On 12/8/07, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> when replying there's no need to send directly to me - I get the
> message from the mailing list and then a second copy direct!
Sorry, habit from other lists. My MDA (procmail, actually) discards
duplicates so I don't see them.
I've not edited out most of the detail so that this post will act as
documentation of a sort.
> In message
> <ae0fb5cd0712061814s63185aa5hcea2b4b95237d0e5 at mail dot gmail dot com>, William
> F. Dudley Jr. <wfdudley at gmail dot com> writes
> >Thanks very much for your time on this. I have a few additional questions,
> >assuming you've got more patience.
> >On 12/6/07, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
> >> In message
> >> <ae0fb5cd0712061423s63ad20acr1145b26bb21eca99 at mail dot gmail dot com>,
> >> F. Dudley Jr. <wfdudley at gmail dot com> writes
> >> >
> >> >Here's the setup I have with my current LRP firewall/router:
> >> >
> >> >static IP /28 block from my ISP (also, conveniently, my employer)
> >> >sss.sss.sss.16/28
> >> >Pipeline 130 T1 interface is sss.sss.sss.17
> >> >WAN side of my LRP box: sss.sss.sss.18
> >> >
> >> >LAN side of my LRP box: 192.168.1.0/24, router/gateway is 192.168.1.254
> >> >The 192 lan is where the Windows machines that my wife uses are quarantined.
> >> >
> >> >The Third port of my LRP box is for the routable IPs: sss.sss.sss.18.
> >> >Attached are machines (a mix of Linux and FreeBSD) responding to
> >> >sss.sss.sss.19-30 (31 is broadcast, obviously).
> >> >
> >> >So the first questions are:
> >> >
> >> >1. What should I set the address of the WAN port on the m0n0wall to:
> >> >I'd expect it to be: sss.sss.sss.18 / 28? 32?
> >> >I have the gateway set to sss.sss.sss.17, the Pipeline 130.
> >> Correct: WAN = sss.sss.sss.18 / 28, gateway = sss.sss.sss.17
> >> >2. What should I set the address of the ROUTABLE port m0n0wall to:
> >> >I'd expect, based on the LRP box, to set it to sss.sss.sss.18/28.
> >> I'm not entirely sure what the 'routable port' is. Do you mean the
> >> third interface? If so, set it to bridged to WAN - it won't have an IP
> >> address.
> >Yes, the third interface to the machines with routable IPs, what some call
> >the DMZ though I'm not sure that's really correct here.
> DMZ is the correct term if you have the 'enable filtered bridge' option
That's what I've been calling it, but because the machines had WAN
accessible ports, I didn't know if they met the strict definition.
> >> >3. Will I have to reboot all the machines on the inside so they
> >> >work when I switch firewalls, or can I just configure this and drop
> >> >it in?
> >> As you are swapping machines with the same IP address then you'll need
> >> to clear the ARP caches on the client machines or wait for them to
> >> expire. You will also need to clear the ARP cache on your T1 router,
> >> otherwise it will be attempting to talk to the LRP box which is no
> >> longer there.
> >> >4. If I ping the WAN address from the outside world, should I expect to
> >> >get a response?
> >> No. By default all access from WAN is dropped.
> >Is there any way to turn on icmp response from the WAN port? Or is that
> >really a bad idea? I like to be able to verify the link to the router, is all.
> OK, you need to understand the direction of the requests. By default
> pinging out from the LAN is allowed (all traffic from LAN is allowed)
> and from m0n0wall itself as is any traffic generated in reply to the
> original request.
> You will only need to add a firewall rule to the WAN interface if you
> want to accept traffic that originates from a device on the WAN.
I understand all that, I wanted to know if it was a) possible and b) "bad"
to write a rule to allow the WAN port to answer icmp from the WAN side.
> In this case you shouldn't need to do anything.
> >> >5. Do I need to set any static routes? I'm guessing not.
> >> No.
> >> >6. What are minimum rules that I need to put in the firewall ruleset to get
> >> >some traffic through? I've added some, but obviously have no idea what
> >> >I'm doing or I wouldn't be writing this. Once I have something basic
> >> >running, I'm confident I can add a rule to open a port for, say, ssh
> >> >to a particular machine on my "routable IP" segment.
> >> The default rule will allow all access from LAN so you should be able
> >> to access the Internet from a machine on your LAN.
> >> >7. What NAT settings should I be using? I've chosen:
> >> >"Enable advanced outbound NAT" and then added a "rule" that says:
> >> >Interface=WAN, Source=192.168.1.0/24, Dest=*, Target=*
> >> OK. That would be the default if you'd left advanced NAT disabled.
> >> What you'll need (so you can access the devices on your DMZ) is:
> >> Interface: WAN
> >> Source: 192.168.1.0/24
> >> Destination: NOT Network sss.sss.sss.16/28
> >> and leave all other options alone (but feel free to enter a
> >> description)!
> >So do I need this rule in *addition* to the one I had:
> >Interface=WAN, Source=192.168.1.0/24, Dest=*, Target=*
> >Or does your rule replace it? And do I want advanced NAT enabled or
> >disabled? The docs suggested to me that I did want it, because (I think)
> >my gateway address is inside of my block of IPs, and not separate.
> Remove all your other rules and just use the one I listed. All it does
> is ensure that any requests from your LAN to devices on your WAN / DMZ
> subnet aren't NAT'd, otherwise you won't be able to connect to those
> devices from LAN.
Well, that's what I did, and it "works a treat" as you might say. I added my
rules to allow ssh/http/smtp traffic from the WAN port to the public IP machines,
and all seems to work as it did with the Linux Router Project box. The LRP box
drew 40 watts, the new Alix board is 5 W, so there's a little bit I've saved 24/7.
> >> >8. What Proxy ARP settings should I be using? I have no idea here,
> >> >after reading Proxy ARP stuff on the m0n0wall site and also other places
> >> >online. LRP just had "on/off" as a choice, so I'm mystified here.
> >> >(And please tell me exactly what to put on the form, as I've not
> >> >been able to match up what people write in the m0n0wall mailing list
> >> >archives with the actual values that one would put in the web form.)
> >> None. You shouldn't need any.
> >> You will probably want to tick 'Enable filtering bridge' under System |
> >> Advanced. You will then need to add relevant rules to m0n0wall to allow
> >> access to / from the devices in your DMZ.
> >> I have this type of configuration (albeit with a /29) and it works a
> >> treat.
> >I'm trying it out now, even as I write this.
> Please post here to let us know how you get on. I've had this setup
> working for quite a while now. Since the last reboot my m0n0wall has
> been up 318 days (and it's a home m0n0wall!)
Are you running the "production" version? I'm running the beta only because
of the need for the drivers for the new-ish NIC ports on the new Alix board.
Thanks for your time,
P.S. I think it might be fruitful to create one or more documentation files that
illustrate how to set up "common" configurations. How can I contribute "our"
example to such a repository?
> Hope this helps,
Oh, it has, it has.
> Neil A. Hillard
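To make the NAT discussion above concrete, here is an added example (not part of the thread and not m0n0wall's code) that models how the two advanced outbound NAT rules compared in the thread treat LAN traffic. It assumes the constructed addresses 203.0.113.16/28 for the anonymised sss.sss.sss.16/28 block and 203.0.113.18 for the WAN address; the rule semantics are simplified to "first match translates the source to the interface address".

```python
"""Model of the two m0n0wall advanced outbound NAT rules from the thread.

Added example, not m0n0wall code. Constructed addresses: 203.0.113.16/28
stands in for the sss.sss.sss.16/28 public block, 203.0.113.18 for the
WAN address (.18) and 192.168.1.0/24 for the LAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

WAN_ADDR = ip_address("203.0.113.18")            # constructed WAN address
PUBLIC_BLOCK = ip_network("203.0.113.16/28")     # constructed public /28
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: IPv4Network
    destination: Optional[IPv4Network]   # None models "Dest=*"
    destination_not: bool = False        # the NOT checkbox on the destination
    target: Optional[IPv4Address] = None  # None models "Target=*" (interface address)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dest = dst in self.destination
        return (not in_dest) if self.destination_not else in_dest


# The rule the original poster started with: NAT everything from LAN.
ORIGINAL_RULE = OutboundNatRule("WAN", LAN, None)
# The rule recommended in the thread: NAT from LAN except to the public block.
NEIL_RULE = OutboundNatRule("WAN", LAN, PUBLIC_BLOCK, destination_not=True)


def translate(rules: Iterable[OutboundNatRule], src: str, dst: str) -> IPv4Address:
    """Source address the packet carries on the WAN side: the first matching
    rule rewrites it to the WAN address; no match leaves it untouched."""
    src_addr, dst_addr = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src_addr, dst_addr):
            return rule.target if rule.target is not None else WAN_ADDR
    return src_addr


if __name__ == "__main__":
    for dst in ("198.51.100.5", "203.0.113.20"):
        print(dst, translate([ORIGINAL_RULE], "192.168.1.10", dst),
              translate([NEIL_RULE], "192.168.1.10", dst))
```

Internet-bound traffic is translated by both rules; only the NOT rule leaves LAN-to-DMZ traffic with its real 192.168.1.x source.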