
m0n0wall Handbook

Chris Buechler
Manuel Kasper

m0n0wall written by Manuel Kasper. Most documentation written by Chris Buechler. Additional contributors are listed in Contributors and Credits.

m0n0wall Version 1.2 and 1.3b

Copyright 2008 m0n0wall Documentation Project. All rights reserved.

Redistribution and use in any form, with or without modification, are permitted provided that the following conditions are met:

Redistributions must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of the m0n0wall Documentation Project nor the names of its contributors may be used to endorse or promote products derived from this documentation without specific prior written permission.

THIS DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

June 2008

Abstract

A freely redistributable complete embedded firewall software package.

Table of Contents

1. Introduction
1.1. What m0n0wall is
1.2. What m0n0wall is not
1.3. History
1.4. Features
1.5. Software Copyright and Distribution (Licenses)
1.6. Contributors and Credits
2. Hardware Compatibility
2.1. Supported Hardware Architectures
2.2. Supported Standard PC-Based Hardware
2.3. Supported Embedded Devices
2.4. Virtualization
2.5. Hardware Sizing
2.6. Wireless Cards
2.7. Ethernet Cards
3. Setup
3.1. Getting the Software
3.2. Installing the Software
3.3. Booting m0n0wall
4. Configuration
4.1. The Console Menu
4.2. The WebGUI
4.3. The System Screens
4.4. The Interfaces Screens
4.5. The Services Screens
4.6. The Status Screens
4.7. The Diagnostics Screens
5. The Firewall Screens
5.1. Rules
5.2. Aliases
6. Network Address Translation
6.1. NAT Primer
6.2. Inbound NAT
6.3. Outbound NAT
6.4. Server NAT
6.5. 1:1 NAT
6.6. Choosing the appropriate NAT for your network
7. Traffic Shaper
8. IPsec
8.1. Preface
8.2. Prerequisites
8.3. Configuring the VPN Tunnel
8.4. What if your m0n0wall isn't the main Internet Firewall?
9. PPTP
9.1. Preface
9.2. Audience
9.3. Assumptions
9.4. Subnetting and VLAN routing
9.5. Setup of m0n0wall software
9.6. PPTP User Setup
9.7. PPTP Firewall Rules
9.8. Setting up a PPTP Client on Windows XP
9.9. Some things I have found not to work over the PPTP Connection
10. OpenVPN
11. Wireless
11.1. Adding A Wireless Interface
11.2. Wireless Parameters 1.2.x
11.3. Wireless Parameters 1.3.x
11.4. Wireless Status
12. Captive Portal
12.1. Connection Management
12.2. Authentication Management
12.3. Custom Pages And Files
12.4. Vouchers
12.5. Limitations
12.6. Additional Information
A. Reference
A.1. IP Basics
A.2. IP Filtering
A.3. NAT
A.4. Traffic Shaping
A.5. DNS
A.6. Encryption (PPTP/IPsec)
A.7. Logging (syslog)
13. Example Configurations
13.1. Configuring a DMZ Interface Using NAT
13.2. Locking Down DMZ Outbound Internet Access
13.3. Configuring a filtered bridge
14. Example IPSec VPN Configurations
14.1. Cisco PIX Firewall
14.2. Smoothwall
14.3. FreeS/WAN
14.4. Sonicwall
14.5. Nortel
14.6. Mobile User VPN with IPsec?
15. FAQ
15.1. How do I set up mobile user VPN with IPsec?
15.2. How can I prioritize ACK packets with m0n0wall?
15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN
15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
15.6. Does m0n0wall support MAC address filtering?
15.7. Does m0n0wall support SMP systems?
15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
15.9. What were the goals behind the m0n0wall project?
15.10. How do I set up multiple IP addresses on the WAN interface?
15.11. Can I filter/restrict/block certain websites with m0n0wall?
15.12. Why are some passwords stored in plain text in config.xml?
15.13. Are there any performance benchmarks available?
15.14. What about hidden config.xml options?
15.15. Why can't I query SNMP over VPN?
15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
15.18. Can I access the webGUI from the WAN?
15.19. Can I access a shell prompt?
15.20. Can I put my configuration file into the m0n0wall CD?
15.21. How can I monitor/graph/report on bandwidth usage per LAN host?
15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
15.23. Does m0n0wall support transparent proxying?
15.24. Should I use m0n0wall as an access point?
15.25. Why am I seeing traffic that I permitted getting dropped?
15.26. How can I route multiple subnets over a site to site IPsec VPN?
15.27. How can I block/permit a range of IP addresses in a firewall rule?
15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
15.29. Can I forward broadcasts over VPN for gaming or other purposes?
15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
15.31. Are PCMCIA cards supported?
15.32. Are there any tweaks for systems that will need to support large loads?
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
15.34. Can Captive Portal be used on a bridged interface?
15.35. Can I run Captive Portal on more than one interface?
15.36. Why do my SSH sessions time out after two hours?
15.37. Why isn't the reply address of the list set to the list?
15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.40. Why doesn't m0n0wall have a logout button?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
15.43. Where can I get a high resolution version of the m0n0wall logo?
15.44. When will m0n0wall be available on a newer FreeBSD version?
15.45. Is there any extra Captive Portal RADIUS functionality available?
15.46. How can I increase the size of the state table?
16. Other Documentation
16.1. Installation
16.2. VPN/IPsec/PPTP
16.3. Wireless
B. Third Party Software
B.1. Introduction
B.2. Installing SVG Viewer on Mozilla Firefox
B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph
B.4. Updating more than one Dynamic DNS hostname with ddclient
B.5. Using MultiTech's Free Windows RADIUS Server
B.6. Configuring Apache for Multiple Servers on One Public IP
B.7. Opening Ports for BitTorrent in m0n0wall
B.8. Automated config.xml backup solutions
B.9. Historical Interface Graphing Using MRTG on Windows
17. Troubleshooting
17.1. Interfaces are not detected
17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.
17.3. No Link Light
17.4. Cannot Access webGUI
17.5. Cannot Access Internet from LAN after WAN Configuration
17.6. Troubleshooting Firewall Rules
17.7. Troubleshooting Bridging
17.8. Troubleshooting IPsec Site to Site VPN
17.9. Troubleshooting Solid Freezes
18. Bibliography
18.1. Books
18.2. Newspapers
18.3. Magazines
18.4. Television
18.5. Popular Websites
18.6. Conferences
Glossary
C. License
C.1. The FreeBSD Copyright
C.2. The PHP License
C.3. mini_httpd License
C.4. ISC DHCP Server License
C.5. ipfilter License
C.6. MPD License
C.7. ez-ipupdate License
C.8. Circular log support for FreeBSD syslogd License
C.9. dnsmasq License
C.10. racoon License
C.11. General Public License for the software known as MSNTP
C.12. ucd-snmp License
C.13. choparp License
C.14. bpalogin License
C.15. php-radius License
C.16. wol License
Index

List of Figures

4.1. The General Setup screen
4.2. The Firmware screen
4.3. The System Status screen
4.4. The Traffic Graph screen
8.1. Example: m0n0wall behind a router
13.1. Example Network Diagram
13.2. Filtered Bridge Diagram
14.1. Network diagram
14.2. Example of Sonicwall configuration
17.1. Troubleshooting Internet Access
11. Typical DMZ Network

List of Tables

4.1. General Setup parameters
4.2. Advanced System Options
4.3. SIP Proxy Parameters
4.4. Log Settings Parameters
4.5. The two entries for each VPN connection are as follows:
11.1. Wireless 1.2 Parameters
11.2. Wireless 1.3 Parameters
12.1. Connection Parameters
12.2. Secure Authentication Parameters
12.3. User Parameters
12.4. Radius Server Parameters
12.5. Voucher Parameters
12.6. Voucher Roll Parameters

Chapter 1. Introduction
Table of Contents

1.1. What m0n0wall is
1.2. What m0n0wall is not
1.3. History
1.4. Features
1.4.1. Components
1.4.2. Specifications
1.5. Software Copyright and Distribution (Licenses)
1.5.1. Other Software Packages
1.6. Contributors and Credits
1.6.1. Code
1.6.2. Documentation

1.1. What m0n0wall is

m0n0wall is a complete embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server (thttpd), PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent.

m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.

1.2. What m0n0wall is not

m0n0wall is a firewall, and the purpose of a firewall is to provide security. The more functionality is added, the greater the chance that a vulnerability in that additional functionality will compromise the security of the firewall. It is the opinion of the m0n0wall founder and core contributors that anything outside the base services of a layer 3 and 4 firewall does not belong in m0n0wall. Some services that may be appropriate are very CPU intensive and memory hungry, and m0n0wall is focused towards embedded devices with limited CPU and memory resources. The non-persistent file system, due to our focus on CompactFlash installations, is another limiting factor. Lastly, image size constraints eliminate other possibilities.

We feel these services should be run on another server, and they are intentionally not part of m0n0wall:

  Intrusion Detection/Prevention System
  Proxy Server
  Packet inspection at any layers other than 3 and 4
  A general purpose web server
  An FTP server
  A network time server
  A log file analyzer

For the same reason, m0n0wall does not allow logins: there is no login prompt at the console (it displays a menu instead), and no telnet or ssh daemon.

1.3. History

Manuel Kasper, m0n0wall's author, says:

    Ever since I started playing with packet filters on embedded PCs, I wanted to have a nice web-based GUI to control all aspects of my firewall without having to type a single shell command. There are numerous efforts to create nice firewall packages with web interfaces on the Internet (most of them Linux based), but none met all my requirements (free, fast, simple, clean and with all the features I need). So, I eventually started writing my own webGUI. But soon I figured that I didn't want to create another incarnation of webmin; I wanted to create a complete, new embedded firewall software package. It all evolved to the point where one could plug in the box, set the LAN IP address via the serial console, log into the web interface and set it up. Then I decided that I didn't like the usual bootup system configuration with shell scripts (I already had to write a C program to generate the filter rules since that's almost impossible in a shell script), and since my web interface was based on PHP, it didn't take me long to figure out that I might use PHP for the system configuration as well. That way, the configuration data would no longer have to be stored in text files that can be parsed in a shell script; it could now be stored in an XML file. So I completely rewrote the whole system again, not changing much in the look and feel, but quite a lot "under the hood".

The first public beta release of m0n0wall was on February 15, 2003. Version 1.0 was released exactly one year later, on February 15, 2004. Between those two were an additional 26 public beta releases, an average of one release every two weeks. Version 1.1 was released in August 2004, with 1.11 released with a security update for m0n0wall's dynamic DNS component ez-ipupdate on November 11, 2004. Version 1.2 has been in beta since, with a final release in October 2005. A complete list of changes for each version can be found on the m0n0wall website under Change Log.

1.4. Features
m0n0wall provides many of the features of expensive commercial firewalls, and some you won't find in any commercial firewalls, including:

  web interface (supports SSL)
  serial console interface for recovery
    set LAN IP address
    reset password
    restore factory defaults
    reboot system
  wireless support (access point with PRISM-II/2.5 cards, BSS/IBSS with other cards including Cisco)
  stateful packet filtering
    block/pass rules
    logging
  NAT/PAT (including 1:1)
  DHCP client, PPPoE and PPTP support on the WAN interface
  IPsec VPN tunnels (IKE; with support for hardware crypto cards and mobile clients)
  PPTP VPN (with RADIUS server support)
  static routes
  DHCP server
  caching DNS forwarder
  DynDNS client
  SNMP agent
  traffic shaper
  firmware upgrade through the web browser
  configuration backup/restore
  host/network aliases

1.4.1. Components

m0n0wall contains the following software components:

  FreeBSD components (kernel, user programs)
  ipfilter
  PHP (CGI version)
  thttpd
  MPD
  ISC DHCP server
  ez-ipupdate (for DynDNS updates)
  Dnsmasq (for the caching DNS forwarder)
  racoon (for IPsec IKE)

1.4.2. Specifications

The m0n0wall system currently takes up less than 5 MB on a CompactFlash card or CD-ROM.

On a net4501, m0n0wall provides a WAN <-> LAN TCP throughput of about 17 Mbps, including NAT, when run with the default configuration. On faster platforms (like net4801 or WRAP), throughput in excess of 50 Mbps is possible (and up to gigabit speeds with newer standard PCs).

On a net4501, m0n0wall boots to a fully working state in less than 40 seconds after power-up, including POST (with a properly configured BIOS).

1.5. Software Copyright and Distribution (Licenses)


m0n0wall is Copyright 2002-2008 by Manuel Kasper. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1.5.1. Other Software Packages


m0n0wall is based upon/includes various free software packages, listed below. The author of m0n0wall would like to thank the authors of these software packages for their efforts.

  FreeBSD (http://www.freebsd.org) Copyright 1994-2003 FreeBSD, Inc. All rights reserved.
  This product includes PHP, freely available from http://www.php.net. Copyright 1999-2003 The PHP Group. All rights reserved.
  mini_httpd (http://www.acme.com/software/mini_httpd) Copyright 1999, 2000 by Jef Poskanzer <jef@acme.com>. All rights reserved.
  ISC DHCP server (http://www.isc.org/products/DHCP) Copyright 1996-2003 Internet Software Consortium. All rights reserved.
  ipfilter (http://www.ipfilter.org) Copyright 1993-2002 by Darren Reed.
  MPD, Multi-link PPP daemon for FreeBSD (http://www.dellroad.org/mpd) Copyright 1995-1999 Whistle Communications, Inc. All rights reserved.
  ez-ipupdate (http://www.gusnet.cx/proj/ez-ipupdate) Copyright 1998-2001 Angus Mackay. All rights reserved.
  Circular log support for FreeBSD syslogd (http://software.wwwi.com/syslogd) Copyright 2001 Jeff Wheelhouse (jdw@wwwi.com)
  Dnsmasq, a DNS forwarder for NAT firewalls (http://www.thekelleys.org.uk) Copyright 2000-2003 Simon Kelley
  Racoon (http://www.kame.net/racoon) Copyright 1995-2002 WIDE Project. All rights reserved.
  before version pb23: watchdogd (watchdog) Copyright 2002-2003 Dirk-Willem van Gulik. All rights reserved. This product includes software developed by the Stichting Wireless Leiden (http://www.wirelessleiden.nl). See LICENSE for more licensing information.
  msntp (http://www.hpcf.cam.ac.uk/export) Copyright 1996, 1997, 2000 N.M. Maclaren, University of Cambridge. All rights reserved.
  UCD-SNMP (http://www.ece.ucdavis.edu/ucd-snmp) Copyright 1989, 1991, 1992 by Carnegie Mellon University. Copyright 1996, 1998-2000 The Regents of the University of California. All rights reserved. Copyright 2001-2002, Network Associates Technology, Inc. All rights reserved. Portions of this code are copyright 2001-2002, Cambridge Broadband Ltd. All rights reserved.
  choparp (http://choparp.sourceforge.net) Copyright 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp) Copyright 2002 Thomas Quinot (thomas@cuivre.fr.eu.org)

1.6. Contributors and Credits

1.6.1. Code

m0n0wall was written by Manuel Kasper.

The following persons have contributed code to m0n0wall:

  Bob Zoller (bob at kludgebox dot com): Diagnostics: Ping function; WLAN channel auto-select; DNS forwarder
  Michael Mee (m0n0wall at mikemee dot com): Time zone and NTP client support
  Magne Andreassen (magne dot andreassen at bluezone dot no): Remote syslog'ing; some code bits for DHCP server on optional interfaces
  Rob Whyte (rob at g-labs dot com): Idea/code bits for encrypted webGUI passwords; minimalized SNMP agent
  Petr Verner (verner at ipps dot cz): Advanced outbound NAT: destination selection
  Bruce A. Mah (bmah at acm dot org): Filtering bridge patches
  Jim McBeath (monowall at j dot jimmc dot org): Filter rule patches (ordering, block/pass, disabled); better status page; webGUI assign network ports page
  Chris Olive (chris at technologEase dot com): enhanced "execute command" page
  Pauline Middelink (middelink at polyware dot nl): DHCP client: send hostname patch
  Björn Pålsson (bjorn at networksab dot com): DHCP lease list page
  Peter Allgeyer (allgeyer at web dot de): "reject" type filter rules
  Thierry Lechat (dev at lechat dot org): SVG-based traffic grapher
  Steven Honson (steven at honson dot org): per-user IP address assignments for PPTP VPN
  Kurt Inge Smådal (kurt at emsp dot no): NAT on optional interfaces
  Dinesh Nair (dinesh at alphaque dot com): captive portal: pass-through MAC/IP addresses, RADIUS authentication, HTTP server concurrency limit
  Justin Ellison (justin at techadvise dot com): traffic shaper TOS matching; magic shaper; DHCP deny unknown clients; IPsec user FQDNs
  Fred Wright (fw at well dot com): ipfilter window scaling fix; ipnat ICMP checksum adjustment fix

1.6.2. Documentation

m0n0wall was written by Manuel Kasper.

The following persons have contributed documentation to m0n0wall:

  Chris Buechler (m0n0wall at chrisbuechler.com): Editor, numerous contributions throughout.
  Shawn Giese (shawngiese at gmail dot com): numerous contributions throughout.
  Jim McBeath (monowall at j dot jimmc dot org): Users Guide outline, editing
  Rudi van Drunen (r.van.drunen at xs4all dot nl) with thanks to Manuel Kasper, Edwin Kremer, PicoBSD, Matt Simerson and John Voight: m0n0wall Hackers Guide, used as the basis for the old Development chapter, now part of the m0n0wall Developers' Handbook.
  Francisco Artes (falcor at netassassin.com): IPsec and PPTP chapters.
  Fred Wright (fw at well dot com): Suggestions and review.
  Axel Eble (axel+m0n00001 at balrog dot de): Help with the wiki, ddclient howto contribution.
  Brian Zushi (brian at ricerage dot org): Linux CD burning instructions, documentation review and suggestions.
  Dino Bijedic (dino.bijedic at eracomtech dot com): Sonicwall example VPN contribution.

Chapter 2. Hardware Compatibility


Table of Contents

2.1. Supported Hardware Architectures
2.2. Supported Standard PC-Based Hardware
2.2.1. Minimum Requirements
2.2.2. Recommended System BIOS Changes
2.2.3. Storage Medium
2.3. Supported Embedded Devices
2.3.1. Soekris Engineering
2.3.2. PC Engines WRAP
2.3.3. Nokia IPxxx boxes
2.3.4. NexCom NexGate Appliances
2.4. Virtualization
2.5. Hardware Sizing
2.5.1. Embedded Devices
2.5.2. Network Cards
2.5.3. Processor
2.5.4. RAM
2.5.5. Storage Medium
2.5.6. High Throughput Environments
2.6. Wireless Cards
2.6.1. Unsupported Cards
2.6.2. Readily Available Cards
2.6.3. Discontinued / Difficult to Obtain
2.7. Ethernet Cards
2.7.1. Supported Cards
2.7.2. ISA Network Cards

2.1. Supported Hardware Architectures


m0n0wall is supported only on the x86 architecture. The types of devices supported range from standard PC's to a variety of embedded devices. It is targeted at embedded x86-based PCs.

This excludes non-x86 devices like the MIPS-based Linksys devices, ARM-based D-Link devices, etc. FreeBSD does not support the MIPS or ARM platforms. For a list of FreeBSD supported platforms, see this page. Some shown there are not yet functional (like MIPS, for example). The only platform supported by m0n0wall at this point is x86.

2.2. Supported Standard PC-Based Hardware

2.2.1. Minimum Requirements

m0n0wall will run on any standard x86 PC that supports at least two network interfaces.

486 processor
Any 486 or higher processor is sufficient for m0n0wall. Exactly how much processor you will need for your particular implementation varies depending on your Internet connection bandwidth, number of simultaneous connections required, what features you will use, etc. For most deployments, a 486 or Pentium processor is sufficient.

64 MB of RAM
64 MB RAM is the official suggested minimum. The CD version of m0n0wall has been reported to work fine for some people with only 32 MB. When using the CompactFlash or hard drive versions of m0n0wall, expect upgrades to fail with less than 64 MB. This is because m0n0wall stores everything in RAM and uses no swap space; when it runs out of RAM, it has nothing to fall back on.

2.2.2. Recommended System BIOS Changes


There are some BIOS settings that may need to be changed for m0n0wall to function properly.

Plug and Play OS
Most system BIOS have a setting for "Plug and Play OS" or something similar. This should always be set to "no" or "disable". With this setting turned off, the BIOS assigns system resources rather than leaving that up to the OS. FreeBSD (and hence m0n0wall) works best when the BIOS handles this task.

Disabling Unnecessary Devices
You most likely won't have to worry about this, but if you have hardware-related issues, we recommend disabling all unnecessary devices in the BIOS, such as onboard sound, and in some cases parallel ports, serial ports, and other unused devices. If you aren't using it, it is safe to disable it.

2.2.3. Storage Medium


m0n0wall will run off of a CompactFlash card, hard drive, or CD with a floppy to store the configuration.

CompactFlash
At least an 8 MB CompactFlash card is required.

Hard Drive
Any IDE or SCSI (with supported controller) hard drive will work fine with m0n0wall.

CD/floppy setup
Any IDE or SCSI (with supported controller) CD-ROM or DVD drive will work with m0n0wall. Also required for this setup is a 1.44 MB floppy drive with a blank floppy disk formatted with the MS-DOS/FAT file system. Any standard floppy drive will work. For this setup, you must have a PC that supports booting from CD-ROM.

Zip drive setup
Starting with 1.2b3, m0n0wall can run the hard drive image from a Zip drive. Write the disk the same way you would write a hard drive.

2.3. Supported Embedded Devices


The following embedded x86 machines will run m0n0wall.

2.3.1. Soekris Engineering

All Soekris devices are fully compatible with m0n0wall. For the net4501 and other 45xx models, use the net45xx image. For the net4801 and net4826, use the net48xx image.

Specifications

  net4501-30: 133 MHz CPU, 64 Mbyte SDRAM, 3 Ethernet, 2 Serial, CF socket, 1 Mini-PCI socket, 3.3V PCI connector.
  net4511-30: 100 MHz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket, Single PC-Card socket, PoE.
  net4521-30: 133 MHz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket, Dual PC-Card socket, PoE.
  net4526-20: 100 MHz CPU, 32 Mbyte SDRAM, 1 Ethernet, 1 Serial, 16 Mbyte CF Flash, 2 Mini-PCI sockets, PoE.
  net4526-30: 133 MHz CPU, 64 Mbyte SDRAM, 1 Ethernet, 1 Serial, 64 Mbyte CF Flash, 2 Mini-PCI sockets, PoE.
  net4801-50: 266 MHz CPU, 128 Mbyte SDRAM, 3 Ethernet, 2 serial, USB connector, CF socket, 44 pins IDE connector, 1 Mini-PCI socket, 3.3V PCI connector.

For a detailed walkthrough of getting up and running with m0n0wall on Soekris hardware, see the m0n0wall Soekris Quick Start Guide.

2.3.2. PC Engines WRAP


Wireless Router Application Platform (WRAP)

PC Engines WRAP boards are fully compatible with m0n0wall. Use the WRAP images available on the download page.

2.3.3. Nokia IPxxx boxes


The Nokia IPxxx boxes were built to run Check Point, but they are standard PC hardware and will run m0n0wall.

You can pick up a used IP110 or IP120 for around $100 USD on eBay.

IP110, 120 and 130
  Three 10/100 Ethernet interfaces
  National GX1 300 MHz processor
  64 MB RAM on 110, 128 MB on 120, 256 MB on 130
  5 GB hard drive
  Two serial ports (auxiliary and console)
  Quiet: the hard drive is the only moving component, no fans

IP330
  Three 10/100 Ethernet interfaces
  National GX1 300 MHz processor
  RAM typically between 64 MB and 256 MB
  Hard drive typically ranging from 4-20 GB
  Two serial ports (auxiliary and console)
  Has case fans, so not quiet like the IP1xx

IP440, 530, 650, 740
Even in the used market, these boxes are usually out of the price range for a typical m0n0wall installation, and you can buy or assemble a comparable standard PC for far cheaper. But, if you have one laying around or can find one cheaply, these will run m0n0wall. Some of the optional interfaces like HSSI, T1 CSU/DSU, V.35 and X.21 serial, OC3 ATM, FDDI, etc. will not work, but the Ethernet will work fine.

Note
There are some tricks to getting m0n0wall working on Nokia hardware because the NIC's initially show MAC address ff:ff:ff:ff:ff:ff. For pictures and complete instructions, see this page.

2.3.4. NexCom NexGate Appliances

NexCom's Nexgate line of appliances all support m0n0wall. These are much more high-end than the WRAP and Soekris platforms, and hence are much more costly. There are a number of different configurations available, with prices starting over $500 USD for the most basic model. Contact NexCom for pricing.

2.4. Virtualization

m0n0wall works fine with most virtualization software like VMware Workstation, GSX, and ESX, and Microsoft Virtual PC and Virtual Server.

While these types of configurations work, we don't recommend running any production firewalls under any sort of virtualization. m0n0wall as a virtual machine is very well suited to testing and development environments. In fact much of the m0n0wall documentation is written by Chris Buechler using VMware Workstation teams with 10-15 virtual machines.

If you plan to use m0n0wall in VMware for testing purposes, we suggest using Chris Buechler's pre-configured m0n0wall VMware images.

For using m0n0wall in MS VPC or VS, you may want to check out the pre-configured m0n0wall images for Microsoft Virtual PC and Virtual Server, available for download from Chris Buechler's site and made by Chris Nottingham.

2.5. Hardware Sizing

Determining the exact hardware sizing for your m0n0wall deployment can be difficult at best, because network environments differ dramatically. The following will provide some base guidelines on choosing what hardware is sufficient for your installation. Stated throughput numbers are very conservative for most environments, leaving some room for error and future expandability.

2.5.1. Embedded Devices

The following can be used as a rough guide to determining which embedded platform, if any, is suitable for your environment.

2.5.1.1. Soekris 45xx

The Soekris 45xx line is sufficient for any Internet connection under 10 Mbps. If IPsec VPN's will be used, a 45xx is sufficient up to around 3 Mbps of sustained IPsec throughput. Other features will not cause enough of a performance hit to make a substantial difference.

One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 45xx maxes out at around 17 Mbps. If you need more than 17 Mbps of throughput between your internal networks, you will need to go with a faster platform.

2.5.1.2. Soekris 48xx

The Soekris 48xx line is sufficient for most Internet connections less than 30 Mbps. If IPsec VPN's will be used, a 48xx is sufficient up to around

One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 48xx maxes out at around 40 Mbps. If you need more than 40 Mbps of throughput between your internal networks, you will need to go with a faster platform.

2.5.1.3. WRAP

WRAP boards are sufficient for most Internet connections less than 30 Mbps. If IPsec VPN's will be used, a WRAP is sufficient up to around

One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 48xx maxes out at around 40 Mbps. If you need more than 40 Mbps of throughput between your internal networks, you will need to go with a faster platform.

2.5.2. Network Cards

Note
This is only applicable to PC-based installations.

Your selection of network cards (NIC's) is the single most important performance factor in your setup. Cheap NIC's will keep your CPU very busy with interrupt handling, causing your CPU to be the bottleneck in your configuration. A quality NIC can increase your maximum throughput as much as two to threefold, if not more.

FreeBSD refers to network cards by their driver name followed by the interface number. For example, if you have two Intel Pro/100 cards (fxp driver) and one 3Com 3C905 card (xl driver), you will have interfaces fxp0, fxp1, and xl0 respectively.

Intel Pro/100 and Pro/1000 cards tend to be the best performing and most reliable on m0n0wall. Cheap cards like those containing Realtek chipsets (FreeBSD rl driver) are very poor performers in comparison. If you are purchasing NIC's for your m0n0wall installation, we strongly recommend purchasing Intel cards. You can find them on eBay for less than $30 USD for 3-5 cards in a bulk lot.

For low throughput environments, like any typical broadband connection 6 Mbps or less, any NIC will suffice. If you require fast throughput (more than 30-40 Mbps) between interfaces for multiple LAN networks, or between a DMZ and your LAN, then using quality NIC's becomes much more important.

2.5.3. Processor

Your CPU will generally be the bottleneck in your system. Network throughput with cheap NIC's will max out your CPU long before it will get maxed out with quality NIC's, so the most important factor with CPU sizing is the quality of your NIC's.

If you are using good quality NIC's like Intel cards, as a general measure, a Pentium will suffice up to 30-40 Mbps, a Pentium III will do 100 Mb at wire speed, and for gigabit wire speeds you will need a 2.8+ GHz Pentium 4.

2.5.4. RAM

The stock m0n0wall images will not use more than 64 MB RAM under any circumstance. You can install as much memory as you like, but even with all features enabled and heavy loads, you will not exhaust 64 MB.

2.5.5. Storage Medium


m0n0wall will work fine on any hard drive or CompactFlash card at least 8 MB in size. At boot, m0n0wall is loaded into RAM and runs from RAM, so the speed and type of storage medium used is not a factor in system performance.

Slower storage mediums like CompactFlash will take slightly longer to boot than hard drives will, but boot time is the only performance factor in selecting your storage medium. CompactFlash is suggested for maximum reliability since it is much less likely to fail than a hard drive.

2.5.6. High Throughput Environments


In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck. Most typical motherboards only have one or two PCI buses, and each can run an absolute maximum of 133 MBps, or 1064 Mbps. That's less than one gigabit interface can transfer. PCI-X can transfer up to 1056 MBps, or about 8.25 Gbps.

If you need sustained gigabit throughput at wire speed, you will want a server class motherboard with PCI-X slots and PCI-X NIC's.

2.6. Wireless Cards


Before considering using m0n0wall as an access point, read this FAQ entry.

These cards are broken into two lists: readily available cards, and discontinued/difficult to obtain cards.

2.6.1. Unsupported Cards

Currently all g, b/g, and a/b/g wireless cards are incompatible with m0n0wall. These require drivers that are only found in FreeBSD 5.x and 6.x, while m0n0wall is on 4.11. They will be supported when m0n0wall is on a newer version of FreeBSD.

2.6.2. Readily Available Cards


The following list, to the best of our knowledge, is 100% accurate. Please report any findings to the contrary to Chris Buechler.

Not all wireless cards support hostap mode (i.e. can function as an access point)! This is a limitation of the hardware itself, not m0n0wall or FreeBSD. If this list does not say "no hostap" next to the card, it should support hostap.

Note
The m0n0wall Documentation Project does not endorse any vendors you may find through froogle.google.com. We simply link there for your convenience. The searches provided may also bring up unrelated hardware in addition to the compatible hardware.

  3COM 3crwe737A AirConnect Wireless LAN PC Card
  Cisco Systems Aironet 340 (no hostap)
  Cisco Systems Aironet 350 (no hostap)
  Compaq WL100
  Compaq WL110
  D-Link DWL-520 (NOT DWL-520+, as it uses a different, unsupported, chipset)
  D-Link DWL-650 (Revisions A1-J3 ONLY. K1, L1, M, and P revisions not supported)
  Dell TrueMobile 1150 Series (no hostap)
  Intel PRO/Wireless 2011 LAN PC Card
  Linksys Instant Wireless WPC11
  Netgear MA311
  Netgear MA401
  SMC 2632W PC Card
  SMC 2602W PCI
  US Robotics Wireless Card 2410
  NL-2511CD
  miniPCI 2511MP
  Dell TrueMobile 1150 Series

2.6.3. Discontinued / Difficult to Obtain

Note
Some of the following do not support hostap. To determine if they do, search Google for the card name and FreeBSD, to determine which driver the card uses. If it is 'wi', it will work. Cards that use drivers other than wi do not support hostap.

  Accton airDirect WN3301
  Addtron AWA-100
  Adtec ADLINK340APC
  Aironet 4500/4800 series (PCMCIA, PCI, and ISA adapters are all supported)
  Airway 802.11 Adapter
  Avaya Wireless PC Card
  BayStack 650 and 660
  Blue Concentric Circle CF Wireless LAN Model WL-379F
  BreezeNET PC-DS.11
  Buffalo WLI-CF-S11G
  Cabletron RoamAbout 802.11 DS
  Corega KK Wireless LAN PCC-11, PCCA-11, PCCB-11
  ELECOM Air@Hawk/LD-WL11/PCC
  ELSA AirLancer MC-11
  Farallon Skyline 11Mbps Wireless
  Farallon SkyLINE Wireless
  ICOM SL-1100
  Icom SL-200
  IBM High Rate Wireless LAN PC Card
  IO Data WN-B11/PCM
  Laneed Wireless card
  Lucent Technologies WaveLAN/IEEE 802.11 PCMCIA and ISA standard speed (2Mbps) and turbo speed (6Mbps) wireless network adapters and workalikes
  Lucent WaveLAN/IEEE 802.11
  Melco Airconnect WLI-PCM-S11, WLI-PCM-L11
  Melco WLI-PCM
  NCR WaveLAN/IEEE 802.11
  NEC Wireless Card CMZ-RT-WP
  NEC Aterm WL11C (PC-WL/11C)
  NEC PK-WL001
  NEL SSMagic
  Netwave AirSurfer Plus and AirSurfer Pro
  PLANEX GeoWave/GW-NS110
  Proxim Harmony, RangeLAN-DS
  Raytheon Raylink PC Card
  Sony PCWA-C100
  TDK LAK-CD011WL
  Toshiba Wireless LAN Card
  Webgear Aviator
  Webgear Aviator Pro
  Xircom Wireless Ethernet adapter (rebadged Aironet)
  ZoomAir 4000

2.7. Ethernet Cards


m0n0wall supports most any Ethernet card (NIC). However, some are more reliable, less troublesome and faster than others. In general, you'll find the opinion of the m0n0wall community to be that cheap chipsets, such as Realtek chipsets, are more troublesome and slower than quality NICs like Intel, no matter what software and OS you are running. It is especially important to run quality NICs if you are running a high-traffic firewall. The cheaper ones will flood your system with interrupts when under load. Because interrupts can take up substantial amounts of CPU time, and the first system bottleneck on a firewall is typically CPU, good quality NICs are extremely important in higher throughput environments.

I would personally recommend Intel NICs over any others. The Intel PRO/100 cards are easy to find, and if you have to buy some, they're cheap. You could outfit your firewall with three interfaces for less than $25 USD on eBay.

2.7.1. Supported Cards


We recommend just trying whatever Ethernet cards you already have without bothering with the compatibility list, since it includes virtually every NIC. One notable exception is some newer gigabit cards. For this reason, we suggest checking the hardware notes referenced below for gigabit cards, or just getting Intel PRO/1000 cards, which are well supported.

If you have any question on what cards are compatible, refer to the FreeBSD 4.11-RELEASE Hardware Notes for a list of supported Ethernet cards.

2.7.2. ISA Network Cards


While a large number of ISA Ethernet cards are supported, we recommend you stay away from them if possible. They can be very time consuming and difficult to get working properly. The cost of a few PCI network cards is, in my opinion, well worth the headaches it will prevent. The only time you should use ISA NICs is when you don't have any, or enough, PCI slots.

If you have ISA cards that you'd like to try, by all means give them a shot. It might work out of the box, especially if you only have one ISA card along with some PCI cards. But if you experience problems getting them to work, you've been warned!

If you need to get an ISA card working, you'll probably need to change some things. First, most ISA NICs, including the common 3Com ISA cards, have a "plug and play" mode on the card that is selected by default. FreeBSD doesn't always play nicely with devices that are set to plug and play. In the case of the 3Com cards, 3Com has a DOS utility on their support site that you will have to run in DOS to set up the resources on all of the cards manually. Check your network card manufacturer's support site for information on disabling any plug and play settings on ISA cards. This is typically done with jumpers on the card or a firmware utility.

Another thing you may have to do is to change some settings in the system BIOS. For example, you may need to set the IRQ used by the NIC to ISA/PnP.

Chapter 3. Setup
Table of Contents

3.1. Getting the Software
3.2. Installing the Software
  3.2.1. Preparing a bootable CD
  3.2.2. Preparing a CompactFlash or IDE Hard Disk
  3.2.3. Alternative means of installation
3.3. Booting m0n0wall

This chapter acts as a quick reference for those who are familiar with installing and configuring m0n0wall. If you need more than a quick reference on what commands to use to write a CD, CF, HD, etc., please see the Quick Start Guide appropriate to your platform:

Soekris Quick Start Guide
PC Quick Start Guide
WRAP Quick Start Guide

3.1. Getting the Software

There are ready-made binary images for the net45xx/net48xx communication computers from Soekris Engineering and the Wireless Router Application Platform (WRAP) from PC Engines, a CF/IDE HD image for most standard PCs (embedded ones may work, too), a CD-ROM (ISO) image for standard PCs, as well as a tarball of the root file system.

To download the software for your platform, point your web browser at http://www.m0n0.ch/wall/downloads.php and select the appropriate download link from that page. Download the file to your working machine, from which you will be writing to either a CD-R or a CompactFlash card as described in the next section.

3.2. Installing the Software

m0n0wall is designed to boot and run from either a CD image or a CompactFlash (CF) card or IDE hard disk. After downloading the appropriate image file, prepare the CD or CF.

3.2.1. Preparing a bootable CD

You can run m0n0wall on a standard PC with a CD-ROM drive and a floppy drive. A hard disk is not required. m0n0wall will boot from the CD and run from memory. The floppy is used only to store your m0n0wall configuration. If you want to run m0n0wall on a standard PC with a hard disk rather than a CD, follow the directions in the next section.

Download the ISO image as described in Getting the Software.

Burn the ISO image onto a CD-R (or RW):

FreeBSD (ATAPI recorder):


burncd -s max -e data cdrom-xxx.iso fixate

Linux (ATAPI w/ SCSI emulation): first, determine your burning device's SCSI ID/LUN with the following command:

linuxbox# cdrecord --scanbus
Cdrecord-Clone 2.01 (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
Linux sg driver version: 3.1.25
Using libscg version 'schily-0.8'.
scsibus0:
        0,0,0     0) 'LITE-ON ' 'COMBO LTC-48161H' 'KH0F' Removable CD-ROM

Note the SCSI ID/LUN is 0,0,0. Burn the image as in the following example (replacing <max speed> with the speed of your burner):

cdrecord --dev=0,0,0 --speed=<max speed> cdrom-xxx.iso

Windows: use your favorite burning program (e.g. Nero) to record the ISO image (2048 bytes/sector, Mode 1).

Format a standard 1.44 MB diskette with an MS-DOS/FAT filesystem.

FreeBSD:

fdformat -f 1440 /dev/fd0 && newfs_msdos -L "m0n0wallcfg" -f 1440 /dev/fd0

Note: you can omit the fdformat step if the floppy disk is already (low-level) formatted.

Windows:
format A:

Make sure your m0n0wall PC is set to boot from CD-ROM and not from floppy.

3.2.2. Preparing a CompactFlash or IDE Hard Disk


You can run m0n0wall on a system which uses a CompactFlash (CF) card as its primary disk, such as the Soekris boxes, or on a standard PC with an IDE hard disk. m0n0wall will load from the CF card or disk and then run from memory. It does not swap to the CF card or disk, nor does it write anything to it except when you change and save your configuration.

Download the appropriate raw CF/IDE image as described in Getting the Software.

Write the image to a sufficiently large CF card or disk (at least 5 MB). Extra space on the CF card or disk is ignored; there is no benefit to using one larger than the image size.

FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k

where n = the ad device number of your CF card or IDE disk (check dmesg); use net48xx-xxx.img for the net4801, wrap-xxx.img for WRAP, and generic-pc-xxx.img for an IDE disk on a PC instead of net45xx-xxx.img.

Ignore the warning about trailing garbage - it's because of the digital signature appended to the image.

Linux:


gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k

where X = the IDE device name of your CF card or IDE disk (check with hdparm -i /dev/hdX) - some adapters, particularly USB, may show up under SCSI emulation as /dev/sdX.

Ignore the warning about trailing garbage - it's because of the digital signature.

Windows:


physdiskwrite [-u] net45xx-xxx.img

where physdiskwrite is v0.3 or later of the physdiskwrite program available from the physdiskwrite page on the m0n0wall website. Use the -u flag (without the square brackets) if the target disk is > 800 MB - and make very sure you've selected the right disk!!

To ensure you have selected the appropriate disk, run physdiskwrite prior to inserting the media you're planning to write, and make note of its output.


physdiskwrite v0.5 by Manuel Kasper <mk@neon1.net>

Searching for physical drives...

Information for \\.\PhysicalDrive0:
   Windows:       cyl: 14593
                  tpc: 255
                  spt: 63
   C/H/S: 16383/16/63
   Model: ST3120026A
   Serial number: 3JT1V2FS
   Firmware rev.: 3.06

You now know the drives currently in the system, so you know which ones you don't want to use. Make note of the model and serial number. Add the drive or CompactFlash card you wish to write to, and run physdiskwrite again. You'll now see an additional drive in the output, and by referring back to when you ran the command earlier, you will know by process of elimination which drive is the one you want to write.
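The dd and physdiskwrite commands above do the same job: decompress the gzipped image and write it, 16 KB at a time, to the raw device. As an added example for this section (not m0n0wall's physdiskwrite and not part of the handbook), the following Python script does that with the checks the warnings above ask for: it refuses a target smaller than the image before writing anything, it stops cleanly at the end of the gzip stream instead of aborting on the appended signature (the "trailing garbage" gzcat complains about), and it reads the card back and compares a SHA-256 of what was written. Device names such as /dev/rad1 or /dev/sdb are assumptions; run_demo() uses a constructed random "image" with a fake signature and ordinary files standing in for CF cards so that it runs offline.

```python
import gzip
import hashlib
import os
import tempfile
import zlib

BLOCK_SIZE = 16 * 1024             # same as bs=16k in the dd commands above
GZIP_WBITS = 16 + zlib.MAX_WBITS   # make zlib expect a gzip wrapper


def inflate_to(src, sink, block_size=BLOCK_SIZE):
    """Decompress the gzip member at the start of src, passing each raw block
    to sink(). Returns the bytes after the member (the digital signature on
    m0n0wall images). zlib checks the gzip CRC32/length trailer for us and
    raises zlib.error on a corrupt download."""
    inflate = zlib.decompressobj(GZIP_WBITS)
    while not inflate.eof:
        chunk = src.read(block_size)
        if not chunk:
            raise ValueError("gzip stream ended early: truncated download?")
        sink(inflate.decompress(chunk))
    return inflate.unused_data + src.read()


def inspect_image(image_gz):
    """Dry run: raw size, SHA-256 of the raw image and the trailing bytes."""
    digest, size = hashlib.sha256(), [0]

    def count(block):
        digest.update(block)
        size[0] += len(block)

    with open(image_gz, "rb") as src:
        trailing = inflate_to(src, count)
    return size[0], digest.hexdigest(), trailing


def write_image(image_gz, target):
    """Write image_gz to target (an assumed raw device such as /dev/rad1 or
    /dev/sdb, or a file standing in for one). The size check runs before
    the first byte is written, so a card that is too small is refused
    rather than half-filled."""
    size, sha256, trailing = inspect_image(image_gz)
    flags = os.O_WRONLY | getattr(os, "O_BINARY", 0)  # no O_CREAT: a mistyped path fails
    fd = os.open(target, flags)
    try:
        capacity = os.lseek(fd, 0, os.SEEK_END)
        if capacity < size:
            raise ValueError(f"{target} holds {capacity} bytes, image needs {size}")
        os.lseek(fd, 0, os.SEEK_SET)

        def put(block):
            view = memoryview(block)
            while view:                       # os.write may write short
                view = view[os.write(fd, view):]

        with open(image_gz, "rb") as src:
            inflate_to(src, put)
        os.fsync(fd)
    finally:
        os.close(fd)
    return size, sha256, trailing


def verify_image(target, size, sha256, block_size=BLOCK_SIZE):
    """Read back the first `size` bytes of target and compare the hash."""
    digest, remaining = hashlib.sha256(), size
    with open(target, "rb") as dev:
        while remaining:
            block = dev.read(min(block_size, remaining))
            if not block:
                return False
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest() == sha256


def run_demo(image_size=40_000, card_size=64 * 1024):
    """Constructed stand-ins: random bytes as the raw image, gzipped with a
    fake signature appended, and fixed-size files playing the CF cards."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = os.urandom(image_size)
        image_gz = os.path.join(tmp, "generic-pc-demo.img")
        with open(image_gz, "wb") as f:
            f.write(gzip.compress(raw) + b"CONSTRUCTED-SIGNATURE")
        card = os.path.join(tmp, "cf-card")
        with open(card, "wb") as f:
            f.truncate(card_size)
        written, sha256, trailing = write_image(image_gz, card)
        small = os.path.join(tmp, "too-small-card")
        with open(small, "wb") as f:
            f.truncate(image_size // 2)
        try:
            write_image(image_gz, small)
            refused = False
        except ValueError:
            refused = True
        with open(small, "rb") as f:
            untouched = f.read() == b"\0" * (image_size // 2)
        return {
            "written": written,
            "hash_matches_source": sha256 == hashlib.sha256(raw).hexdigest(),
            "readback_verified": verify_image(card, written, sha256),
            "trailing": trailing,
            "small_card_refused": refused,
            "small_card_untouched": untouched,
        }
```

Against a real card, call write_image("net45xx-xxx.img", "/dev/sdb") as root and then verify_image() with the size and hash it returns; the readback is the step dd does not do for you, and it is what catches a worn CF card that silently drops writes.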

3.2.3. Alternative means of installation


For alternative means of installing m0n0wall, see the Installation section of the Other Documentation chapter.

3.3. Booting m0n0wall


The first time you boot your system to run m0n0wall, you must configure it. Once configured, it will automatically run m0n0wall with your configuration when booted.

When booting your m0n0wall system for the first time:

- Insert the m0n0wall CD, CF or disk you prepared according to the instructions above. On a CD system, also insert the formatted and blank floppy disk. Make sure the floppy is writable (not write-protected) and formatted with the FAT filesystem.
- Ensure that the system boots from the CD, CF or disk. You may need to enter the BIOS on your system to configure this.
- Ensure that the system console is available. On a PC, make sure keyboard and monitor are connected to the system. On a Soekris box, the serial port is the console; connect it to a terminal, or use a null modem cable to connect it to a serial port on another computer running a terminal emulator.
- On a Soekris box or WRAP board, make sure the console speed is set to 9600 bps in the BIOS (set ConSpeed=9600 for Soekris boxes).
- Connect the system to the network.
- Boot the system and wait for the console menu to appear. Assign the network interface ports as described in the following chapter.
- Complete the configuration of your m0n0wall system by using the webGUI as described below. Save your configuration file to your working computer as a backup.

Note

It seems that some Soekris net45xx boxes have a bug where sometimes a character is sent twice over the serial console, but another character is dropped instead. This is solved with a BIOS upgrade from Soekris (version 1.15a or later).

After you have finished editing your configuration, you are ready to go. You do not need to reboot your m0n0wall box, although you may wish to do so to see that it boots directly into operation.

Chapter 4. Configuration
Table of Contents

4.1. The Console Menu
4.2. The Web GUI
4.3. The System Screens
  4.3.1. General Setup
  4.3.2. Static Routes
  4.3.3. Firmware
  4.3.4. Advanced
  4.3.5. User Manager
4.4. The Interfaces Screens
  4.4.1. Assign Interfaces
  4.4.2. LAN
  4.4.3. WAN
  4.4.4. Optional Interfaces
  4.4.5. Wireless Interfaces
4.5. The Services Screens
  4.5.1. DNS Forwarder
  4.5.2. Dynamic DNS
  4.5.3. DHCP
  4.5.4. SNMP
  4.5.5. Proxy ARP
  4.5.6. Captive Portal
  4.5.7. Wake on LAN
  4.5.8. SIP Proxy
4.6. The Status Screens
  4.6.1. System
  4.6.2. Interfaces
  4.6.3. Traffic Graph
  4.6.4. Wireless
  4.6.5. The status.php page
4.7. The Diagnostics Screens
  4.7.1. System Logs
  4.7.2. DHCP Leases
  4.7.3. IPsec
  4.7.4. Ping/Traceroute
  4.7.5. ARP Table
  4.7.6. Firewall State
  4.7.7. Reset State
  4.7.8. Backup/Restore
  4.7.9. Factory Defaults
  4.7.10. Reboot System

This chapter is meant as a reference for most configuration options. If you don't know how to get up and running with a basic two-interface setup and get into the webGUI, please see the Quick Start Guide for your platform:

Soekris Quick Start Guide
PC Quick Start Guide
WRAP/ALIX Quick Start Guide

4.1. The Console Menu


On boot, after printing the standard BIOS messages and the FreeBSD boot messages, m0n0wall does not show a login prompt, but instead shows a simple menu on the console.

Using the console menu, you can assign the function of each network port: LAN, WAN, or OPT for additional optional ports such as a DMZ, additional LAN interfaces, a wireless access point, etc. You only need to assign the LAN port here, and probably want to assign the WAN interface as well. The rest can be done in the webGUI if desired. Change the IP address of the LAN port as appropriate for your network, and you are ready to connect to the webGUI to set up the remainder of your configuration as described in the next section.

4.2. The Web GUI


To edit your m0n0wall configuration, point your web browser at your m0n0wall box. m0n0wall runs a web server on the standard web port (80) of its LAN connection. When you first connect to your m0n0wall web server, it will ask you for a username and password. The username is admin and the default password is mono. To improve security, change the password in the General Setup screen; consider switching the webGUI protocol to HTTPS there as well, since over plain HTTP the password crosses the LAN in clear text on every request.

The default m0n0wall configuration may be sufficient for you. If not, look through each of the screens, described below, to find the specific items you want to change. After you have made and saved your changes on the m0n0wall box, remember to download a backup copy of your configuration to another machine on your LAN.

When you first access the m0n0wall webGUI you will see the System Status screen. Along the left-hand side of all screens is a menu to allow you to navigate to other screens. The items under the Interfaces menu heading may be different in your system, depending on how many network interfaces you have and how you have named them. The descriptions in the following sections are organized in the same way as the items in the navigation menu.

Note

Some of the screenshots in the following sections include blurred areas. When you view your m0n0wall screens, these will contain information specific to your system.

4.3. The System Screens

4.3.1. General Setup

The General Setup screen allows you to control some general parameters of your firewall.

Figure 4.1. The General Setup screen

The General Setup screen allows you to change the following parameters:

Table 4.1. General Setup parameters

Hostname
    The unqualified hostname of your firewall.
    Example: myfirewall. Reference: IP Basics.
Domain
    The domain name to qualify your firewall hostname.
    Example: example.com. Reference: IP Basics.
DNS Servers
    The IP address of one or more DNS servers for use by the firewall.
    Example: 10.0.0.123. Reference: DNS.
Username
    The username to use when connecting to the m0n0wall webGUI.
    Example: admin.
Password
    The password to use when connecting to the m0n0wall webGUI. The current password is not displayed; this field is used only to change the password. You should change this when you first install m0n0wall.
webGUI Protocol
    The protocol for the m0n0wall webGUI to use. If you select HTTPS, you will need to access your webGUI using a URL that starts with "https:" and to enter a signed certificate and key in the Advanced System page.
webGUI Port
    The port for the m0n0wall webGUI to use, if not the default.
Time zone
    The time zone of your firewall. This affects the value of times printed to logs.
    Reference: Logging.
Time update interval
    How often your firewall should contact the NTP server to update its time.
    Reference: Logging.
NTP time server
    The name of the NTP (Network Time Protocol) server for your firewall to use.
    Reference: Logging.

4.3.2. Static Routes


Static routes are necessary when you have a subnet behind another router on any of your internal networks. Static routes are never required for directly connected networks, or if the network in question is reachable through your WAN interface's default gateway.

The Static Routes subsection allows the user to set up static routes in order to reach networks that must use a gateway different from the default one. By pressing the + icon, the system allows the user to add new static routes.

The parameters to set up a new route are the following:

- Interface: select the interface to which the route must be applied. This is the interface off of which the destination network is located.
- Destination Network: the network that has to be reached, in Classless Inter-Domain Routing (CIDR) notation (see RFC 1517, RFC 1518, RFC 1519 and RFC 1520 for more details).
- Gateway: the IP address of the router/gateway that the firewall must use in order to reach the defined Destination Network. It has to be a directly reachable neighbour on the selected interface.
- Description: enter an optional description for the inserted route.
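The three rules above (no route for a directly connected network, no route for anything the WAN default gateway already reaches, and a gateway that must sit on the chosen interface's subnet) are easy to get wrong on a box with several OPT interfaces. The following is an added illustration, not m0n0wall's own code: a checker that applies those rules to a Static Routes table before you enter it. The interface addresses, gateway and routes in EXAMPLE_* are constructed (RFC 5737 documentation ranges and private space); the function names are assumptions of this example.

```python
import ipaddress


def validate_static_routes(interfaces, default_gateway, routes):
    """Check a Static Routes table against the rules stated above.

    interfaces:      {"LAN": "192.168.1.1/24", ...}, the address of each
                     m0n0wall interface in CIDR notation
    default_gateway: the gateway configured on the WAN interface
    routes:          dicts with keys interface, destination, gateway
    Returns a list of (destination, problem) pairs; an empty list means
    every route is actually needed and its gateway can be reached."""
    subnets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    own_ips = {ipaddress.ip_interface(a).ip for a in interfaces.values()}
    default_gw = ipaddress.ip_address(default_gateway)
    problems, seen = [], set()

    for r in routes:
        dest, iface = r["destination"], r["interface"]
        try:
            net = ipaddress.ip_network(dest)  # strict: host bits must be zero
            gw = ipaddress.ip_address(r["gateway"])
        except ValueError as err:
            problems.append((dest, f"not a valid CIDR network or gateway: {err}"))
            continue
        if net in seen:
            problems.append((dest, "duplicate destination"))
        seen.add(net)
        if iface not in subnets:
            problems.append((dest, f"unknown interface {iface!r}"))
            continue
        # Rule 1: a directly connected network never needs a static route.
        connected = [n for n, s in subnets.items()
                     if s.version == net.version and net.subnet_of(s)]
        if connected:
            problems.append((dest, f"directly connected on {connected[0]}, no route needed"))
        # Rule 2: anything behind the WAN default gateway is reached without one.
        if gw == default_gw:
            problems.append((dest, "next hop is the WAN default gateway, already the default path"))
        # Rule 3: the gateway must be a neighbour on the chosen interface.
        if gw not in subnets[iface]:
            problems.append((dest, f"gateway {gw} is not on {iface} ({subnets[iface]})"))
        elif gw in own_ips or gw in (subnets[iface].network_address,
                                     subnets[iface].broadcast_address):
            problems.append((dest, f"gateway {gw} is not a usable next hop"))
    return problems


# Constructed sample: documentation address ranges, not a real network.
EXAMPLE_INTERFACES = {"LAN": "192.168.1.1/24", "WAN": "203.0.113.2/24",
                      "OPT1": "10.10.0.1/24"}
EXAMPLE_DEFAULT_GATEWAY = "203.0.113.1"
EXAMPLE_ROUTES = [
    # the one legitimate case: a subnet behind another router on OPT1
    {"interface": "OPT1", "destination": "10.20.0.0/16", "gateway": "10.10.0.254"},
    # directly connected: already reachable, no route needed
    {"interface": "LAN", "destination": "192.168.1.0/24", "gateway": "192.168.1.254"},
    # the gateway sits on LAN, but the route was attached to OPT1
    {"interface": "OPT1", "destination": "10.30.0.0/24", "gateway": "192.168.1.254"},
    # reachable through the WAN default gateway anyway
    {"interface": "WAN", "destination": "198.51.100.0/24", "gateway": "203.0.113.1"},
    # host bits set: not a valid network in CIDR notation
    {"interface": "LAN", "destination": "10.40.0.5/24", "gateway": "192.168.1.254"},
]

if __name__ == "__main__":
    for dest, why in validate_static_routes(EXAMPLE_INTERFACES,
                                            EXAMPLE_DEFAULT_GATEWAY, EXAMPLE_ROUTES):
        print(f"{dest}: {why}")
```

Only the first sample route survives the checks; the other four are the mistakes the paragraph above warns about, reported one per route.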

4.3.3. Firmware
The Firmware screen allows you to upgrade or downgrade your m0n0wall version (only available if you are running a hard drive or CompactFlash installation).

Figure 4.2. The Firmware screen

4.3.4. Advanced
The options on the Advanced System page are intended for use by advanced users only, and there's NO support for them.

Table 4.2. Advanced System Options

IPv6 tunneling
    Enter the internal IP address to which encapsulated IPv6 packets (IP protocol 41/RFC 2893) should be NATed. Don't forget to add a firewall rule to permit IPv6 packets!
Filtering bridge
    This will cause bridged packets to pass through the packet filter in the same way as routed packets do (by default bridged packets are always passed). If you enable this option, you'll have to add filter rules to selectively permit traffic from bridged interfaces.
webGUI SSL certificate/key
    Paste a signed (firmware 1.2) or create a self-signed (firmware 1.3b12+) certificate in X.509 and an RSA private key in PEM format here.
Console menu
    Changes to this option will take effect after a reboot.
Firmware version check
    This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed.
IPsec fragmented packets
    This will cause m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets.
IPsec DNS check interval (firmware 1.3)
    If at least one IPsec tunnel has a hostname (instead of an IP address) as the remote gateway, a DNS lookup is performed at the interval specified here, and if the IP address that the hostname resolved to has changed, the IPsec tunnel is reconfigured. The default is 60 seconds.
TCP idle timeout
    Idle TCP connections will be removed from the state table after no packets have been received for the specified number of seconds. Don't set this too high or your state table could become full of connections that have been improperly shut down. The default is 2.5 hours.
Hard disk standby time
    Puts the hard disk into standby mode when the selected amount of time after the last access has elapsed. Do not set this for CF cards.
Navigation
    Keep Diagnostics in the navigation menu expanded.
Static route filtering
    This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.
webGUI anti-lockout
    By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!). Hint: the "set LAN IP address" option in the console menu resets this setting as well.
IPsec SA preferral
    By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old. Select this option to always prefer old SAs over new ones.
Device polling
    Device polling is a technique that lets the system periodically poll network devices for new data instead of relying on interrupts. This can reduce CPU load and therefore increase throughput, at the expense of a slightly higher forwarding delay (the devices are polled 1000 times per second). Not all NICs support polling; see the m0n0wall homepage for a list of supported cards.
Firewall states displayed
    Maximum number of firewall state entries to be displayed on the Diagnostics: Firewall state page. Default is 300. Setting this to a very high value will cause a slowdown when viewing the firewall states page, depending on your system's processing power.

4.3.4.1. IPv6

IPv6 support is included in the latest 1.3 beta release (v12 or later). The base for this was actually contributed by Michael Hanselmann way back in 2005, and with some modifications to reflect the changes in m0n0wall since then, as well as a few fixes/improvements (most notably easy-to-configure 6to4 support), it is now finally in an official release. (Belated) Thanks, Michael!

IPv6 support must be explicitly enabled on the System: Advanced setup page before any of the new options will become available. Also, by default there are no firewall rules for IPv6, so everything is blocked. Make sure to add at least a rule on your LAN interface for outbound connections if you want to use IPv6.

After IPv6 is activated, additional options will become available in the main menu for routing and firewall management. Interface pages will also offer additional IPv6 configuration options. A useful option under the LAN interface will appear to send IPv6 Router Advertisements. This allows other hosts on the LAN to automatically configure their IPv6 address based on the prefix and gateway information that the firewall provides them.

Caution

Since 1.3b12 is the first release with IPv6 support, bugs in the implementation are likely. As always, please post on the mailing list or in the forum if you've found something odd (with a detailed description of what you did, please). Also let us know if everything worked "out of the box". :)

If you don't have native IPv6 connectivity yet, don't worry: 6to4 tunneling is supported, which should work anywhere you've got a (non-firewalled) public IPv4 address. Simply choose "6to4" for the IPv6 mode on both the WAN and LAN interfaces - no need to manually configure any IPv6 addresses (check the IPv6 RA option on the LAN interface and your LAN hosts will be able to automatically obtain an IPv6 address). It can also work with dynamic WAN IPv4 addresses (LAN/OPT IPv6 subnets are adjusted automatically). Note that some operating systems do not use IPv6 when connecting to a host that supports both IPv4 and IPv6 if they are configured with a 6to4 IPv6 address (see RFC 3484), so use an IPv6-only host (try http://ipv6.m0n0.ch) for browser testing, or simply do a "ping6".

If you've got native IPv6 connectivity (over PPPoE/PPTP with 1.3b13 or later), remember that you'll have to statically route your m0n0wall's LAN subnet from your upstream router - there's no NAT for IPv6 in m0n0wall (and it would be pretty pointless in most cases anyway :).

Also, if you've gotten it to work and need some IPv6-capable websites to try it out, have a look at http://sixy.ch (or http://ipv6.sixy.ch), a directory of IPv6-enabled websites.

Note

Although many operating systems support IPv6 by default, such as Mac OS X 10.4+, Windows Vista and many Linux distributions, some systems need it to be activated (such as Windows XP) and some systems may not support it at all (such as the Apple iPhone 2.0 and older versions of Windows). Check your operating system documentation to see if IPv6 is available.

For more information on IPv6 check out some of the following websites:

- IPv6 Swiss Task Force
- Wikipedia: IPv6
- Microsoft Technet: IPv6
- Ars Technica: Everything you need to know about IPv6
- IPv6 Tunnel Brokers: Wikipedia or LinuxReviews.org
- Cool IPv6 Stuff from sixxs.net

4.3.5. User Manager

Additional webGUI users can be added here. User permissions are determined by the admin group they are a member of.

Additional webGUI admin groups can be added here as well. Each group can be restricted to specific portions of the webGUI. Individually select the desired web pages each group may access. For example, a troubleshooting group could be created which has access only to selected Status and Diagnostics pages.

4.4. The Interfaces Screens

4.4.1. Assign Interfaces

The Assign submenu allows you to map the symbolic references LAN and WAN to the physical interfaces that are present on the system. Click on the Save button to apply changes, and remember that a change in this assignment will require a system reboot for the change to take effect.

4.4.2. LAN
In the LAN section, it is possible to change the IP address and the netmask (in CIDR notation) of the firewall's internal interface. The system must be rebooted in order to apply the changes, as suggested after pressing the "Save" button.

4.4.2.1. LAN IPv6

When IPv6 is activated in firmware 1.3 beta 13 or higher, additional IPv6 options will become available on the LAN interface.

4.4.3. WAN

In the WAN subsection, it is possible to set up all the parameters for the WAN interface. The WAN interface can have a static IP address, a DHCP address, a PPPoE interface or a PPTP connection, as detailed in the following. Depending on the connection type selected, the related sub-panel must be filled in.

A detailed description of all the fields follows.

- Type: the connection type that must be used
  - Static: a static IP address is assigned to the interface with the related netmask and gateway
  - DHCP: a dynamic address is assigned to the firewall WAN by a DHCP server on the WAN side
  - PPPoE: PPP over Ethernet, useful for ADSL connections
  - PPTP: allows setting up PPTP for the ADSL providers that require this protocol for the connection
- General Configuration panel: allows overriding the default MAC address and MTU
  - MAC Address: some cable connections require MAC spoofing. The MAC address must be in the format xx:xx:xx:xx:xx:xx
  - MTU: the value in this field enables MSS clamping for TCP connections to the value entered minus 40 (TCP/IP header size). If the field is left blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types will be assumed
- Static IP Configuration: in this panel the static IP and gateway for the WAN interface must be set:
  - IP Address: the static IP with related netmask is set in this field
  - Gateway: the default gateway for the firewall is set in this field
- PPPoE Configuration: the username and password for the ADSL connection should be set up here
  - Username: the username the provider assigned to your connection
  - Password: the password the provider assigned to your connection
- PPTP Configuration: the parameters inserted in this sub-panel allow the user to establish the tunnel required by the PPTP ADSL connection
  - Username: the username the provider assigned to your connection
  - Password: the password the provider assigned to your connection
  - Local IP Address: the local IP address the provider assigned to your connection
  - Remote IP Address: the remote IP address the provider assigned to your connection
- Block Private Networks: this option puts in rules to drop traffic coming in on the WAN from private IP subnets. If you configure your m0n0wall with the WAN interface on a private subnet of another LAN, for example, you need to disable this option. Also, some ISPs assign customers private IPs, in which case you'll also need to disable this option.

Note
You do not need to disable the Block Private Networks option if you are using IPsec VPN tunnels with private IP addresses. When the VPN packets come into the WAN interface, they will be coming from the source IP of the WAN interface of the remote VPN device, not from the private IP subnet on the remote side.

4.4.3.1. WAN IPv6

When IPv6 is activated in firmware 1.3 beta 13 or higher, additional IPv6 options will become available on the WAN interface.

4.4.4. Optional Interfaces


Optional interfaces can be used for a variety of purposes. Generally they are used as second LAN interfaces or DMZ interfaces.

4.4.5. Wireless Interfaces


The wireless interface configuration screen is only presented if a compatible wireless card is found at system startup. Options will be presented depending on the features supported by the wireless card. See the Wireless chapter for more information on wireless configuration options.

4.5. The Services Screens

4.5.1. DNS Forwarder

This service allows you to use the fixed IP address of your m0n0wall's LAN Ethernet interface to resolve/proxy all DNS queries on your LAN network. When the m0n0wall DHCP server assigns IP addresses, it also assigns the LAN IP address as the DNS server to use. Otherwise, to benefit from this service you must manually configure the DNS IP address on your computers to be the LAN IP of your m0n0wall.

If the DNS forwarder is enabled, the DHCP service (if enabled) will automatically serve the LAN IP address as a DNS server to DHCP clients so they will use the forwarder. The DNS forwarder will use the DNS servers entered in System: General setup, or those obtained via DHCP or PPP on WAN if "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked. If you don't use that option (or if you use a static IP address on WAN), you must manually specify at least one DNS server on the System: General setup page.

This is important, for instance, if you have your DHCP clients renewing their IP address information every 3 days, but every day your WAN IP changes from your ISP. If your ISP changed the DNS servers on you, then it would be 2 days until your DHCP clients received the correct information. By using your LAN IP address, all LAN network clients are assured of a working DNS server as long as the m0n0wall has received a good DNS IP address to use... even if it just received the new DNS information a minute ago. This also allows a network administrator to easily redirect all traffic to a new internal DNS server (maybe while transitioning a new server into the network).

Setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" is necessary if your ISP might change the IP address of the DNS server. If you have a static IP address on your WAN, then you would not need this option set.

The DNS forwarder screen contains configuration options relevant to the DNS forwarding server on your m0n0wall.

Enabling the DNS Forwarder

Check the first checkbox, "Enable DNS forwarder", to enable the service on the LAN interface. After enabling this, you will need to configure your client machines to use the LAN IP address of your m0n0wall as their DNS server.

DNS Host Name Registration

If your m0n0wall acts as the DHCP server for your LAN, and you need name resolution between hosts on the LAN, check the "Register DHCP leases in DNS forwarder" box. It will append the default domain in System: General setup to the hostname of the computer that is requesting a DHCP lease. For example, if your machine name is mypc and your default domain is example.com, it will register mypc.example.com with the IP address assigned from DHCP, so the other hosts on your LAN can locate your machine by that name.

Caution

Be sure that your computers have unique names.

DNS Forwarder Overrides

If there are certain DNS hostnames you want to override for your internal DNS clients, add them under DNS overrides on this page. For example, if you want www.yourcompany.com to point to a different site internally than it does from the Internet, enter an override for www.yourcompany.com with the appropriate IP address. This can also be used as a rudimentary (and easy to bypass) filter on websites LAN clients can visit, by assigning the undesired hostname to an address that will never answer. For example, to block www.example.com, put in an override that points it at 127.0.0.1 (avoid an arbitrary public address such as 1.2.3.4 for this: it is assigned to someone, and your clients will actually send their requests there). Note that using a different DNS server or editing the hosts file on the client machine gets around this restriction, but doing this is sufficient to block the site for the vast majority of users.

4.5.2. Dynamic DNS


Dynamic DNS allows you to have a permanent hostname that can be used to access your network, generally used when your public IP address is assigned by DHCP and subject to change. This allows you to run your own web server, mail server, etc. using a DNS hostname.

For links to providers of dynamic DNS services, visit the website of the dynamic DNS client used by m0n0wall, ez-ipupdate.

After you have signed up with one of the dynamic DNS providers listed, you can continue.

Configuring the Dynamic DNS Client

To start, first check the "Enable Dynamic DNS client" box at the top of the page.

In the "Service type" drop-down box, select the service you signed up with above.

Some services support MX DNS records on dynamic DNS subdomains. This helps ensure you can get email to your hostname. If your service supports this (dyndns.org is one that does; others do as well), fill in your mail server's hostname in that field. If you do not need an MX record, or if your provider does not support them, just leave the field blank.

Wildcards: if you want to enable wildcards on your dynamic DNS hostname, check this box. This means all hostnames not specifically configured are redirected to your dynamic DNS name. So if your dynamic DNS name is example.homeip.net and you enable wildcards, www.example.homeip.net, mail.example.homeip.net, anything.example.homeip.net, etc. (i.e. *.example.homeip.net) will all resolve to example.homeip.net.

The next two boxes are for your username and password. Enter your account information from the dynamic DNS provider.

Click Save. Your dynamic DNS hostname should immediately be updated with your WAN IP address. To verify this, ping your dynamic DNS hostname. It should resolve to the IP address of the WAN interface of your m0n0wall. If not, check Diagnostics: System logs for information on why it failed.

4.5.3. DHCP
This screen allows you to enable the DHCP server on enabled Ethernet interfaces other than WAN.

Enabling the DHCP Server

To enable the DHCP server on a particular interface, click on the appropriate tab for the interface and check the "Enable DHCP server on interface" box.

Deny unknown clients

This option allows you to implement a more secure DHCP configuration. Many companies suffer from worm outbreaks and related security issues due to unauthorized machines being plugged into their network. This option will help ensure only authorized hosts can receive a lease from your DHCP server. With this option enabled, only hosts defined at the bottom of this page will receive a lease from DHCP.

The downside to this option is that it can be difficult to maintain when you have more than a handful of hosts on your network. Many will find the increased security worth the increase in maintenance.

Note that this is only sufficient to stop the typical user that expects to be able to plug into your network and obtain a DHCP lease to get on the Internet. Anyone with network and/or security expertise can easily bypass this: configuring a static address by hand, or cloning the MAC address of a host that is on the list, is enough. Treat it as a convenience control, not as network access control.

Subnet, Subnet Mask and Available range are filled in from the IP and subnet information of that particular interface.

Range

In the first box, enter the starting address of your DHCP range. In the second box, enter the ending address of the range. Note that you don't want to make this the same as the available range, as this includes the subnet address and broadcast address, which are unusable, as well as the address of your m0n0wall interface, which also cannot be in the range.

WINS Servers

If you use an NT4 domain, or have pre-Windows 2000 clients that need to access an Active Directory domain, you will need to fill in your WINS server IP addresses in these boxes. If you only have one WINS server, leave the second box blank.

Default and Maximum Lease Time

The default lease time is the length of the DHCP lease on any clients that do not request a specific expiration time on their DHCP lease. The default is 7200 seconds, or two hours. For the vast majority of network environments, this is too low. I would generally recommend setting this to a week, which is 604,800 seconds.

The maximum lease time must be more than the default lease time. Most networks will not use this value at all. In most instances, I set this to one second longer than the default lease time.

Click Save to save your changes, then click Apply to enable the DHCP server.

Static DHCP Mappings

Static DHCP mappings can be used to assign the same IP address every time to a particular host. This can be helpful if you define access rules on the firewall or on other hosts on your LAN based on IP address, but still want to use DHCP. Alternatively, you can keep the IP address box blank to assign an IP out of the available range, when you are using the "Deny unknown clients" option.

Click the + icon at the bottom of the DHCP configuration page to add a static DHCP mapping.

In the MAC address box, fill in the system's MAC address in the format xx:xx:xx:xx:xx:xx. For Windows NT/2000/XP clients, you can determine the MAC address by opening a command prompt and typing 'ipconfig /all'. For Windows 95/98/ME clients, go to Start, Run, winipcfg. For Unix clients, use ifconfig.

In the IP address box, fill in the IP address you want to be assigned to the client, or leave it blank to automatically assign one from the available DHCP range. If you put in a static IP address, it must not be within the range of the DHCP server.

It is recommended you fill in a description in the Description box to remind you what this entry is for, though this is an optional value.

Click Save when you are finished and the mapping will be added.

Note
The DNS servers entered in System: General setup (or the DNS forwarder, if enabled) will be assigned to clients by the DHCP server.

The DHCP lease table can be viewed on the Diagnostics: DHCP leases page.
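The constraints spread over the DHCP page above (a range that excludes the subnet address, the broadcast address and m0n0wall's own interface address; a maximum lease longer than the default lease; static mappings in xx:xx:xx:xx:xx:xx form whose fixed addresses lie inside the subnet but outside the range) are exactly the ones a misconfigured server breaks silently. As an added example, not m0n0wall's own validation code, here is a checker for one DHCP tab. GOOD_CONFIG and BAD_CONFIG are constructed sample configurations; BAD_CONFIG commits the "same as the available range" mistake the Range paragraph warns about.

```python
import ipaddress
import re

MAC_FORMAT = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # xx:xx:xx:xx:xx:xx


def validate_dhcp(interface_cidr, range_start, range_end, static_mappings,
                  default_lease=7200, max_lease=7201):
    """Check a DHCP server tab the way the text above says to fill it in.

    interface_cidr:  the m0n0wall interface address in CIDR form, e.g.
                     "192.168.1.1/24" (Subnet, Subnet mask and Available
                     range on the page are derived from it)
    range_start/end: the two Range boxes
    static_mappings: dicts with keys mac, ip ("" = assign from the range)
                     and description
    Returns (problems, pool_size): a list of problem strings and the number
    of addresses the range hands out to dynamic clients."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    problems = []

    if start > end:
        problems.append(f"range start {start} is after range end {end}")
    for addr in (start, end):
        if addr not in net:
            problems.append(f"{addr} is outside the interface subnet {net}")
    # The Available range shown on the page is NOT what the Range should be:
    # it still contains the three addresses a client must never be handed.
    for reserved, why in ((net.network_address, "subnet address"),
                          (net.broadcast_address, "broadcast address"),
                          (iface.ip, "m0n0wall's own interface address")):
        if start <= reserved <= end:
            problems.append(f"range includes the {why} {reserved}")
    if max_lease <= default_lease:
        problems.append(f"maximum lease {max_lease}s must be longer than "
                        f"the default lease {default_lease}s")

    seen_macs, seen_ips = set(), set()
    for m in static_mappings:
        mac = m["mac"].strip().lower()
        tag = m.get("description") or mac
        if not MAC_FORMAT.match(mac):
            problems.append(f"{tag}: MAC {m['mac']!r} is not in xx:xx:xx:xx:xx:xx form")
        elif mac in seen_macs:
            problems.append(f"{tag}: MAC {mac} is mapped twice")
        seen_macs.add(mac)
        if not m.get("ip"):
            continue  # blank IP: the client gets an address from the range
        addr = ipaddress.ip_address(m["ip"])
        if addr not in net:
            problems.append(f"{tag}: {addr} is outside {net}")
        elif start <= addr <= end:
            problems.append(f"{tag}: {addr} lies inside the DHCP range {start}-{end}")
        elif addr in (iface.ip, net.network_address, net.broadcast_address):
            problems.append(f"{tag}: {addr} is reserved")
        if addr in seen_ips:
            problems.append(f"{tag}: {addr} is mapped to more than one MAC")
        seen_ips.add(addr)

    pool = int(end) - int(start) + 1 if start <= end else 0
    return problems, pool


# Constructed sample configurations (private addresses made up for the demo).
GOOD_CONFIG = dict(
    interface_cidr="192.168.1.1/24",
    range_start="192.168.1.100", range_end="192.168.1.199",
    static_mappings=[
        {"mac": "00:0d:b9:11:22:33", "ip": "192.168.1.10", "description": "printer"},
        {"mac": "00:16:3e:aa:bb:cc", "ip": "", "description": "laptop, from pool"},
    ],
    default_lease=604_800, max_lease=604_801,   # one week, as recommended above
)
BAD_CONFIG = dict(
    interface_cidr="192.168.1.1/24",
    range_start="192.168.1.0", range_end="192.168.1.255",   # the Available range
    static_mappings=[
        {"mac": "00-0d-b9-11-22-33", "ip": "192.168.1.150", "description": "printer"},
        {"mac": "00:0d:b9:11:22:34", "ip": "192.168.2.5", "description": "scanner"},
    ],
    default_lease=7200, max_lease=7200,
)

if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, BAD_CONFIG):
        problems, pool = validate_dhcp(**cfg)
        print(f"pool of {pool} addresses;", problems or "no problems")
```

GOOD_CONFIG passes with a pool of 100 addresses. BAD_CONFIG is reported seven times over: the range swallows the subnet, broadcast and interface addresses, the maximum lease equals the default, one MAC uses dashes instead of colons, one fixed address sits inside the range and one is on the wrong subnet.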

4.5.4. SNMP

SNMP is a network management protocol that allows central management software to query information on devices running an SNMP agent. You can enable an SNMP agent on your LAN interface on this screen. This is useful if you have a network management or monitoring system that takes advantage of it. This service uses UDP port 161.

Caution

Retrieving information from a m0n0wall SNMP agent is only secured by the community name. If you want additional security you will need to either use filter rules to limit who has access to this port, or access it over an encrypted channel such as PPTP or IPsec.

The System location and System contact boxes can be left blank, but can assist you in determining which device you are monitoring if you have several monitored hosts.

The Community is generally set to "public", but if you have any regard for security at all, you should set this to something difficult to guess, containing numbers and letters. This community name is still passed over the network in clear text, so it could be intercepted, though the most anyone could get with that community name is information on the setup and utilization of your firewall. In most environments, this is likely of little to no concern, but is something to keep in mind.

After setting the values as you desire, click Save and your changes will be applied.

4.5.5. Proxy ARP


Proxy ARP can be used if you need m0n0wall to send ARP replies on the WAN interface for other IP addresses than its own WAN IP address (e.g. for 1:1, advanced outbound or server NAT). It is not necessary if you have a subnet routed to you or if you use PPPoE/PPTP, and it only works if the WAN interface is configured with a static IP address or DHCP.

If you enable 1:1, server, or advanced outbound NAT, you may need to enable proxy ARP for the IP address(es) being used by those translations. To do so, click the + on this page.

Enter either a single IP address, or subnet or range of addresses, optionally add a description to remind you why you made this entry, and click Save. Then click "Apply changes" for m0n0wall to enable proxy ARP.

For more information on when you do and do not need Proxy ARP, see this page.

4.5.6. Captive Portal

What is Captive Portal? (from wikipedia.org)

The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication) before surfing the Internet normally. This is done by intercepting all HTTP traffic, regardless of address, until the user is allowed to exit the portal. You will see captive portals in use at most WiFi hotspots. It can be used to control wired access (e.g. apartment houses, business centers, "open" Ethernet jacks) as well.

Check the "Enable captive portal" box to enable.

Interface: Select the interface on which you want to enable captive portal. It can only run on one interface at a time.

Idle timeout: Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.

Hard timeout: Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).

Logout popup window: If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs. When RADIUS accounting is enabled, this option is implied.

Note

Most any popup stopper will block this window. Worse, you cannot exclude a specific site, as this popup appears to come from whatever server the user tried to go to prior to authentication. If you have a popup blocker, you'll need to disable it prior to logging in, and then re-enable it after the logoff popup appears.

RADIUS server: Enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave blank to disable RADIUS authentication. Leave port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret. RADIUS accounting packets will also be sent to port 1813 of the RADIUS server if RADIUS accounting is enabled.

Portal page contents: Here you can upload an HTML file for the portal page (leave blank to keep the current one, or the default if you have not uploaded one previously).

Authentication error page contents: The contents of the HTML file that you upload here are displayed when a RADIUS authentication error occurs (generally because of an incorrect logon or password).

4.5.7. Wake on LAN

This service can be used to wake up (power on) computers by sending special "Magic Packets". The NIC in the computer that is to be woken up must support Wake on LAN and has to be configured properly (WOL cable, BIOS settings).

This might be useful, for instance, if you access your home or corporate network remotely via VPN, and need to access a machine that may not be powered on at all times. You can log in to the m0n0wall device at that location and send a wakeup packet.

To power on a machine, just choose the appropriate interface, put the MAC address of the machine into the MAC address box, and click "Send".

If you use this feature at all, you will probably want to create a list of the machines you want to remotely power on. If you click the + at the bottom of the screen, you can add a host to the list that is displayed. Once you have added the host to your list, you can simply click on the MAC address to power on the system.

4.5.8. SIP Proxy


A SIP proxy configuration page is available starting in firmware 1.3. This page activates and configures a SIP proxy/masquerading service. Only use it when other firewall traversal options like using STUN or outgoing SIP proxy services aren't offered by your SIP service provider. If activated, configure your SIP User Agents (phones) to use this server as outbound proxy.

Table 4.3. SIP Proxy Parameters

Parameter | Description
Enable SIP Proxy | Enable or disable SIP Proxy
Interface | Select the interface local to your SIP endpoints like VOIP phones. Usually your LAN port.
SIP UDP port | Default UDP port is 5060. If left at default, this proxy also acts as transparent proxy by redirecting outgoing SIP messages to this SIP proxy.
RTP UDP port range | A port range large enough to hold multiple concurrent calls. Each audio call needs 2 ports, each video call needs 4 ports.

When enabled on port 5060, all outgoing SIP messages are redirected to this SIP proxy. Firewall rules are added automatically to the WAN interface for the UDP SIP signaling and UDP RTP streams to be reachable from the outside world. It is possible to use this service as a very simple SIP registrar (without authentication, but limited to the local LAN subnet). Use the same server for registration and outbound proxy.

4.6. The Status Screens

4.6.1. System


Figure 4.3. The System Status screen

4.6.2. Interfaces

4.6.3. Traffic Graph


Figure 4.4. The Traffic Graph screen

The traffic screen allows you to select an interface, and view real-time throughput graphs on that interface. This feature was introduced in version 1.1.

The Adobe SVG viewer is required to view the graphs. This page has a link to the installation for this viewer.

4.6.4. Wireless

More information on wireless features can be found in the Wireless chapter.

4.6.5. The status.php page


The ultimate page showing the status of your m0n0wall device is actually not shown on the menu. You simply add "/status.php" after the IP address of your m0n0wall device, for example http://10.0.0.1/status.php. This page will show statistics of the following information.

Warning

Make sure to remove any sensitive information (passwords, maybe also IP addresses) before posting information from this page in public places (like mailing lists)! Passwords in config.xml have been automatically removed.

System uptime
Interfaces
Routing tables
Network buffers
Network protocol statistics
Kernel parameters
Kernel modules loaded
ipfw show
ipnat -lv
ipfstat -v
ipfstat -nio
ipfstat -6nio
unparsed ipnat rules
unparsed ipfilter rules
unparsed IPv6 ipfilter rules
unparsed ipfw rules
resolv.conf
Processes
dhcpd.conf
ez-ipupdate.cache
rtadvd.conf
df
racoon.conf
SPD
SAD
last 200 system log entries
last 50 filter log entries
ls /conf
ls /var/run
config.xml

4.7. The Diagnostics Screens

4.7.1. System Logs

System logs are available for the following services:

System logs
Firewall
DHCP
Captive Portal
PPTP VPN
SIP (in firmware 1.3 and higher)

Caution
The logs are limited to available RAM and are erased after a reboot. To store logs permanently you should enable the use of a remote syslog server on the Diagnostics: Log Settings page.

System log (often called syslog) settings can also be configured on this page by clicking on the Settings tab. When sending syslog to a remote server m0n0wall sends UDP datagrams to port 514 on the specified remote syslog server. Be sure to set syslogd on the remote server to accept syslog messages from m0n0wall and to not block the traffic in any intervening firewalls.

Caution

Because of the detailed information that these messages can contain about your network it is highly recommended to not send syslog messages over the Internet unless they are inside an encrypted tunnel like PPTP or IPsec.

Table 4.4. Log Settings Parameters

Parameter | Description
Show log entries in reverse order | optionally show logs with the newest on top
Number of log entries | how many log entries to keep
Log packets blocked by the default rule | Hint: packets that are blocked by the implicit default block rule will not be logged anymore if you uncheck this option. Per-rule logging options are not affected.
Show raw filter logs | Hint: If this is checked, filter logs are shown as generated by the packet filter, without any formatting. This will reveal more detailed information.
Resolve IP addresses to hostnames | Hint: If this is checked, IP addresses in firewall logs are resolved to real hostnames where possible. Warning: This can cause a huge delay in loading the firewall log page! This can often be done by a remote syslog server.
Enable syslog'ing to remote syslog server | Activate the use of a remote syslog server to store log messages outside of the m0n0wall device.
Remote syslog server | The IP address of remote syslog server and which events should be sent to the syslog server.

It is recommended that you log your m0n0wall to a remote syslog server for diagnostics and forensic purposes. There are a number of free tools that receive and store syslog messages for you on Windows, Mac, and Unix-based systems. These software packages also offer additional features such as automatically sending pages, emails or SMS messages as well as running software or commands based on the messages that are received. Some software packages are listed here.

Some operating systems that are by default using syslog messages, such as Mac OS X, may have default configurations that limit reception of syslog messages from external sources. If you have problems receiving messages verify that your syslog server software can receive external messages.
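As an added example, not m0n0wall code or one of the tools mentioned above, here is a minimal UDP syslog receiver in Python that accepts datagrams only from the firewall's own address, decodes the standard RFC 3164 header (PRI, timestamp, hostname, tag) and appends each event to a file with the receiver's own timestamp. The firewall address 192.168.1.1 and the sample datagram are constructed.

```python
import re
import socket
from datetime import datetime

# Added example, not m0n0wall code: a minimal UDP syslog receiver that accepts
# datagrams only from the firewall's address and decodes the RFC 3164 header
# (PRI, timestamp, hostname, tag) before writing the line to a file.

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG   (the day of month may be space padded)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+(?:\[\d+\])?):? ?(?P<msg>.*)$")


def parse_syslog(datagram):
    """Decode one RFC 3164 datagram into a dict, or return None if malformed."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = HEADER_RE.match(text)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # PRI is facility*8 + severity, so 191 is the maximum
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def format_record(rec, received=None):
    """One line per event, prefixed with the receiver's own clock for forensics."""
    received = received or datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
    return (f"{received} {rec['host']} {rec['facility']}.{rec['severity']} "
            f"{rec['tag']}: {rec['msg']}")


def serve(bind_addr, allowed_sources, logfile, port=514, max_datagrams=None):
    """Receive syslog over UDP port 514 (the port m0n0wall sends to).

    allowed_sources: set of firewall IP addresses; other senders are dropped,
    since anyone who can reach the port could otherwise inject log lines.
    Binding to port 514 needs root or an equivalent privilege.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    count = 0
    with open(logfile, "a") as out:
        while max_datagrams is None or count < max_datagrams:
            data, (src, _port) = sock.recvfrom(8192)
            count += 1
            if src not in allowed_sources:
                continue
            rec = parse_syslog(data)
            if rec is None:
                continue
            out.write(format_record(rec) + "\n")
            out.flush()


if __name__ == "__main__":
    # Constructed sample datagram: facility local0 (16), severity info (6) -> PRI 134.
    sample = b"<134>Jun  5 12:00:01 m0n0wall ipmon[123]: sample filter log line"
    print(format_record(parse_syslog(sample), received="2008-06-05T12:00:01"))
    # serve("0.0.0.0", {"192.168.1.1"}, "m0n0wall.log")  # run as root to listen on 514
```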

4.7.2. DHCP Leases

This screen can be used to view your active and/or expired DHCP leases. Clicking the button on this screen will switch between showing only active leases and showing both active and expired leases.

Expired DHCP leases show up in gray text, while active ones are black. (This screenshot is from a system with only expired leases.)

4.7.3. IPsec

IPsec maintains two databases with connection details.

Security Association Database

First is the Security Association Database (SAD). This database maintains a list of all current IPsec Security Associations (SAs).

Security Policy Database

Second is the Security Policy Database (SPD). This database maintains a list of all the IPsec policies on the system. You will have two SPD entries for each IPsec VPN connection you have configured, regardless of whether the connection is up. This database tells the system what traffic will pass over VPN, and specifically which tunnel it traverses.

Table 4.5. The two entries for each VPN connection are as follows:

Source | Destination | Direction | Protocol | Tunnel Endpoints
local IP subnet for VPN connection | remote IP subnet for VPN connection | | ESP or AH | Public IP address of local m0n0wall -> Public IP address of remote endpoint
remote IP subnet for VPN connection | local IP subnet for VPN connection | | ESP or AH | Public IP address of remote endpoint -> Public IP address of local m0n0wall

At this screen, you will see two entries for each IPsec connection that has been successfully negotiated. One from the local public IP to the remote endpoint's public IP, and one in the opposite direction. This indicates that IPsec negotiations were successful, and that traffic should now be passing your VPN connection if everything else is configured appropriately.

By clicking on the X, you can delete the SA. m0n0wall will attempt to recreate it after deleting it. If you have a VPN connection with duplicate SAs (more than one from same src to same dst) and the connection has gone down, delete all the SAs associated with the connection. It should renegotiate and come back up within a few seconds.

4.7.4. Ping/Traceroute

This screen gives you a GUI to ping (send ICMP echo request) from the m0n0wall. Fill in the IP address or hostname of the machine to ping, choose the number of pings in the count dropdown, and click the Ping button.

Note
The m0n0wall ping screen cannot ping over VPN connections for the same reason SNMP does not work over VPN out of the box. See this FAQ entry for more information. So do not use this screen as an indicator of whether your VPN is working.

This screen gives you a GUI to traceroute from the m0n0wall. Fill in the IP address or hostname of the machine whose route you want to trace, choose the maximum number of hops in the dropdown, and click the Traceroute button.

Note
The m0n0wall ping screen cannot make traceroutes over VPN connections for the same reason SNMP does not work over VPN out of the box. See this FAQ entry for more information. So do not use this screen as an indicator of whether your VPN is working.

4.7.5. ARP Table

This page shows the current ARP table of the m0n0wall device.

4.7.6. Firewall State

This page shows the current firewall state table. Optionally take a snapshot of the state table and compare it to the current table.

4.7.7. Reset State

This screen allows you to reset the state tables on your m0n0wall for the NAT and firewall state tables. Just check the boxes for the table(s) you want to clear, and click the Reset button.

Resetting the state tables will remove all entries from the corresponding tables. This means that all open connections will be broken and will have to be re-established. This may be necessary after making substantial changes to the firewall and/or NAT rules, especially if there are IP protocol mappings (e.g. for PPTP or IPv6) with open connections.

The firewall will normally leave the state tables intact when changing rules.

NOTE: If you reset the firewall state table, the browser session may appear to be hung after clicking "Reset". Simply refresh the page to continue.

4.7.8. Backup/Restore

This screen allows you to back up your existing configuration, or restore a previous backup file. These files are text-based XML files.

To back up your m0n0wall, click the "Download configuration" button. This will download a file called (by default) config.xml.

If you ever need to restore a previous backup file, go to this page, and under the "Restore configuration" section, click Browse. Locate the config.xml file you backed up above.

4.7.9. Factory Defaults

Clicking Yes on this page will reset m0n0wall to the default out-of-the-box configuration options and clear any configuration you have done on the device.

If all else fails when trying to configure something on your m0n0wall, sometimes it is easiest to start over from scratch on the entire configuration. In that instance, use this feature to reload the default settings.

4.7.10. Reboot System

Click Yes on this page to reboot the system.

As a general rule of thumb in m0n0wall and FreeBSD in general, rebooting probably isn't going to fix any problems you are having. But it is worth a shot in many circumstances.

Unlike so many systems, rebooting isn't a suggested maintenance procedure on m0n0wall. There is no need to reboot the system unless you have a specific reason for doing so.

Chapter 5. The Firewall Screens


Table of Contents
5.1. Rules
5.2. Aliases
5.2.1. Adding an Alias
5.2.2. Using Aliases

5.1. Rules

5.2. Aliases

You may have noticed throughout the webGUI there are some address boxes with a blue background. This blue background indicates you can use aliases in this field. The source and destination boxes on the Firewall Rules Edit screen are two examples of this.

Aliases act as placeholders for real IP addresses and can be used to minimize the number of changes that have to be made if a host or network address changes. You can enter the name of an alias instead of an IP address in all address fields that have a blue background. The alias will be resolved to its current address according to the defined alias list. If an alias cannot be resolved (e.g. because you deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be considered invalid and skipped.

5.2.1. Adding an Alias

Go to the Firewall > Alias screen and click the + icon to add an alias.

1. Name: The name of the alias; you'll use this in the blue boxes throughout the system.
2. Type: Either a reference to a single host, or a network.
3. Address: This is the IP address or subnet that this alias represents.
4. Description: As always, optional, but recommended.
5. After verifying your entries, click Save, and Apply changes.

5.2.2. Using Aliases


Now that you have entered an alias, you can use it in any of the boxes with blue backgrounds by selecting type "Single host or alias" and typing in the alias name in the "Address" box.

Chapter 6. Network Address Translation


Table of Contents
6.1. NAT Primer
6.1.1. Types of NAT
6.1.2. Other Resources
6.2. Inbound NAT
6.3. Outbound NAT
6.4. Server NAT
6.5. 1:1 NAT
6.6. Choosing the appropriate NAT for your network

6.1. NAT Primer

Network Address Translation (NAT) allows you to use RFC 1918 private IP addresses for addressing on your internal network, and allow all hosts on the internal networks to access the Internet using one public IP address.

Due to the typical expense of obtaining public IP addresses, most networks do not purchase one public IP address for each network host. NAT allows multiple machines to connect to the Internet using a single public IP address. Additionally, using NAT for Internet access protects internal network computers from unwanted access attempts.

Practically, this means that NAT allows you to receive one IP address from your Internet Service Provider and that everyone on your local network can use that IP address to access the Internet. It also allows you to select one or more software services (web server, file server, database server) to make accessible from the Internet but to limit access to other services or IP port numbers.

m0n0wall offers 4 types of NAT:

Inbound NAT
Outbound NAT
Server NAT
1:1 NAT

Caution

Although a NAT rule can redirect traffic into your network you still must enable filtering rules to allow the traffic to pass through the stateful packet firewall.

6.1.1. Types of NAT

The two most commonly used and most familiar types of NAT are bidirectional or 1:1 (pronounced one-to-one), and Port Address Translation, or PAT. In both cases m0n0wall will change the IP header of packets that traverse the NAT-enabled interface, but NAT and PAT each change a different part of the IP header.

6.1.1.1. NAT Explained

NAT translates the IP address in the IP packet header. NAT rules can be applied to TCP or UDP packets that are either incoming and/or outgoing on any m0n0wall Ethernet interfaces except the LAN interface. Some common NAT uses include:

sharing an Internet connection with multiple computers
adding multiple IP addresses to a WAN interface
translating entire IP subnets to another
redirect outgoing network traffic to a different IP address
redirect incoming network traffic to a different IP address or port address

spoof the IP origin of outgoing traffic to appear as coming from a different IP address

For each NAT rule, m0n0wall builds and maintains a table of network connections that are using each rule.

6.1.1.2. PAT Explained

PAT translates port numbers in the IP packet header. For example you can translate port traffic arriving on the WAN at TCP port 8080 to instead be redirected to port 80. When PAT is combined with NAT you can provide access to multiple web servers, such as to send incoming Internet traffic for port 8001 to an internal web server at 10.0.0.1 port 80 and port 8002 to another web server at 10.0.0.2 port 80.

Note
Since only TCP and UDP packets are using port numbers, only these packets can benefit from PAT-based translation rules.

PAT configuration is included in the NAT configuration pages whenever you choose to use port addresses or port ranges. Other uses for PAT include:

hiding common ports to make them less obvious for script-based attacks
making data appear to originate from a particular port address
allow multiple instances of a server on the same computer

6.1.1.3. Proxy ARP

Normally, an Ethernet interface which has an IP address being requested on a network will respond first to an ARP request to say that the IP address exists and that the Ethernet interface is accepting traffic for it.

Without Proxy ARP you can still assign multiple IP addresses to the WAN interface but your Internet Service Provider must edit their routing tables to redirect the traffic accordingly.

Note

PPPoE connections do not use ARP requests. If you are assigning multiple IP addresses to your PPPoE WAN interface then the service provider must route the traffic correctly.

6.1.2. Other Resources


RFC 1918 Address Allocation for Private Internets, February 1996
RFC 1631 The IP Network Address Translator (NAT), May 1994
Network Address Translation at Wikipedia

6.2. Inbound NAT

Inbound NAT allows you to open up TCP and/or UDP ports or port ranges to hosts on networks protected by m0n0wall. You may need to open ports to allow certain NAT-unfriendly applications and protocols to function properly. Also if you run any services or applications that require inbound connections to a machine on your internal network, you will need inbound NAT.

Inbound traffic is incoming data that arrives on the selected m0n0wall NAT interface that has not already travelled through the m0n0wall itself. For example, inbound traffic on the WAN interface coming directly from the Internet can have inbound rules applied to it but traffic from the LAN network that goes through the WAN interface cannot have inbound rules applied because that traffic had to pass through the m0n0wall to arrive at the WAN interface.

Caution
It is not possible to access NATed services using the WAN IP address from within LAN (or an optional network). Only external traffic incoming on the selected interface will have Inbound NAT rules applied to it.

6.3. Outbound NAT


By default, m0n0wall automatically adds NAT rules to all interfaces to NAT your internal hosts to your WAN IP address for outbound traffic. The only exception is for any hosts for which you have configured 1:1 NAT entries. Therefore, if you are using public IP addresses on any of the interfaces behind your m0n0wall (with the exception of bridged interfaces) you need to change m0n0wall's default NAT behavior by enabling advanced outbound NAT.

If you are using public IP addresses on all the interfaces behind your m0n0wall, check the "Enable advanced outbound NAT" box and click Save. Now nothing will be NAT'ed by m0n0wall.

If you have a public IP subnet off one of your interfaces behind m0n0wall and a private IP subnet behind another interface, you will need to enter your own NAT mappings on this screen. For example, if you have a LAN subnet of 192.168.1.0/24 and a DMZ subnet with public IP addresses, you will need to enable advanced outbound NAT, and click the plus at the bottom of this tab to add a NAT mapping for your LAN network. For this scenario, you will want to add a rule for interface WAN, source 192.168.1.0/24, destination any, target box blank, and enter a description of your choosing.

Note

If advanced outbound NAT is enabled in firmware 1.3 or higher, no outbound NAT rules will be automatically generated anymore. Instead, only the mappings you specify below will be used. With advanced outbound NAT disabled, a mapping is automatically created for each interface's subnet (except WAN) and any mappings specified below will be ignored. If you use target addresses other than the WAN interface's IP address, then depending on the way your WAN connection is set up, you may also need proxy ARP.

6.4. Server NAT


Server NAT gives you the ability to define extra IP addresses, other than the WAN IP, to be available for Inbound NAT rules. This can be used to allow two or more IP addresses to be accessible from the selected network interface.

Note

Depending on the way your WAN connection is set up, you may also need proxy ARP.

6.5. 1:1 NAT


1:1 NAT maps one public IP address to one private IP address by specifying a /32 subnet. This means having an otherwise local network computer accessible from the Internet through the WAN interface of your m0n0wall device. From a security perspective this also means that all traffic arriving at the WAN interface is forwarded into your network to the designated internal server. Be sure that you have secured the internal server.

Additionally entire subnets can be passed through the NAT. This could be used for situations when multiple connected networks are using the same subnet, such as two sites using a 10.0.0.0/8 subnet.

Note

Depending on the way your WAN connection is set up, you may also need proxy ARP.

Forwarding traffic for additional IP addresses (also known as Virtual IP addresses) that are not the IP address of the WAN interface is possible by first listing these IP addresses in the Server NAT window. Then 1:1 NAT is used to redirect traffic for these IP addresses to internal servers. For example you may have 3 IP addresses registered with the Internet Service Provider but only one of these can be assigned to the WAN interface. Using Server NAT and 1:1 NAT you can assign the additional 2 IP addresses to the WAN interface as well and redirect their traffic to specific servers.

6.6. Choosing the appropriate NAT for your network


So by now you may be thinking "so what kind of NAT do I need?", to which the answer is "it depends."

If you do not make any of your internal servers available to the Internet then you do not need anything more than the default Outgoing NAT. This allows all of the computers on your network to share the single IP address that is assigned by your Internet Service Provider.

If you will be publishing one or more internal servers on the Internet and only have one public IP, the only option is Inbound NAT, since that public IP will be assigned to m0n0wall's WAN interface.

For networks with multiple public IP addresses, the best choice is either 1:1 NAT, or Server and Inbound NAT, or a combination of both. If you have more servers than public IP addresses, you will need to use Server and Inbound NAT, or 1:1 NAT combined with Server and Inbound NAT. If you have sufficient public IP addresses for all of your servers, you should use 1:1 NAT for them all.

Inbound and Server NAT is most suitable when you have more servers than public IP addresses. For example, if you have three servers, one HTTP, one SMTP, and one FTP, and have only two public IP addresses, you must use Server and Inbound NAT. For small deployments, this isn't bad to deal with. As the number of hosts increases, things get far more complicated. You'll end up having to remember things like for public IP address 1.2.3.4, port 80 goes to server A, port 25 goes to server B, port 21 goes to server C, etc.

If you are using software applications that open many random ports to the Internet, such as certain video/voice IP software, you might need to use 1:1 NAT to be sure that whatever port is needed can get through to your computer.

If you can't clearly picture a network in your head while troubleshooting problems, things become much more difficult. With ports going all over the place like this, once you get a number of ports forwarded it's extremely difficult to picture the network in your head. Given the complexity introduced by such a configuration, we recommend having one public IP address per publicly accessible host.

Chapter 7. Traffic Shaper


m0n0wall's traffic shaper uses FreeBSD's dummynet and ipfw. Little documentation on the traffic shaper exists because Chris Buechler, author of the majority of this documentation, has not taken the time to figure it out to the extent that it can be documented. Documentation contributions would be much appreciated. Please email any contributions to Chris.

Suggested Resources

Adam Nellemann's "Traffic shaper 'manual' (alpha)" post to the mailing list back in February 2004 is the closest thing to any traffic shaping documentation that is currently available.

Resources on ipfw and dummynet may be useful, for the information they provide on pipes and queues.

Dummynet paper from the Philippines Department of Science and Technology
BSDnews Using Dummynet for Traffic Shaping on FreeBSD (not currently available)

The following from the dummynet man page may also be helpful.
dummynet operates by first using the firewall to classify packets and divide them into flows, using any match pattern that can be used in ipfw rules. Depending on local policies, a flow can contain packets for a single TCP connection, or from/to a given host, or entire subnet, or a protocol type, etc.

Packets belonging to the same flow are then passed to either of two different objects, which implement the traffic regulation:

pipe
    A pipe emulates a link with given bandwidth, propagation delay, queue size and packet loss rate. Packets are queued in front of the pipe as they come out from the classifier, and then transferred to the pipe according to the pipe's parameters.

queue
    A queue is an abstraction used to implement the WF2Q+ (Worst-case Fair Weighted Fair Queueing) policy, which is an efficient variant of the WFQ policy. The queue associates a weight and a reference pipe to each flow, and then all backlogged (i.e., with packets queued) flows linked to the same pipe share the pipe's bandwidth proportionally to their weights. Note that weights are not priorities; a flow with a lower weight is still guaranteed to get its fraction of the bandwidth even if a flow with a higher weight is permanently backlogged.

In practice, pipes can be used to set hard limits to the bandwidth that a flow can use, whereas queues can be used to determine how different flows share the available bandwidth.
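As an added example, not from the man page or m0n0wall, the following Python models the WF2Q+ sharing described above: flows linked to one pipe get the pipe's bandwidth in proportion to their weights, a flow that needs less than its share keeps only what it needs, and the remainder is shared again among the flows that are still backlogged. The pipe bandwidth and flow weights are constructed sample values.

```python
# Added example, not part of the dummynet man page or m0n0wall: a small model of
# how one pipe's bandwidth is shared among the queues (flows) linked to it under
# WF2Q+, to show that weights set proportions, not priorities.

def share_bandwidth(pipe_bw, flows):
    """Return {flow: bandwidth} for the flows linked to one pipe.

    pipe_bw: the pipe's bandwidth (any unit, e.g. kbit/s); this is the hard limit.
    flows:   {name: (weight, demand)} where demand is the bandwidth the flow would
             use if unconstrained, or None for a permanently backlogged flow.
    Only backlogged flows (demand > 0 or None) take part in the sharing.
    """
    alloc = {name: 0.0 for name in flows}
    active = {n: (w, d) for n, (w, d) in flows.items() if d is None or d > 0}
    left = float(pipe_bw)
    # Water-filling: a flow that wants less than its weighted share gets its
    # demand, and the leftover is shared again among the remaining flows.
    while active:
        total_w = sum(w for w, _ in active.values())
        satisfied = {n: d for n, (w, d) in active.items()
                     if d is not None and d <= left * w / total_w}
        if not satisfied:
            # Everyone left is backlogged: split what remains by weight.
            for n, (w, _) in active.items():
                alloc[n] = left * w / total_w
            break
        for n, d in satisfied.items():
            alloc[n] = float(d)
            left -= d
            del active[n]
    return alloc


if __name__ == "__main__":
    # Constructed sample: a 1000 kbit/s pipe; A has weight 3, B weight 1, both
    # permanently backlogged, and C (weight 1) only ever needs 100 kbit/s.
    print(share_bandwidth(1000, {"A": (3, None), "B": (1, None)}))
    print(share_bandwidth(1000, {"A": (3, None), "B": (1, None), "C": (1, 100)}))
```

In the second call C keeps its 100 kbit/s and the remaining 900 is split 3:1, so B, despite its lower weight, still receives its share rather than being starved by A.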

Chapter 8. IPsec
Table of Contents
8.1. Preface
8.1.1. Site to Site VPN Explained
8.1.2. Remote Access IPsec VPN
8.2. Prerequisites
8.3. Configuring the VPN Tunnel
8.4. What if your m0n0wall isn't the main Internet Firewall?

This chapter will go over configuring a site-to-site VPN link between two m0n0walls, and will discuss how to configure site-to-site links with third-party IPsec-compliant devices. The Example VPN Configurations chapter goes over, in detail, how to configure site-to-site IPsec links with some third-party IPsec devices. If you have gotten m0n0wall working in a site-to-site IPsec configuration with some third-party IPsec device, we would appreciate if you could put together a short write-up of how you got it configured, preferably with screenshots where applicable.

8.1. Preface

IPsec (IP security) is a standard for providing security to IP protocols via encryption and/or authentication, typically employing both. Its use in m0n0wall is for Virtual Private Networks (VPNs). There are two types of IPsec VPN capabilities in m0n0wall, site-to-site and remote access.

8.1.1. Site to Site VPN Explained

Site-to-site VPNs connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization's branch offices back to its main office, so branch users can access network resources in the main office. Prior to VPNs, much more expensive private Wide Area Network (WAN) links like frame relay, point-to-point T1 lines, etc. were commonly used for this functionality. Some organizations are moving towards VPN links between sites to take advantage of reduced costs.

Site-to-site VPNs can also be used to link your home network to a friend's home network, to provide access to each other's network resources without opening holes in your firewalls.

While site-to-site VPNs are a good solution in many cases, private WAN links also have their benefits. IPsec adds processing overhead, and the Internet has far greater latency than a private network, so VPN connections are typically slower (while maybe not throughput-wise, they at least have much higher latency). A point-to-point T1 typically has latency of around 4-8 ms, while a typical VPN connection will be 30-80+ ms depending on the number of hops on the Internet between the two VPN endpoints.

When deploying VPNs, you should stay with the same ISP for all sites if possible, or at a minimum, stay with ISPs that use the same backbone provider. Geographic proximity usually has no relation to Internet proximity. A server in the same city as you but on a different Internet backbone provider could be as far away from you in Internet distance (hops) as a server on the other side of the continent. This difference in Internet proximity can make the difference between a VPN with 30 ms latency and one with 80+ ms latency.

8.1.2. Remote Access IPsec VPN

m0n0wall provides two means of remote access VPN, PPTP and IPsec (with OpenVPN available in beta versions only for now). m0n0wall's mobile IPsec functionality has some serious limitations that hinder its practicality for many deployments. m0n0wall does not support NAT Traversal (NAT-T) for IPsec, which means if any of your client machines are behind NAT, IPsec VPN will not work. This alone eliminates it as a possibility for most environments, since remote users will almost always need access from behind NAT. Many home networks use a NAT router of some sort, as do most hotspot locations, hotel networks, etc.

One good use of the m0n0wall IPsec client VPN capabilities is to secure all traffic sent by hosts on a wireless network or other untrusted network. This will be described later in this chapter.

FIXME A second limitation is the lack of any really good, free IPsec VPN clients for Windows. Most of your remote users will likely be Windows laptop users, so this is another major hindrance.

For most situations, PPTP is probably the best remote access VPN option in m0n0wall right now. See the PPTP chapter for more information.

8.2. Prerequisites

Before getting started, you need to take care of the following.

1. Your m0n0wall must be set up and working properly for your network environment.
2. Both locations must be using non-overlapping LAN IP subnets, i.e. if both sites are using 192.168.1.0/24 on the LAN, no site-to-site VPN will work. This is not a limitation in m0n0wall, it's basic IP routing. When any host on either of your networks tries to communicate with 192.168.1.0/24, it will consider that host to be on its local LAN and the packets will never reach m0n0wall to be passed over the VPN connection. Similarly, if one site is using, for example, 192.168.0.0/16 and one is using 192.168.1.0/24, these subnets are also overlapping and a site-to-site VPN will not work.
   Keep in mind that the more networks you link together, the more important this basic fact becomes. Do not use unnecessarily large subnet masks. If you set up your LAN as 10.0.0.0/8, but only have 100 hosts on it, you're unnecessarily limiting your ability to add VPN networks anywhere in the 10.x.x.x space.
3. If m0n0wall is not the default gateway on the LAN where it is installed, you must add static routes to whatever system is the default gateway, pointing the remote VPN subnet to the LAN IP of m0n0wall.
4. You will need to either control or be in contact with the person who does control the other VPN concentrator. If it is another m0n0wall system, then share this document with the other administrator. If it isn't, then have them consult the documentation that came with the IPsec device they are using.
5. Host and application level security become more important when connecting multiple networks; how much depends on how much you trust the other network. The VPN tunnel will not respond to firewall rules at the time of this writing, so you will not be able to limit which hosts can be accessed by users across the VPN connection. If a worm were to get into the network you are connected to via VPN, it could easily spread to your network. If a system on the remote network is compromised by an attacker, he could easily hop over the VPN to attack your systems without any firewall protection.
6. Pay attention to what you are doing! If you have a VPN to your office, and a VPN to your friend's home network, your friend can now hop over to your company's network from your network. Or, if your friend gets infected with a worm, it could then infect your machines and continue to propagate over the VPN connection to your office. Most companies would probably fire you if your friend was caught on their network. Best bet there is: if you have a site-to-site VPN into your network at work, do not connect with friends, or use one network and firewall for accessing work and one for accessing your friend's network.

Ok, now that we have the basics, let's get started on the firewall settings.
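A pre-flight check for prerequisite 2 (and the subnet-size warning under it), written as an added example rather than anything shipped with m0n0wall: it reports every pair of sites whose LAN subnets overlap, including the 192.168.0.0/16 versus 192.168.1.0/24 containment case, and shows how much address space an oversized mask like 10.0.0.0/8 gives away. The site names and subnets are constructed.

```python
"""Pre-flight check for prerequisite 2: the LAN subnets of every site you want
to join with site-to-site VPNs must not overlap. Added example, not m0n0wall
code; site names and subnets below are constructed."""
from ipaddress import ip_network
from itertools import combinations


def lan_networks(sites):
    """Map site name -> IPv4Network. strict=False accepts an interface address
    such as 192.168.1.1/24 and turns it into the 192.168.1.0/24 network."""
    return {name: ip_network(cidr, strict=False) for name, cidr in sites.items()}


def overlapping_sites(sites):
    """Return sorted (site_a, site_b) pairs whose LANs overlap.

    Overlap includes the containment case from the text: a site on
    192.168.0.0/16 collides with a site on 192.168.1.0/24 even though the
    two subnets are not identical.
    """
    nets = lan_networks(sites)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def tightest_prefix(host_count):
    """Longest prefix (smallest subnet) that still holds host_count hosts plus
    the network and broadcast addresses. 100 hosts fit in a /25, so claiming
    10.0.0.0/8 for them wastes VPN-addressable space, as the text warns."""
    needed = host_count + 2
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def wasted_bits(cidr, host_count):
    """How many prefix bits a LAN gives away beyond what its hosts need."""
    return tightest_prefix(host_count) - ip_network(cidr, strict=False).prefixlen


if __name__ == "__main__":
    # Constructed example: three sites, two of them colliding.
    sites = {"office": "192.168.0.0/16", "home": "192.168.1.1/24",
             "friend": "10.0.0.0/24"}
    for a, b in overlapping_sites(sites):
        print(f"{a} and {b} overlap: no site-to-site VPN possible between them")
    print("prefix bits wasted by 10.0.0.0/8 for 100 hosts:",
          wasted_bits("10.0.0.0/8", 100))
```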

8.3. Configuring the VPN Tunnel

Log in to your m0n0wall and click IPsec, under VPN.

Ok, now we need to add a VPN connection; to do this click on the icon. You will be presented with a great form; I will be pasting screenshots of each section as we discuss it. The first area is the one you use to establish what network ranges will use this IPsec tunnel.

This is the first set of fields that we need to concentrate on. Later, when testing your tunnel, you can actually fail to establish the level 2 connection if this data is incorrect. I will note what to pay particular attention to as we go along.

1. Mode: this is a hard-set option and frankly you don't need to change it (nor can you).
2. Disabled: this is a great on/off button if you need to disable the tunnel for whatever reason. Simply select the editor from the main VPN: IPsec window and click this checkbox element, then select apply at the bottom of the page. When you need the tunnel again, reverse the process.
3. Interface: this is how you determine which part of your network will be the termination point (endpoint) for the VPN tunnel. If you are connecting to a remote server, then WAN is your option.
4. Local subnet: this is where you can set which parts, hosts, or the entire LAN can be accessed from the other side of the VPN tunnel. The easiest thing to do is to set the LAN subnet as the option; this means your entire LAN will be accessible from the remote network. IMPORTANT: The other end of the tunnel has this same field (well, it probably has 99% of these fields actually); make sure the other end is set exactly as you set this end. E.g. if you said Single host in this section and entered the IP address of that host, the other person would set that host in his Remote Subnet field. The same goes for you, and with that mentioned we move to the next field.
5. Remote subnet: this is more than just labeling which hosts and/or host you want to access on the other network; as mentioned in item 4 it is paramount that you set this exactly like the other end's local subnet section. If not, level 2 of the VPN connection will fail and traffic will not pass from one VPN segment to the other.
6. Description: it is a good practice to always leave notes about why you are doing something. I suggest you enter something about what this VPN tunnel is used for, or about the remote end of the tunnel to remind yourself who/what it is.

Ok, all the basics for the routing have been established. Now we move on to phase 1 of the VPN authentication process.

Okay, the easy part of the VPN tunnel. The trick here, and even in phase 2, is to make sure that both VPN servers have EXACTLY THE SAME SETTINGS for all of these fields. Well okay, they will have different My identifier values, but make darn sure that they know each other's names; more on that later.

1. Negotiation mode: This is the type of authentication security that will be used. Unless you are under close watch by someone with paranormal-like craziness, just leave this as aggressive. It is indeed far faster and will ensure that your VPN tunnel will rebuild itself quickly and probably won't time out an application if the tunnel was down when the resource on the other end was requested. (More about that under Lifetime.)
2. My identifier: This is the key to probably 90% of the email on the list where people seem to not get the VPN tunnel up, or want to know how to do this with dynamic IP addresses, etc. Very simple: set your identifier to something that isn't going to change. So if you leave it as My IP address (this will be the IP address of the interface you listed in the first section), then make sure that IP is static and persistent. If you use a DHCP-assigned address then I would suggest using domain name instead. This is because domain name can be completely your own even if you do not own the domain name. Make yours sexylovemonkey.com just for fun. ;)
3. Encryption Algorithm: 3DES is the world de facto; if you are connecting to another m0n0wall, or a system that will support it, change this to Blowfish. It is more secure and about twice as fast! Now of course, if you are trying to connect to a VPN device that only supports DES then you will need to downgrade and hope no one decrypts your key exchange. MAKE SURE BOTH VPN DEVICES ARE USING THE SAME ENCRYPTION ALGORITHM.
4. Hash Algorithm: this is the hash used for checksum. MD5 is a good choice, SHA1 is the new up-and-comer and it is more reliable than MD5, but not all things support it. Again make sure you are using the same setting as the other end of the tunnel, and if you can use SHA1 go for it!
5. DH Key Group: Most systems will support at least up to 1024 bit. This is a good place to stick to; going with more will eat up more resources and less makes your tunnel less secure.
6. Lifetime: This field is far more important than it appears. This lifetime, as opposed to the one in phase 2, is how long your end will wait for phase 1 to be completed. I suggest using 28800 in this field.
7. Pre-Shared Key: Contrary to some suggestions, this key must be exactly the same on both VPN routers. It is case sensitive, and it does support special characters. I suggest using both. E.x. f00m0nk3y@BubbaLand

Okay, if you managed to coordinate and get both VPN systems set the same, all should be good for phase 1. We really don't want to stop here, so let's go right into phase 2.

Phase 2 is what builds the actual tunnel, sets the protocol to use, and sets the length of time to keep the tunnel up when there is no traffic on it.

1. Protocol: ESP is the de facto on what most VPN systems use as a transport protocol. I suggest leaving this as is. Note: The system should auto-generate a firewall rule for you to allow ESP or AH to the endpoint of the VPN. We will check this later; if it does not, you will need to make a firewall rule allowing ESP (or AH if you changed this) traffic to the interface you established as your endpoint of the tunnel. I will outline that after figure 5.
2. Encryption algorithms: Ok, here is the deal on this. Like before in phase 1, make sure you are setting the algorithm exactly as it is set on the other VPN server. You can use several; when you do so everything you select is available for use. Honestly I like to keep things simple so I recommend only checking the one you are going to use. With m0n0wall to m0n0wall use Blowfish for speed and security over 3DES.
3. Hash algorithms: again, just as in phase 1 you want to make sure your selected hash matches the one on the other end. And like in step 2, don't add things you don't need. SHA1 is the suggestion if you can, but MD5 is always a good alternative.
4. PFS key group: this works exactly like it does in phase 1. I suggest using 1024 bit; the default is off.
5. Lifetime: This is the lifetime the negotiated keys will be valid for. Do not set this to too high of a number, e.g. more than about a day (86400), as doing so will give people more time to crack your key. Don't be over-paranoid either; there is no need to set this to 20 minutes or something like that. Honestly, one day is probably good.
6. Click Save
7. Click Apply Changes
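The matching rules from the Local/Remote subnet fields and from phases 1 and 2 can be checked before either administrator clicks Save. The checker below is an added example, not m0n0wall code: the dictionary keys are my own names for the form fields, and both sample configurations are constructed.

```python
"""Compare the IPsec settings of both ends of a tunnel before you hit Save:
local/remote subnets must mirror each other and everything else must be
identical (case included, so the pre-shared key is compared exactly), apart
from the fields that are naturally different per end. Added example; the
dictionary layout is my own and the values are constructed."""

# Fields that are swapped between the two ends rather than equal.
MIRRORED = {"local_subnet": "remote_subnet", "remote_subnet": "local_subnet"}
# Fields that legitimately differ per end.
PER_END = {"my_identifier", "interface", "description"}


def tunnel_mismatches(end_a, end_b):
    """Return a list of human-readable problems; an empty list means the two
    configurations are consistent with the rules given for phases 1 and 2."""
    problems = []
    for mine, theirs in MIRRORED.items():
        if end_a.get(mine) != end_b.get(theirs):
            problems.append(f"A {mine} {end_a.get(mine)!r} != "
                            f"B {theirs} {end_b.get(theirs)!r} (phase 2 will fail)")
    for key in sorted(set(end_a) | set(end_b)):
        if key in MIRRORED or key in PER_END:
            continue
        if end_a.get(key) != end_b.get(key):
            problems.append(f"{key}: A {end_a.get(key)!r} != B {end_b.get(key)!r}")
    return problems


# Constructed sample: an office m0n0wall and a home m0n0wall. Phase 2
# algorithm lists are tuples because the form lets you tick several.
SITE_A = {
    "interface": "WAN", "description": "office end",
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
    "my_identifier": "office.example.net",
    "p1_negotiation_mode": "aggressive", "p1_encryption": "blowfish",
    "p1_hash": "sha1", "p1_dh_group": "1024 bit", "p1_lifetime": 28800,
    "p1_psk": "f00m0nk3y@BubbaLand",
    "p2_protocol": "ESP", "p2_encryption": ("blowfish",), "p2_hash": ("sha1",),
    "p2_pfs_group": "1024 bit", "p2_lifetime": 86400,
}
SITE_B = dict(SITE_A, description="home end", my_identifier="home.example.net",
              local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24")


if __name__ == "__main__":
    print("consistent:", tunnel_mismatches(SITE_A, SITE_B) == [])
    # A PSK typed with a different capital letter on one end is a mismatch.
    for line in tunnel_mismatches(SITE_A, dict(SITE_B, p1_psk="F00m0nk3y@BubbaLand")):
        print("problem:", line)
```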

8.4. What if your m0n0wall isn't the main Internet Firewall?


FIXME In some cases you have a firewall or router with layer 2 routing (protocol ACLs) sitting in front of your m0n0wall. If this is the case you will need to port forward ESP or AH (depending on which one you chose) to the m0n0wall. (NOTE: if you are running NAT on that firewall, AH will not be an option.)

Figure 8.1. Example: m0n0wall behind a router

Chapter 9. PPTP

Table of Contents
9.1. Preface
9.2. Audience
9.3. Assumptions
9.4. Subnetting and VLAN routing
9.5. Setup of m0n0wall software
9.6. PPTP User Setup
9.7. PPTP Firewall Rules
9.7.1. Example of filtered PPTP Rules
9.8. Setting up a PPTP Client on Windows XP
9.8.1. Testing our PPTP Connection in Windows
9.9. Some things I have found not to work over the PPTP Connection

This chapter is based on Francisco Artes' m0n0wall PPTP document, used with permission.

9.1. Preface

This chapter is intended to outline several different PPTP VPN type setups; it includes a how-to on setting up a Windows XP PPTP client to connect to the m0n0wall PPTP VPN server. Later versions of this document will include Linux and other clients.

All trademarks are represented in this document, and no intention is made that this document, m0n0wall, or the author are in any way related to any of the companies holding these trademarks. All trademarks are copyrighted by their respective companies.

The terms firewall and m0n0wall are used synonymously in this chapter. This is mostly because it is easier to say and type firewall.

9.2. Audience
You need to have a basic understanding of TCP/IP and subnetting to understand this document. The author does make every effort to describe the items being discussed, but let's face it, I can only go so far. (And I did include pictures, which apparently are each worth 1,000 words. So that makes this one HUGE document.)

If you have comments, questions, or suggestions in regard to this document please email <falcor@netassassin.com>. I will try to get back to you as quickly as possible, but please do read this document thoroughly before writing. You may also want to check the m0n0wall website for email archives on frequently (or even one-time) questions.

9.3. Assumptions

Ok, we are going to make several assumptions in this document; if you don't have these assumptions done already you will need to go get them done before PPTP will work correctly.

1. Your firewall is already set up to do basic NAT and you have tested this, or at least it is doing whatever kind of routing you wanted it to do.
2. You have configured at least one interface on the firewall so it is working and:
   1. The client machine(s) can route to (access) one of the interfaces of your firewall. Make sure of this. If it is an interface that you allow ICMP to access, I suggest pinging it.
3. You have a client machine running some form of VPN client that supports PPTP.

Ok, now that we have the basics, let's get started on the firewall settings.

9.4. Subnetting and VLAN routing


Ok, so this isn't quite true VLAN routing, but we will (quite possibly) be working with a virtual network that doesn't exist until a PPTP connection is made. If you have a better term for this let me know and I will change it. We are however dealing with some virtual subnets; for instance the Remote Address Range will be a /28 and PPTP clients will receive a subnet of 255.255.255.255 (ff.ff.ff.ff for all you HEX people out there). Just ignore that and trust in the magic of the PPTP tunnel.

You can select (as you will see later) to set the Server Address and Remote Address Range to exist inside of the subnet that you defined for the LAN on the firewall (e.g. the IP address and subnet bits you set for the LAN under Interfaces: LAN on the m0n0wall menu). Our example uses this setup. Pros and cons? Well, the major pro is that the firewall will allow traffic from this VLAN to route to the WAN (in most cases the Internet) and it is nice and easy. Cons: it allows people to route to the WAN; if you don't want this then read the next paragraph.

You can also set up these two options to have an IP range that is outside of your LAN designation. E.g. LAN = 192.168.1.1/24 (really the 192.168.1.0/24 network) and the PPTP Server Address and Remote Address Range are set to 192.168.2.254 and 192.168.2.16/28 respectively. This will basically allow those using the PPTP connection to access the LAN, but the firewall will not route traffic for them to the WAN connection. OPT and WiFi networks will also be isolated depending on how you are routing to those networks and whether they are in the same network segment (subnet) as the LAN.

Remember that when you set up a PPTP connection (especially on Windows) all network traffic from that workstation is going to be sent via the PPTP tunnel.

9.5. Setup of m0n0wall software

Most people probably skipped right to this point. If you did, it should be easy enough with these examples; if you do run into something, go read the parts you skipped, you may find the answers you are looking for there.

1. The first thing we want to do is set up the PPTP server. To do this select PPTP from the VPN section of the m0n0wall interface. If you clicked the right thing you will have a screen that looks something like Figure 1.
2. The next step is to enable the PPTP server. Click the Enable PPTP server radio button. (It only gets harder from here.)
3. Now we have to type. (See, harder.) So enter the Server Address next. This can be an unused IP on your LAN, or another locally usable IP address in a separate subnet. It MUST be in the same networking class as the next entry.
4. Remote Address range. This is going to be the range of 16 IP addresses that the server will issue to clients. Notice the /28; it is there to remind you there will be 16 hosts. Again, this MUST be in the same subnet class as the IP listed above. (Not in the same /28 though. If you try to overlap the two the firewall will tell you that you made a mistake.)
   In our example we used 192.168.1.254 for the Server Address and 192.168.1.192/28 as the Remote address range. Think of the Server Address as the default route for the IPs you are going to be issuing to the clients. It is also the virtual interface for the PPTP server.
   If you are confused here, or in step 3, please go back and read the section named Subnetting and VLAN routing as it covered this in more detail.
5. If you have a RADIUS server of some sort, feel free to fill in the next few boxes. I don't, so they are blank in this example and frankly go outside of the scope of this document anyway.
6. If you are really security conscious, and your client software supports it, check the box to require 128-bit encryption.
7. Click Save. We are all done setting up the server. Now let's set up some users.
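The Server Address and Remote Address Range rules from steps 3 and 4 (and the inside-the-LAN versus separate-subnet choice from section 9.4) can be checked before typing them into the form. This is an added example, not m0n0wall's own validation; I read "same networking class" as "both inside the one subnet you name" (the LAN unless you pass another), and the addresses are the ones used in the text.

```python
"""Check a PPTP Server Address / Remote Address Range pair: a /28 pool, the
server address in the same subnet but outside the pool, plus a note on whether
the clients will be routed to the WAN. Added example, not m0n0wall code.
'Same networking class' is taken to mean 'both inside the one subnet you name'
(the LAN subnet unless pptp_subnet is given); that reading is my assumption."""
from ipaddress import ip_address, ip_interface, ip_network


def check_pptp_plan(lan, server_address, remote_range, pptp_subnet=None):
    """Return {'problems': [...], 'wan_routed': bool, 'clients': [...]}.

    lan is the LAN interface address as set under Interfaces: LAN, e.g.
    "192.168.1.1/24". A remote_range that is not a proper network boundary
    (e.g. "192.168.1.200/28") raises ValueError, much as the firewall
    rejects it.
    """
    lan_net = ip_interface(lan).network            # 192.168.1.1/24 -> 192.168.1.0/24
    enclosing = ip_network(pptp_subnet) if pptp_subnet else lan_net
    server = ip_address(server_address)
    pool = ip_network(remote_range)                # strict: must be a real network
    problems = []
    if pool.prefixlen != 28:
        problems.append(f"{pool} is a /{pool.prefixlen}; the remote range "
                        f"should be a /28 (16 addresses)")
    if server in pool:
        problems.append(f"server address {server} lies inside the remote range {pool}")
    if server not in enclosing:
        problems.append(f"server address {server} is not inside {enclosing}")
    if not pool.subnet_of(enclosing):
        problems.append(f"remote range {pool} is not inside {enclosing}")
    # Inside the LAN subnet m0n0wall routes PPTP clients on to the WAN; a
    # separate range reaches the LAN only (section 9.4).
    wan_routed = server in lan_net and pool.subnet_of(lan_net)
    return {
        "problems": problems,
        "wan_routed": wan_routed,
        "clients": [str(ip) for ip in pool],       # the 16 addresses handed out
    }


if __name__ == "__main__":
    # The two layouts from section 9.4: inside the LAN, and a separate subnet.
    for args in (("192.168.1.1/24", "192.168.1.254", "192.168.1.192/28"),
                 ("192.168.1.1/24", "192.168.2.254", "192.168.2.16/28", "192.168.2.0/24")):
        result = check_pptp_plan(*args)
        print(args[1], args[2], "-> WAN access:", result["wan_routed"],
              "problems:", result["problems"] or "none")
```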

9.6. PPTP User Setup


If you have a RADIUS server and you set it up in the previous section you can either choose to skip this one, or add users here that will be found and used before the PPTP Server sends a request to the RADIUS server.

For the rest of us, this stage is quite important as we need a user account to authenticate to the PPTP Server.

1. Click on users under PPTP in the VPN section of the m0n0wall interface.
2. Click the + icon and let's fill in some blanks!
3. Enter a name in the Username box.
4. Enter and then re-enter the password for this account. (You can't use special characters at the time of this document, just FYI.)
5. Click Save
6. When you get back to the next window you will need to click Apply Settings. NOTE: This will disconnect any active PPTP connections. Being as we are just setting this up for the first time, and this is our first user, let's hope there aren't any to disconnect.
7. If everything went well you should have a screen that looks something like Figure 2.

Now we need to set up a firewall rule so people using the PPTP connection can do something with it when they connect.

9.7. PPTP Firewall Rules


Yep, you need to do this if you want the darn thing to work. But just like your LAN rule, you can make this as open or as restrictive as you want. Here you can limit the PPTP users to accessing only specific hosts on specific ports, or open it all up. We are going to assume you want full access for your PPTP users, so we are going to set up a firewall rule that is exactly like the default LAN rule.

1. Start by clicking Rules under the firewall section of the m0n0wall interface.
2. Next click any of the + icons on the screen so we can add a new rule.

As stated, we are going to allow all our PPTP users to access all parts of the LAN, WAN, etc. If you wish to limit this access then you will need to modify things accordingly. I will present one example of such a rule after this default section.

3. Simply go to the Interface section and select PPTP from the drop-down. In the Description put something meaningful like Default PPTP -> any.
4. Click Save
5. You will have to Apply the changes on the next screen.

You are now done setting up the PPTP Server!

9.7.1. Example of filtered PPTP Rules

In some cases, mostly for those people who are granting PPTP access to others they do not fully trust, you will want to limit access (specific Allow rules) or mitigate specific access with Deny rules. With specific allow rules, users would be granted explicit permission to access hosts, and sometimes specific ports, and all other traffic is denied. The latter would be done if you wanted the PPTP clients to access the LAN & WAN but did not want them to access your SAMBA server, for instance.

Our example is an allow rule granting permission for people on the PPTP network to use SSH on a LAN server with the IP address 192.168.1.151:

Save and Apply these rules as needed. Test them all to make sure they are working as designed. Most networks are compromised because no one checked that the ACLs were activated or even working properly.
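One way to do that testing on paper before trusting the live rule set: model the default "PPTP -> any" rule from 9.7 and the SSH-only rule above, then run a small traffic matrix through them. This is an added example, not m0n0wall code; the rule and packet records are my own representation, and I assume top-down, first-match evaluation with an implicit block when nothing matches. The PPTP range is the 192.168.1.192/28 from section 9.5.

```python
"""Model the two PPTP rule sets from this chapter and test them against the
traffic you expect to pass or be blocked. Added example; rules and packets are
my own records, and first-match-then-implicit-block is my assumption about
m0n0wall's evaluation order."""
from ipaddress import ip_address, ip_network

PPTP_NET = ip_network("192.168.1.192/28")      # remote address range from 9.5


def matches(rule, proto, src, dst, dport):
    """Does one rule match a (proto, src, dst, dport) packet?"""
    if rule["proto"] not in ("any", proto):
        return False
    if ip_address(src) not in ip_network(rule["src"]):
        return False
    if ip_address(dst) not in ip_network(rule["dst"]):
        return False
    return rule["dport"] in ("any", dport)


def decide(rules, proto, src, dst, dport):
    """First matching rule wins; no match means the traffic is blocked."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule["action"]
    return "block"


# "Default PPTP -> any" from 9.7: everything from the PPTP net is allowed.
DEFAULT_RULES = [
    {"action": "pass", "proto": "any", "src": str(PPTP_NET),
     "dst": "0.0.0.0/0", "dport": "any"},
]
# 9.7.1: only SSH to the one LAN server; everything else falls to the block.
FILTERED_RULES = [
    {"action": "pass", "proto": "tcp", "src": str(PPTP_NET),
     "dst": "192.168.1.151/32", "dport": 22},
]


def failed_expectations(rules, expectations):
    """Run a traffic matrix [((proto, src, dst, dport), want), ...] against a
    rule set and return the rows that did not behave as designed."""
    return [(pkt, want) for pkt, want in expectations
            if decide(rules, *pkt) != want]


if __name__ == "__main__":
    # Constructed matrix: a PPTP client reaching the SSH server, the SAMBA
    # server and the Internet (203.0.113.5 is a documentation address).
    matrix = [
        (("tcp", "192.168.1.193", "192.168.1.151", 22), "pass"),
        (("tcp", "192.168.1.193", "192.168.1.10", 445), "block"),
        (("tcp", "192.168.1.193", "203.0.113.5", 80), "block"),
    ]
    for name, rules in (("default", DEFAULT_RULES), ("filtered", FILTERED_RULES)):
        print(name, "rule set, rows not as designed:", failed_expectations(rules, matrix))
```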

9.8. Setting up a PPTP Client on Windows XP


This is super easy, and you only have to type one piece of information the entire time!

Start by accessing the Network Connections panel. (Do this however you like; I prefer to right-click Network Places and select Properties.)

1. Click Create New Connection in the left-hand column of the Network Connections window.
2. You are now presented with a Wizard. Click Next to continue.

3. Select Connect to the Network at my Workplace from the menu.
4. Select Virtual Private Network connection from the next panel.
5. Name the connection.
6. Now enter the IP or FQDN of the PPTP Server. (This can be any of the configured interfaces.)
7. If you are the system admin you will be asked if you want this to be for your use only or for anyone's use. I suggest you limit it to your use only unless you want the VPN network to be made available to all user accounts on the workstation.
8. Next you can either just finish or add a shortcut to the desktop. You are nearly done!
9. When you launch the client for the first time (hopefully from the icon you asked it to create from the wizard; if not, then you will need to access the Network Connections window again and double-click your new connection) you will be asked for a username and password. Click connect when you are done with this and if all goes well you will connect to the PPTP Server.

9.8.1. Testing our PPTP Connection in Windows


1. Start by opening a DOS window. (Command window)

2. Run ipconfig and you should get something similar to the next figure:
   As you hopefully will see, you have the settings for your physical adapter (in my case I renamed it to ETH0). You will also see the PPP Adapter with the name you gave the VPN Connection when performing the steps in the last section. It should have an IP address that is in the range you defined for the PPTP Server. It should also have the subnet of 255.255.255.255 and it will be using itself as the default gateway. Just live with it; it is how it works.
   For the more advanced who wish to know if things are all working right, Figure 6 displays a full ipconfig on the virtual adapter.
3. Now let's try doing something. If you followed the setup for this how-to you will have set up full access from the PPTP network to the LAN and WAN. If you set up selective rules you will have to test specifically what you set up. E.g. if you set up rules to only allow SMTP you will need to telnet to the host:25 that you designated in the firewall rule. Or write a new rule allowing ICMP to a host that will echo a reply back.
   We will be sending an ICMP (Ping) to the firewall's internal interface to test the VPN connection.
4. In my case the firewall is 192.168.1.1 (please use your internal address before writing to me to say pinging 192.168.1.1 didn't work on your 10.x.x.x network. Hehe). If done right (assuming your firewall isn't blocking internal ICMP packets) you are good for LAN access. (If you are blocking ICMP on the internal interface, ping some other host on your home network.)

5. Now let's test beyond the firewall. Ping isn't so good to use here as more and more people are blocking ICMP packets. So we will use tracert to check 1.) that we are routing via the PPTP tunnel and 2.) that we are successful. Of course if you told the firewall to not allow WAN access then this step can be skipped.

As seen in the last figure, the first hop is the PPTP Server Address as this is the gateway/interface for the PPTP network.

Now check things like HTTP, etc. If you have this much and followed the directions you should be able to do everything.

9.9. Some things I have found not to work over the PPTP Connection
These are more limits in PPTP than in other VPN protocols.

- NAT sometimes does not play nice with PPTP. Though m0n0wall seems to have this licked, and it works rather well.
- Major Gotcha! If you are visiting a remote network where the network range is the same as the network range on the PPTP network (your LAN network in most cases) then the PPTP tunnel will not work. E.g. you are using a WiFi connection in a local coffee shop and the network range it has put you in is 192.168.1.0/24. You try to connect to your home network via PPTP, but your home also uses 192.168.1.0/24. The tunnel/authentication to the PPTP server will happen, but no traffic will go across that tunnel due to the confusion in the TCP/IP stack on your workstation. To get around this use some odd network range at home, e.x. 192.168.88.0/24. Most people use 10.0.0.1 and 192.168.1.0, so try to set your home network differently. This will also help when you set up IPsec tunnels between your house and, say, your friend's house.
- Some ISPs use unreasonably short DHCP lease times, like one hour. If the PPTP client machine gets a short lease from DHCP, it will lose internet connectivity after the lease expires. This is because all network traffic, including your DHCP renewal requests, is going across the VPN. Since it can't hit the local DHCP server through the VPN, when the lease expires your machine will release its IP address. This causes the loss of all connectivity. You have to disconnect from the PPTP (if it doesn't disconnect itself), renew your IP address, and reconnect. This is common on Windows hosts, and likely other OSes as well. If this happens, contact the administrator of your DHCP server (likely the client machine's ISP) and get the lease time lengthened. The author has seen this situation numerous times, and in every case, the ISP was willing to help and resolved the problem. Your mileage may vary.
- UPnP packets from your LAN do not make it to the PPTP network. This is more than likely because the current version of m0n0wall does not support UPnP. (In English: those of us having dreams of accessing our ReplayTV or other media devices that use UPnP can dream of other things for now. It is actually more secure to not have UPnP on a firewall, but some people overlook that so they can use voice chat software and DVRs.)
- Network Neighborhood in Windows does not work over PPTP connections because broadcasts are not forwarded across the PPTP connection.

I haven't really beaten the PPTP tunnel that much yet, so if you find more items that don't seem to work right let me know and I will add them here so people don't go crazy trying to figure out something that just won't work. ;)

Chapter 10. OpenVPN


OpenVPN was a temporary new addition to m0n0wall in the 1.2 beta versions. It was removed due to problems it caused with OPT interfaces, which have not been fixed to date, and it is not available in any current m0n0wall release.

Chapter 11. Wireless


Table of Contents
11.1. Adding A Wireless Interface
11.2. Wireless Parameters 1.2.x
11.3. Wireless Parameters 1.3.x
11.4. Wireless Status

Wireless functionality is available for selected wireless cards. The 1.2.x version of m0n0wall allows some 802.11b wireless adapters/chipsets (most notably Lucent Hermes and Intersil Prism II/2.5) to join a wireless network with WEP encryption. The upcoming 1.3.x version, which is based on FreeBSD 6, supports (almost) all Atheros-based 802.11a/b/g cards as well (and some Ralink cards too) and offers more capabilities. Version 1.3.x allows the use of enhanced encryption, using the m0n0wall as an access point, and the capability to use a Radius server for authentication.

Note

Version 1.3.x m0n0wall is still in beta testing and features can change before it is released as a stable version.

Some of the m0n0wall wireless features include:

- support for wi and ath wireless cards
- support for 802.11b/g/a
- channel selection from 1 to 14
- support for hostap, BSS and IBSS modes
- enable/disable wireless interface
- SSID (hiding the SSID in the upcoming 1.3 m0n0wall)
- 64-bit or 128-bit WEP encryption for ASCII or hexadecimal digits
- bridging with another Ethernet interface if using hostap mode
- WPA and WPA2 encryption using PSK and Enterprise mode (in hostap mode of the upcoming 1.3 m0n0wall)
- AES/CCMP and TKIP ciphers (in the upcoming 1.3 m0n0wall)
- WPA Radius server parameters (in the upcoming 1.3 m0n0wall)

Note
A Wireless Distribution System (WDS) is currently not supported in either 1.2.x or 1.3.x.

11.1. Adding A Wireless Interface


The default m0n0wall configuration includes a LAN and WAN interface. If you have an installed wireless card you will have to add the interface manually. Below are the steps needed to install this interface using the web interface of your m0n0wall device.

1. log in to the web interface of your m0n0wall device
2. click the + symbol at the bottom right of the Interface Assignment table
3. click on the drop-down list and select a wireless interface (if no wireless cards are shown then either your wireless card is not correctly installed or it is not compatible with m0n0wall)
4. click the save button (your new wireless interface will appear under the Interfaces menu item of the web interface)
5. reboot your m0n0wall firewall for the changes to take effect
6. click the new wireless interface (probably named OPT1) and make your desired wireless configuration.

11.2. Wireless Parameters 1.2.x


Below are the wireless parameters that are available in the m0n0wall firmware 1.2.x. They will be available only if you have a compatible wireless card installed and if you have added the wireless interface to your interface list.

Table 11.1. Wireless 1.2 Parameters

Description
    custom name for the interface
Bridge with
    select an ethernet interface to bridge to the wireless interface
IP address
    assign the wireless interface an IP address and subnet mask
Standard
    Select 802.11b/g/a
Mode
    Note: To create an access point, choose "hostap" mode. IBSS mode is sometimes also called "ad-hoc" mode; BSS mode is also known as "infrastructure" mode.
SSID
    The service set identifier (SSID) is a 32-character name of your wireless network
Channel
    Either choose Auto for the m0n0wall device to scan and find an available wireless channel or select a channel manually. To see currently used channels, click the Wireless option of the m0n0wall Status menu.
Station Name
    Hint: this field can usually be left blank
Enable WEP
    Check this box to enable WEP encryption of your wireless data
WEP Keys 1-4
    40 (64) bit keys may be entered as 5 ASCII characters or 10 hex digits preceded by '0x'. 104 (128) bit keys may be entered as 13 ASCII characters or 26 hex digits preceded by '0x'.

Below is a screenshot of the wireless interface configuration screen of 1.2.x m0n0wall.

11.3. Wireless Parameters 1.3.x


Below are the wireless parameters that are available in the upcoming m0n0wall firmware 1.3.x. They will be available only if you have a compatible wireless card installed and if you have added the wireless interface to your interface list.

Table 11.2. Wireless 1.3 Parameters

Standard
    Select 802.11b/g/a
Mode
    Note: To create an access point, choose "hostap" mode. IBSS mode is sometimes also called "ad-hoc" mode; BSS mode is also known as "infrastructure" mode.
SSID
    The service set identifier (SSID) is a 32-character name of your wireless network
Hide SSID
    If this option is selected, the SSID will not be broadcast in hostap mode, and only clients that know the exact SSID will be able to connect. Note that this option should never be used as a substitute for proper security/encryption settings.
Channel
    Either choose Auto for the m0n0wall device to scan and find an available wireless channel or select a channel manually. To see currently used channels, click the Wireless option of the m0n0wall Status menu.
WPA Mode
    Choose none to not use WPA encryption on your wireless data. Otherwise choose PSK to use a Pre-shared Key (password) or Enterprise to use a Radius server.
WPA Version
    Choose from WPA, WPA2, or WPA+WPA2. In most cases, you should select "WPA+WPA2" here.
WPA Cipher
    Choose from TKIP, AES/CCMP, or TKIP+AES/CCMP. AES/CCMP provides better security than TKIP, but TKIP is more compatible with older hardware.
WPA PSK
    Enter the ASCII passphrase that will be used in WPA-PSK mode. This must be between 8 and 63 characters long.
Radius Server IP Address
    Enter the IP address of the RADIUS server that will be used in WPA Enterprise mode.
Radius Authentication Port
    Leave this field blank to use the default port (1812).
Radius Accounting Port
    Leave this field blank to use the default port (1813).
Radius Shared Secret
    Optionally leave the shared secret blank to not use a RADIUS shared secret (not recommended).
Enable WEP
    Check this box to enable WEP encryption of your wireless data
WEP Keys 1-4
    40 (64) bit keys may be entered as 5 ASCII characters or 10 hex digits preceded by '0x'. 104 (128) bit keys may be entered as 13 ASCII characters or 26 hex digits preceded by '0x'.

Below is a screenshot of the wireless interface configuration screen of 1.3.x m0n0wall.
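The key formats in Tables 11.1 and 11.2 (WEP keys as 5 or 13 ASCII characters or 0x-prefixed 10 or 26 hex digits, WPA-PSK passphrases of 8 to 63 characters) and the cross-field dependencies of the 1.3.x form can be checked with the following added example. It is not m0n0wall's own form validation; the configuration dictionary keys are my own names for the fields, and the sample values are constructed.

```python
"""Validate wireless key material against the formats listed in Tables 11.1
and 11.2, and cross-check a 1.3.x wireless configuration. Added example; the
dictionary keys are my own names for the form fields."""
import re

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def wep_key_strength(key):
    """Return 40 or 104 (key bits) for a well-formed WEP key, else None.

    Hex form: '0x' followed by 10 or 26 hex digits. ASCII form: exactly 5 or
    13 ASCII characters. A 10-character string without the 0x prefix is not
    read as hex; it is simply the wrong length for an ASCII key.
    """
    if key[:2].lower() == "0x":
        digits = key[2:]
        if not HEX_RE.fullmatch(digits):
            return None
        return {10: 40, 26: 104}.get(len(digits))
    if not key.isascii():
        return None
    return {5: 40, 13: 104}.get(len(key))


def wpa_psk_ok(passphrase):
    """WPA-PSK passphrase: 8 to 63 ASCII characters."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii()


def config_problems(cfg):
    """Cross-field checks for a 1.3.x wireless configuration dict.

    Keys used: wpa_mode ('none' | 'PSK' | 'Enterprise'), wpa_psk,
    radius_server_ip, enable_wep, wep_keys (list of up to four), hide_ssid.
    """
    problems = []
    mode = cfg.get("wpa_mode", "none")
    if mode == "PSK" and not wpa_psk_ok(cfg.get("wpa_psk", "")):
        problems.append("WPA-PSK passphrase must be 8 to 63 ASCII characters")
    if mode == "Enterprise" and not cfg.get("radius_server_ip"):
        problems.append("WPA Enterprise needs a Radius Server IP Address")
    if cfg.get("enable_wep"):
        keys = [k for k in cfg.get("wep_keys", []) if k]
        if not keys:
            problems.append("WEP enabled but no key entered")
        for k in keys:
            if wep_key_strength(k) is None:
                problems.append(f"WEP key {k!r} is not 5/13 ASCII or 0x + 10/26 hex digits")
    # Table 11.2: a hidden SSID is no substitute for encryption.
    if cfg.get("hide_ssid") and mode == "none" and not cfg.get("enable_wep"):
        problems.append("hidden SSID with no WPA or WEP is not a security setting")
    return problems


if __name__ == "__main__":
    # Constructed configurations: one sound, one with three mistakes.
    good = {"wpa_mode": "PSK", "wpa_psk": "f00m0nk3y@BubbaLand"}
    bad = {"hide_ssid": True, "enable_wep": True, "wep_keys": ["abcde", "0x0123"]}
    print("good:", config_problems(good) or "no problems")
    for line in config_problems(bad):
        print("bad:", line)
```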

11.4. Wireless Status

Chapter 12. Captive Portal


Table of Contents
12.1. Connection Management
12.1.1. Pass-through MAC Addresses
12.1.2. Allowed IP Addresses
12.2. Authentication Management
12.2.1. Secure Authentication
12.2.2. Local User Management
12.2.3. Radius User Management
12.3. Custom Pages And Files
12.3.1. Portal Page Contents
12.3.2. Authentication Error Page Contents
12.3.3. Custom Files
12.4. Vouchers
12.4.1. Quick Howto
12.4.2. Voucher Parameters
12.4.3. Voucher Rolls
12.5. Limitations
12.6. Additional Information
12.6.1. Is there any extra Captive Portal RADIUS functionality available?
12.6.2. Using Captive Portal and MAC pass-through

This Captive Portal functionality allows you to control HTTP browser access to the Internet. All users trying to leave the selected network (for example all users from the LAN network going to the Internet) will be redirected to an HTML page stored on your m0n0wall. This page is typically where the user trying to reach the Internet can enter username and password information to be authenticated and allowed access to the Internet.

Users are identified by the MAC hardware address of their ethernet card. All traffic trying to reach the Internet or selected network by any user is blocked until they use a web browser and finish the authentication process on the HTML authentication page.

Some features of the m0n0wall Captive Portal include:

- Interface selection (typically the LAN interface)
- Allow selected IP or MAC addresses
- User authentication choices (none, local, or RADIUS)
- Maximum concurrent connections
- Concurrent user logins
- Local user management option
- Per-user bandwidth restrictions
- Idle and Hard timeout
- Logout popup window
- Redirection URL
- MAC filtering
- HTTPS authentication
- Customizable portal page contents
- Customizable authentication failure page
- Voucher support (in the upcoming 1.3 m0n0wall)

12.1. Connection Management

Caution

Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work.

Below are some of the Connection options that can be configured for use with the Captive Portal. Additionally there is some information about allowing pass-through MAC addresses and making a list of allowed IP addresses that do not need authentication.

Table 12.1. Connection Parameters

Interface
    Choose which interface to run the captive portal on. Captive Portal can only be run on one interface.
Maximum concurrent connections
    This setting limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged into the captive portal, but rather how many users can load the portal page or authenticate at the same time! Default is 4 connections per client IP address, with a total maximum of 16 connections.
Idle timeout
    Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.
Hard timeout
    Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).
Logout popup window
    If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs.
Redirection URL
    If you provide a URL here, clients will be redirected to that URL instead of the one they initially tried to access after they've authenticated.
Concurrent user logins
    If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected.
MAC filtering
    If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in. This is required when the MAC address of the client cannot be determined (usually because there are routers between m0n0wall and the clients).
Per-user bandwidth restriction
    If this option is set, the captive portal will restrict each user who logs in to the specified default bandwidth. RADIUS can override the default settings. Leave empty or set to 0 for no limit. You will need to enable the traffic shaper for this to be effective.

12.1.1. Pass-through MAC Addresses


Adding MAC addresses as pass-through MACs allows them access through the captive portal automatically without being taken to the portal page. The pass-through MACs can change their IP addresses on the fly and upon the next access, the pass-through tables are changed accordingly. Pass-through MACs will however still be disconnected after the captive portal timeout period.

You can enter a list of MAC addresses (6 hex octets separated by colons) and a description here for your reference (it is not parsed).

12.1.2. Allowed IP Addresses


Adding allowed IP addresses will allow IP access to/from these addresses through the captive portal without being taken to the portal page. This can be used for a web server serving images for the portal page or a DNS server on another network, for example. By specifying from addresses, it may be used to always allow pass-through access from a client behind the captive portal.

Some sample rules are:

- any -> x.x.x.x: All connections to the IP address are allowed
- x.x.x.x -> any: All connections from the IP address are allowed

For each entry on the Allowed IP Address list you can use From to always allow an IP address through the captive portal (without authentication). Use To to allow access from all clients (even non-authenticated ones) behind the portal to this IP address. Additionally each entry will contain an IP address and a description for your reference (it is not parsed).

Caution

If you have servers such as web or email on a separate subnetwork (for example a DMZ) be sure to add their IP addresses to this list. Otherwise users will not be allowed to access them without authenticating first.

12.2. Authentication Management


There are 3 user management choices that can be used to authenticate users to the Captive Portal.

- No authentication
- Local user manager
- Radius authentication

Optionally, web authentication can be secured with HTTPS.

12.2.1. Secure Authentication

Below are some of the Secure Authentication options that can be configured for use with the Captive Portal.

Table 12.2. Secure Authentication Parameters

HTTPS login
    If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. A server name, certificate and matching private key must also be specified below.
HTTPS server name
    This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS.
HTTPS certificate
    Paste a signed certificate in X.509 PEM format here.
HTTPS private key
    Paste an RSA private key in PEM format here.

12.2.2. Local User Management


When using the Local User Manager option for Authentication it is possible to store and access a list of users on the m0n0wall device itself. This list is manually entered from the web interface and includes the following parameters.

Table 12.3. User Parameters

Username
    The name a user will use to authenticate with
Password
    The password a user will use to authenticate with
Full name
    User's full name, for your own information only
Expiration Date
    Leave blank if the account shouldn't expire, otherwise enter the expiration date in the following format: mm/dd/yyyy

12.2.3. Radius User Management


When using the Radius Authentication option for Authentication it is possible to authenticate with an existing Radius server on a connected network. The Radius server will manage the user authentication requests. This list is manually entered from the web interface and includes the following parameters.

Table 12.4. Radius Server Parameters

Primary RADIUS server
    Enter the IP address of the RADIUS server which users of the captive portal have to authenticate against. You can change the default port (1812) and shared secret. Optionally leave the shared secret blank to not use a RADIUS shared secret (not recommended).

Secondary RADIUS server
    If you have a second RADIUS server, you can activate it by entering its IP address, port and shared secret as done for the primary server.

Send RADIUS accounting packets
    If this is enabled, RADIUS accounting packets will be sent to the primary RADIUS server. Optionally change the default port (1813).

Reauthentication
    If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.

Accounting updates
    These reauthentication updates can be configured to support no accounting updates, stop/start accounting, or interim updates.

RADIUS MAC authentication
    If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and a static password/secret to the RADIUS server.

RADIUS Session-Timeout attributes
    When this is enabled, clients will be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute.

Radius Type
    If RADIUS type is set to Cisco, in RADIUS requests (Authentication/Accounting) the value of Calling-Station-Id will be set to the client's IP address and the Called-Station-Id to the client's MAC address. Default behaviour is Calling-Station-Id = client's MAC address and Called-Station-Id = m0n0wall's WAN MAC address.

MAC address format
    This option changes the MAC address format used in the whole RADIUS system. Change this if you also need to change the username format for RADIUS MAC authentication. default: 00:11:22:33:44:55, singledash: 001122-334455, ietf: 00-11-22-33-44-55, cisco: 0011.2233.4455, unformatted: 001122334455
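As an added illustration (not m0n0wall code), the following Python renders a MAC address in each of the username formats listed above and assembles the station-id attributes the way the Radius Type option describes them; lower-casing the hex digits, the placeholder static secret and the attribute names used as dictionary keys are assumptions.

```python
# Added example, not m0n0wall code: RADIUS MAC-authentication user names
# and station ids as described by the "MAC address format" and "Radius Type"
# options. Lower-casing the hex digits is an assumption.

MAC_FORMATS = ("default", "singledash", "ietf", "cisco", "unformatted")


def format_mac(mac, style="default"):
    """Render a MAC address in one of the formats listed for RADIUS MAC auth."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits, got %r" % mac)
    if style == "default":        # 00:11:22:33:44:55
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "singledash":     # 001122-334455
        return digits[:6] + "-" + digits[6:]
    if style == "ietf":           # 00-11-22-33-44-55
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":          # 0011.2233.4455
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if style == "unformatted":    # 001122334455
        return digits
    raise ValueError("unknown MAC address format %r" % style)


def mac_auth_request(client_mac, client_ip, wan_mac, radius_type="default",
                     mac_format="default", static_secret="mac-auth-secret"):
    """Attributes of the Access-Request sent for RADIUS MAC authentication.

    User-Name is the client MAC in the configured format; the station ids
    follow the Radius Type rule from the table. static_secret stands in for
    the configured static password (placeholder value, not a real secret)."""
    attrs = {"User-Name": format_mac(client_mac, mac_format),
             "User-Password": static_secret}
    if radius_type == "cisco":
        # Cisco type: Calling-Station-Id = client IP, Called-Station-Id = client MAC
        attrs["Calling-Station-Id"] = client_ip
        attrs["Called-Station-Id"] = format_mac(client_mac, mac_format)
    else:
        # Default: Calling-Station-Id = client MAC, Called-Station-Id = WAN MAC
        attrs["Calling-Station-Id"] = format_mac(client_mac, mac_format)
        attrs["Called-Station-Id"] = format_mac(wan_mac, mac_format)
    return attrs
```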

12.3. Custom Pages And Files


It is possible to customize the HTML pages that are used for the Captive Portal authentication process. The page that does the authentication itself can be changed as well as the default page that is shown for a failed authentication. Graphics files can also be loaded into the m0n0wall device for use on these pages, up to a maximum of 256KB.

Optionally a redirect URL can be used, to which clients will be redirected after they've authenticated instead of the one they initially tried to access. After reading this information they are free to access the remote networks since they have already been authenticated.

Below are the parameters for custom pages and files.

12.3.1. Portal Page Contents


Upload an HTML file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to "$PORTAL_ACTION$") with a submit button (name="accept") and a hidden field with name="redirurl" and value="$PORTAL_REDIRURL$". Include the "auth_user" and "auth_pass" input fields if authentication is enabled, otherwise it will always fail. Example code for the form:

<form method="post" action="$PORTAL_ACTION$">
  <input name="auth_user" type="text">
  <input name="auth_pass" type="password">
  <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
  <input name="accept" type="submit" value="Continue">
</form>

12.3.2. Authentication Error Page Contents


The contents of the HTML file that you upload here are displayed when an authentication error occurs. You may include "$PORTAL_MESSAGE$", which will be replaced by the error or reply messages from the RADIUS server, if any. You may also include a new login form in the error page to allow the user to attempt another login directly.

12.3.3. Custom Files


The loading page for custom files can be found in the File Manager section of the Captive Portal main menu.

Any files that you upload here will be made available in the root directory of the captive portal HTTP(S) server. You may reference them directly from your portal page HTML code using relative paths. Example: you've uploaded an image with the name 'test.jpg' using the file manager. Then you can include it in your portal page like this:

<img src="test.jpg" width=... height=...>

The total size limit for all files is 256KB.

12.4. Vouchers
Below is a quick howto from mwiget, who added the Voucher feature to m0n0wall. Vouchers are only available in the upcoming 1.3 firmware release and are currently part of the beta version of the firmware.

12.4.1. Quick Howto

Below are the steps to quickly set up and use the voucher functionality of m0n0wall's Captive Portal.

1. To enable, create and manage voucher support via captive portal, there is a new Tab under Services > Captive Portal: Voucher.
2. Enable captive portal first, upload a landing page that contains an input field 'auth_voucher'. An example can be found on the URL above.
3. Then enable Voucher support on the Voucher tab. Initially you can leave all fields with their defaults. Every new install will create unique encryption keys.
4. Now add at least one "Roll" by clicking '+' on the Vouchers page, right to 'Voucher rolls': Specify a Roll Number, e.g. 0, how many vouchers that roll shall contain, and how long each voucher allows network access.
5. Then generate the new vouchers by clicking on the paper logo right to the newly added roll. This will generate a CSV file and download via your browser.

Each of these generated vouchers can now be used by users for the configured amount of minutes for that roll. Note that as soon as a voucher has been activated, its timer will run down to zero and then block access, no matter if the session is idle or got disconnected due to logout or session termination.

To test the vouchers in the m0n0wall GUI, click on Status > Captive Portal. New tabs, dedicated to voucher handling, show up when voucher support is enabled. Click on Status > Captive Portal > Test Vouchers and enter one or more of the newly generated vouchers from the downloaded CSV file and click submit. A message will be shown with the validation and duration of each given voucher.

One can add multiple rolls, e.g. to have vouchers with different time credit. It is also possible to enter multiple vouchers, separated by space, to gain the sum of time credit of all entered vouchers.

There is more to it, read the comments to each config parameter on the voucher page.

Note on the very short public/private RSA keys: I know, those can be cracked easily and in no time, if one of the keys is known. The idea here was to make it a little bit harder than simply adding a shared password into the m0n0wall config file. Unfortunately I'm no expert on encryption but I assume with such short encrypted vouchers, there is no security difference between the used RSA keys and a symmetric encryption. Anyhow, all that encryption/decryption stuff is done in a newly added binary C program voucher.c, that is compiled and added into the m0n0wall image, and can be modified to increase the usability and security.

12.4.2. Voucher Parameters

Below are the parameters that can be configured for voucher use in the upcoming 1.3 m0n0wall. The Enable Vouchers checkbox must be activated for these parameters to be used.

Note
Changing any Voucher parameter (apart from managing the list of Rolls) on this page will render existing vouchers useless if they were generated with different settings.

Table 12.5. Voucher Parameters

Voucher Rolls
    Create, generate and activate Rolls with Vouchers that allow access through the captive portal for the configured time. Once a voucher is activated, its clock is started and runs uninterrupted until it expires. During that time, the voucher can be re-used from the same or a different computer. If the voucher is used again from another computer, the previous session is stopped.

Voucher public key
    Paste an RSA public key (64 Bit or smaller) in PEM format here. This key is used to decrypt vouchers.

Voucher private key
    Paste an RSA private key (64 Bit or smaller) in PEM format here. This key is only used to generate encrypted vouchers and doesn't need to be available if the vouchers have been generated offline.

Character set
    Tickets are generated with the specified character set. It should contain printable characters (numbers, lower case and upper case letters) that are hard to confuse with others. Avoid e.g. 0/O and l/1.

# of Roll Bits
    Reserves a range in each voucher to store the Roll# it belongs to. Allowed range: 1..31. Sum of Roll + Ticket + Checksum bits must be one Bit less than the RSA key size.

# of Ticket Bits
    Reserves a range in each voucher to store the Ticket# it belongs to. Allowed range: 1..16. Using 16 bits allows a roll to have up to 65535 vouchers. A bit array, stored in RAM and in the config, is used to mark if a voucher has been used. A bit array for 65535 vouchers requires 8KB of storage.

# of Checksum Bits
    Reserves a range in each voucher to store a simple checksum over Roll# and Ticket#. Allowed range is 0..31.

Magic Number
    Magic number stored in every voucher. Verified during voucher check. Size depends on how many bits are left by Roll + Ticket + Checksum bits. If all bits are used, no magic number will be used and checked.

Save Interval
    The list of active and used vouchers can be stored in the system's configuration file once every x minutes to survive power outages. No save is done if no new vouchers have been activated. Enter 0 to never write runtime state to XML config.

Invalid Voucher Message
    Error message displayed for invalid vouchers on captive portal error page ($PORTAL_MESSAGE$).

Expired Voucher Message
    Error message displayed for expired vouchers on captive portal error page ($PORTAL_MESSAGE$).
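The bit budget and the used-ticket bit array described above can be modelled in a few lines. The following Python is an added example, not m0n0wall's voucher.c; its checksum formula (roll + ticket truncated to the checksum width), the default bit split, the character set and the absence of the RSA step are assumptions made for the illustration, so it shows the layout constraints rather than the real encryption.

```python
# Added example, not m0n0wall's voucher.c: models the voucher bit budget of
# Table 12.5 (Roll + Ticket + Checksum bits fit in one bit less than the RSA
# key size, the remainder being the magic number) and the bit array that marks
# tickets as used. Checksum formula, defaults and charset are assumptions.
import math

# Assumed character set: digits and letters that are hard to confuse,
# leaving out 0/O and l/1 as Table 12.5 recommends.
DEFAULT_CHARSET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz"


def _mask(bits):
    return (1 << bits) - 1


class VoucherLayout:
    """Bit budget of the value that gets RSA-encrypted into a voucher."""

    def __init__(self, key_bits=64, roll_bits=16, ticket_bits=10,
                 checksum_bits=5, charset=DEFAULT_CHARSET):
        if not 1 <= roll_bits <= 31:
            raise ValueError("roll bits must be 1..31")
        if not 1 <= ticket_bits <= 16:
            raise ValueError("ticket bits must be 1..16")
        if not 0 <= checksum_bits <= 31:
            raise ValueError("checksum bits must be 0..31")
        self.payload_bits = key_bits - 1          # one bit less than the RSA key size
        used = roll_bits + ticket_bits + checksum_bits
        if used > self.payload_bits:
            raise ValueError("roll + ticket + checksum bits exceed key size - 1")
        self.roll_bits, self.ticket_bits = roll_bits, ticket_bits
        self.checksum_bits = checksum_bits
        self.magic_bits = self.payload_bits - used   # 0 means no magic number is checked
        self.charset = charset

    def checksum(self, roll, ticket):
        """Assumed 'simple checksum': roll + ticket truncated to checksum_bits."""
        return (roll + ticket) & _mask(self.checksum_bits)

    def pack(self, roll, ticket, magic=0):
        """Pack roll, ticket, checksum and magic into one plaintext integer."""
        if not 0 <= roll <= _mask(self.roll_bits):
            raise ValueError("roll number does not fit the configured roll bits")
        if not 1 <= ticket <= _mask(self.ticket_bits):   # ticket numbers start at 1
            raise ValueError("ticket number does not fit the configured ticket bits")
        value = (roll << self.ticket_bits) | ticket
        value = (value << self.checksum_bits) | self.checksum(roll, ticket)
        return (value << self.magic_bits) | (magic & _mask(self.magic_bits))

    def unpack(self, value, magic=0):
        """Recover (roll, ticket); reject a value whose checksum or magic is wrong."""
        got_magic, value = value & _mask(self.magic_bits), value >> self.magic_bits
        got_sum, value = value & _mask(self.checksum_bits), value >> self.checksum_bits
        ticket, roll = value & _mask(self.ticket_bits), value >> self.ticket_bits
        if roll > _mask(self.roll_bits) or ticket == 0:
            raise ValueError("invalid voucher: field out of range")
        if got_sum != self.checksum(roll, ticket):
            raise ValueError("invalid voucher: checksum mismatch")
        if got_magic != (magic & _mask(self.magic_bits)):
            raise ValueError("invalid voucher: magic number mismatch")
        return roll, ticket

    def voucher_length(self):
        """Characters needed to print payload_bits with the chosen charset."""
        return math.ceil(self.payload_bits / math.log2(len(self.charset)))

    def encode(self, value):
        """Fixed-width base-N rendering of a (packed or encrypted) value."""
        base, out = len(self.charset), []
        for _ in range(self.voucher_length()):
            value, digit = divmod(value, base)
            out.append(self.charset[digit])
        return "".join(reversed(out))

    def decode(self, text):
        value = 0
        for ch in text:
            value = value * len(self.charset) + self.charset.index(ch)
        return value


class RollUsage:
    """RAM bit array marking used tickets; 65535 tickets take 8 KB as stated."""

    def __init__(self, count):
        self.bits = bytearray((count + 7) // 8)

    def storage_bytes(self):
        return len(self.bits)

    def mark_used(self, ticket):
        """True on first activation, False if the ticket was used before."""
        idx, bit = divmod(ticket - 1, 8)
        if self.bits[idx] & (1 << bit):
            return False
        self.bits[idx] |= 1 << bit
        return True
```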

12.4.3. Voucher Rolls


Each voucher roll has the following parameters.

Table 12.6. Voucher Roll Parameters

Roll#
    Enter the Roll# (0..65535) found on top of the generated/printed vouchers.

Minutes per Ticket
    Defines the time in minutes that a user is allowed access. The clock starts ticking the first time a voucher is used for authentication.

Count
    Enter the number of vouchers (1..1023) found on top of the generated/printed vouchers. WARNING: Changing this number for an existing Roll will mark all vouchers as unused again.

Comment
    Can be used to further identify this roll. Ignored by the system.

12.5. Limitations
Because users are identified by their MAC hardware address it is possible that someone using a packet sniffer can spoof/impersonate the authenticated MAC hardware address and thereby gain network access. Setting a hard timeout can help to minimize this risk.

Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work.

Plan carefully when you will make changes to the Captive Portal configuration. Changing any settings on the main Captive Portal configuration window will disconnect all clients!

Because of the way Captive Portal is implemented, it cannot be used on more than one interface.

12.6. Additional Information

12.6.1. Is there any extra Captive Portal RADIUS functionality available?

Jonathan De Graeve has implemented a number of new RADIUS features for Captive Portal that will be implemented in a future beta version. For now, these features are available on test images available for download from http://inf.imelda.be/downloads/m0n0wall/.

Features currently implemented in the test images include:

- RADIUS defined URL redirection taking precedence over URL redirection parameter in captive portal setup page.
- Multiple RADIUS server support
- Failure message on captive portal login error page, plus logging to the captive portal log on why authentication failed (user account exceeded bandwidth limit, bad password, etc.).
- Cisco compatible feature (sending calling-station-id with client ip and called-station-id with client mac instead of standard behavior calling-station-id and client mac).
- Timeout parameter and max authentication retries parameter
- retrieval of user bandwidth settings
- retrieval of user group
- retrieval of session timeout

Note
Retrieval means the variable is present and CAN be used, but there is no action bound to it yet.

12.6.2. Using Captive Portal and MAC pass-through

You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

1. Enable Captive Portal on the desired interface (e.g. LAN) at the Services > Captive Portal screen. Create a HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
2. Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.

Appendix A. Reference
Table of Contents
A.1. IP Basics
A.2. IP Filtering
A.3. NAT
A.4. Traffic Shaping
A.5. DNS
A.6. Encryption (PPTP/IPsec)
A.7. Logging (syslog)

A.1. IP Basics
You can change the hostname and domain used by your firewall in the General Setup screen.

A.2. IP Filtering

A.3. NAT

NAT (Network Address Translation) permits you to use private IP address space on your LAN while still being able to access the internet.

There are two main types of NAT in m0n0wall, inbound, and 1:1.

A.4. Traffic Shaping

A.5. DNS


You can change the DNS servers used by your firewall in the General Setup screen.

A.6. Encryption (PPTP/IPsec)

A.7. Logging (syslog)

It is recommended that you log your m0n0wall to a remote syslog server for diagnostics and forensic purposes. There are a number of free tools to receive and store syslog messages for you on Windows, Mac, and Unix based systems. These software packages also offer additional features such as automatically sending pages, emails or SMS messages as well as running software or commands based on the messages that are received.

Tip
Log messages include a timestamp of when the event occurred. The system time on the firewall is synchronized to an NTP (Network Time Protocol) server. You can change the NTP server and related parameters in the General Setup screen.

Unix based tools

The syslog daemon built into virtually every Unix-like system can be configured to accept log messages from remote hosts. Check documentation specific to your OS on how to configure syslogd to accept messages from remote hosts.

Other Unix Tools

- syslog-ng
- nsyslog

Windows based tools

There are several free and commercial tools available on Windows to enable your system to accept syslog messages from hosts on your network.

Kiwi Syslog

One of my favorites on Windows is Kiwi Syslog. There is a version with "basic" features that is free, and a more advanced version with $49 registration. Even if you are just looking for a free tool, the basic version has as many if not more features than any other free package on this list. http://www.kiwienterprises.com/

3Com offers a couple of free utilities on this page. 3CSyslog is a GUI tool best used on a temporary or as-needed basis only. To collect logs using a service that will be running at all times, whether or not anyone is logged into the machine, try wsyslogd.

Several more for Windows and a couple for Mac are listed on this site.

Chapter 13. Example Configurations


Table of Contents
13.1. Configuring a DMZ Interface Using NAT
13.1.1. Network Diagram
13.1.2. Adding the Optional Interface
13.1.3. Configuring the Optional Interface
13.1.4. Configuring the DMZ Interface Firewall Rules
13.1.5. Permitting select services from DMZ into the LAN
13.1.6. Configuring NAT
13.2. Locking Down DMZ Outbound Internet Access
13.3. Configuring a filtered bridge
13.3.1. General Configuration
13.3.2. WAN Configuration
13.3.3. OPT Interface Configuration
13.3.4. Enable Filtering Bridge
13.3.5. Configure Firewall Rules
13.3.6. Completing the Configuration

13.1. Configuring a DMZ Interface Using NAT


This section will explain how to add a DMZ interface to the two interface (LAN/WAN) base configuration from the Quick Start Guide.

You must have a functioning two interface setup before starting on configuring your DMZ interface.

The 1:1 NAT DMZ setup is most appropriate where you have multiple public IP's and wish to assign a single public IP to each DMZ host.

13.1.1. Network Diagram


Figure13.1.ExampleNetworkDiagram

This depicts the network layout we will have after configuring our DMZ interface.

13.1.2. Adding the Optional Interface


Log into your m0n0wall's webGUI, and click "(assign)" next to Interfaces.

Click the + icon on this page to add your third interface.

Now restart your m0n0wall for the changes to take effect.

13.1.3. Configuring the Optional Interface


After your m0n0wall restarts, log back into the webGUI. Under Interfaces, you will see OPT1. Click on it.

Check the box at the top to enable the interface, give it a more descriptive name (I'll call it "DMZ"), and set up the desired IP configuration. The IP subnet must be different from the LAN subnet.

13.1.4. Configuring the DMZ Interface Firewall Rules


The main purpose of a DMZ is to protect the LAN from the publicly accessible Internet hosts on your network. This way if one of them were to be compromised, your LAN still has protection from the attacker. So if we don't block traffic from the DMZ to the LAN, the DMZ is basically useless.

First we will put in a firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN. Click Firewall > Rules, and click the + icon at the bottom of the page.

Filling out this screen as shown below will permit all traffic out the DMZ interface to the internet, but prohibit all DMZ traffic from entering the LAN. It also only permits outbound traffic from the DMZ's IP subnet since only traffic from a source IP within your DMZ should come in on the DMZ interface (unless you have a routed DMZ, which would be strange). This prevents spoofed packets from leaving your DMZ.

Click Save after verifying your selections. Then click Apply Changes.

13.1.5. Permitting select services from DMZ into the LAN


You probably have some services on your LAN that your DMZ hosts will need to access. In our sample network, we need to be able to reach DNS on the two LAN DNS servers, cvsup protocol to our LAN cvsup mirror server, and NTP for time synchronization to the time server that resides on the cvsup mirror server.

Always use specific protocols, ports, and hosts when permitting traffic from your DMZ to your LAN. Make sure nothing that isn't required can get through.

Note
Don't forget that source ports (TCP and UDP) are randomly selected high ports, and not the same as the destination port. You'll need to use "any" for source port.

My DMZ interface firewall rules now look like the following after permitting the required services from DMZ to LAN.

Note that I added a rule to deny any traffic coming in on the DMZ interface destined for the LAN. This was not required because of the way we configured the allow rule, however I like to put it in there to make it very clear where the traffic from DMZ to LAN is getting dropped.

When entering your rules, remember they are processed in top-down order, and rule processing stops at the first match. So if you had left the rule we added above as the top rule, it would drop packets from DMZ to LAN without getting to the permit rules you added. I recommend you design your rules similar to how I have, with drop DMZ to LAN as the second last line, and permit DMZ to any except LAN as the last line.
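The ordering point above, as an added example that is not part of the handbook: a first-match evaluator over a rule set shaped like the one described, comparing the recommended order against the "deny DMZ to LAN at the top" mistake. The LAN and DMZ subnets, the DNS/cvsup/NTP server addresses and the sample packets are all constructed for the illustration; m0n0wall's own rule engine is only modelled as far as first-match and default deny.

```python
# Added example, not part of the handbook: first-match evaluation of a DMZ
# interface rule set like the one described above. All addresses are
# constructed for the illustration.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
DMZ = ipaddress.ip_network("192.168.2.0/24")   # assumed DMZ subnet
LAN_DNS = ("192.168.1.10", "192.168.1.11")     # the two LAN DNS servers (assumed)
CVSUP_NTP = "192.168.1.20"                     # cvsup mirror, also the time server


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network   # source network (source port is always "any")
    dst: object                  # IPv4Network, or None for "any"
    dst_not: bool = False        # True means "any destination NOT in dst"
    dport: int = None            # destination port, None for any

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(pkt["dst"]) in self.dst
            if in_dst == self.dst_not:      # wrong side of the (negated) destination
                return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def evaluate(rules, pkt):
    """Action of the first matching rule; traffic matching no rule on a
    non-LAN interface is blocked by m0n0wall's implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def host(ip):
    return ipaddress.ip_network(ip + "/32")


# Recommended order: specific permits, then deny DMZ->LAN, then permit
# DMZ->anything except LAN (which also drops spoofed non-DMZ sources).
PERMITS = [Rule("pass", "udp", DMZ, host(ip), dport=53) for ip in LAN_DNS] + [
    Rule("pass", "tcp", DMZ, host(CVSUP_NTP), dport=5999),
    Rule("pass", "udp", DMZ, host(CVSUP_NTP), dport=123),
]
DENY_LAN = Rule("block", "any", DMZ, LAN)
PERMIT_REST = Rule("pass", "any", DMZ, LAN, dst_not=True)

RECOMMENDED = PERMITS + [DENY_LAN, PERMIT_REST]
DENY_FIRST = [DENY_LAN] + PERMITS + [PERMIT_REST]   # the mistake the text warns about

# Constructed sample packets as seen arriving on the DMZ interface.
DNS_QUERY = {"proto": "udp", "src": "192.168.2.5", "dst": "192.168.1.10", "dport": 53}
SMB_TO_LAN = {"proto": "tcp", "src": "192.168.2.5", "dst": "192.168.1.50", "dport": 445}
TO_INTERNET = {"proto": "tcp", "src": "192.168.2.5", "dst": "203.0.113.7", "dport": 80}
SPOOFED = {"proto": "tcp", "src": "10.9.9.9", "dst": "203.0.113.7", "dport": 80}
```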

13.1.6. Configuring NAT


Now you need to determine whether you'll use inbound or 1:1 NAT. If you have multiple public IP's, use 1:1 NAT. If you have only a single public IP, you'll need to use inbound NAT. If you have multiple public IP's, but more DMZ hosts than public IP's, you can use inbound NAT, or a combination of 1:1 and inbound.

13.1.6.1. Using 1:1 NAT

For this scenario, we'll say we have a /27 public IP subnet. We'll say it's 2.0.0.0/27. m0n0wall's WAN interface has been assigned with IP 2.0.0.2. I will use 1:1 NAT to assign the public IP 2.0.0.3 to the DMZ mail server and 2.0.0.4 to the DMZ web server.

Go to the Firewall > NAT screen and click the 1:1 tab. Click the + icon. I will add two entries, one each for the mail server and web server.

After adding the rules, click Apply changes. You'll now see something like the following.

13.1.6.2. Testing the 1:1 NAT Configuration

You can test the 1:1 NAT we just configured by going to whatismyip.com on the machine configured for 1:1. If you don't have a GUI, lynx will work, or you can fetch or wget the URL and cat the resulting file (fetch http://whatismyip.com && cat whatismyip.com | grep "IP is").

You should see the IP is the one you just configured in 1:1 NAT. If you get an IP other than the one you configured in 1:1, there is a problem with your configuration.

13.1.6.3. Using Inbound NAT

If you have only one public IP, or need more publicly accessible servers than you have public IP addresses, you'll need to use inbound NAT. Go to the NAT screen, and on the Inbound tab, click the + icon.

For this example, we will assume you have only one public IP, and it is the interface address of the WAN interface.

First, anything to the WAN IP to port 25 (SMTP) will go to the mail server in our DMZ.

Click Save, and click the + icon to add the inbound NAT rule for the HTTP server.

Click "Apply changes" and your configuration will be working. It should look like the following.

13.2. Locking Down DMZ Outbound Internet Access


We've limited DMZ hosts' accessibility to the LAN, but we can lock it down a step further using egress filtering. Many DMZ hosts don't need to be able to talk out to the Internet at all, or possibly only while you are running updates or doing maintenance or need to download software.

If we can keep our DMZ hosts from accessing the Internet, we can make an attacker's job much more difficult. Many exploits rely on the target being able to pull files from a machine the attacker controls, or in the case of a worm, from the infected host. I'll use Code Red and Nimda as an example. Infected hosts exploited the vulnerability, and the remote host pulled the infected admin.dll via TFTP from the already infected host. If you were running vulnerable web servers, but did not allow TFTP traffic outbound from your web servers, you could not have been infected. (reference)

Attackers almost always try to pull in a toolkit or rootkit of some sort onto machines they exploit. There are ways around this, but it just makes it that much more difficult. This will merely slow down a knowledgeable attacker (who'll find a way to get in one way or another), but it could stop a script kiddie dead in their tracks and keep some worms from infecting your network.

This is not a replacement for proper patching and other security measures, it's just good practice in a defense in depth strategy.

How does this work?


You might be wondering how your servers will be able to serve content while not being able to talk out to the Internet. I'll use web servers as an example. When packets come in on the WAN interface through firewall rules you have entered to permit HTTP traffic, there is a state entry that permits any return traffic from that connection to traverse the firewall.

Remember this only affects the ability to initiate connections outbound, not the ability to respond to incoming traffic requests.

Recommended configuration

As with all firewall rules, limit the accessibility as much as possible. Mail servers that must send outbound mail will need to initiate connections to destination TCP port 25 to any host. If the DNS servers your DMZ hosts use reside outside of the DMZ, you'll need to allow UDP port 53 to the DNS servers being used.

I typically put in rules for upgrade purposes to permit outbound traffic to the ports required. For FreeBSD, TCP 5999 (cvsup) and TCP 80 (HTTP) will generally suffice. When I'm not upgrading the system, I use the "disable" checkbox to disable the rule, but leave it in place to easily enable it when needed. Just always remember to disable it when you're done updating the system.

13.3. Configuring a filtered bridge

A filtered bridge is a common way of configuring a DMZ segment. This can be used as a typical DMZ where you have hosts on the LAN interface, but is probably more frequently used to protect servers at a colocation facility where there are no LAN hosts.

Note
Remember you cannot access hosts on a bridged interface from a NAT'ed interface, so if you do have a LAN interface set up, you won't be able to access the hosts on the bridged interface from the LAN.

Network Diagram for this Configuration

The following diagram depicts the example configuration described in this section. The colocation facility has assigned you the subnet 111.111.111.8/29, which includes usable IP's .9-.14. One of those is required for the colo's router, so you end up with 5 usable IP's.

Figure 13.2. Filtered Bridge Diagram

13.3.1. General Configuration


After you have your network set up as shown, and the interfaces and LAN IP assigned appropriately, log into the webGUI to begin the initial configuration.

First go to System > General setup, and configure the hostname, domain, DNS servers, change the password, switch the webGUI to HTTPS, and set your timezone. Click Save, and reboot m0n0wall for the changes to take effect.

13.3.2. WAN Configuration


Log back into the webGUI and go to the Interfaces > WAN page. For the example network, we'll assign the static IP 111.111.111.10/29, default gateway 111.111.111.9. Unless your WAN network is private IP's, check the "Block private networks" box. Click Save.

13.3.3. OPT Interface Configuration

Click Interfaces > OPT. Name the interface to your liking (for the example, we'll use Servers for the name). In the "Bridge with" box, select WAN. Click Save.

13.3.4. Enable Filtering Bridge

Go to the System > Advanced page and check the "Enable filtering bridge" box. Click Save.

13.3.5. Configure Firewall Rules

Go to the Firewall > Rules screen.

Note
Chances are for any configuration, especially if you're restricting outbound connections, you'll need a much more involved rule set than is depicted here. Open what you know you need open, and watch for dropped traffic in your logs to see what else you might need to open. It takes some effort to get your firewall locked down as tightly as it can possibly be, but the long term effect of increased security is well worth the time spent.

13.3.5.1. OPT Interface Rules

Initially, you may want to configure a rule on the OPT interface permitting traffic to anywhere, then after things are working, tighten those rules as desired. For this example, we'll go ahead and implement locked down rules from the get-go.

The mail server on our bridged interface needs to send mail to any host on the Internet. Both servers need to get to DNS servers at 111.111.110.2 and 111.111.109.2. We'll add disabled maintenance rules for HTTP and cvsup.

13.3.5.2. WAN Interface Rules

Since this example portrays a firewall at a colocation facility, we need a remote administration rule to allow traffic from our trusted location's static IP access to administration functions of the servers, as well as the m0n0wall webGUI. For this example, we'll permit all traffic from the trusted location (IP 11.12.13.30). You may want to tighten this rule. If you don't have anything on the LAN segment, remember to allow remote administration from somewhere so you can get into the webGUI without being on site.

We also need to add rules to permit SMTP traffic to the mail server and HTTP and HTTPS traffic to the web server.

13.3.5.3. LAN Interface Rules

You can leave or remove the default LAN to any rule if you don't have hosts on the LAN interface. In the example, the LAN interface will be unplugged once the on-site configuration is completed.

13.3.5.4. Firewall Rules Completed

13.3.6. Completing the Configuration


Everything should be working as desired now, as long as the servers are configured appropriately. Test that the configuration works as desired, including all inbound and outbound rules. Once you're satisfied with the testing results, your setup is complete.

Chapter 14. Example IPSec VPN Configurations


Table of Contents
14.1. Cisco PIX Firewall
14.1.1. PIX Configuration
14.1.2. m0n0wall Configuration
14.2. Smoothwall
14.3. FreeS/WAN
14.4. Sonicwall
14.4.1. Sonicwall Configuration
14.4.2. m0n0wall Configuration
14.5. Nortel
14.6. Mobile User VPN with IPsec?
14.6.1. m0n0wall setup
14.6.2. Client setup

m0n0wall can connect to any third party VPN device that supports standard IPsec site to site VPN's, which includes most any VPN device and firewall with IPsec VPN support. This chapter will provide instructions on connecting m0n0wall with a number of third party IPsec devices.

Have you configured a VPN between m0n0wall and a device not listed here? Please document how you accomplished this. There is a section of the wiki dedicated to configurations for this chapter.

Below you will find sample configurations for the following devices.

- Cisco PIX Firewall
- Smoothwall
- FreeS/WAN
- Sonicwall
- Nortel

14.1. Cisco PIX Firewall

The following describes how to configure a site to site IPsec VPN tunnel between a PIX Firewall and m0n0wall.

14.1.1. PIX Configuration


First we need to make sure the PIX has 3DES enabled.

pixfirewall# sh ver
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Wed 13-Aug-03 13:55 by morlee
pixfirewall up 157 days 5 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000b.4605.d319, irq 10
1: ethernet1: address is 000b.4605.d31a, irq 11
2: ethernet2: address is 0002.b3b3.2e54, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled

If the "VPN-3DES-AES" line above does not show "Enabled", you need to install the PIX 3DES key. This is now available free from Cisco here for all PIX firewalls (click 3DES/AES Encryption License). Do NOT use DES for a VPN if you want it to be cryptographically secure. DES is only slightly better than transmitting in clear text.

Next we'll see if any VPN configurations are in place on the PIX.


pixfirewall# sh isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

If you only see the default policy, there are no VPN's configured. This document cannot be followed verbatim if you have current VPN's (though you should be able to figure it out, just be careful not to break your existing VPN's with any duplicate names).

Allow IPSec connections to the PIX


pixfirewall(config)# sysopt connection permit-ipsec

Enable ISAKMP on the outside interface (where "outside" is the name of the internet facing interface)
pixfirewall(config)# isakmp enable outside

isakmp policy command on PIX

pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
       isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
       isakmp policy <priority> hash <md5|sha>
       isakmp policy <priority> group <1|2|5>
       isakmp policy <priority> lifetime <seconds>

Now we need to configure the ISAKMP policy on the PIX. Enter the following commands in configure mode:

isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

This policy uses pre-shared keys as authenticator, 3DES encryption, md5 hashing, group 2, and 86400 second lifetime.

Now we need to define the pre-shared key for this connection. (1.1.1.1 = public IP address of m0n0wall, qwertyuiop is the shared key, randomly generate something to use for your configuration)


isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255

Now we need to create an access list defining what traffic can cross this tunnel.

access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

Define transform set for this connection called "monovpnset"
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac

Define security association lifetime
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000

Now to set up the actual connection, the crypto map "monovpnmap". (where 1.1.1.1 is the public IP address of the m0n0wall device)
crypto map monovpnmap 10 ipsec-isakmp

crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn

These lines specify type of VPN (ipsec-isakmp), peer IP address (1.1.1.1), transform set to be used (monovpnset, defined above), and that packets matching the access list "monovpn" created above should traverse this VPN connection.

Last step is to tell the PIX to not use NAT on the packets using this VPN connection and route them instead.

First we'll see if anything is currently routed.


pixfirewall# sh nat
nat (inside) 0 access-list no-nat

Look for "nat (interface) 0 ..." commands. The above means any traffic matching access list "no-nat" will be routed, not translated. In this instance, we are adding to a current access list (if you use a DMZ, you likely have something similar to this setup).


access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

If you do not have a "nat (interface) 0 ..." command in your "sh nat" output, you can use the above two lines to create a "no-nat" access list. You then have to apply it with the "nat (interfacename) 0 access-list no-nat" command (replacing "interfacename" with the name of your LAN interface).

14.1.2. m0n0wall Configuration


Log into the m0n0wall webGUI, and under VPN, click IPSec.

If the "Enable IPSec" box is not checked, check it and click Save.

Click the + button to add a VPN tunnel. On the "Edit tunnel" screen, fill in as follows:

- Leave "Disable this tunnel" box unchecked.
- Interface: "WAN"
- Local subnet: Type: "LAN subnet"
- Remote subnet: 10.0.0.0/24 (fill in the subnet of the network behind the PIX here, rather than the made up 10.0.0.0/24)
- Remote gateway: public IP address of PIX
- Description: add one to describe the connection (e.g. "PIX VPN")

Phase 1
- Negotiation mode: Aggressive
- My identifier: "My IP Address"
- Encryption algorithm: 3DES
- Hash algorithm: MD5
- DH key group: 2
- Lifetime: 86400
- Pre-shared key: qwertyuiop (enter exactly what you defined as your pre-shared key on the PIX earlier)

Phase 2
- Protocol: ESP
- Encryption algorithms: only 3DES checked
- Hash algorithms: only MD5 checked
- PFS key group: 2
- Lifetime: 86400

Note
In m0n0wall 1.2 beta versions, you may experience the connection dropping frequently with this configuration. If this happens, set the PFS key group in phase 2 to "off".

Note
If you don't specify a key lifetime in the m0n0wall config, the tunnel will work, but appear to go insane after a while. Supposedly Cisco's will negotiate a key lifetime, but I have not seen this work in my experience. This is also true of a Cisco VPN Concentrator. (anonymous wiki contribution)

14.2. Smoothwall
Rev. Tig posted the following information on connecting Smoothwall and m0n0wall via IPsec VPN in a post on the mailing list on September 30, 2004.
I could not find a working solution in the mailing list archives but here is how I have managed to create a VPN between Smoothwall Corporate with Smoothtunnel and m0n0wall and I thought I would share it here to save people going through the same headbashing experience I did :) This will be far too much of a teaching granny to suck eggs for most people on the list but it might help someone get up and running quickly.

Variety is the spice of life and just to confuse matters the m0n0wall box was stuck behind NAT :) The office I was linking to was in a serviced building and hence the connection was a shared one with a private IP and a public one port forwarded to it. I had never done this before so corrections are welcome :) I am not saying these are the best settings, all I know is my VPN is up and running and it seems to be happy :)

What I have created is a VPN between one subnet at one site running Smoothwall Corporate Server 3.0 with Smoothtunnel and a m0n0wall v1 box sitting behind NAT with a private IP at the other site. Any other versions of the software may need slightly different settings but hopefully this should put you in the right ballpark.

First off, IPSEC over NAT: if at all possible, don't :) If you have to, or for some perverse reason you fancy a crack at this, then read on; if you are just here for the Smoothwall bit scroll down :) IPSEC over NAT does work but it can be a case of sacrificing the odd network card to the deity of your choice. What I did in the end was ask their network guy to just send everything and I will let m0n0 do the firewalling; this is what I would recommend, as then you don't have to hassle them every time you want a port opening. But from what I have gathered all you need are port 500 forwarding and IP protocols 50 and 51 to be routed by the firewall. Apparently your IPSEC traffic goes through port 500 but IP protocols 50 and 51 are needed for phase 1 (authentication) and phase 2 (key exchange). If I am wrong (this is quite possible) there will be a load of mails below correcting me :) If m0n0 is behind NAT and you are certain the other end is right but there appears to be no attempts to authenticate then check here first.

Now onto Smoothwall Corporate. Now I know Rich Morrell posts on here so I have to be careful about what I say about the interface, but that is just a personal taste thing :) Right, here are the Smoothwall settings:

Local IP: your RED IP address (if you are using Smoothhost then put the IP of your firewall in)
Local ID type: Local IP
Remote IP: the external IP of your NATted m0n0wall box
Remote ID type: Remote IP
Authenticate by: Preshared Key
Preshared Key: put your shared key here
Use Compression: Off
Enabled: On
Local network: in this case it was 192.168.0.0/255.255.255.0
Local ID value: same as your Local IP
Remote network: in this case it was 192.168.1.0/255.255.255.0
Remote ID value: the same as your Remote IP
Initiate the connection: Yes

I will use these networks in this example as it shows you a little gotcha in m0n0wall that threw me because I was not thinking :)

Next block:

Local Certificate: (your local certificate)
Perfect Forward Secrecy: Yes
Authentication type: ESP (it has to be; AH will NOT work over NAT)
Phase 1 crypto algo: 3DES
Phase 1 hash algo: MD5
Key life: 480 (mins)
Key tries: 0 (never give up)

Right, now the m0n0wall settings:

Phase 1:
Mode: tunnel (well, you can't change it and why would you want to :)
Interface: WAN
Local Subnet: 192.168.1.0/24 (don't do what I did and select LAN :)
Remote Subnet: 192.168.0.0/24
Remote IP: the RED IP of your Smoothwall box
Negotiation Mode: Main
My Identifier: IP Address: your public IP (non-NATed) for your m0n0wall box
Encryption Algo: 3DES
Hash Algo: MD5
DH Key Group: 5
Lifetime: (blank)
Preshared Key: put your shared key here

Phase 2:
Protocol: ESP
Encryption Algo: 3DES (only! untick the others)
Hash Algo: MD5 (again, only)
PFS Key Group: 5
Lifetime: (blank)

That is it, you can now bring the link up from Smoothwall by going into the VPN control tab and clicking UP!

14.3. FreeS/WAN
Josh McAllister provided the following sample ipsec.conf, which can be used to connect m0n0wall with FreeS/WAN in a site to site IPsec configuration.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    #compress=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn josh
    type=tunnel
    left=ip.add.of.m0n0
    leftsubnet=m0n0.side.subnet/24
    leftnexthop=%defaultroute
    right=ip.add.of.freeswan
    rightsubnet=freeswan.side.subnet/24
    rightnexthop=%defaultroute
    authby=secret
    auth=esp
    esp=3des-md5-96
    pfs=no
    auto=start

m0n0wall side:

Phase 1
Neg. mode = main
Enc. Alg = 3DES
Hash Alg = MD5
DH key grp = 5

Phase 2
Protocol = ESP
Uncheck all Enc. Alg. except 3DES
Hash alg = MD5
PFS key group = off

14.4. Sonicwall
Contributed by Dino Bijedic <dino.bijedic(at)eracomtech(dot)com>

The following describes how to configure a site to site IPsec VPN tunnel between a Sonicwall (PRO 300) and m0n0wall.

Editor's note: I would suggest using Main mode rather than Aggressive.

Figure 14.1. Network diagram

14.4.1. Sonicwall Configuration


Log in to Sonicwall.
Click VPN > Configure.
Add/Modify IPSec Security Association: in Configure, select Security Association > Add New SA.
Name: name of connection (Monowalltest)
IPSec Gateway Name or Address: type the IP address of your m0n0wall (203.49.X.117)
Security Policy
Exchange: Aggressive Mode
Phase 1 DH Group: Group 2
SA Lifetime (secs): 28800
Phase 1 Encryption/Authentication: 3DES & MD5

Phase 2 Encryption/Authentication: Strong Encryption and Authentication (ESP 3DES HMAC MD5)
Shared Secret: type your shared secret (novitest)
Destination Networks: select "Specify destination network below". The following screenshot shows what this screen will look like.

Click Add New Network. You will get: Edit VPN Destination Network (Note: this is a popup window; enable popups in your browser).
Network: type your destination network (192.168.200.0)
Subnet mask: type the destination subnet mask (255.255.255.0)

Click Update.

Figure 14.2. Example of Sonicwall configuration

14.4.2. m0n0wall Configuration


Configure the m0n0wall IPsec: Edit Tunnel screen as follows.
Interface: WAN
Local subnet: LAN subnet
Remote subnet: 192.168.2.0/24
Remote gateway: 61.95.x.99
Description: Sonicwall
Negotiation mode: Aggressive
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: MD5

DH key group: 2
Lifetime: 28800
Pre-shared key: novitest
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: MD5
PFS key group: off
Lifetime: 28800

Click Save at the bottom of the page to complete the VPN configuration.
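Every interop write-up in this chapter comes down to making both peers' phase 1 and phase 2 settings agree. As an added example (not from the Handbook or any vendor's tooling), this Python checker compares the two sides before the tunnel is brought up; the peer dictionaries are constructed from the Sonicwall and FreeS/WAN settings above, the FreeS/WAN phase 1 values are assumed (the conn block sets no ike= line), and all function and field names are mine.

```python
"""Cross-check the phase 1 / phase 2 parameters of both ends of a site-to-site
IPsec tunnel, so that mismatches such as Main vs Aggressive mode or PFS on one
side only are found without reading IKE logs.

Added example, not part of the m0n0wall Handbook or of any vendor's tooling.
The peer dictionaries are constructed from the settings in this chapter."""

import re

PHASE1_FIELDS = ("mode", "encryption", "hash", "dh_group")
PHASE2_FIELDS = ("protocol", "encryption", "hash", "pfs_group")

# Vendor spellings mapped onto one vocabulary, so that the webGUI's "3DES" and
# FreeS/WAN's "3des" (from "3des-md5-96") compare equal.
ALIASES = {"triple des": "3des", "aes256": "aes-256", "hmac-md5": "md5",
           "sha-1": "sha1", "no": "off", "none": "off", "yes": "on"}

def canon(value):
    """Normalise a setting to lower case and resolve known aliases."""
    key = str(value).strip().lower()
    return ALIASES.get(key, key)

def parse_freeswan_esp(esp):
    """Split an 'esp=' value such as '3des-md5-96' into (encryption, hash);
    the optional trailing number is the MAC truncation length and is ignored."""
    m = re.match(r"^([a-z0-9]+)-([a-z0-9]+)(?:-\d+)?$", esp.strip().lower())
    if not m:
        raise ValueError("unrecognised esp string: %r" % esp)
    return canon(m.group(1)), canon(m.group(2))

def freeswan_phase2(conn):
    """Derive phase 2 parameters from the keys of a FreeS/WAN 'conn' section."""
    enc, hsh = parse_freeswan_esp(conn["esp"])
    return {"protocol": conn.get("auth", "esp"), "encryption": enc, "hash": hsh,
            # pfs=no must meet 'PFS key group: off' on m0n0wall; pfs=yes leaves
            # the group implicit, recorded here as "on"
            "pfs_group": "off" if canon(conn.get("pfs", "yes")) == "off" else "on"}

def compare(local, remote, fields):
    """Return human-readable mismatches between two parameter dictionaries."""
    problems = []
    for f in fields:
        a, b = canon(local.get(f, "unset")), canon(remote.get(f, "unset"))
        if f == "pfs_group" and "on" in (a, b) and "off" not in (a, b):
            continue  # both use PFS; only one side states the group number
        if a != b:
            problems.append("%s: %s != %s" % (f, a, b))
    return problems

def check_tunnel(local, remote, behind_nat=False):
    """Compare phase 1 and phase 2 of both peers; an empty list means the
    proposals line up. AH authenticates the IP header, which NAT rewrites,
    so AH is flagged whenever a peer sits behind NAT (the Smoothwall case)."""
    problems = compare(local["phase1"], remote["phase1"], PHASE1_FIELDS)
    problems += compare(local["phase2"], remote["phase2"], PHASE2_FIELDS)
    if behind_nat and canon(local["phase2"].get("protocol")) == "ah":
        problems.append("protocol: AH cannot traverse NAT, use ESP")
    return problems

# Section 14.4: Sonicwall PRO 300 and the matching m0n0wall tunnel.
SONICWALL = {"phase1": {"mode": "Aggressive", "encryption": "3DES", "hash": "MD5",
                        "dh_group": "2"},
             "phase2": {"protocol": "ESP", "encryption": "3DES", "hash": "HMAC-MD5",
                        "pfs_group": "off"}}
M0N0WALL_SONICWALL = {"phase1": {"mode": "Aggressive", "encryption": "3DES",
                                 "hash": "MD5", "dh_group": "2"},
                      "phase2": {"protocol": "ESP", "encryption": "3DES",
                                 "hash": "MD5", "pfs_group": "off"}}

# Section 14.3: the FreeS/WAN 'conn josh' keys and the m0n0wall side listed
# with it. The conn block sets no 'ike=' line, so the phase 1 values below are
# assumed to mirror the m0n0wall side (FreeS/WAN's defaults must agree).
FREESWAN_CONN = {"type": "tunnel", "authby": "secret", "auth": "esp",
                 "esp": "3des-md5-96", "pfs": "no", "auto": "start"}
FREESWAN = {"phase1": {"mode": "main", "encryption": "3des", "hash": "md5",
                       "dh_group": "5"},
            "phase2": freeswan_phase2(FREESWAN_CONN)}
M0N0WALL_FREESWAN = {"phase1": {"mode": "Main", "encryption": "3DES", "hash": "MD5",
                                "dh_group": "5"},
                     "phase2": {"protocol": "ESP", "encryption": "3DES",
                                "hash": "MD5", "pfs_group": "off"}}

if __name__ == "__main__":
    for name, a, b in (("Sonicwall", SONICWALL, M0N0WALL_SONICWALL),
                       ("FreeS/WAN", FREESWAN, M0N0WALL_FREESWAN)):
        print(name, check_tunnel(a, b) or "OK")
```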

14.5. Nortel
If you go to Nortel's support site, they have a number of documents available on setting up peer to peer IPsec tunnels using pre-shared key authentication. Find the appropriate one for your device, and set up the m0n0wall end with the appropriate settings as described in the Nortel documentation.

14.6. Mobile User VPN with IPsec?

This tutorial tries to explain how to set up mobile user IPsec VPN with m0n0wall and Windows clients that use SafeNet SoftRemote LT, a popular IPsec VPN client. You need m0n0wall pb25 or later for mobile user VPN.

14.6.1. m0n0wall setup


1. Log in to your m0n0wall and go to the IPsec: Mobile clients page.
2. Configure the settings as shown in the following picture:

You must use aggressive mode, as only IP addresses can be used as identifiers in main mode.

3. Click "Save", then go to the IPsec: Pre-shared keys page.
4. Add a new key for each mobile user (use different keys, and at least 8 characters!). Use the e-mail address of the corresponding user as the identifier.
5. Go to the IPsec: Tunnels page, check "Enable IPsec" and click "Save".

14.6.2. Client setup

This example assumes version 10 of SafeNet SoftRemote LT.

1. Install SafeNet SoftRemote LT, if not already installed, and reboot.
2. Right-click on the SoftRemote icon next to the clock and select "Security Policy Editor".
3. Choose Edit > Add > Connection.
4. Configure the connection properties as follows:

Insert your LAN subnet + mask and enter the external IP address (or hostname) of your m0n0wall instead of "12.34.56.78".

5. Select "Security Policy" and use the following settings:

6. Select "My Identity" and use the following settings:

Enter the user's e-mail address, then click the button "Pre-Shared Key" and enter the pre-shared key. The e-mail address (and pre-shared key) must correspond with an entry on the IPsec: Pre-shared keys page on m0n0wall.

7. Select "Authentication (Phase 1) > Proposal 1" and use the following settings:

8. Select "Key Exchange (Phase 1) > Proposal 1" and use the following settings:

If you have a crypto accelerator card in your m0n0wall, you may want to use Triple DES instead of AES-256 as the encryption algorithm (some crypto accelerators do not support AES).

9. Choose File > Save.
10. Make sure that the Internet connection is established. Try to ping a host on your LAN (e.g. your m0n0wall's LAN IP address). The first few pings will time out as it takes a few seconds for the IPsec tunnel to be established. Use SoftRemote's log viewer and connection monitor to tell you what's going on (right-click on the SoftRemote icon next to the clock to open them).

Chapter 15. FAQ


Table of Contents
15.1. How do I setup mobile user VPN with IPsec?
15.1.1. m0n0wall setup
15.1.2. Client setup
15.2. How can I prioritize ACK packets with m0n0wall?
15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN
15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
15.6. Does m0n0wall support MAC address filtering?
15.6.1. Using Captive Portal and MAC pass-through
15.6.2. Using DHCP reservations and firewall rules
15.6.3. Using Static ARP
15.7. Does m0n0wall support SMP systems?
15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
15.9. What were the goals behind the m0n0wall project?
15.10. How do I setup multiple IP addresses on the WAN interface?
15.10.1. Proxy ARP
15.11. Can I filter/restrict/block certain websites with m0n0wall?
15.12. Why are some passwords stored in plaintext in config.xml?
15.13. Are there any performance benchmarks available?
15.14. What about hidden config.xml options?
15.15. Why can't I query SNMP over VPN?
15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
15.18. Can I access the webGUI from the WAN?
15.18.1. When using static IP on WAN
15.18.2. When using dynamic IP on WAN
15.19. Can I access a shell prompt?
15.20. Can I put my configuration file into the m0n0wall CD?
15.21. How can I monitor/graph/report on bandwidth usage per LAN host?
15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
15.23. Does m0n0wall support transparent proxying?
15.24. Should I use m0n0wall as an access point?
15.25. Why am I seeing traffic that I permitted getting dropped?
15.26. How can I route multiple subnets over a site to site IPsec VPN?
15.26.1. Summarizing the subnets using a larger mask
15.26.2. Setting up multiple IPsec connections
15.27. How can I block/permit a range of IP addresses in a firewall rule?
15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
15.29. Can I forward broadcasts over VPN for gaming or other purposes?
15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
15.31. Are PCMCIA cards supported?
15.32. Are there any tweaks for systems that will need to support large loads?
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
15.34. Can Captive Portal be used on a bridged interface?
15.35. Can I run Captive Portal on more than one interface?
15.36. Why do my SSH sessions time out after two hours?
15.37. Why isn't the reply address of the list set to the list?
15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.40. Why doesn't m0n0wall have a logout button?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
15.43. Where can I get a high resolution version of the m0n0wall logo?
15.44. When will m0n0wall be available on a newer FreeBSD version?
15.45. Is there any extra Captive Portal RADIUS functionality available?
15.46. How can I increase the size of the state table?

Everything you ever wanted to know about m0n0wall but were afraid to ask. This is a must read before posting questions to the mailing list!

15.1. How do I setup mobile user VPN with IPsec?

This tutorial tries to explain how to set up mobile user IPsec VPN with m0n0wall and Windows clients that use SafeNet SoftRemote LT, a popular IPsec VPN client. You need m0n0wall pb25 or later for mobile user VPN.

15.1.1. m0n0wall setup


1. Log in to your m0n0wall and go to the IPsec: Mobile clients page.
2. Configure the settings as shown in the following picture:

You must use aggressive mode, as only IP addresses can be used as identifiers in main mode.

3. Click "Save", then go to the IPsec: Pre-shared keys page.
4. Add a new key for each mobile user (use different keys, and at least 8 characters!). Use the e-mail address of the corresponding user as the identifier.
5. Go to the IPsec: Tunnels page, check "Enable IPsec" and click "Save".

15.1.2. Client setup


This example assumes version 10 of SafeNet SoftRemote LT.

1. Install SafeNet SoftRemote LT, if not already installed, and reboot.
2. Right-click on the SoftRemote icon next to the clock and select "Security Policy Editor".
3. Choose Edit > Add > Connection.
4. Configure the connection properties as follows:

Insert your LAN subnet + mask and enter the external IP address (or hostname) of your m0n0wall instead of "12.34.56.78".

5. Select "Security Policy" and use the following settings:

6. Select "My Identity" and use the following settings:

Enter the user's e-mail address, then click the button "Pre-Shared Key" and enter the pre-shared key. The e-mail address (and pre-shared key) must correspond with an entry on the IPsec: Pre-shared keys page on m0n0wall.

7. Select "Authentication (Phase 1) > Proposal 1" and use the following settings:

8. Select "Key Exchange (Phase 1) > Proposal 1" and use the following settings:

If you have a crypto accelerator card in your m0n0wall, you may want to use Triple DES instead of AES-256 as the encryption algorithm (some crypto accelerators do not support AES).

9. Choose File > Save.
10. Make sure that the Internet connection is established. Try to ping a host on your LAN (e.g. your m0n0wall's LAN IP address). The first few pings will time out as it takes a few seconds for the IPsec tunnel to be established. Use SoftRemote's log viewer and connection monitor to tell you what's going on (right-click on the SoftRemote icon next to the clock to open them).

15.2. How can I prioritize ACK packets with m0n0wall?


On asymmetric Internet links like DSL and often Cable, a big upload that consumes all of the available upstream bandwidth can render the link almost unusable by producing a huge backlog in the DSL/Cable modem's buffer, thus increasing the delay to several seconds. Because ACK packets (TCP acknowledgments) for received data are delayed or even lost as well, download speed drops, too. This problem can be solved by prioritizing these ACK packets, so they will be sent out before any other upload packets. Here's how to do it with m0n0wall:

First of all, you need m0n0wall pb24 or later. Start by adding a new pipe to the traffic shaper. This is necessary because we need to move the upstream queue into m0n0wall (where the order in which packets are sent out can be changed while packets are in the queue) rather than the DSL/Cable modem. Once the packets are in the DSL/Cable modem's output queue, there's no way of having ACK packets sent out immediately anymore. Therefore, it is very important to set that pipe's bandwidth to a value that is slightly below the effective upstream bandwidth of your Internet link. Don't forget that e.g. 128 kbps ADSL line speed is only about 100 kbps effective. If you set this value too high, your modem buffer will still become full and prioritization will accomplish nothing.

When you have added that pipe, add two queues linked to that pipe with different weights, e.g. one queue with weight = 10 and one with weight = 1. The first queue becomes your high priority queue.

Now it's time to add rules that classify upstream traffic into one of these two queues. There are loads of possibilities, e.g. prioritizing by TCP/UDP port, but for now we'll focus on IP packet length and TCP flags. Add a new traffic shaper rule, link it to the first (high priority) queue, interface = WAN, protocol = TCP, source = any, destination = any, direction = out, IP packet length 0-80, TCP flags: ACK = set, everything else = don't care. It is not sufficient to classify packets into the high priority queue based on the ACK flag only, because (big) upstream TCP data packets can have the ACK flag set as well. 0-80 is just an example to get you started. Save the rule, and add another one below it, linked to the second (low priority) queue, interface = WAN, protocol = any, source = any, destination = any, direction = out. Enable the traffic shaper if necessary, apply the changes, and that's it. Here are a few points to remember:

- Make sure no upstream Internet traffic can bypass the pipe.
- Despite ACK prioritization, the delay will still go up, as it is not possible to stop sending a big packet midway. For example, a full-size (1500 bytes) packet at 100 kbps will take 120 ms.
- If you want to be able to surf the web while performing a large upload, you'll also have to prioritize HTTP upstream traffic (i.e. destination port = 80); otherwise, TCP SYN packets (for connection establishment) to web servers will not get prioritized, and there will be a big initial delay until a connection is established. Prioritizing DNS packets is a good idea as well.
- If you want to find out what prioritization does for you, add a rule to classify outgoing ICMP packets into the high priority queue and try pinging some Internet host while you're uploading, once with the traffic shaper on, and once off. There should be a huge difference in response times.
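What the two rules and the two weighted queues do to a burst of upstream packets, as an added example (not m0n0wall or dummynet code): a Python simulation with constructed packets, where the scheduler is a simplified weighted fair queue standing in for dummynet's scheduler and the optional extra_high_ports argument models the follow-up advice about HTTP and DNS.

```python
"""Simulate the upstream shaping described in this FAQ entry: two queues
(weight 10 and weight 1) on one pipe, with the two classification rules.
Added example, not m0n0wall or dummynet code; the packets are constructed and
the scheduler is a simplified weighted fair queue, not dummynet's own."""

from collections import deque, namedtuple

# flags is a set of TCP flag names; proto is "tcp", "udp" or "icmp".
Packet = namedtuple("Packet", "name proto length flags dport")

HIGH, LOW = "high", "low"

def classify(pkt, ack_max_len=80, extra_high_ports=()):
    """Apply the FAQ's rules in order, first match wins.
    Rule 1: TCP out, IP length 0..ack_max_len, ACK set -> high-priority queue.
    The length limit is what keeps full-size upstream data packets (which
    also carry ACK) out of the high queue.
    extra_high_ports models the follow-up advice: also prioritise traffic
    to e.g. port 80 (HTTP) and 53 (DNS) so SYNs do not wait behind the upload.
    Rule 2: everything else -> low-priority queue."""
    if pkt.proto == "tcp" and pkt.length <= ack_max_len and "ACK" in pkt.flags:
        return HIGH
    if pkt.dport in extra_high_ports:
        return HIGH
    return LOW

def schedule(packets, weights=None, **classify_opts):
    """Enqueue every packet, then drain both queues in weighted order and
    return the packet names in the order they would leave the pipe.
    Each packet 'costs' length/weight; the queue whose head finishes first
    sends next, so the weight-10 queue gets ten bytes out for every byte of
    the weight-1 queue while both are backlogged."""
    weights = weights or {HIGH: 10, LOW: 1}
    queues = {HIGH: deque(), LOW: deque()}
    for p in packets:
        queues[classify(p, **classify_opts)].append(p)
    finish = {HIGH: 0.0, LOW: 0.0}
    order = []
    while any(queues.values()):
        best = None
        for q, dq in queues.items():
            if dq:
                f = finish[q] + dq[0].length / weights[q]
                if best is None or f < best[0]:
                    best = (f, q)
        finish[best[1]] = best[0]
        order.append(queues[best[1]].popleft().name)
    return order

def transmit_time_ms(length_bytes, link_kbps):
    """Serialisation delay of one packet: bits / (kbit/s) is milliseconds.
    1500 bytes at 100 kbps -> 120 ms, the figure quoted in the FAQ."""
    return length_bytes * 8 / link_kbps

# Constructed upstream burst: a bulk upload (full-size segments, ACK set),
# the small ACKs for a concurrent download, and a SYN to a web server.
UPLOAD = [Packet("data%d" % i, "tcp", 1500, {"ACK"}, 12345) for i in (1, 2, 3)]
ACKS = [Packet("ack%d" % i, "tcp", 52, {"ACK"}, 443) for i in (1, 2, 3)]
SYN_WEB = Packet("syn80", "tcp", 60, {"SYN"}, 80)
BURST = UPLOAD + ACKS + [SYN_WEB]

if __name__ == "__main__":
    print("ACK-only rules :", schedule(BURST))
    print("plus port 80   :", schedule(BURST, extra_high_ports=(80,)))
    print("1500 B @ 100 kbps = %.0f ms" % transmit_time_ms(1500, 100))
```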

15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
Problem. It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://yourexternalip/ from within your LAN.

Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.

Solution. If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address.

Note

This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.

15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN

You neglected to create a firewall rule to allow this traffic. Go to Firewall > Rules and add a rule on the PPTP interface to permit traffic from PPTP clients (ex: interface PPTP, protocol any, source PPTP clients, destination any). Traffic should now pass through the interface correctly.

15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
You probably forgot to assign a function to the interface. Use the console menu's "assign network ports" option to do that.

15.6. Does m0n0wall support MAC address filtering?

Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be able to use to achieve the desired end result.

Note

There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.

15.6.1. Using Captive Portal and MAC pass-through

You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

1. Enable Captive Portal on the desired interface (e.g. LAN) at the Services > Captive Portal screen. Create a HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
2. Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.

15.6.2. Using DHCP reservations and firewall rules


First, set up your DHCP scope. At the bottom of the Services > DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.

15.6.3. Using Static ARP


You can ensure certain MAC addresses can only use a certain IP by using static ARP. To add a static ARP entry, use /exec.php to run the arp command.
arp -s 192.168.1.11 ab:cd:ef:12:34:56

To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.
? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]

This change will not survive a reboot. You need to put the arp -s command in your config.xml in <shellcmd>. See FAQ 15.14 for more information on hidden config.xml options.

Note
An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.

15.7. Does m0n0wall support SMP systems?

Note

SMP support isn't built into m0n0wall, and the current versions have no add-on SMP support available. m0n0wall will run on SMP systems, however it will only utilize one processor. Michael's SMP support hasn't been updated in quite some time, and will not work with current m0n0wall releases.

Michael Iedema has written a program to automatically add SMP support to a m0n0wall release, which is available from http://www.michaeli.com/files/projects/m0n0smp. The script requires pseudo-device vn built into your kernel. When first run, it downloads the latest SMP kernel from Michael's site and updates the image. The update flag will re-download the SMP kernel in the event that Michael releases a new revision of the kernel. Michael also has a pre-built copy of the latest generic-pc image with SMP available for download from his page.

15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?

This frequently happens when someone wants to bridge an interface to their WAN to use it as a DMZ, and wants to put all of the hosts on their LAN interface behind a NAT. This is actually a fairly reasonable and natural thing to want to do.

The problem here is that ipnat and bridging (at least as implemented in FreeBSD) don't play well together. Packets from the LAN to the DMZ go out just fine, but in the other direction, it seems like the packets arriving on the unnumbered bridge interface don't get looked up correctly in the ipnat state tables.

I've managed to convince myself that solving this is Really Really Hard (TM). The irritating thing is that there's no theoretical reason why this should be difficult... it all comes down to implementation details.

Contribution from Bruce A. Mah <bmah(at)freebsd.org>

15.9. What were the goals behind the m0n0wall project?


Back in January 2004, Manuel, the guy behind m0n0wall, posted the following to the m0n0wall mailing list:

Hey folks,

I feel the need to state once and for all what the intention with which I started m0n0wall was. My goal was to create a free/open-source alternative to smaller commercial firewall boxes - no more, no less. I figured that on a Soekris or similar embedded PC, it could be made to look and behave just like a commercial firewall - only cheaper and with me in control of the features. When I started working on it, I especially had the following models in mind:

- WatchGuard SOHO
- ZyXEL ZyWALL 10
- SonicWALL SOHO
- NetScreen 5XP

I didn't intend to create an enterprise-class firewall, and I didn't intend to make a file, mail, print, web or whatever server. And despite the fact that m0n0wall runs well (and in the majority of installations, according to the survey!) on normal PCs, it is targeted at embedded PCs, which means they dictate what is possible in terms of storage, CPU speed and RAM size. I think m0n0wall mostly meets or even exceeds the feature range of the aforementioned products, so my goal has already been reached. That doesn't mean there's no room for or point in improvements. I just want to make it clear that I don't think we're ever going to see things like the following in m0n0wall:

- caching proxy
- file server (Samba etc.)
- mail server
- web server (Apache etc.)
- very extensive statistics

simply because it wasn't my goal to produce some all-in-one thing like e-smith, but a packet filtering firewall. Furthermore, these things usually don't mix well with embedded PCs for several reasons.

Why do we have a DHCP server then? Because all the commercial products I mentioned before do, because it's small and lightweight enough to fit in with the rest, and because it considerably increases ease-of-use (meaning that if your Internet connection uses DHCP too, like for example cable, you don't have to configure anything at all to let your clients access the Internet - that's why it's on by default too).

Now, about the NTP server... Rest assured that if msntp didn't have problems with Windows XP clients, there would have been a nice little NTP server configuration page in the webGUI, or at least a checkbox on the general setup page (with default to off of course), since pb15. But I don't like stuff that works only half of the time, so that's why it hasn't happened yet.

There you go... Hope I've explained my point of view now.

Regards, Manuel

15.10. How do I setup multiple IP addresses on the WAN interface?


Although the m0n0wall webGUI only allows setting up a single IP address on the WAN interface, you can still have m0n0wall accept packets destined to secondary IP addresses. It is not necessary to tell m0n0wall to use these IP addresses on the WAN interface (however in some cases proxy ARP has to be used, see below), but you have to tell it what to do with packets that are sent to them. There are two possibilities:

Routing

You can use this if you have an entire subnet of public IP addresses (with m0n0wall's WAN IP address not being in that subnet!).

Example: you have several servers connected to an optional interface (let's assume OPT1). Choose an IP address out of your public subnet for m0n0wall's IP address on OPT1. Use it as the default gateway on all the servers connected to OPT1 (it goes without saying that you assign public IP addresses directly to the servers on OPT1 in this scenario). Make sure to get the subnet mask right on m0n0wall and the OPT1 servers. Turn on advanced outbound NAT and define a rule for your LAN, but not for OPT1. This will effectively disable NAT between WAN and OPT1. Now you can add filter rules to selectively permit traffic to/from OPT1.

NAT

inbound/server NAT: Use this if you want to redirect connections for different ports of a given public IP address to different hosts (define one or more of your secondary IP addresses for server NAT, then use them with inbound NAT as usual).

1:1 NAT: Use this if you have enough public IP addresses for all your servers, but can't use routing because you don't have a whole subnet.

advanced outbound NAT: Use this if you want to take control over the IP addresses that are used for outgoing connections from machines that don't have 1:1 mappings (by default, m0n0wall's WAN IP address is used).

15.10.1. Proxy ARP


If any of the following applies to your setup, you should be fine without proxy ARP:

- the additional IP addresses that you're trying to use are part of a subnet that is routed to you by your ISP (i.e. your ISP has a static route for that subnet with your m0n0wall's WAN IP address as the gateway)
- you're using PPPoE or PPTP on WAN

Using proxy ARP under these conditions will not achieve anything. If however you use static IP addresses or DHCP on WAN and don't have a routed subnet, adding proxy ARP entries for the additional addresses/ranges/subnets in the webGUI will make sure that m0n0wall responds to ARP queries for these addresses on the WAN interface.

Adding Proxy ARP when it is not required usually will not hurt anything, so when in doubt, add it!

Note
Do not add Proxy ARP entries for IP addresses that are not assigned to you! Most DHCP servers will attempt to do an ARP query before assigning an IP address to a client, and if you enable Proxy ARP on IP's that are not yours, they will appear to be in use to the DHCP server. We have heard of instances where people enabled Proxy ARP for their entire WAN subnet, and got disconnected because they were "taking up all the DHCP addresses." Technically you aren't taking all the leases, you're just answering ARP on all of them, which is just as bad. This is typically only an issue when your WAN is an Ethernet network, but don't ever do it.

Note that it is never necessary (and strongly discouraged) to use IP aliasing on the WAN interface (by means of ifconfig commands).

15.11. Can I filter/restrict/block certain websites with m0n0wall?

There are no filtering capabilities built into m0n0wall based on website content, keywords, etc., nor any supported add-ons with such functionality.

Blocking by IP Address/Subnet

You can block specific sites by putting in firewall rules to deny access to the undesired server's IP address. If you take this path, it is recommended you use "reject" rather than "block" in the firewall rules so inaccessible sites time out immediately.

Blocking by DNS Override

If you use your m0n0wall as your only DNS server, you can also block specific sites by putting in a DNS override for the undesired site to point to an internal or invalid IP address. To block www.example.com, put in a DNS override pointing it to 1.2.3.4 or some other invalid IP address, or an address of a LAN web server. If you use an invalid IP address, you should put in a firewall rule to reject packets to this address so the requests time out immediately.

Note this is easy to get around by either using a different DNS server or editing the hosts file on the local machine, though this is beyond the capabilities and knowledge of most any user.

Using a Proxy Server

The ideal solution would be to use a proxy server on your LAN, and block outgoing traffic from your LAN hosts other than the proxy server.

15.12. Why are some passwords stored in plaintext in config.xml?

PPPoE/PPTP client, PPTP VPN, and DynDNS passwords as well as RADIUS and IPsec shared secrets appear in plaintext in config.xml. This is a deliberate design decision. The implementations of PPP, IKE, RADIUS and the way DynDNS works require plaintext passwords to be available. We could of course use some snake oil encryption on those passwords, but that would only create a false sense of security. Since we cannot prompt the user for a password each time a PPP session is established or the DynDNS name needs to be updated, any encryption we apply to the passwords can be reversed by anyone with access to the m0n0wall sources, i.e. everybody. Hashes like MD5 cannot be used where the plaintext password is needed at a later stage, unlike for the system password, which is only stored as a hash. By leaving the passwords in plaintext, it is made very clear that config.xml deserves to be stored in a secure location (or encrypted with one of the countless programs out there).

15.13. Are there any performance benchmarks available?


Needs updating.

15.14. What about hidden config.xml options?


Some m0n0wall options are only accessible by modifying config.xml directly. This is usually the case for strange/exotic options that only few people (should) use. Instead of cluttering the webGUI with lots of options that almost nobody really uses, they can only be set in config.xml. For the ultimate reference on all available options in config.xml, see the latest default config.xml available at http://m0n0.ch/wall/downloads/config.xml. Not all of these options may be available unless you're using the latest beta.

To put in these options, download your config.xml via the backup feature and open it in a text editor. Put in the desired options in the appropriate location in the file, as shown in the default config.xml linked above. After saving your desired changes, use the restore feature in m0n0wall to restore the changed configuration.

Some options are documented below:

system/webgui/noassigninterfaces
    hides the "assign interfaces" link in the navigation bar

system/earlyshellcmd and system/shellcmd
    may contain a shell command that is executed before the boot scripts actually start setting up the system (for earlyshellcmd), or after the boot scripts have finished setting up the system (for shellcmd). You can have multiple (early)shellcmd tags. Don't forget to replace special characters with their XML equivalents (most notably < and >, which become &lt; and &gt;).

interfaces/(if)/media and interfaces/(if)/mediaopt
    If you need to force your NIC to a specific media type (e.g. 10BaseT half duplex), you can use these two options. Refer to the appropriate FreeBSD man page for the driver you're using to see which options are available (or run ifconfig -m).

dhcpd/(if)/gateway
    Allows you to specify a custom gateway to assign to DHCP clients (instead of m0n0wall's IP address on the corresponding interface)

dhcpd/(if)/domain
    Assigns a custom domain name to DHCP clients (instead of the one configured on System: General setup)

dhcpd/(if)/dnsserver
    Assigns custom DNS servers to DHCP clients (instead of m0n0wall's IP address if the DNS forwarder is enabled, or the DNS servers configured on System: General setup otherwise)

dhcpd/(if)/nextserver and dhcpd/(if)/filename
    These are used for PXE booting, and you should know what they do if you're trying to set up PXE.
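The static ARP commands of 15.6.3 are the typical reason to add shellcmd entries, and hand-escaping the XML is where mistakes creep in. As an added example serving both that entry and this one (not m0n0wall code), this Python validates the ARP entries and lets an XML library do the escaping; the config.xml skeleton is constructed and the function names are mine.

```python
"""Add <shellcmd> entries (here: the 'arp -s' commands from FAQ 15.6.3) to a
m0n0wall config.xml as FAQ 15.14 describes, letting an XML library escape
<, > and & instead of doing it by hand.

Added example, not part of m0n0wall. The config.xml below is a constructed
minimal skeleton containing only the elements this example touches."""

import ipaddress
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <system>
    <hostname>m0n0wall</hostname>
    <domain>example.net</domain>
  </system>
</m0n0wall>
"""

# Six hex octets separated by colons, the format the webGUI also expects.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def static_arp_cmds(entries):
    """Turn {ip: mac} into 'arp -s IP MAC' commands, rejecting malformed input
    so that a typo does not become a broken command run at every boot."""
    cmds = []
    for ip, mac in sorted(entries.items()):
        ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
        if not MAC_RE.match(mac):
            raise ValueError("MAC must be six colon-separated hex octets: %r" % mac)
        cmds.append("arp -s %s %s" % (ip, mac.lower()))
    return cmds

def add_shellcmds(config_xml, commands, early=False):
    """Append one <shellcmd> (or <earlyshellcmd>) per command under <system>
    and return the new document as a string. ElementTree escapes the text, so
    a command containing < > or & is stored as &lt; &gt; &amp; automatically.
    Commands already present are skipped, so re-running is harmless."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("config.xml has no <system> element")
    tag = "earlyshellcmd" if early else "shellcmd"
    existing = {e.text for e in system.findall(tag)}
    for cmd in commands:
        if cmd in existing:
            continue
        if len(system):
            system[-1].tail = "\n    "     # keep the indentation readable
        el = ET.SubElement(system, tag)
        el.text = cmd
        el.tail = "\n  "
        existing.add(cmd)
    return ET.tostring(root, encoding="unicode")

def shellcmds(config_xml, early=False):
    """Read back the commands m0n0wall would run, in file order."""
    tag = "earlyshellcmd" if early else "shellcmd"
    system = ET.fromstring(config_xml).find("system")
    return [e.text for e in system.findall(tag)]

if __name__ == "__main__":
    # Constructed entry matching the arp example in FAQ 15.6.3.
    cmds = static_arp_cmds({"192.168.1.11": "AB:CD:EF:12:34:56"})
    print(add_shellcmds(SAMPLE_CONFIG, cmds))
```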

15.15. Why can't I query SNMP over VPN?


With an out of the box configuration, you cannot query SNMP on the LAN interface of a remote m0n0wall over a VPN connection. Fred Wright explained in a post to the mailing list on September 12, 2004 why this is.
Due to the way IPsec tunnels are kludged into the FreeBSD kernel, any traffic *initiated* by m0n0wall to go through an IPsec tunnel gets the wrong source IP (and typically doesn't go through the tunnel at all as a result). Theoretically this *shouldn't* be an issue for the *server* side of SNMP, but perhaps the server has a bug (well, deficiency, at least) where it doesn't send the response out through a socket bound to the request packet.

You can fake it out by adding a bogus static route to the remote end of the tunnel via the m0n0wall's LAN IP (assuming that's within the near-end tunnel range). A good test is to see whether you can ping something at the remote end of the tunnel (e.g. the SNMP remote) *from* the m0n0wall.

There's an annoying but mostly harmless side-effect to this - every LAN packet to the tunnel elicits a no-change ICMP Redirect.

To do this, click "Static Routes" in the webGUI. Click the + to add a static route. In the Interface box, choose LAN, for destination network, enter the remote end VPN subnet, and for the gateway put in the LAN IP address of your local m0n0wall.

15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
The m0n0wall WAN PPTP feature is for ISP's that require you to connect using PPTP (some in Europe require this). This feature cannot be used as a PPTP client to connect to a remote PPTP server to allow m0n0wall to route over the PPTP connection.

15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
Not yet.

15.18. Can I access the webGUI from the WAN?


Not in a default configuration. This is disabled for security reasons.

To enable this, first switch to SSL if you haven't already. To do so, go to System > General Setup, and change webGUI protocol from HTTP to HTTPS.

15.18.1. When using static IP on WAN

Note

You may need to change the port number used by the webGUI. If you have used inbound NAT to open HTTPS to a web server, you'll have to change that port number to something other than the default 443, and change the destination port on the firewall rule shown below accordingly.

Now click Firewall > Rules and click the + on that screen. Add a rule like the following, replacing the made-up IP 12.221.133.125 with the public IP of the remote system you wish to use to administer your m0n0wall, and 64.22.12.25 with the public IP of your m0n0wall.

15.18.2. When using dynamic IP on WAN

This makes things a little trickier. You can't set the destination IP because it will change, and when it changes you would no longer be able to get to the webGUI. Instead, set the destination to "any" rather than the WAN IP. Note that this will grant access to anything with an inbound NAT entry for the port (likely HTTPS), or anything behind a bridged interface with a public IP on that port. Unless you have multiple public IPs, this will not grant access to anything other than the webGUI. This does not grant that host access to HTTPS for anything on your LAN. Even if you do have multiple public IPs, opening HTTPS to a host you intend to allow to configure your firewall is likely of little to no concern.

Note

Opening your webGUI to the entire Internet is a bad idea. Limit it to only the IP address required. If the remote administration host is on DHCP, you can limit it to the remote machine's ISP's netblock rather than opening it to the entire Internet. Opening your firewall administration interface to the entire Internet, even with strong authentication, is strongly discouraged on any firewall.

15.19. Can I access a shell prompt?


There is no true shell prompt per se in m0n0wall, and no supported way to add one. You can get some limited shell functionality by going to the hidden /exec.php page.

15.20. Can I put my configuration file into the m0n0wall CD?


Yes, but keep in mind this means you will need to burn a new CD any time you want to change anything in the configuration. To do this, replace the file /conf.default/config.xml on the ISO with your config.xml file.

15.21. How can I monitor/graph/report on bandwidth usage per LAN host?


John Voigt posted a way to accomplish this to the m0n0wall mailing list on September 22, 2004. Chris Buechler is working on making this more understandable and easier to follow. You can see the work in progress on the m0n0wall wiki for now.

15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
The short answer is: no.

The long answer is: the author of m0n0wall has decided that translations add an extreme amount of overhead, since each time a new feature is developed (or an existing feature is modified), all the translators need to be contacted to get the proper translations for the new strings. Experience shows that people are often eager to start something new, but lose interest and give up or go away after a while, so it'd be hard to keep all the different languages synchronized. Failure to do so would lead to incomplete or mixed (with English) translations, something which immediately creates a very bad impression in most users. Furthermore, translating the interface of a firewall isn't as easy as it seems: the translator needs to fully understand all the concepts that are involved in order to produce accurate translations.

Side note: the native language of the author of m0n0wall is not English either. However, he believes that anyone who's trying to accomplish anything non-trivial with a firewall, especially an open source one, will never get around learning English anyway.

That said, everybody's free to start their own (translated) m0n0wall branch; the BSD license, under which m0n0wall is placed, essentially permits anyone to do anything with m0n0wall as long as the original copyright notice and license are preserved somewhere (see the license for details). It should be made clear that it's not an "official" version though.

15.23. Does m0n0wall support transparent proxying?


Currently it does not. The following was taken from a post by Manuel Kasper, m0n0wall's author, to the mailing list on October 5, 2004.
I think this is very appropriate, but the reason why it hasn't happened yet is that nobody has figured out how to do it yet. ;) The problem always seems to be how to tell the proxy which IP address/port the user initially tried to connect to. But that may not even be necessary (HTTP Host header). If a clean solution with ipfilter/ipnat is possible, that would be cool.

15.24. Should I use m0n0wall as an access point?


Manuel Kasper, author of m0n0wall, posted the following to the m0n0wall mailing list on December 29, 2004.
If you want to be really happy with your wireless, then by all means buy a real dedicated AP. hostap just never matches the performance and reliability (not even under Linux) of a *good* AP, and is only intended as a solution for people who absolutely need to do everything on one box.

Chris Buechler has this to add:
I have a 2511MP+ in my 4501, though honestly, I don't use it much anymore for anything other than m0n0wall testing. I got a Linksys WRT54G to use for wireless. FreeBSD 4.11's hostap just plain sucks IMO. It's starting to show its age (the 4.x version is several years old). There are many newer cards you just can't get to connect to it no matter what (more than half the b/g and a/b/g cards I've tried), some that require configuration changes to connect, and in general it's just a pain. Given the cost of miniPCI cards, a Linksys or similar is a good alternative for about the same cost - just bridge the wireless over to an OPT port on m0n0wall, as I do. Things should improve very much in the next m0n0wall version, including support for a/b/g cards and none of the pains of 4.11's dated hostap, so you may want to hold off for a few months or so if you can.

15.25. Why am I seeing traffic that I permitted getting dropped?


Assuming your firewall rules are set up appropriately to allow this traffic, the reason is that they are duplicate or last packets of a session. This is explained as follows by the IPFilter HOWTO:

Due to the often laggy nature of the Internet, sometimes packets will be regenerated. Sometimes, you'll get two copies of the same packet, and your state rule which keeps track of sequence numbers will have already seen this packet, so it will assume that the packet is part of a different connection. Eventually this packet will run into a real rule and have to be dealt with. You'll often see the last packet of a session being closed get logged because the keep state code has already torn down the connection before the last packet has had a chance to make it to your firewall. This is normal, do not be alarmed.

15.26. How can I route multiple subnets over a site to site IPsec VPN?
There are two ways to accomplish this. Which is most suitable depends on if you are able to summarize the subnets, and how many subnets are involved. For either way, the subnets do not need to be directly connected to m0n0wall. They can be behind a router on the LAN behind m0n0wall. In that case, you'll need to set up static routes on m0n0wall's LAN interface pointing to the LAN router for each of the subnets in question. You can also summarize the subnets in static routes.

15.26.1. Summarizing the subnets using a larger mask


If you are using, for example, 192.168.1.0/24 at one site, and the other site uses 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24, you can summarize the 10.x.x.x site with 10.0.0.0/22. 10.0.0.0/22 includes 10.0.0.0 through 10.0.3.255.

15.26.2. Setting up multiple IPsec connections

You can set up one IPsec connection for each subnet you want to connect to on the remote side. If you have a large number of subnets on the remote side, it is recommended you number them so they're easily summarized, so you don't have to set up a large number of connections.

15.27. How can I block/permit a range of IP addresses in a firewall rule?


If you can summarize the IP addresses with a CIDR mask, you can enter a rule to apply to those hosts. For example, 10.0.0.8 through 10.0.0.15 can be summarized with 10.0.0.8/29.
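Working out a summary by hand is error-prone, and a summary that is one bit too wide silently pulls address space that is not at the remote site into the tunnel or the rule. The following is an added example (not from the handbook or m0n0wall) using Python's standard ipaddress module to do the arithmetic for both the IPsec case (15.26) and the firewall rule case (15.27): it collapses a list of subnets into the fewest covering networks, converts a first/last address range into CIDR blocks, and reports what a hand-chosen summary would add beyond the subnets you listed. The subnets used are the ones from the examples above.

```python
import ipaddress


def summarize_subnets(subnets):
    """Collapse CIDR subnets into the minimal set of covering networks.

    One result means the subnets fit one larger mask (one IPsec phase 2 or
    one static route); several results mean one entry per network.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def range_to_cidrs(first, last):
    """Express an inclusive address range as the fewest CIDR blocks.

    Each block can be used directly as a source or destination in a rule.
    """
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def excess_of_summary(summary, subnets):
    """Address space a proposed summary covers that is NOT in `subnets`.

    An empty result means the summary is exact; anything else is extra
    space you would be routing into the tunnel or permitting in the rule.
    """
    remaining = [ipaddress.ip_network(summary, strict=True)]
    for s in subnets:
        sub = ipaddress.ip_network(s, strict=True)
        kept = []
        for r in remaining:
            if sub.subnet_of(r):
                # carve the listed subnet out of the summary
                kept.extend(r.address_exclude(sub))
            elif r.subnet_of(sub):
                pass  # fully covered by a listed subnet, nothing extra here
            else:
                kept.append(r)
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    remote = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    print("summary:", summarize_subnets(remote))            # ['10.0.0.0/22']
    print("range:", range_to_cidrs("10.0.0.8", "10.0.0.15"))  # ['10.0.0.8/29']
    # Only three of the four /24s exist: a /22 would also carry 10.0.3.0/24.
    print("excess:", excess_of_summary("10.0.0.0/22", remote[:3]))
```

Run excess_of_summary before committing to a larger mask; if it reports anything, either add the missing subnets on the remote side deliberately or use the list that summarize_subnets returns instead of a single hand-picked mask.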

15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
Because the traffic shaping rules to limit BitTorrent throughput cover the same range of ports MSN uses. Magic Shaper uses 6881-6999 to classify BitTorrent traffic, which encompasses the MSN ports 6891-6900. You can change the rules that classify BitTorrent traffic in the traffic shaping pages. Typically BitTorrent only uses 6881-6889.

Credit: Chris Bagnall

15.29. Can I forward broadcasts over VPN for gaming or other purposes?
Not yet. OpenVPN will make this possible in the future.

15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
If you're using public IPs on your LAN, or need to disable NAT for some other reason, enable advanced outbound NAT, under Firewall > NAT, Outbound tab.

15.31. Are PCMCIA cards supported?


The drivers are available for most PCMCIA cards; however, FreeBSD 4.x typically doesn't work out of the box with PCMCIA cards. Wireless cards are generally an exception, but this might also be the case for some. Some customization to /etc/pccard.conf is typically required for the card to be detected. Google for your card model, FreeBSD and pccard.conf to find the required values if the card is not detected. You'll have to edit your m0n0wall image appropriately.

15.32. Are there any tweaks for systems that will need to support large loads?

You may need to raise the kern.ipc.nmbclusters sysctl. If you are getting "out of mbuf" errors, this will fix that. From 'man tuning':


kern.ipc.nmbclusters may be adjusted to increase the number of network mbufs the system is willing to allocate. Each cluster represents approximately 2K of memory, so a value of 1024 represents 2M of kernel memory reserved for network buffers. You can do a simple calculation to figure out how many you need. If you have a web server which maxes out at 1000 simultaneous connections, and each connection eats a 16K receive and 16K send buffer, you need approximately 32MB worth of network buffers to deal with it. A good rule of thumb is to multiply by 2, so 32MBx2 = 64MB/2K = 32768. So for this case you would want to set kern.ipc.nmbclusters to 32768. We recommend values between 1024 and 4096 for machines with moderate amounts of memory, and between 4096 and 32768 for machines with greater amounts of memory. Under no circumstances should you specify an arbitrarily high value for this parameter, it could lead to a boot-time crash. The -m option to netstat(1) may be used to observe network cluster use. Older versions of FreeBSD do not have this tunable and require that the kernel config(8) option NMBCLUSTERS be set instead.

Add a line like the following to /boot/loader.rc on the image.
set kern.ipc.nmbclusters=32768

That would take 64 MB RAM. With 128+ MB RAM and m0n0wall, you could set it to that or higher, but setting it arbitrarily high may cause problems as stated above.

The default on FreeBSD and m0n0wall is 1024, which is fine unless you require a huge number of connections. It's set to 1024 by default to limit memory consumption, and 1024 is more than enough for the vast majority of m0n0wall installations.

15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
Or "why SVG, it doesn't tell me anything". Not true, there are many uses for real-time graphing data that MRTG, ifgraph and similar historical packages cannot provide. These fill two different needs.

Not directly on the firewall. These packages all have heavy requirements like Perl and others. In order to keep m0n0wall light, these packages cannot be added directly to the system. m0n0wall's filesystem design, in that it runs from RAM and does not maintain anything other than your configuration across reboots, is not conducive to applications of this nature.

You can run these from another system on your network. See the ifgraph section (B.3) of this guide.

15.34. Can Captive Portal be used on a bridged interface?


No. Because of the way Captive Portal is implemented, it cannot function on a bridged interface.

15.35. Can I run Captive Portal on more than one interface?


No. Because of the way Captive Portal is implemented, it cannot be used on more than one interface.

15.36. Why do my SSH sessions time out after two hours?

As of 1.2b2, the TCP idle timeout for the firewall is 2.5 hours instead of the ipfilter default of 10 days (!) to keep the state table from filling up with dead connections. This value can be modified on the advanced setup page, though that is not recommended. So of course if your SSH connection doesn't transfer a single byte for that long, the ipfilter state table entry is deleted and the connection breaks. Turning on keepalives in your SSH client (for OpenSSH, ServerAliveInterval in ssh_config) is the recommended means of avoiding broken sessions.

15.37. Why isn't the reply address of the list set to the list?
The ezmlm FAQ explains why this is not recommended. Manuel posted the following explanation to the list on May 12, 2003.
It will stay this way because I read this: http://www.ezmlm.org/faq-0.40/FAQ-9.html#ss9.8 and found that they're right - I can live with the fact that people have to think twice before posting anything to the list. :) Besides, other lists behave in the same way, too (including soekris-tech and freebsd-small), and every better MUA has got a "Reply All" function, so that issue is settled as far as I'm concerned.

Also see The Great Reply-to Debate in the book Producing Open Source Software.

15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?


Nothing to worry about. ipfw is only used for traffic shaping in m0n0wall; you probably enabled and later disabled the traffic shaper (the module is only loaded on demand). The real packet filtering is done with ipfilter, which is compiled into the kernel and cannot be unloaded.

15.39. Why can't my IPsec VPN clients connect from behind NAT?

That's because FreeBSD doesn't support NAT-T (NAT Traversal), which is required for IPsec to work behind NAT on the remote end. Unfortunately, there's no way to fix that at this point. OpenVPN, which is in the current beta versions, might be a good solution.

15.40. Why doesn't m0n0wall have a log out button?


m0n0wall uses HTTP authentication. For every page you request from m0n0wall, your browser sends the username and password from its cache. There is no reliable way to force the browser to "forget" the username and password, and session management to work around that would introduce potential security vulnerabilities, so m0n0wall does not provide logout functionality. To safely log out, close your browser.

Your web browser may have a way to clear cached HTTP credentials. Check your browser's documentation for further information.

15.41. Can I have more than 16 simultaneous PPTP users?

Yes, though this is not officially supported. See this page on Chris Buechler's website for images and further information.

15.42. Can I sell m0n0wall (or use it in a commercial product)?

m0n0wall is under the BSD license, which basically means that you can do whatever you want with it (including modifying and selling it) for free, as long as the original copyright notice and license appear somewhere in the documentation and/or the software itself. There are no warranties of any kind though.

For the full copyright notice/license text, see http://m0n0.ch/wall/license.php.

Although you don't have to pay anything for m0n0wall even if you sell it, if you do find yourself making money by selling m0n0wall-based products, a donation would be very much appreciated.

15.43. Where can I get a high-resolution version of the m0n0wall logo?


An EPS version of the logo is available here.

15.44. When will m0n0wall be available on a newer FreeBSD version?


Beta versions 1.2b5 through b7 were based on FreeBSD 5.3, after much demand. This brought greatly improved wireless card support, but that's it. Many other, more important things were a major step back from the current FreeBSD 4.x. Network performance was anywhere from 20-50% of the speed it used to be on embedded platforms, and stability was poor in comparison in some environments.

We consulted with members of the FreeBSD Core Team on the issues we were seeing with performance, and their answer was basically "yes, we know it is slower, and are working on improving it." FreeBSD 6 is already much improved, and the funded TCP optimization work currently being done will improve things much more.

It was decided to revert back to 4.x to finish the 1.2 release, and hence get it done much faster than would be possible on 5.x and with a much better end result.

After 1.2 is released, discussion will be started on the list as to which operating system and firewall software is best suited for the next m0n0wall release. At this point, FreeBSD 6 looks like the most likely candidate, and will bring back Atheros support amongst many other enhancements not available in FreeBSD 4 or 5.

15.45. Is there any extra Captive Portal RADIUS functionality available?


Jonathan De Graeve has implemented a number of new RADIUS features for Captive Portal that will be implemented in a future beta version. For now, these features are available on test images available for download from http://inf.imelda.be/downloads/m0n0wall/.

Features currently implemented in the test images include:
RADIUS-defined URL redirection taking precedence over the URL redirection parameter in the captive portal setup page.
Multiple RADIUS server support
Failure message on captive portal login error page, plus logging to the captive portal log on why authentication failed (user account exceeded bandwidth limit, bad password, etc.).
Cisco-compatible feature (sending calling-station-id with client IP and called-station-id with client MAC instead of the standard behavior of calling-station-id and client MAC).
Timeout parameter and max authentication retries parameter
Retrieval of user bandwidth settings
Retrieval of user group
Retrieval of session timeout

Note

Retrieval means the variable is present and CAN be used, but there is no action bound to it yet.

To do: GUI implementation and enhancements.

15.46. How can I increase the size of the state table?


m0n0wall's default firewall state table is limited to 30,000 states. This is sufficient for the vast majority of firewalls, and extra states may require more RAM than exists in some m0n0wall installations.

Unfortunately, to increase the size of the state table you have to recompile the kernel. See The complete guide to building a m0n0wall image from scratch in the m0n0wall Developers' Handbook.

Note

This is rarely necessary. Unless you have a very fast and heavily loaded Internet connection, or 10+ Mb of certain types of peer-to-peer traffic, chances are you will never exceed 30,000 states. The number of states required by a given environment will vary dramatically. 50 Mbps of HTTP, SMTP, POP3, and IMAP traffic might only take 20,000 states, but 50 Mbps of peer-to-peer traffic from dozens of machines might take more than a million states.

If you find you cannot create new connections to the Internet from any machine, but existing connections all work properly, you may have exhausted your state table.

Chapter 16. Other Documentation


Table of Contents
16.1. Installation
16.2. VPN/IPsec/PPTP
16.3. Wireless

There are many people who have written additional documentation for m0n0wall which is beyond the scope of this manual, or which has not yet been incorporated into this manual. This chapter provides a reference to some of those sources to help you when you find yourself in a situation not covered in detail in this manual.

16.1. Installation
m0n0wall Live Installer: FreeBSD Live CD (built using FreeSBIE) including all m0n0wall 1.11 and 1.2b3 images and instructions on using it.
Installing m0n0wall over a network, by Roberto Pereyra

16.2. VPN/IPsec/PPTP

Authenticating m0n0wall's PPTP VPN with an Active Directory Server, by Michael Iedema
Configuring a Wireless Network-to-Network IPsec bridge using m0n0wall, by Michael Iedema
Wireless (in)Security (bottom of page), by Michael Iedema

16.3. Wireless
Setting Up a Community Hotspot with m0n0wall (PDF), by NYCwireless

Appendix B. Third Party Software

Table of Contents
B.1. Introduction
B.2. Installing SVG Viewer on Mozilla Firefox
B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph
B.4. Updating more than one Dynamic DNS hostname with ddclient
B.5. Using MultiTech's Free Windows RADIUS Server
B.6. Configuring Apache for Multiple Servers on One Public IP
B.7. Opening Ports for BitTorrent in m0n0wall
B.7.1. Opening BitTorrent for Multiple LAN Hosts
B.8. Automated config.xml backup solutions
B.8.1. Backing up and committing to CVS
B.8.2. Backing up to the current directory
B.9. Historical Interface Graphing Using MRTG on Windows

B.1. Introduction

There are a number of third party software packages that provide functionality that m0n0wall does not include. These applications are not installed on m0n0wall, but rather on another system on your LAN. This section of the handbook will document how to use several of these packages.

If you know of other third party applications appropriate for this section of the documentation, please email the editor at m0n0wall@chrisbuechler.com.

B.2. Installing SVG Viewer on Mozilla Firefox


The SVG viewer doesn't work "out of the box" after an install like it does in Internet Explorer. See this page on mozilla.org for instructions on installing it.

B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph


ifgraph is a nice utility that you can run on a machine on your LAN to query SNMP on your m0n0wall and graph its interfaces. Note that you may be able to hack m0n0wall to run this locally, but if you have a connection with moderate bandwidth and are running on low-end hardware like a Soekris 4501, this could limit the device's throughput.

Sample of the web page output of ifgraph on a m0n0wall.

FreeBSD is used in the demonstrated installation as the OS performing the monitoring and hosting the graphs. This will work on other BSDs, Linux or any other Unix OS, but the installation procedures and configuration file locations may vary.

Prerequisites:
Installed and functioning Apache server
m0n0wall SNMP enabled following the instructions in the Users Guide.

1. Install ifgraph.
We'll install ifgraph from FreeBSD ports using binary packages, unless you want to wait for it to compile (doesn't take horribly long). It'll automatically install all the prerequisites either way you do it.

From binary packages
su-2.05b# pkg_add -r ifgraph

Compilingyourself
su-2.05b# cd /usr/ports/net-mgmt/ifgraph
su-2.05b# make install clean

2. Query for interfaces
After the successful ifgraph installation, we will use ifgraph's find-if.pl to find the interface numbers on your m0n0wall. Replace 192.168.1.1 with the LAN IP of your m0n0wall, and 'public' with the SNMP community of your firewall. (An SNMP v1/v2c community string is sent in cleartext and is effectively the password for reading the firewall's interface counters, so configure something other than the default 'public' on m0n0wall and only query it from the LAN.)


su-2.05b# /usr/local/bin/find-if.pl -mi 192.168.1.1 public
OK: session created, getting info from 192.168.1.1
Showing up interfaces of: 192.168.1.1
Interface total: 8
OK: Collecting info on each interface, wait...
Warn: Could NOT get ifPhysAddress table
OK: Data collected
System Description: FreeBSD m0n0wall.local 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Fri Au i386
System Uptime: 3 days, 06:10:58.33
| If # | Description | Stat | Octets In  | Errors | Octets Out | Errors | IP Address    | MAC Address |
| ---- | ----------- | ---- | ---------- | ------ | ---------- | ------ | ------------- | ----------- |
| (1)  | wi0         | up   | 0          | 0      | 11538828   | 0      | not set       | not set     |
| (2)  | sis0        | up   | 3234568017 | 0      | 1783247523 | 0      | 62.22.130.150 | not set     |
| (3)  | sis1        | up   | 0          | 0      | 42         | 0      | 10.1.0.1      | not set     |
| (4)  | sis2        | up   | 1743313091 | 0      | 3020545424 | 0      | 192.168.1.1   | not set     |
| (5)  | lo0         | up   | 732        | 0      | 732        | 0      | 127.0.0.1     | not set     |

You'll see the names of your interfaces under the Description column. Make note of the interface number (first column) for your interfaces.

3. Edit ifgraph.conf file.
Copy the sample ifgraph.conf file (ifgraph.conf.sample) to ifgraph.conf.
su-2.05b# cp /usr/local/etc/ifgraph.conf.sample /usr/local/etc/ifgraph.conf

Use the following ifgraph.conf as a template. You will need to replace 192.168.1.1 with the LAN IP address of your m0n0wall, "public" with the SNMP community configured on your m0n0wall, and the "interface=" line with the number of the interface to be graphed.


#
# [global] target
#
# This target is mandatory
# The directives of this target are:
#   rrdtool   = /path/to/rrdtool      - full path to rrdtool
#   rrddir    = /path/to/rrddir       - full path to a writeable dir, where rrd files and logs will be created
#   graphdir  = /path/to/public_html  - full path to a writeable dir, where png and html will be created
#   template  = /path/to/template_dir - full path to a directory containing template files
#   imgformat = the image format. You may choose:
#       PNG  - Portable Network Graphics
#       GIF  - Graphics Interchange Format
#       iGIF - Interlaced GIF
#       GD   - Boutell GD
#
# Defaults: You can define default configurations in the global target,
# but, for this to work, it must be the first target always. If [global]
# is after another target, default configurations will not work as expected.
#

[global]
rrdtool = /usr/local/bin/rrdtool
rrddir = /usr/local/var/ifgraph
graphdir = /usr/local/ifgraph/htdocs
template = /usr/local/ifgraph/templates/en
imgformat=PNG
# those are the default configurations, should be
# overriden in each target
host = your.main.router.com
community = public
port =161
max=100M
dimension=550x200
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
hbeat=600
retry=2
timeout=5

[m0n0wall-wan]
host=192.168.1.1
community=public
port=161
interface=2
max=100M
dimension=550x200
title=In/Out data for m0n0wall WAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our network,kbits leaving our network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

[m0n0wall-dmz]
host=192.168.1.1
community=public
port=161
interface=3
max=100M
dimension=550x200
title=In/Out data for m0n0wall DMZ interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering DMZ network,kbits leaving DMZ network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

[m0n0wall-lan]
host=192.168.1.1
community=public
port=161
interface=4
max=100M
dimension=550x200
title=In/Out data for m0n0wall LAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our LAN network,kbits leaving our LAN network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

4. Run tests.
First we'll run ifgraph.pl to collect the data. Run this at least three times, and wait a few seconds in between runs.


su-2.05b# ifgraph.pl -c /usr/local/etc/ifgraph.conf

Now we'll run makegraph.pl to make the HTML pages and graphs.
su-2.05b# makegraph.pl -c /usr/local/etc/ifgraph.conf

Check the ifgraph htdocs directory to make sure it contains the png and html files.
su-2.05b# ls /usr/local/ifgraph/htdocs
index.html              m0n0wall-lan-1day.png    m0n0wall-wan-1month.png
m0n0wall-dmz-1day.png   m0n0wall-lan-1month.png  m0n0wall-wan-1week.png
m0n0wall-dmz-1month.png m0n0wall-lan-1week.png   m0n0wall-wan-1year.png
m0n0wall-dmz-1week.png  m0n0wall-lan-1year.png   m0n0wall-wan.html
m0n0wall-dmz-1year.png  m0n0wall-lan.html
m0n0wall-dmz.html       m0n0wall-wan-1day.png

5.EditApacheconfig

In the mod_alias section of your httpd.conf file (/usr/local/etc/apache/httpd.conf in FreeBSD):
Alias /ifgraph/ "/usr/local/ifgraph/htdocs/"

Restart Apache for the changes to take effect.
su-2.05b# apachectl restart

6. Open web browser to view graphs.
Open up your web browser and go to http://server/ifgraph/. You should see graphs there, though they probably will not contain any data at this time. If you can't get any web page to appear, you likely have Apache issues. If you see broken images instead of graphs, check step 4 for problems.

7. Add to cron to update automatically.
Open up /etc/crontab in your text editor, and add the following two lines to the bottom of this file.


* * * * * root /usr/local/bin/ifgraph.pl -c /usr/local/etc/ifgraph.conf > /dev/null
*/5 * * * * root /usr/local/bin/makegraph.pl -c /usr/local/etc/ifgraph.conf > /dev/null

This will run the data collection every minute, and make the graphs every 5 minutes. You can change these if you like, but these values generally work out well.

Note that you likely don't have to run this as root. If you want to be cautious, you should create an account with the appropriately limited permissions to run this under.

Make cron reread its configuration files:


su-2.05b# killall -HUP cron

B.4. Updating more than one Dynamic DNS hostname with ddclient
m0n0wall updates the dynamic hostname of the external interface with the program ezipupdate, which is lightweight and does its job. However, it is not capable of updating more than one hostname (like if you host your domain at DynDNS). If you want or need to do this, your best bet is using another system (you'll probably have a server running in the background anyway).

The ddclient project website can be found here.

DynDNS has a list of supported clients. Most of these will work with any dynamic DNS provider, not only with DynDNS.

See what DynDNS offers as services. This is vital in understanding the config file of ddclient.

This document describes the setup for updating several hostnames with ddclient. I chose that particular beast because it can read the external address from status pages of several hardware and software firewalls and routers, so I thought I might check if it works out of the box with the m0n0wall status_interfaces.php page. It does.

The config is pretty easy:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
pid=/var/run/ddclient.pid
protocol=dyndns2
server=members.dyndns.org
login=YourDynDNSLogin
password=YourDynDNSPassword
fw-login=admin
fw-password=Yourm0n0Password
use=fw, fw=http://Yourm0n0IPOrHostname/status_interfaces.php
custom=yes
yourdomain.org,mail.yourdomain.org,somehost.yourdomain.org,yourdomain.com

If you only want to update Dynamic DNS entries with DynDNS, remove the
custom=yes

directive. If you want to update a DynDNS Static DNS record, replace the
custom=yes

with
static=yes

If you manage your m0n0wall with TLS, the setup is slightly different, as you should run an external command to access the status page. Note that curl's -k switch disables certificate verification, so anyone able to intercept the connection could present their own certificate and capture the admin password; where possible, export m0n0wall's certificate and pass it with --cacert instead of using -k:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
pid=/var/run/ddclient.pid
protocol=dyndns2
server=members.dyndns.org
login=YourDynDNSLogin
password=YourDynDNSPassword
# fw-login=admin
# fw-password=Password
# use=fw, fw=http://Yourm0n0IPOrHostname/status_interfaces.php
use=cmd
cmd='curl -k -s https://admin:Yourm0n0Password@Yourm0n0IPOrHostname/status_interfaces.php'
custom=yes
yourdomain.org,mail.yourdomain.org,somehost.yourdomain.org,yourdomain.com

Now set up ddclient to run as a daemon. Mine checks the status page every 5 minutes and updates the DynDNS records if necessary.
/usr/sbin/ddclient -daemon 300 -syslog

B.5. Using MultiTech's Free Windows RADIUS Server


In this post to the m0n0wall list on September 30, 2004, Barry Mather explains how to set up the MultiTech RADIUS server for use with m0n0wall.

Get the software (just Google radius200.exe and download from MultiTech). Install onto your win32 machine; I have it working on both WinXP SP2 and Win2k3 Server.
If you installed to a default location, open c:\program files\multitech systems\radius server 2.00
Open the users file with Notepad.
Remove all the users in there. I have the following line for a user:
Username AuthType=Local,Password="userspassword"
The 'Username' in the line above is the actual username you want to use.
The realms file can be empty.
The radius program will create a myusers file based on the users file you just edited; leave this alone.
Dictionary file can be left as is.
The clients file needs to be edited to include the IP address of the m0n0wall, and the radius access password. My file looks like this:
172.16.1.1 password
That's it, v simple. No more files to edit.
It installs itself as a win32 service; just stop the service, restart it, and it loads all the settings/users.
Now enable the captive portal, telling it to use the IP address of the win32 machine this radius server is installed on, and the password to use, in this case 'password'.
Make sure that your local win32 firewall is either not on, or is allowing port 1812 through for radius!

B.6. Configuring Apache for Multiple Servers on One Public IP


If you only have one public IP but run multiple web servers, you can set up the others on other port numbers. However, giving out URLs like http://www.example.com:81 isn't exactly ideal. You're bound to have people trying to get to http://www.example.com, and since your port 80 points to another web server, the person will get the wrong web page.

You can get around this by using name-based virtual hosting on the web server on port 80. This configuration will work with any web server that supports name-based virtual hosting (most any does), but this section will describe how to configure Apache for this purpose.

For this configuration, port 80 is www.example.com, port 81 is www.whatever.com and port 82 is www.example.net. These are three separate physical web servers.

At the bottom of your httpd.conf (in /usr/local/etc/apache/ in FreeBSD; the location of your configuration file may vary) add the following lines. This is on the server that is accessed via port 80 from the Internet.
NameVirtualHost 192.168.1.12
<VirtualHost 192.168.1.12>
    UseCanonicalName off
    ServerName www.example.com
    DocumentRoot /usr/local/www/data/
</VirtualHost>
<VirtualHost 192.168.1.12>
    UseCanonicalName off
    ServerName www.whatever.com
    # trailing slash so /path becomes http://www.whatever.com:81/path
    Redirect / http://www.whatever.com:81/
</VirtualHost>
<VirtualHost 192.168.1.12>
    UseCanonicalName off
    ServerName www.example.net
    Redirect / http://www.example.net:82/
</VirtualHost>

That configuration will keep www.example.com local, with the site's files in /usr/local/www/data/, and will redirect any requests to www.whatever.com to www.whatever.com:81 and www.example.net to www.example.net:82.

It's not an ideal setup, but if you're stuck with multiple web servers and a single public IP to reference all of them, it's better than people getting the wrong page when forgetting to put the port after the URL.

B.7. Opening Ports for BitTorrent in m0n0wall

For maximum performance when using BitTorrent behind NAT, you should open ports 6881-6889 to your PC. As of version 3.2 and later, BitTorrent uses 6881-6999, though you should be fine with the smaller range.

To open these ports, create an Inbound NAT rule that forwards TCP ports 6881-6889 on the WAN interface to 192.168.1.22, changing 192.168.1.22 to the IP address of the system using BitTorrent.

Note
If you aren't already using a static IP or static DHCP reservation, you should set one up for that machine now so its IP address will never change.

B.7.1. Opening BitTorrent for Multiple LAN Hosts


BitTorrent starts at port 6881 and will sequentially try higher ports if it cannot use that port. It uses one port for each client session you open. To use BT on multiple hosts on your LAN, open a few ports in the range of 6881-6999 to each host.

B.8. Automated config.xml backup solutions

The following offers two different ways to automatically back up your m0n0wall configuration. Keep in mind either one requires you saving your firewall password in cleartext. This isn't the best idea from a security standpoint, and may not be a risk you are willing to take, depending on your environment. Keep this in mind. At a minimum, make sure you have strong permissions on the .sh file (for example mode 0700, owned only by the account that runs it), and use the HTTPS webGUI so the same password is not also sent in cleartext over the network on every backup.

B.8.1. Backing up and committing to CVS


Jim Gifford posted the following shell script to the list on January 29, 2004 that automatically backs up the m0n0wall config.xml file and commits it into a CVS repository.
#!/bin/sh
# m0n0back -- backs up a m0n0wall config and puts it into cvs
# depends on: sh, curl, cvs, date, rm, mktemp
set -e
CVSROOT=/cvs
export CVSROOT
CVSPROJ=backup
M0N0IP=192.168.1.1
PROTO=http
USER=admin
PASS=XXXXXX
# unpredictable working directory instead of /tmp/$$
TMPDIR=$(mktemp -d /tmp/m0n0back.XXXXXX)

cd "$TMPDIR"
cvs -Q co "$CVSPROJ"
cd "$CVSPROJ"
# diag_backup.php returns config.xml for a form POST of Submit=download
curl -s -o config.xml -F Submit=download -u "${USER}:${PASS}" "${PROTO}://${M0N0IP}/diag_backup.php"
NOW=$(date +%Y-%m-%d@%H:%M:%S)
cvs -Q commit -m "backup of config.xml [$NOW]"
cd /tmp
rm -rf "$TMPDIR"

B.8.2. Backing up to the current directory


Chris Buechler wrote a shell script to just back up the file with the filename DATE-config.xml, without committing it into CVS.
#!/bin/sh
USER=admin
PASS=XXXXXX
PROTO=http
M0N0IP=192.168.1.1
NOW=$(date +%Y-%m-%d@%H:%M)
# saves the download as e.g. 2008-06-01@12:30-config.xml in the current directory
curl -s -o "${NOW}-config.xml" -F Submit=download -u "${USER}:${PASS}" "${PROTO}://${M0N0IP}/diag_backup.php"
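The two scripts above keep the password in the script itself, which is the weak point B.8 warns about. The following is an added example, not part of the handbook or of either author's script: it performs the same diag_backup.php download, but reads the credentials from a separate file that must be owner-only, refuses to save anything that does not parse as a m0n0wall config.xml, and writes the backup with mode 0600. The credentials file format, the https default and the check for a <system> element under the <m0n0wall> root are assumptions for illustration.

```python
"""Added example: m0n0wall config.xml backup with the password kept out of the
script and the downloaded data checked before it is saved."""
import base64
import os
import stat
import sys
import tempfile
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample bodies so validate_config() can be exercised offline: a
# minimal document shaped like a m0n0wall config.xml, and an HTML page.
SAMPLE_CONFIG = (b'<?xml version="1.0"?>\n<m0n0wall><version>1.2</version>'
                 b'<system><hostname>m0n0wall</hostname></system></m0n0wall>\n')
SAMPLE_HTML = b"<html><body>Login</body></html>\n"


def load_credentials(path):
    """Read one 'user:password' line from a file only its owner can read.

    Refusing group- or world-readable files enforces the permission advice in
    B.8 in code instead of leaving it to whoever copies the script around.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be readable by its owner only (chmod 600)")
    with open(path, encoding="ascii") as fh:
        user, sep, password = fh.readline().strip().partition(":")
    if not (sep and user and password):
        raise ValueError("credentials file must contain one 'user:password' line")
    return user, password


def fetch_config(host, user, password, scheme="https", timeout=30):
    """Download config.xml the way the B.8 scripts do: a form POST of
    Submit=download to diag_backup.php with HTTP basic authentication.
    With https, the firewall's certificate must be trusted by this client."""
    url = f"{scheme}://{host}/diag_backup.php"
    body = urllib.parse.urlencode({"Submit": "download"}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def validate_config(data):
    """True only if data is XML with a <m0n0wall> root containing <system>
    (assumed shape), so an error page or empty body is never kept as a backup."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag == "m0n0wall" and root.find("system") is not None


def save_backup(data, directory, now=None):
    """Write DATE-config.xml (the B.8.2 naming) with mode 0600; returns the path."""
    now = now or datetime.now()
    path = os.path.join(directory, now.strftime("%Y-%m-%d@%H:%M") + "-config.xml")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def main(argv):
    if len(argv) != 4:
        sys.exit(f"usage: {argv[0]} FIREWALL_HOST CREDENTIALS_FILE BACKUP_DIR")
    host, credfile, outdir = argv[1:]
    user, password = load_credentials(credfile)
    data = fetch_config(host, user, password)
    if not validate_config(data):
        sys.exit("response is not a m0n0wall config.xml; nothing saved")
    print("saved", save_backup(data, outdir))


if __name__ == "__main__":
    main(sys.argv)
```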

B.9. Historical Interface Graphing Using MRTG on Windows


If you would like historical graphing of your m0n0wall interfaces, but don't have a Unix box of any sort available, MRTG for Windows is a good solution. There is a howto guide available on the MRTG website.

Before starting that guide, you must enable SNMP on your m0n0wall on the Services > SNMP screen.

Chapter 17. Troubleshooting


Table of Contents
17.1. Interfaces are not detected
17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.
17.3. No Link Light
17.4. Cannot Access webGUI
17.5. Cannot Access Internet from LAN after WAN Configuration
17.5.1. Ping m0n0wall LAN IP
17.5.2. Check m0n0wall's WAN IP
17.5.3. Ping m0n0wall's WAN IP
17.5.4. Ping m0n0wall's WAN's gateway IP
17.5.5. Ping an IP address on the Internet
17.5.6. Ping a DNS name that responds to pings
17.6. Troubleshooting Firewall Rules
17.6.1. Reading raw IPFilter logs
17.7. Troubleshooting Bridging
17.8. Troubleshooting IPsec Site to Site VPN
17.9. Troubleshooting Solid Freezes
17.9.1. Shared IRQs
17.9.2. BIOS Version and Settings
17.9.3. Hardware Issues

This chapter outlines some of the more common problems you may experience when using m0n0wall, and how to troubleshoot and resolve them.

Tip

To allow yourself access to log messages even if the m0n0wall device is unreachable, you can send syslog messages to a remote syslog server. This way you can see many logs that might help identify the problem. See the section on Logging for more information.

17.1. Interfaces are not detected

First check your BIOS settings for a "Plug and Play OS" or "OS" setting. For "Plug and Play OS", set it to "no" or "disable". If there is an "OS" setting, typically you can and should set it to "other". This most always fixes the problem.

If that doesn't resolve it, try to upgrade your system BIOS.

Resetting the BIOS to default settings might help. There have been instances in the past where this has resolved this problem, likely due to some strange BIOS setup from past use of the hardware.

Occasionally other hardware like sound cards, and similar, can prevent some or all of your cards from being detected. Try removing any cards in the system that aren't required, and disabling any unused hardware (USB, parallel port, serial ports, any onboard sound, etc.) in the system BIOS.

Most all Ethernet cards are supported by m0n0wall, but if you still cannot see the network cards, ensure they are supported.

17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.

This same problem can affect new 1:1 and Server NAT configurations.

Cause. This is typically caused by the router outside of your m0n0wall having the MAC address of your previous firewall still in its ARP table. Cisco routers, for example, will cache this for four hours by default. Many other routers are similar.

Solution
Clear the ARP cache on your router. If you don't have access to the command interface of the router, or don't know how to clear the ARP cache, power cycling the router should achieve the same result. Alternatively, you could fill in the MAC address of the WAN interface of your previous firewall in m0n0wall's WAN interface screen.

17.3. No Link Light


If you do not have a link light on your network interfaces, they are not up and will not be able to communicate with the network. Your LAN and WAN interfaces both must have link lights.

If you do not have a link light on one of your network interfaces, there are a few potential causes and things to check.

Ensure the network cable is snugly plugged in on both ends. Unplug and replug the cable to ensure it is properly seated.

Try a different cable.

Make sure you are using the appropriate type of cable. There are two types of standard Ethernet patch cables, straight and crossover.

Straight cables

are used to attach devices like computers, routers (ones like Cisco, not counting most DSL and cable routers/modems), servers, printers, firewalls, and other devices with Ethernet cards into a hub or switch.

Crossover cables

are used to connect one hub or switch to another hub or switch, or connect a PC directly to another PC, or a firewall directly to a PC, etc.

Make sure you are using the appropriate cable type for your situation. If you are unsure of which cable is required and do not get a link light with a straight cable, try a crossover cable.

If none of the above apply and you still are not getting a link light, verify functionality of both pieces of equipment by trying other devices. If you cannot get a link light on a network device no matter what you plug it into with any kind of cable, the device has a bad Ethernet port.

17.4. Cannot Access webGUI

If you cannot access the webGUI after following this guide, verify the following.

1. Check the link lights on the network ports on the WRAP. Connected interfaces must have a link light or they will not work. If you do not have a link light, check the "no link light" troubleshooting section of this guide.

2. Check to make sure you have the interfaces plugged in properly. Remember on the WRAP the NIC closest to the power supply must be connected to your LAN hub or switch. On the three NIC models, the middle interface is WAN, and on the two NIC models, the interface closest to the serial port is WAN. The WAN port must be plugged into your Internet connection (cable or DSL modem, router, etc.).

3. Try to ping the LAN IP of m0n0wall.

4. Check the IP configuration of the machine you are using. Its IP address must be within the same subnet as your m0n0wall's LAN interface, and must be using the same subnet mask.

17.5. Cannot Access Internet from LAN after WAN Configuration


The following diagram provides an overview of troubleshooting this issue. Each step is numbered with the section of this document that addresses troubleshooting this particular issue.

Figure 17.1. Troubleshooting Internet Access

17.5.1. Ping m0n0wall LAN IP


Bring up a command prompt on your machine, type in 'ping 192.168.1.1' and press Enter. A successful ping will look like the following.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

An unsuccessful ping will look like this.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

See Cannot Access webGUI, as if you cannot ping, you won't be able to get into the webGUI either.

17.5.2. Check m0n0wall's WAN IP


Go to the Status > Interfaces page and look under the WAN interface. It must show status as up, and have a valid IP address, subnet mask, and gateway.

If the status shows as "down", check for a link light. See No Link Light if you do not have a link light on your WAN NIC.

If you have a dynamic IP connection like DHCP, PPPoE, or anything but static, and show a 0.0.0.0 IP, you are not getting a lease from your ISP. Check your WAN configuration page to make sure the appropriate settings are entered correctly (like username/password if applicable, etc.).

If you see a WAN IP address on the Status > Interfaces page, make note of it as you will use it in the next step.

17.5.2.1. Cannot get IP address on dynamic IP connection

If all settings are correct and you still cannot get a lease and have a DSL or cable modem, try powering off the modem for several seconds and powering it back on. Then go to the WAN interface page, and without saving any changes, click the Save button (or just power cycle m0n0wall if you prefer). Then check the Status > Interfaces page again to see if you now have an IP address.

If you still don't have an IP and previously had some other router, firewall, or PC connected to this Internet connection, your ISP may be restricting you to only using the MAC address of the previous device. The easiest thing to do in these situations is to get the MAC address off the device that was formerly connected and enter it in the "MAC address" box under "General configuration" on the WAN page in the m0n0wall webGUI. On most routers, you can find the MAC address on a sticker on the device. On Windows PCs, you can get the MAC address by running "ipconfig /all" from a command prompt. On BSD and Linux machines, you can get the MAC address by running 'ifconfig'.

17.5.3. Ping m0n0wall's WAN IP

On the Status > Interfaces page, make note of the WAN IP address. On the client machine you are using, try to ping that IP address.

If the ping is not successful, check the default gateway IP address on the client machine. Run 'ipconfig /all' from a command prompt if using Windows to check this. It must be set to m0n0wall's LAN IP (192.168.1.1 by default).

17.5.4. Ping m0n0wall's WAN's gateway IP

On the Status > Interfaces page, make note of m0n0wall's WAN default gateway IP. Try to ping it from your client machine.

If the pings time out, double check your WAN setup. If things fail at this stage, you most likely failed the earlier Check WAN IP step as well.

17.5.5. Ping an IP address on the Internet

From the client machine, ping something on the Internet that responds to pings, like 216.135.66.19. If this fails but all previous steps were successful, your ISP is not letting you out onto the Internet for some reason. At this point, you will need to contact your ISP's technical support. Your ISP could potentially be blocking pings though (not likely), so your pings could time out while your Internet connection still functions (mostly) properly.

17.5.6. Ping a DNS name that responds to pings


Ping a DNS name that responds to pings from the client machine, like google.com. You should see responses to your pings. If you receive a "could not find host" message, you have a DNS issue. See the Troubleshooting DNS section.

17.6. Troubleshooting Firewall Rules

First, remember rules are processed top down, and the first match is the only rule that applies.

Secondly, remember to check your logs on the Diagnostics > Logs, Firewall tab. This will show you what is getting dropped due to the default deny all rule. When troubleshooting rules, it can be helpful to enable logging on the rules in question, at least temporarily. Remember m0n0wall has limited local logging space, so don't enable too much on a long term basis.

Remember if you need to permit services from the Internet into any private IP space, you need to configure NAT as well as firewall rules, and we recommend using the "auto-add firewall rule" option when adding NAT entries.

17.6.1. Reading raw IPFilter logs

If all else fails and you need to determine exactly which rule is dropping the traffic, go to status.php on your m0n0wall to the "last 50 filter log entries" section. Find the log line applying to the traffic in question, and make note of the rule number. The rule number is denoted by an @ followed by a number, then a colon, then another number, for example @0:18. The 0 indicates the first group, and the 18 indicates rule number 18 in group 0.

Then go up to the output of "ipfstat -nio" and find the rule in question. Anything without a group number at the end of the rule is the 0 group. @1:1 would indicate the first rule with "group 100" at the end of the rule. @2:1 would be the first rule with "group 200" at the end of the rule, and so on.

Finding the exact rule, since some rules are added by the backend of m0n0wall and not visible on the rules page, may make troubleshooting easier.
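Doing this lookup by hand across fifty log lines gets tedious. The following is an added example, not from the handbook: it parses the @group:rule tags out of raw ipmon log lines and resolves them against the "ipfstat -nio" listing using the numbering scheme described above (no trailing "group N" means group 0, the "group 100" rules are group 1, "group 200" group 2, each numbered from 1). The log lines and rule listing are constructed samples, not output captured from a real m0n0wall.

```python
"""Added example: resolve @group:rule tags in IPFilter (ipmon) log lines to
the rule text in 'ipfstat -nio' output, per the scheme in section 17.6.1."""
import re

# Constructed 'ipfstat -nio' listing.  Rules without a trailing "group N" are
# group 0; the two rules ending in "group 100" form the next group.
SAMPLE_IPFSTAT = """\
@1 pass out quick on lo0 from any to any
@2 block in log quick on sis1 from any to any head 100
@1 pass in quick on sis1 proto tcp from any to 192.168.1.10/32 port = 80 keep state group 100
@2 block in log quick on sis1 proto tcp from any to any port = 23 group 100
"""

# Constructed ipmon lines: time, optional repeat count ("2x"), interface,
# @group:rule, action (b = block, p = pass), source, destination, protocol.
SAMPLE_LOG = """\
10:42:17.123456 sis1 @0:2 b 203.0.113.7,4412 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
10:42:18.000001 2x sis1 @1:2 b 203.0.113.7,4413 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
10:42:19.500000 sis1 @1:1 p 198.51.100.4,51000 -> 192.168.1.10,80 PR tcp len 20 60 -S IN
10:42:20.000000 sis1 @3:1 b 198.51.100.4,51001 -> 192.168.1.10,443 PR tcp len 20 60 -S IN
"""

RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<body>.+)$")
GROUP_RE = re.compile(r"\bgroup\s+(?P<group>\d+)\s*$")
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?:\d+x\s+)?(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)"
)
ACTIONS = {"b": "block", "p": "pass"}


def index_rules(ipfstat_text):
    """Map (group index, rule number) -> rule line.

    Rules with no 'group N' suffix are group 0; the distinct group numbers
    that do appear get the next indexes in ascending order (100 -> 1,
    200 -> 2), and rule numbers restart from 1 inside each group.
    """
    parsed = []
    for line in ipfstat_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        g = GROUP_RE.search(m["body"])
        parsed.append((int(g["group"]) if g else 0, int(m["num"]), line.strip()))
    order = sorted({gid for gid, _, _ in parsed} | {0})
    return {(order.index(gid), num): text for gid, num, text in parsed}


def resolve(log_line, table):
    """Return the log line's fields plus the matching rule text (None when the
    listing has no rule with that tag); None if the line is not an ipmon entry."""
    m = LOG_RE.match(log_line.strip())
    if not m:
        return None
    return {
        "tag": f"@{m['group']}:{m['rule']}",
        "ifname": m["ifname"],
        "action": ACTIONS.get(m["action"], m["action"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "rule": table.get((int(m["group"]), int(m["rule"]))),
    }


def explain(log_text, ipfstat_text):
    """Resolve every parsable line of an ipmon log against the rule listing."""
    table = index_rules(ipfstat_text)
    hits = (resolve(line, table) for line in log_text.splitlines() if line.strip())
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for hit in explain(SAMPLE_LOG, SAMPLE_IPFSTAT):
        print(f"{hit['tag']:>6} {hit['action']:5} {hit['src']} -> {hit['dst']}: "
              f"{hit['rule'] or 'no such rule in the ipfstat output'}")
```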

17.7. Troubleshooting Bridging

In order to support bridging, the network cards you are using must support promiscuous mode. Not all do. Some people have reported problems with Realtek chipsets not supporting promiscuous mode. To determine if your NIC does, see its documentation.

17.8. Troubleshooting IPsec Site to Site VPN


Check the SAD. Check the Security Association Database (SAD) under Diagnostics. You need to have an entry here for the connection. If you do not, you don't have something configured properly.

Verify Suitable IP Subnets


First make sure the two subnets you are trying to connect don't lie within the same address space, i.e. if both sides are 192.168.1.0/24, the connection will not work. The same goes if one side is 192.168.0.0/16 and the other is 192.168.1.0/24, or similar; the latter lies in the subnet of the former.

If they are within the same address space, you'll need to change one side or the other. There is no way to set up a site to site IPsec VPN with any product when this is the case.

17.9. Troubleshooting Solid Freezes


Certain conditions can cause your m0n0wall to freeze solid periodically. The amount of time between freezes typically varies, and can be anywhere from a few hours to a few days.

17.9.1. Shared IRQs


The first thing to check is whether you have any shared IRQs. This seems to be the most common cause. If you have recently rebooted your m0n0wall, you should be able to see the boot messages under Diagnostics > Logs, on the System tab. Otherwise you can go to /exec.php on your m0n0wall and run 'dmesg'. Look through the boot messages and make note of everything you see being shown with an IRQ. This includes your NICs as well as other devices like serial and parallel ports, etc. An example of some dmesg output follows.
sis0: <NatSemi DP83815 10/100BaseTX> port 0xe000-0xe0ff mem 0xa0001000-0xa0001fff irq 11 at device 18.0 on pci0
sis1: <NatSemi DP83815 10/100BaseTX> port 0xe100-0xe1ff mem 0xa0002000-0xa0002fff irq 5 at device 19.0 on pci0
sis2: <NatSemi DP83815 10/100BaseTX> port 0xe200-0xe2ff mem 0xa0003000-0xa0003fff irq 9 at device 20.0 on pci0

The above example shows three NICs with IRQs 11, 5, and 9.

If you note any two devices using a single IRQ, you may need to try other PCI slots, if possible, remove unused cards (like sound cards), and disable unused devices in the BIOS (serial ports, parallel ports, etc.).
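On a box with many devices, reading the IRQ numbers out of dmesg by eye is error-prone. The following is an added example, not from the handbook: it pulls every device that claims an IRQ out of FreeBSD boot messages and reports IRQs claimed by more than one device. The three NIC lines mirror the example above; the serial port and sound card lines, and the resulting conflict on IRQ 5, are constructed to show what a shared IRQ looks like.

```python
"""Added example: find shared IRQs in FreeBSD dmesg output (section 17.9.1)."""
import re
from collections import defaultdict

# Constructed dmesg excerpt: the handbook's three sis NICs plus an invented
# serial port and sound card, the latter sharing IRQ 5 with sis1.
SAMPLE_DMESG = """\
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sis0: <NatSemi DP83815 10/100BaseTX> port 0xe000-0xe0ff mem 0xa0001000-0xa0001fff irq 11 at device 18.0 on pci0
sis1: <NatSemi DP83815 10/100BaseTX> port 0xe100-0xe1ff mem 0xa0002000-0xa0002fff irq 5 at device 19.0 on pci0
sis2: <NatSemi DP83815 10/100BaseTX> port 0xe200-0xe2ff mem 0xa0003000-0xa0003fff irq 9 at device 20.0 on pci0
pcm0: <Ensoniq AudioPCI ES1370> port 0xe300-0xe33f irq 5 at device 9.0 on pci0
"""

# Device attach lines look like "<driver><unit>: <description> ... irq <n> ..."
IRQ_RE = re.compile(r"^(?P<dev>[a-z]+\d+):\s.*\birq\s+(?P<irq>\d+)\b")


def irq_map(dmesg_text):
    """Return {irq: [device, ...]} for every attach line that names an IRQ,
    devices in the order they appear."""
    table = defaultdict(list)
    for line in dmesg_text.splitlines():
        m = IRQ_RE.match(line)
        if m:
            table[int(m["irq"])].append(m["dev"])
    return dict(table)


def shared_irqs(dmesg_text):
    """IRQs claimed by more than one device, as sorted (irq, devices) pairs;
    an empty list means nothing is shared."""
    return sorted((irq, devs) for irq, devs in irq_map(dmesg_text).items()
                  if len(devs) > 1)


if __name__ == "__main__":
    for irq, devs in sorted(irq_map(SAMPLE_DMESG).items()):
        print(f"irq {irq:>2}: {', '.join(devs)}")
    for irq, devs in shared_irqs(SAMPLE_DMESG):
        print(f"shared: irq {irq} is used by {' and '.join(devs)}")
```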

17.9.2. BIOS Version and Settings


You might want to try resetting your BIOS configuration to factory defaults, and then disabling any Plug and Play OS settings. Also check that your BIOS is updated to the latest revision.

17.9.3. Hardware Issues


Use hardware diagnostic utilities to ensure your RAM and system in general are functioning properly. The Ultimate Boot CD has several utilities for testing CPU and memory.

Hardware overheating is another common cause. This issue has been noted on WRAP hardware especially when using miniPCI cards. It's also possible and has happened with any type of hardware.

If nothing else, it may just be hardware or a combination of hardware that doesn't play nicely with FreeBSD. You may want to try different NICs or a different system. This especially seems to be a problem with some old AMD K5 and K6 systems, though some work fine.

Chapter 18. Bibliography


Table of Contents
18.1. Books
18.2. Newspapers
18.3. Magazines
18.4. Television
18.5. Popular Websites
18.6. Conferences

This chapter will list all published writings regarding or mentioning m0n0wall in some fashion. Know of something that isn't listed here? Please email <m0n0wall@chrisbuechler.com>.

18.1. Books

Wireless Hacking: Projects for Wi-Fi Enthusiasts

18.2. Newspapers

Where Good Wi-Fi Makes Good Neighbors, The New York Times

18.3. Magazines

Computer Shopper review

18.4. Television

Build a Wireless Access Point, TechTV

18.5. Popular Websites


Newsforge: For network security, build a m0n0wall
Tom's Networking review
Tom's Networking review, part 2
Review on Russian Tom's Hardware Guide site
Review on Italian Tom's Hardware Guide site

18.6. Conferences
There will be a session on m0n0wall at O'Reilly's EuroOSCON 2005.

Glossary
ACL
Access Control List.

AH
Authentication Header. The Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams. Note: AH will not work through NAT, so if you are placing your m0n0wall behind another firewall or layer 2 router that is performing NAT, AH will not work. Unless you really have a reason, use ESP.
See Also http://www.networksorcery.com/enp/protocol/ah.htm.

Broadcast Domain
A broadcast domain is the portion of a network sharing the same layer two network segment. In a network with a single switch, the broadcast domain is that entire switch. In a network with multiple switches interconnected by crossover cables without the use of VLANs, the broadcast domain includes all of those switches.
A single broadcast domain can contain more than one IP subnet, however that is generally not considered good network design. IP subnets should be segregated into separate broadcast domains via the use of separate switches, or VLANs.

DHCP
Dynamic Host Configuration Protocol. A protocol to automate the assignment of IP addresses and related information on a network.

DMZ
A DMZ, or DeMilitarized Zone, is a segment of your network specifically for publicly accessible servers. If you are most familiar with residential class routers like Linksys and similar, these devices generally incorrectly refer to inbound NAT (opening ports from the internet to your LAN) as "DMZ" functionality.
A true DMZ resides on a separate broadcast domain from the LAN, typically on a separate switch using a third interface on the firewall. VLANs can also be used, but to eliminate the potential of a switch misconfiguration exposing your LAN to your DMZ and the potential effects of VLAN hopping attacks, this is not recommended.
The main purpose of a DMZ is to segregate Internet accessible servers from the LAN, to protect your trusted networks if a DMZ host is compromised.
Typical DMZ Configuration. The following diagram illustrates a typical DMZ configuration.
Figure 11. Typical DMZ Network

ESP
Encapsulating Security Payload. Encrypts and/or authenticates everything above the IPsec layer. ESP, most agree, renders AH completely unnecessary.
See Also http://www.networksorcery.com/enp/protocol/esp.htm.

FQDN
Fully Qualified Domain Name. The host name of a computer, including its complete domain name, such as www.m0n0.ch.

ICMP
Internet Control Message Protocol. A protocol, layered on top of IP, used to send control messages between computers, such as ping.

IP
Internet Protocol. The protocol used to send packets across the Internet at layer three.
See Also ICMP, TCP.

IPsec
Secure transmission over IP. IPsec is an extension of the IP protocol used for encryption and authentication. Encryption occurs at the transport layer of the OSI model, so the application doesn't have to support encryption for the encryption process to work. Therefore, all network traffic generated by applications can be encrypted regardless of the application.
See Also http://www.netbsd.org/Documentation/network/ipsec/.

LAN
Local Area Network. A network that typically includes computers which are physically close, such as in one office, usually connected with hubs and switches rather than routers.
See Also VPN, WAN.

MX Records
MX records are DNS records that enable mail servers to find the mail servers for another domain when sending internet email. When a mail server needs to send an email to example.com, it performs a DNS lookup of the MX record for the domain, and sends the email to the resulting host.

NIC
Network Interface Card. A.k.a. network card, or Ethernet card.

NAT
Network Address Translation. A technique whereby IP traffic from multiple IP addresses behind a firewall is made to look to the outside as if it all comes from a single IP address.

OSI
Open Systems Interconnect

Proxy ARP
Proxy ARP is a technique for using the ARP protocol to provide an ad hoc routing mechanism. A multiport networking device (e.g. a router, firewall, etc.) implementing Proxy ARP will respond to ARP requests on one interface as being responsible for the addresses of devices on another interface. The device can then receive and forward packets addressed to the other devices. (adapted from wikipedia.org)
In m0n0wall, Proxy ARP can be used for 1:1, advanced outbound, and server NAT, amongst other potential uses.

PPP
Point to Point Protocol.

PPTP
Point to Point Tunneling Protocol.

Racoon
A key management daemon. The magic behind the VPN power of m0n0wall.
See Also http://www.kame.net/racoon/.

TCP
Transmission Control Protocol. A protocol, layered on top of IP, that handles connections and reliable delivery.

VLAN
Virtual Local Area Network. VLANs are a common function of higher end switches. They allow segregation of ports on the switch into separate broadcast domains. This is generally done for security or performance reasons. In very large networks, the amount of broadcast traffic on the wire can inhibit the performance of the entire network. Segregating the network into multiple IP subnets and using VLANs to separate the broadcast domain

VPN
Virtual Private Network. A connection between two or more machines or networks where the data travels over an insecure network (typically the Internet), but is encrypted to prevent eavesdropping, and packaged on either end in order to make the two ends appear to be on a WAN.

WOL, Wake on LAN
Wake on LAN is a capability in some network cards permitting powering on the system over the network with a specially crafted "Magic Packet".
Generally a WOL cable must be attached from the NIC to the motherboard of the system. Most NICs built into the motherboard have this support built in. You must enable WOL in the BIOS of the machine. This is generally off by default.

WAN
Wide Area Network. A network that spans a large area, typically including routers, gateways, and many different IP address groups.
In the context of firewalls, the WAN interface is the one directly connected to the Internet. In the context of corporate networks, the WAN generally refers to the network that connects all of the organization's locations onto the corporate network. Historically this was accomplished with expensive private leased lines like frame relay and similar technologies. With the low cost and widespread availability of broadband Internet connections, many organizations are switching to using VPN in lieu of leased lines. VPN provides the same functionality, though is not as reliable as leased lines and has higher latency.

Appendix C. License
Table of Contents
C.1. The FreeBSD Copyright
C.2. The PHP License
C.3. mini_httpd License
C.4. ISC DHCP Server License
C.5. ipfilter License
C.6. MPD License
C.7. ez-ipupdate License
C.8. Circular log support for FreeBSD syslogd License
C.9. dnsmasq License
C.10. racoon License
C.11. General Public License for the software known as MSNTP
C.12. ucd-snmp License
C.12.1. CMU/UCD copyright notice
C.12.2. Networks Associates Technology, Inc copyright notice
C.12.3. Cambridge Broadband Ltd. copyright notice
C.13. choparp License
C.14. bpalogin License
C.15. php-radius License
C.16. wol License

m0n0wall is Copyright 2002-2008 by Manuel Kasper <mk@neon1.net>. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED "AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.1. The FreeBSD Copyright


Copyright 1994-2004 The FreeBSD Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the FreeBSD Project.

C.2. The PHP License


The PHP License, version 3.0
Copyright 1999-2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.3. mini_httpd License

Copyright 1999, 2000 by Jef Poskanzer <jef@acme.com>. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.4. ISC DHCP Server License


Copyright 2004 by Internet Systems Consortium, Inc. ("ISC")
Copyright 1996-2003 by Internet Software Consortium

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

C.5. ipfilter License


Copyright 1993-2002 by Darren Reed.

The author accepts no responsibility for the use of this software and provides it on an ``as is'' basis without express or implied warranty.

Redistribution and use, with or without modification, in source and binary forms, are permitted provided that this notice is preserved in its entirety and due credit is given to the original author and the contributors.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied, in part or in whole, and put under another distribution license [including the GNU Public License.]

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

I hate legalese, don't you?

C.6. MPD License

Copyright 2003-2004, Archie L. Cobbs, Michael Bretterklieber, Alexander Motin
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the authors nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.7. ez-ipupdate License

Copyright 1998-2001 Angus Mackay. All rights reserved;

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.8. Circular log support for FreeBSD syslogd License

Copyright 2001 Jeff Wheelhouse (jdw@wwwi.com)

This code was originally developed by Jeff Wheelhouse (jdw@wwwi.com).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY JEFF WHEELHOUSE ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JEFF WHEELHOUSE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.9. dnsmasq License


dnsmasq is Copyright 2000 Simon Kelley

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

C.10. racoon License


Copyright 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.11. General Public License for the software known as MSNTP

Copyright, N.M. Maclaren, 1996, 1997, 2000
Copyright, University of Cambridge, 1996, 1997, 2000

Free use of MSNTP in source and binary forms is permitted, provided that this entire license is duplicated in all copies, and that any documentation, announcements, and other materials related to use acknowledge that the software was developed by N.M. Maclaren (hereafter referred to as the Author) at the University of Cambridge. Neither the name of the Author nor the University of Cambridge may be used to endorse or promote products derived from this material without specific prior written permission.

The Author and the University of Cambridge retain the copyright and all other legal rights to the software and make it available non-exclusively. All users must ensure that the software in all its derivations carries a copyright notice in the form:

Copyright N.M. Maclaren,
Copyright University of Cambridge.

NO WARRANTY
Because the MSNTP software is licensed free of charge, the Author and the University of Cambridge provide absolutely no warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the MSNTP software is with you. Should MSNTP prove defective, you assume the cost of all necessary servicing or repair.

In no event, unless required by law, will the Author or the University of Cambridge, or any other party who may modify and redistribute this software as permitted in accordance with the provisions below, be liable for damages for any losses whatsoever, including but not limited to lost profits, lost monies, lost or corrupted data, or other special, incidental or consequential losses that may arise out of the use or inability to use the MSNTP software.

COPYING POLICY
Permission is hereby granted for copying and distribution of copies of the MSNTP source and binary files, and of any part thereof, subject to the following license conditions:

1. You may distribute MSNTP or components of MSNTP, with or without additions developed by you or by others. No charge, other than an "at-cost" distribution fee, may be charged for copies, derivations, or distributions of this material without the express written consent of the copyright holders.
2. You may also distribute MSNTP along with any other product for sale, provided that the cost of the bundled package is the same regardless of whether MSNTP is included or not, and provided that those interested only in MSNTP must be notified that it is a product freely available from the University of Cambridge.
3. If you distribute MSNTP software or parts of MSNTP, with or without additions developed by you or others, then you must either make available the source to all portions of the MSNTP system (exclusive of any additions made by you or by others) upon request, or instead you may notify anyone requesting source that it is freely available from the University of Cambridge.
4. You may not omit any of the copyright notices on either the source files, the executable files, or the documentation.
5. You may not omit transmission of this License agreement with whatever portions of MSNTP that are distributed.
6. Any users of this software must be notified that it is without warranty or guarantee of any nature, express or implied, nor is there any fitness for use represented.

October 1996
April 1997
October 2000

C.12. ucd-snmp License

C.12.1. CMU/UCD copyright notice

Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

C.12.2. Networks Associates Technology, Inc copyright notice

Copyright 2001-2002, Networks Associates Technology, Inc
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.12.3. Cambridge Broadband Ltd. copyright notice


Portions of this code are copyright 2001-2002, Cambridge Broadband Ltd.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.13. choparp License

choparp - cheap & omitted proxy arp

Copyright 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp)
Copyright 2002 Thomas Quinot (thomas@cuivre.fr.eu.org)

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the authors nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.14. bpalogin License


BPALogin - lightweight portable BIDS2 login client

Copyright 2001-3 Shane Hyde, and others.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

C.15. php-radius License


Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Edwin Groothuis.
4. Neither the name of Edwin Groothuis may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

C.16. wol License


wol - wake on lan client

Copyright 2000, 2001, 2002, 2003, 2004 Thomas Krennwallner <krennwallner@aon.at>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
