 From:  "Rodman Frowert" <frowertr at i dash 1 dot net>
 To:  "Dana Spiegel" <dana at sociableDESIGN dot com>, "Kevin Coleman" <kevin at gabu dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Tue, 31 Aug 2004 16:16:55 -0500
I went ahead and changed everything over like you guys suggested.  My LAN is
now on the LAN interface and my ADSL is now on the WAN interface and my
access point is now on the OPT1 interface.  Now the configuration is as

WAN - IP is DHCP assigned by DSL provider
LAN - IP is
OPT - IP is and DHCP is enabled to give wireless clients IP
addresses in a range of -

But I can't get the OPT 1 interface working with my wireless laptop.  It
doesn't even give out an IP address when I turn the laptop computer on (yes,
it is configured to get an IP automatically).  I am guessing it is because I
needed to make a firewall rule, but for the life of me I can't figure out
the right rule I guess.  All I need is the OPT 1 to access the WAN and NOT
the LAN.

Any ideas or hints on what I am missing?


From: "Dana Spiegel" <dana at sociableDESIGN dot com>
To: "Kevin Coleman" <kevin at gabu dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, August 31, 2004 8:59 AM
Subject: Re: [m0n0wall] Setting up HotSpot

> I would also rethink your rules below. Only allowing those ports will
> make the hotspot very unusable.
> People put web servers on ports other than 80 and 443
> People use IMAP
> People use SMTP (and NYCwireless has a totally unrestricted network
> where we've never seen a spammer send out millions of spam messages)
> People use S/POP and S/IMAP
> People use PPTP and IPSEC vpns (this is a big one, especially since
> wireless hotspots are inherently insecure)
> People use SSH (and SSH on ports other than 22)
> People use other applications that make use of other ports
> Really your best bet is to put up the Captive Portal page, and set up
> your network as Kevin recommends below.
> Dana Spiegel
> Director, NYCwireless
> dana at nycwireless dot net
> www.nycwireless.net
> <mailto:dana at sociableDESIGN dot com>
> Kevin Coleman wrote:
> >I'd take out the Linksys, put your network on the LAN
> >interface, your DSL/cable modem on the WAN interface, and connect your
> >Wi-Fi AP to the DMZ interface.
> >
> >Then create a firewall rule that enables the DMZ to access the WAN. By
> >default, LAN will be able to access the internet and DMZ will not be
> >able to access the LAN.
> >
> >(K)
> >
> >-----Original Message-----
> >From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> >Sent: Monday, August 30, 2004 9:16 PM
> >To: m0n0wall at lists dot m0n0 dot ch
> >Subject: [m0n0wall] Setting up HotSpot
> >
> >Hello.  After many hours of labor, I finally got m0n0 running today.  I
> >guess it pays to make sure you actually have a NIC chipset supported by
> >FreeBSD...
> >
> >Anyway, I have a question or two about using m0n0 with a hotspot I am
> >installing in my business.  I have a LAN behind my Linksys NAT
> >router/switch with an IP/subnet range of  Only 3 computers connected to
> >the switch.  What I am wanting to do is connect m0n0 right to the switch on
> >my LAN (through m0n0 WAN device).  Then I want to connect my wireless AP to
> >the m0n0 box.  The problem is, I don't know if I should use the DMZ/OPT1
> >interface or the LAN interface.  I won't need anything connected to the LAN
> >interface on the m0n0 box so could I actually just connect the AP to the LAN
> >interface and my hotspot becomes "another lan" in effect?
> >
> >I then need to make sure m0n0 blocks all access to my actual "real" wired
> >lan since all I want the wireless clients to do is surf and not sniff my
> >network.  Would I simply need to set up a rule for the LAN interface that
> >would block all outgoing traffic that had a destination of
> >
> >
> >Lastly, I need m0n0 to block access to everything the wireless clients can
> >do except pop3, http, and https.  Would I simply add a set of allow rules to
> >the LAN interface again something to the idea of this:
> >
> >Proto    Source    Port       Destination    Port
> >
> >TCP      LAN net   *           *              80  (HTTP)
> >TCP      LAN net   *           *              110 (POP3)
> >TCP      LAN net   *           *              443 (HTTPS)
> >
> >Then at the bottom of those 3 rules have one that blocks EVERYTHING else?
> >
> >Thanks in advance for any help, guys!
> >
> >Rodman Frowert
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
> >
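As an added example, not part of the thread or of m0n0wall itself, here is a small first-match walk of the rule sets discussed above: Kevin's block-LAN-then-pass-any layout for OPT1, the same two rules in the wrong order, and Rodman's three-port whitelist. The 192.168.x and 203.0.113.7 addresses and the Rule/Packet names are constructed for the demonstration.

```python
"""First-match walk of the OPT1 hotspot rules discussed in this thread.
Added example, not m0n0wall code; every address below is constructed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan standing in for the addresses stripped from the mail.
NETS = {
    "LAN net": ip_network("192.168.1.0/24"),   # wired office LAN
    "OPT1 net": ip_network("192.168.2.0/24"),  # wireless hotspot clients
    "any": ip_network("0.0.0.0/0"),
}
LAPTOP = "192.168.2.50"  # a hotspot client
Packet = namedtuple("Packet", "src dst proto dport")

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # key in NETS
    dst: str                    # key in NETS
    dport: "int | None" = None  # None = any destination port
    proto: str = "any"

def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ip_address(pkt.src) in NETS[rule.src] and ip_address(pkt.dst) in NETS[rule.dst]

def decide(rules, pkt):
    """Interface rules are read top to bottom and the first match wins; a packet
    matching nothing falls to the default deny Kevin describes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# Kevin's layout as OPT1 rules: keep the wired LAN off limits, then pass the rest.
OPT1_RULES = [Rule("block", "OPT1 net", "LAN net"), Rule("pass", "OPT1 net", "any")]
# Same rules reversed: pass-any matches first, so the block is never reached.
OPT1_RULES_WRONG_ORDER = list(reversed(OPT1_RULES))
# Rodman's port whitelist from the original mail (HTTP, POP3, HTTPS only).
WHITELIST_RULES = [Rule("pass", "OPT1 net", "any", p, "tcp") for p in (80, 110, 443)]

def lan_reachable(rules):
    return decide(rules, Packet(LAPTOP, "192.168.1.10", "tcp", 445)) == "pass"

def internet_reachable(rules, dport):
    return decide(rules, Packet(LAPTOP, "203.0.113.7", "tcp", dport)) == "pass"
```

With the pass-any rule placed above the block, a hotspot client reaches the wired LAN, so rule order is what separates Kevin's layout from an open network; the whitelist keeps the LAN closed but also drops anything outside ports 80, 110 and 443, which is Dana's objection.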