m0n0wall Handbook

Chris Buechler

Manuel Kasper

m0n0wall was written by Manuel Kasper. Most of the documentation was written by Chris Buechler. Additional contributors are listed in Contributors and Credits.

m0n0wall Version 1.2 and 1.3b

All rights reserved.

Redistribution and use in any form, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Neither the name of the m0n0wall Documentation Project nor the names of its contributors may be used to endorse or promote products derived from this documentation without specific prior written permission.

THIS DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

June 2008

Abstract

A freely-redistributable complete embedded firewall software package.


Table of Contents

1. Introduction
1.1. What m0n0wall is
1.2. What m0n0wall is not
1.3. History
1.4. Features
1.5. Software Copyright and Distribution (Licenses)
1.6. Contributors and Credits
2. Hardware Compatibility
2.1. Supported Hardware Architectures
2.2. Supported Standard PC-Based Hardware
2.3. Supported Embedded Devices
2.4. Virtualization
2.5. Hardware Sizing
2.6. Wireless Cards
2.7. Ethernet Cards
3. Setup
3.1. Getting the Software
3.2. Installing the Software
3.3. Booting m0n0wall
4. Configuration
4.1. The Console Menu
4.2. The Web GUI
4.3. The System Screens
4.4. The Interfaces Screens
4.5. The Services Screens
4.6. The Status Screens
4.7. The Diagnostics Screens
5. The Firewall Screens
5.1. Rules
5.2. Aliases
6. Network Address Translation
6.1. NAT Primer
6.2. Inbound NAT
6.3. Outbound NAT
6.4. Server NAT
6.5. 1:1 NAT
6.6. Choosing the appropriate NAT for your network
7. Traffic Shaper
8. IPsec
8.1. Preface
8.2. Prerequisites
8.3. Configuring the VPN Tunnel
8.4. What if your m0n0wall isn’t the main Internet Firewall?
9. PPTP
9.1. Preface
9.2. Audience
9.3. Assumptions
9.4. Subnetting and VLAN routing
9.5. Setup of m0n0wall software
9.6. PPTP User Setup
9.7. PPTP Firewall Rules
9.8. Setting up a PPTP Client on Windows XP™
9.9. Some things I have found not to work over the PPTP Connection
10. OpenVPN
11. Wireless
11.1. Adding A Wireless Interface
11.2. Wireless Parameters 1.2.x
11.3. Wireless Parameters 1.3.x
11.4. Wireless Status
12. Captive Portal
12.1. Connection Management
12.2. Authentication Management
12.3. Custom Pages And Files
12.4. Vouchers
12.5. Limitations
12.6. Additional Information
A. Reference
A.1. IP Basics
A.2. IP Filtering
A.3. NAT
A.4. Traffic Shaping
A.5. DNS
A.6. Encryption (PPTP/IPsec)
A.7. Logging (syslog)
13. Example Configurations
13.1. Configuring a DMZ Interface Using NAT
13.2. Locking Down DMZ Outbound Internet Access
13.3. Configuring a filtered bridge
14. Example IPSec VPN Configurations
14.1. Cisco PIX Firewall
14.2. Smoothwall
14.3. FreeS/WAN
14.4. Sonicwall
14.5. Nortel
14.6. Mobile User VPN with IPsec?
15. FAQ
15.1. How do I setup mobile user VPN with IPsec?
15.2. How can I prioritize ACK packets with m0n0wall?
15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN
15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
15.6. Does m0n0wall support MAC address filtering?
15.7. Does m0n0wall support SMP systems?
15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
15.9. What were the goals behind the m0n0wall project?
15.10. How do I setup multiple IP addresses on the WAN interface?
15.11. Can I filter/restrict/block certain websites with m0n0wall?
15.12. Why are some passwords stored in plaintext in config.xml?
15.13. Are there any performance benchmarks available?
15.14. What about hidden config.xml options?
15.15. Why can't I query SNMP over VPN?
15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
15.18. Can I access the webGUI from the WAN?
15.19. Can I access a shell prompt?
15.20. Can I put my configuration file into the m0n0wall CD?
