sss.18 / 28? 32?
>I have the gateway set to sss.sss.sss.17, the Pipeline 130.

Correct: WAN = sss.sss.sss.18 / 28, gateway = sss.sss.sss.17

>2. What should I set the address of the ROUTABLE port m0n0wall to:
>I'd expect, based on the LRP box, to set it to sss.sss.sss.18/28.

I'm not entirely sure what the 'routable port' is.  Do you mean the
third interface?  If so, set it to bridged to WAN - it won't have an IP

>3. Will I have to reboot all the machines on the inside so they
>work when I switch firewalls, or can I just configure this and drop
>it in?

As you are swapping machines with the same IP address then you'll need
to clear the ARP caches on the client machines or wait for them to
expire.  You will also need to clear the ARP cache on your T1 router,
otherwise it will be attempting to talk to the LRP box which is no
longer there.

>4. If I ping the WAN address from the outside world, should I expect to
>get a response?

No.  By default all access from WAN is dropped.

>5. Do I need to set any static routes?  I'm guessing not.


>6. What are minimum rules that I need to put in the firewall ruleset to get
>some traffic through?  I've added some, but obviously have no idea what
>I'm doing or I wouldn't be writing this.  Once I have something basic
>running, I'm confident I can add a rule to open a port for, say, ssh
>to a particular machine on my "routable IP" segment.

The default rule will allow all access from LAN so you should be able
access the Internet from a machine on your LAN.

>7. What NAT settings should I be using?  I've chosen:
>"Enable advanced outbound NAT" and then added a "rule" that says:
>Interface=WAN, Source=, Dest=*, Target=*

OK.  That would be the default if you'd have left advanced NAT disabled.
What you'll need (so you can access the devices on your DMZ) is:

Interface:      WAN
Destination:    NOT Network sss.sss.sss.16/28

and leave all other options alone (but feel free to enter a

>8. What Proxy ARP settings should I be using?  I have no idea here,
>after reading Proxy ARP stuff on the m0n0wall site and also other places
>online.  LRP just had "on/off" as a choice, so I'm mystified here.
>(And please tell me exactly what to put on the form, as I've not
>been able to match up what people write in the m0n0wall mailing list
>archives with the actual values that one would put in the web form.)

None.  You shouldn't need any.

You will probably want to tick 'Enable filtering bridge' under System |
Advanced.  You will then need to add relevant rules to m0n0wall to allow
access to / from the devices in your DMZ.

I have this type of configuration (albeit with a /29) and it works a



Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk