 From:  "William F. Dudley Jr." <wfdudley at gmail dot com>
 To:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] basic help needed configuring m0n0wall
 Date:  Thu, 6 Dec 2007 21:14:59 -0500

Thanks very much for your time on this.  I have a few additional questions,
assuming you've got more patience.

On 12/6/07, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> In message
> <ae0fb5cd0712061423s63ad20acr1145b26bb21eca99 at mail dot gmail dot com>,
> "William F. Dudley Jr." <wfdudley at gmail dot com> writes
> >
> >Here's the setup I have with my current LRP firewall/router:
> >
> >static IP /28 block from my ISP (also, conveniently, my employer)
> >sss.sss.sss.16/28
> >Pipeline 130 T1 interface is sss.sss.sss.17
> >WAN side of my LRP box: sss.sss.sss.18
> >
> >LAN side of my LRP box:, router/gateway is
> >The 192 lan is where the Windows machines that my wife uses are quarantined.
> >
> >The third port of my LRP box is for the routable IPs: sss.sss.sss.18.
> >Attached are machines (a mix of Linux and FreeBSD) responding to
> >sss.sss.sss.19-30 (31 is broadcast, obviously).
> >
> >So the first questions are:
> >
> >1. What should I set the address of the WAN port on the m0n0wall to:
> >I'd expect it to be: sss.sss.sss.18 / 28? 32?
> >I have the gateway set to sss.sss.sss.17, the Pipeline 130.
> Correct: WAN = sss.sss.sss.18 / 28, gateway = sss.sss.sss.17
> >2. What should I set the address of the ROUTABLE port m0n0wall to:
> >I'd expect, based on the LRP box, to set it to sss.sss.sss.18/28.
> I'm not entirely sure what the 'routable port' is.  Do you mean the
> third interface?  If so, set it to bridged to WAN - it won't have an IP
> address.

Yes, the third interface to the machines with routable IPs, what some call
the DMZ, though I'm not sure that's really correct here.
> >3. Will I have to reboot all the machines on the inside so they
> >work when I switch firewalls, or can I just configure this and drop
> >it in?
> As you are swapping machines with the same IP address then you'll need
> to clear the ARP caches on the client machines or wait for them to
> expire.  You will also need to clear the ARP cache on your T1 router,
> otherwise it will be attempting to talk to the LRP box which is no
> longer there.
> >4. If I ping the WAN address from the outside world, should I expect to
> >get a response?
> No.  By default all access from WAN is dropped.

Is there any way to turn on icmp response from the WAN port?  Or is that
really a bad idea?  I like to be able to verify the link to the router, is all.
> >5. Do I need to set any static routes?  I'm guessing not.
> No.
> >6. What are minimum rules that I need to put in the firewall ruleset to get
> >some traffic through?  I've added some, but obviously have no idea what
> >I'm doing or I wouldn't be writing this.  Once I have something basic
> >running, I'm confident I can add a rule to open a port for, say, ssh
> >to a particular machine on my "routable IP" segment.
> The default rule will allow all access from LAN so you should be able to
> access the Internet from a machine on your LAN.
> >7. What NAT settings should I be using?  I've chosen:
> >"Enable advanced outbound NAT" and then added a "rule" that says:
> >Interface=WAN, Source=, Dest=*, Target=*
> OK.  That would be the default if you'd have left advanced NAT disabled.
> What you'll need (so you can access the devices on your DMZ) is:
> Interface:      WAN
> Source:
> Destination:    NOT Network sss.sss.sss.16/28
> and leave all other options alone (but feel free to enter a
> description)!

So do I need this rule in *addition* to the one I had:
Interface=WAN, Source=, Dest=*, Target=*

Or does your rule replace it?  And do I want advanced NAT enabled or
disabled?  The docs suggested to me that I did want it, because (I think)
my gateway address is inside of my block of IPs, and not separate.
> >8. What Proxy ARP settings should I be using?  I have no idea here,
> >after reading Proxy ARP stuff on the m0n0wall site and also other places
> >online.  LRP just had "on/off" as a choice, so I'm mystified here.
> >(And please tell me exactly what to put on the form, as I've not
> >been able to match up what people write in the m0n0wall mailing list
> >archives with the actual values that one would put in the web form.)
> None.  You shouldn't need any.
> You will probably want to tick 'Enable filtering bridge' under System |
> Advanced.  You will then need to add relevant rules to m0n0wall to allow
> access to / from the devices in your DMZ.
> I have this type of configuration (albeit with a /29) and it works a
> treat.

I'm trying it out now, even as I write this.

Thanks again,
Bill Dudley
> HTH,
>                                 Neil.
> --
> Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
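The two outbound NAT rules discussed above (Bill's catch-all and Neil's "Destination NOT sss.sss.sss.16/28" variant), together with the /28-versus-/32 point from question 1, modelled as an added example. This is not m0n0wall code and not anything posted in the thread; it assumes the documentation prefix 203.0.113.16/28 in place of the redacted sss.sss.sss.16/28, a LAN of 192.168.1.0/24, and first-match rule evaluation.

```python
"""Model of the outbound NAT rules discussed in the thread.

Added example, not m0n0wall's own code. Assumptions: the redacted public block
sss.sss.sss.16/28 is stood in for by the documentation prefix 203.0.113.16/28,
the LAN is 192.168.1.0/24, and rules are evaluated first-match, top to bottom.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

PUBLIC_BLOCK = ip_network("203.0.113.16/28")  # assumed stand-in for sss.sss.sss.16/28
WAN_ADDR = ip_address("203.0.113.18")         # WAN = .18/28 in the thread
WAN_GATEWAY = ip_address("203.0.113.17")      # the Pipeline 130 T1 router
LAN_NET = ip_network("192.168.1.0/24")        # assumed LAN (the Windows quarantine)


@dataclass(frozen=True)
class OutboundNatRule:
    """One advanced outbound NAT rule as the m0n0wall form lays it out:
    interface, source network, destination (None = any, optionally negated)
    and target (None = the interface address)."""
    interface: str
    source: IPv4Network
    destination: Optional[IPv4Network] = None
    destination_not: bool = False
    target: Optional[IPv4Address] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dest = dst in self.destination
        return not in_dest if self.destination_not else in_dest


# The rule Bill had: Interface=WAN, Source=LAN net, Dest=*, Target=* (interface address)
CATCH_ALL_RULE = OutboundNatRule("WAN", LAN_NET)
# The rule Neil described: Interface=WAN, Source=LAN net, Destination NOT 203.0.113.16/28
NOT_PUBLIC_RULE = OutboundNatRule("WAN", LAN_NET, PUBLIC_BLOCK, destination_not=True)


def translate_source(rules, src: str, dst: str,
                     wan_addr: IPv4Address = WAN_ADDR) -> Optional[str]:
    """Return the source address a packet leaves WAN with, or None when no rule
    matches and the packet keeps its original source (no NAT)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.interface == "WAN" and rule.matches(s, d):
            return str(rule.target if rule.target is not None else wan_addr)
    return None


def gateway_on_link(wan_addr: str, prefixlen: int, gateway: str) -> bool:
    """Whether the default gateway falls inside the WAN interface's own subnet.
    With /28 the Pipeline at .17 is on-link; with /32 it is not, which is why
    the WAN address is .18/28 and not .18/32."""
    return ip_address(gateway) in ip_network(f"{wan_addr}/{prefixlen}", strict=False)


def usable_hosts(block: IPv4Network = PUBLIC_BLOCK) -> list:
    """Host addresses in the block (network and broadcast excluded): .17-.30 for a /28."""
    return [str(h) for h in block.hosts()]


if __name__ == "__main__":
    for dst in ("198.51.100.7", "203.0.113.20"):
        print(dst,
              "catch-all ->", translate_source([CATCH_ALL_RULE], "192.168.1.10", dst),
              "| NOT-public ->", translate_source([NOT_PUBLIC_RULE], "192.168.1.10", dst))
```

The difference the model makes visible: with the catch-all rule, LAN traffic to a bridged DMZ host (203.0.113.20 here) is also rewritten to the WAN address, whereas with the NOT-16/28 rule that traffic passes untranslated and only Internet-bound LAN traffic is NATed. Traffic sourced from a DMZ host matches neither rule, since its source is outside the LAN net, so it leaves with its own public address, which is what a bridged third interface needs.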