15.21. How can I monitor/graph/report on bandwidth usage per LAN host?
15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
15.23. Does m0n0wall support transparent proxying?
15.24. Should I use m0n0wall as an access point?
15.25. Why am I seeing traffic that I permitted getting dropped?
15.26. How can I route multiple subnets over a site to site IPsec VPN?
15.27. How can I block/permit a range of IP addresses in a firewall rule?
15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
15.29. Can I forward broadcasts over VPN for gaming or other purposes?
15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
15.31. Are PCMCIA cards supported?
15.32. Are there any tweaks for systems that will need to support large loads?
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
15.34. Can Captive Portal be used on a bridged interface?
15.35. Can I run Captive Portal on more than one interface?
15.36. Why do my SSH sessions time out after two hours?
15.37. Why isn't the reply address of the list set to the list?
15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.40. Why doesn't m0n0wall have a log out button?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
15.43. Where can I get a high-resolution version of the m0n0wall logo?
15.44. When will m0n0wall be available on a newer FreeBSD version?
15.45. Is there any extra Captive Portal RADIUS functionality available?
15.46. How can I increase the size of the state table?
16. Other Documentation
16.1. Installation
16.2. VPN/IPsec/PPTP
16.3. Wireless
B. Third Party Software
B.1. Introduction
B.2. Installing SVG Viewer on Mozilla Firefox
B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph
B.4. Updating more than one Dynamic DNS hostname with ddclient
B.5. Using MultiTech's Free Windows RADIUS Server
B.6. Configuring Apache for Multiple Servers on One Public IP
B.7. Opening Ports for BitTorrent in m0n0wall
B.8. Automated config.xml backup solutions
B.9. Historical Interface Graphing Using MRTG on Windows
17. Troubleshooting
17.1. Interfaces are not detected
17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.
17.3. No Link Light
17.4. Cannot Access webGUI
17.5. Cannot Access Internet from LAN after WAN Configuration
17.6. Troubleshooting Firewall Rules
17.7. Troubleshooting Bridging
17.8. Troubleshooting IPsec Site to Site VPN
17.9. Troubleshooting Solid Freezes
18. Bibliography
18.1. Books
18.2. Newspapers
18.3. Magazines
18.4. Television
18.5. Popular Websites
18.6. Conferences
Glossary
C. License
C.1. The FreeBSD Copyright
C.2. The PHP License
C.3. mini_httpd License
C.4. ISC DHCP Server License
C.5. ipfilter License
C.6. MPD License
C.7. ez-ipupdate License
C.8. Circular log support for FreeBSD syslogd License
C.9. dnsmasq License
C.10. racoon License
C.11. General Public License for the software known as MSNTP
C.12. ucd-snmp License
C.13. choparp License
C.14. bpalogin License
C.15. php-radius License
C.16. wol License
Index

List of Figures

4.1. The General Setup screen
4.2. The Firmware screen
4.3. The System Status screen
4.4. The Traffic Graph screen
8.1. Example: m0n0wall behind a router
13.1. Example Network Diagram
13.2. Filtered Bridge Diagram
14.1. Network diagram
14.2. Example of Sonicwall configuration
17.1. Troubleshooting Internet Access
11. Typical DMZ Network

List of Tables

4.1. General Setup parameters
4.2. Advanced System Options
4.3. SIP Proxy Parameters
4.4. Log Settings Parameters
4.5. The two entries for each VPN connection are as follows:
11.1. Wireless 1.2 Parameters
11.2. Wireless 1.3 Parameters
12.1. Connection Parameters
12.2. Secure Authentication Parameters
12.3. User Parameters
12.4. Radius Server Parameters
12.5. Voucher Parameters
12.6. Voucher Roll Parameters