m0n0wall - PC Platform Quick Start Guide

Chris Buechler

m0n0wall written by Manuel Kasper. Additional Contributors listed in the m0n0wall Handbook.

m0n0wall Version 1.2, September 2005

All rights reserved.

Redistribution and use in any form, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Neither the name of the m0n0wall Documentation Project nor the names of its contributors may be used to endorse or promote products derived from this documentation without specific prior written permission.


September 2005


Getting started with m0n0wall, a complete embedded firewall software package.

Table of Contents

1. Introduction
1.1. TO DO
1.2. Getting Started with m0n0wall on the PC
1.3. Prerequisites
1.4. Understanding CIDR Subnet Mask Notation
2. Getting and Installing m0n0wall
2.1. Choosing your Media
2.2. Getting and Installing the Software
2.3. Final Preparation
3. Initial Configuration
3.1. Initial Configuration
3.2. Connecting to the WRAP serial console
3.3. m0n0wall Console Setup
3.4. Assigning Interfaces
3.5. Changing the LAN IP and/or DHCP server settings.
4. Client Machine Configuration
4.1. Using DHCP for client machines
4.2. Static IP addresses
5. Initial webGUI Configuration
5.1. Logging into the webGUI
5.2. webGUI System -> General Setup screen
5.3. Configuring your WAN interface
5.4. What next?
6. Troubleshooting

List of Tables

1.1. CIDR Subnet Table

Chapter 1. Introduction

1.1. TO DO

Add hardware chapter

List of things to fix once 1.2 is released (for my own reference).

Finish tutorials that rely on current website (need m0n0.ch to show 1.2 release first).

Change out screenshots where applicable with final 1.2 release.

Change console output to that of final 1.2 release.

1.2. Getting Started with m0n0wall on the PC

The m0n0wall Quick Start Guide is intended to get you up and running with m0n0wall on a two interface (LAN and WAN) setup. The m0n0wall Handbook contains the information you need to further configure your m0n0wall installation after completing this guide.

This version of the Quick Start Guide is specifically tailored to the PC platform. If you are using Soekris hardware, please see the Soekris Quick Start Guide and for WRAP hardware, please see the WRAP Quick Start Guide.

I am currently working on adding a number of example configurations in Chapter 9 of the m0n0wall Handbook. These configurations will describe how to configure several things such as multiple LAN interfaces, setting up DMZ interfaces, wireless interfaces, etc. The base for adding those additional features will be the basic LAN/WAN setup this guide describes.

1.3. Prerequisites

This chapter goes through the hardware and network information you need to gather before proceeding through this guide.

1.3.1. Required Hardware

First, you need to make sure you have the following hardware.

  • Destination PC

  • storage medium

  • Two network cables

1.3.2. Required Network Information

You'll need some information about your Internet connection. You'll need to know which category of the below list your Internet connection falls into, and the appropriate details. You can usually find these details on your ISP's website, and/or in paperwork you receive when you sign up for service. You can also call your ISP's technical support to get this information.

  • Static IP - If you have a connection with a static IP, you will need to make note of your IP address, subnet mask, default gateway, and DNS server IP's.

  • DHCP - If you have an Internet connection that uses DHCP, you need not gather any more information unless your ISP requires you to pass a certain DHCP hostname value (this is uncommon). If this is the case, you will need to check with your ISP to determine this hostname.

  • PPPoE - Many DSL providers provide PPPoE or PPPoA service. Either of these is supported with the PPPoE WAN option. You will need to know your PPPoE username and password and possibly your service name (though this can usually be left blank).

  • PPTP - A few ISP's require you to connect to them via PPTP. If your ISP requires this, you will need a username, password, local IP address, and remote IP address from your ISP.

  • BigPond - This setting is for BigPond cable connections. You will need your username, password, and possibly authentication server and domain.

Make note of the appropriate information for your connection type for later use.

1.4. Understanding CIDR Subnet Mask Notation

m0n0wall uses a subnet mask format that you may not be familiar with. Rather than the common 255.x.x.x, it uses CIDR (Classless Inter-Domain Routing) notation.

1.4.1. CIDR Table

You can refer to the following table to find the CIDR equivalent of your subnet mask.

Table 1.1. CIDR Subnet Table

Subnet Mask   CIDR Prefix   Total IP's       Usable IP's      Number of Class C networks
              /32           1                1                1/256th
              /31           2                0                1/128th
              /30           4                2                1/64th
              /29           8                6                1/32nd
              /28           16               14               1/16th
              /27           32               30               1/8th
              /26           64               62               1/4th
              /25           128              126              1 half
              /24           256              254              1
              /23           512              510              2
              /22           1024             1022             4
              /21           2048             2046             8
              /20           4096             4094             16
              /19           8192             8190             32
              /18           16,384           16,382           64
              /17           32,768           32,766           128
              /16           65,536           65,534           256
              /15           131,072          131,070          512
              /14           262,144          262,142          1024
              /13           524,288          524,286          2048
              /12           1,048,576        1,048,574        4096
              /11           2,097,152        2,097,150        8192
              /10           4,194,304        4,194,302        16,384
              /9            8,388,608        8,388,606        32,768
              /8            16,777,216       16,777,214       65,536
              /7            33,554,432       33,554,430       131,072
              /6            67,108,864       67,108,862       262,144
              /5            134,217,728      134,217,726      1,048,576
              /4            268,435,456      268,435,454      2,097,152
              /3            536,870,912      536,870,910      4,194,304
              /2            1,073,741,824    1,073,741,822    8,388,608
              /1            2,147,483,648    2,147,483,646    16,777,216
              /0            4,294,967,296    4,294,967,294    33,554,432

1.4.2. So where do these CIDR numbers come from anyway?

The CIDR number comes from the number of 1's in the subnet mask when converted to binary.

The common subnet mask is 11111111.11111111.11111111.00000000 in binary. This adds up to 24 1's, or /24 (pronounced 'slash twenty four').

A subnet mask of is 11111111.11111111.11111111.11000000 in binary, or 26 1's, hence a /26.

And so on...
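The bit-counting rule above, as an added example that is not part of the original guide: it converts a dotted-decimal mask to its CIDR prefix and back, and rejects masks whose 1 bits are not one unbroken leading run. The function names and the three sample masks are chosen for this illustration.

```python
def _mask_to_int(mask):
    """Parse a dotted-decimal mask such as '255.255.255.0' into a 32-bit integer."""
    octets = mask.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {mask!r}")
    value = 0
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()) or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {mask!r}")
        value = (value << 8) | int(octet)
    return value


def mask_to_binary(mask):
    """Render the mask the way the guide writes it: four dotted groups of 8 bits."""
    bits = f"{_mask_to_int(mask):032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask_to_prefix(mask):
    """Count the 1 bits, rejecting masks whose 1s are not one unbroken leading run."""
    bits = mask_to_binary(mask).replace(".", "")
    prefix = bits.count("1")
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"{mask!r} is not a valid subnet mask (non-contiguous 1 bits)")
    return prefix


def prefix_to_mask(prefix):
    """Inverse direction: build the dotted-decimal mask for a /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def total_addresses(prefix):
    """Size of the block: 2 to the power of the host bits (the table's Total IP's column)."""
    return 2 ** (32 - prefix)


if __name__ == "__main__":
    # Constructed sample masks; the last one is deliberately invalid.
    for mask in ("255.255.255.0", "255.255.255.192", "255.0.255.0"):
        try:
            p = mask_to_prefix(mask)
            print(f"{mask:<16} {mask_to_binary(mask)}  /{p}  {total_addresses(p)} addresses")
        except ValueError as err:
            print(f"{mask:<16} rejected: {err}")
```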

Chapter 2. Getting and Installing m0n0wall

2.1. Choosing your Media

m0n0wall provides two options for PC users, either a CD and floppy setup or a hard disk setup.

2.1.1. CD/floppy Setup

m0n0wall can run from a CD, with a floppy disk to save the configuration. This is typically a good way to try m0n0wall without actually overwriting a hard drive. However, we do not recommend it for production use, due to the likelihood of floppy disk or drive failure. A hard drive is far more reliable, and Compact Flash is even more reliable still.

2.1.2. Hard drive Setup

You can install m0n0wall to any hard drive of sufficient size (>=8 MB, so basically any IDE hard drive ever made).

For maximum reliability, many m0n0wall PC users prefer a Compact Flash to IDE adapter and a CF card.

2.2. Getting and Installing the Software

To download the PC image or CD, point your web browser to http://www.m0n0.ch/wall/downloads.php and select the WRAP download link from that page. Download the file to the machine from which you will be writing to the CompactFlash card.

2.2.1. Preparing the CompactFlash

FIXME - add tutorial

Now you need to write the image to a sufficiently large CF card (at least 8 MB). Extra space on the CF card is ignored; there is no benefit to using one larger than 8 MB other than possibly compatibility on future releases.

The following sections will cover how to write the CF card in Windows, FreeBSD, and Linux.

Windows

Manuel Kasper's (author of m0n0wall) physdiskwrite should be used on Windows to write the CF card. Download it from the m0n0wall web site's physdiskwrite page.

Save physdiskwrite.exe and the downloaded m0n0wall image in the same directory on your hard drive, then open a Windows Command Prompt (click Start, Run, type in cmd and click OK).

Plug in your CF card reader/writer and insert your CF card.

'cd' into the directory containing physdiskwrite and the m0n0wall image and run the following:

physdiskwrite wrap-xxx.img

Replace wrap-xxx.img with the name of the WRAP image you downloaded.

You will see output similar to the following:

physdiskwrite v0.5 by Manuel Kasper <mk@neon1.net>

Searching for physical drives...

Information for \\.\PhysicalDrive0:
   Windows:       cyl: 14593
                  tpc: 255
                  spt: 63
   C/H/S:         16383/16/63
   Model:         ST3120026A
   Serial number: 3JT1V2FS
   Firmware rev.: 3.06

Information for \\.\PhysicalDrive1:
   Windows:       cyl: 1
                  tpc: 255
                  spt: 63

You will see all the hard drives in your system listed, as well as the compact flash card. Since we did not run physdiskwrite -u, physdiskwrite will refuse to write to any drive over 800 MB. This is a protection so you don't accidentally overwrite your hard drive.

FreeBSD

The procedures to image a CompactFlash card depend upon the type of adapter you are using. The CF card will either appear as a SCSI or IDE hard drive.

Run the command atacontrol list. You will get output similar to the following:

su-3.00# atacontrol list
ATA channel 0:
Master: ad0 <WDC WD200EB-75CSF0/04.01B04> ATA/ATAPI revision 5
Slave: ad1 <WDC WD800AB-22CBA0/03.06A03> ATA/ATAPI revision 5
ATA channel 1:
Master: acd0 <_NEC CD-RW NR-7800A/10DA> ATA/ATAPI revision 0
Slave: no device present

Then run the command camcontrol devlist. You will see output similar to the following:

su-2.05b# camcontrol devlist
<ADAPTEC RAID-5 320R> at scbus2 target 0 lun 0 (pass0,da0)
<SEAGATE ST39204LC 0005> at scbus2 target 3 lun 0 (pass1,da1)
<ESG-SHV SCA HSBP M10 0.05> at scbus2 target 6 lun 0 (pass2)                

You will find your CF card somewhere in the above output. Make note of its device name (adX or daX).

Run the following command, replacing adX with your CF device as determined above, and wrap-xxx.img with the name of the m0n0wall image you downloaded.

gzcat wrap-xxx.img | dd of=/dev/adX bs=16k

Ignore the warning about trailing garbage - it's because of the digital signature.

Linux

gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k

where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX) - some adapters, particularly USB, may show up under SCSI emulation as /dev/sdX.

Ignore the warning about trailing garbage - it's because of the digital signature.
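The two safeguards this section relies on, sketched as an added example (not physdiskwrite's code and not part of the original guide): it separates the gzip stream from the bytes that follow it, which is what triggers the "trailing garbage" warning, and it refuses to write to a target larger than a size ceiling before writing and reading back. The function names, the file names and the sample image are constructed for this illustration, and the trailing bytes are a stand-in rather than a real m0n0wall signature.

```python
import gzip
import hashlib
import os
import tempfile
import zlib

MAX_TARGET_BYTES = 800 * 1024 * 1024  # ceiling the guide quotes for physdiskwrite without -u


def unpack_image(gz_bytes):
    """Decompress one gzip stream; return (raw_image, trailing_bytes)."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 16)   # | 16 selects gzip framing
    raw = d.decompress(gz_bytes) + d.flush()
    if not d.eof:
        raise ValueError("gzip stream is truncated")
    # Bytes after the end of the gzip stream are what gzcat/gunzip call "trailing garbage".
    return raw, d.unused_data


def target_size(path):
    """Size in bytes of a regular file or block device, found by seeking to its end."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def write_image(gz_path, target, max_bytes=MAX_TARGET_BYTES):
    """Write the decompressed image to target; return the SHA-256 of what was written."""
    with open(gz_path, "rb") as f:
        raw, _trailer = unpack_image(f.read())
    size = target_size(target)
    if size > max_bytes:
        raise PermissionError(f"{target} is {size} bytes, over the {max_bytes} byte limit")
    if len(raw) > size:
        raise ValueError(f"image ({len(raw)} bytes) does not fit on {target}")
    with open(target, "r+b") as f:      # r+b: overwrite in place, never truncate
        f.write(raw)
        f.flush()
        os.fsync(f.fileno())
    with open(target, "rb") as f:       # read back (may be served from the OS cache)
        written = f.read(len(raw))
    digest = hashlib.sha256(raw).hexdigest()
    if hashlib.sha256(written).hexdigest() != digest:
        raise OSError("read-back does not match the image")
    return digest


def demo():
    """Run against constructed files in a temp directory; touches no real device."""
    raw = bytes(range(256)) * 64                                   # constructed 16 KiB image
    signed = gzip.compress(raw) + b"CONSTRUCTED-SIGNATURE-BYTES"   # stand-in trailer
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "image.img")
        card = os.path.join(tmp, "card.bin")                       # stand-in for the CF card
        with open(img, "wb") as f:
            f.write(signed)
        with open(card, "wb") as f:
            f.write(b"\0" * 32768)
        digest = write_image(img, card)
        try:
            write_image(img, card, max_bytes=16384)                # card now counts as too large
            refused = False
        except PermissionError:
            refused = True
    return digest == hashlib.sha256(raw).hexdigest(), refused


if __name__ == "__main__":
    print(demo())
```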

2.3. Final Preparation

Now put your written CF card into your WRAP board, and put it in its case.

2.3.1. Plugging in the Network Interfaces

The LAN and WAN interfaces are pre-assigned on the WRAP image.

Two Ethernet models

On the two Ethernet port models, the LAN port is the port closest to where the power adapter plugs in, and the WAN port is the port closest to the serial port.

Three Ethernet models

On three Ethernet port WRAP models, the LAN port is the port closest to where the power adapter plugs in, and the WAN port is the middle port.

Plug the LAN interface into the hub or switch that is connected to your LAN. Plug the WAN interface into your Internet connection (DSL or cable modem, router, etc.)

After plugging in your interfaces, plug in your WRAP to turn it on.

Chapter 3. Initial Configuration

3.1. Initial Configuration

By default, m0n0wall enables its DHCP server on its LAN interface, and configures the LAN interface with IP address If you have an existing DHCP server, and/or wish to use a different IP subnet on your LAN, you will need to connect via the WRAP's serial console.


Unless you know what you're doing, we strongly recommend not changing the LAN IP address or pre-configured DHCP settings to avoid difficulties caused by misconfiguration.

If you do not need to change the interface assignments, LAN IP address, or DHCP server settings, you can skip ahead to the next chapter.

3.2. Connecting to the WRAP serial console

3.2.1. Getting the appropriate cable

First you need a null modem cable, not a straight through serial cable. For the appropriate pin-out, see this page. You can purchase a null modem cable at most any store that carries computer cables, or from a variety of online sources. (Froogle link for null modem cables)

Connect the null modem cable to your embedded device and PC.

3.2.2. Connecting to the serial console

For Windows users, HyperTerminal isn't great, but it gets the job done. You can find it under Start, Programs, Communications, HyperTerminal. If you cannot find it on your system, you can download it for free here.

After opening HyperTerminal, you will see the New Connection screen.

Type in something for the connection name and click OK.

Next, you'll see the "Connect to" screen. Select the COM port number of the serial port in your PC. If you do not know which it is, trial and error might be the easiest way to determine this. Start with COM1, and try other ports if necessary. In this case, I know my serial port is COM1.

Now you'll see the Connection Properties screen. If you have changed the console speed on your WRAP, you will need to change the "Bits per second" field accordingly.

Click OK after filling in the Connection Properties appropriately, and you will have a blank HyperTerminal screen. Now power on your device.

3.3. m0n0wall Console Setup

To recap from earlier, your system is now ready to be configured. You are able to view the console at 38400 bps (or via a video card and monitor) and have the media you loaded with m0n0wall earlier installed in the target machine.

When your system finishes booting, you will see the m0n0wall console.

*** This is m0n0wall, version 1.2
    built on Sun Aug 22 11:41:15 CEST 2004 for WRAP
    Copyright (C) 2002-2005 by Manuel Kasper. All rights reserved.
    Visit http://m0n0.ch/wall for updates.
    LAN IP address:
    Port configuration:
    LAN  -> sis0
    WAN  -> sis1

m0n0wall console setup
1) Interfaces: assign network ports
2) Set up LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system

3.3.1. Console Setup Menu Options

First I will explain the purpose of each menu option.

Option 1 allows you to assign network interfaces to be used for LAN, WAN, and OPT networks, as well as allowing you to configure VLAN's.

Option 2 allows you to set the LAN IP address to something other than the default

Option 3 allows you to reset the webGUI password if you have forgotten it.

Option 4 lets you reset the system to factory default configuration. If you get stuck at some point during configuration, sometimes it is easier to start over from scratch.

Option 5 lets you reboot the system.

3.4. Assigning Interfaces

Press 1 at the console setup screen if you wish to reassign your network interfaces.


To avoid potential problems with mis-assignment, we recommend leaving your interface assignments as is.

On a three Ethernet port WRAP, sis0 is the NIC closest to the power adapter connector, sis1 is the middle Ethernet port, and sis2 is the Ethernet port closest to the serial port.

On a two Ethernet port WRAP, sis0 is the NIC closest to the power adapter connector, and sis1 is the NIC closest to the serial port.

Enter a number: 1

Valid interfaces are:

sis0    00:0c:29:96:5e:de
sis1    00:0c:29:96:53:e8

Do you want to set up VLANs first?
If you're not going to use VLANs, or only for optional interfaes, you
should say no here and use the webGUI to configure VLANs later, if required.

Do you want to set up VLANs now? (y/n) 

As this guide only leads you through a simple two interface configuration, we will press n and hit enter here to skip VLAN configuration. If you need VLAN support, configure it in the webGUI after this initial configuration is complete.

If you don't know the names of your interfaces, you may choose to use
auto-detection.  In that case, disconnect all interfaces before you begin,
and reconnect each one when prompted to do so.

Enter the LAN interface name or 'a' for auto-detection:

Enter the name of the desired LAN interface (sis0 or sis1 on a two port WRAP, sis0, sis1, or sis2 on a three port WRAP) and press Enter.

Enter the WAN interface name or 'a' for auto-detection
(or nothing if finished):

Enter one of the remaining available interfaces and press Enter.

Next you will be prompted for assigning optional interfaces. You can do this later through the webGUI if need be. Without entering anything, hit ENTER at this prompt.

Enter the Optional 1 interface name or 'a' for auto-detection
(or nothing if finished):

You will now see how your interfaces have been configured.

The interfaces will be assigned as follows:

LAN  -> sis1
WAN  -> sis0

The firewall will reboot after saving the changes.

Do you want to proceed? (y/n)

This confirms how the interfaces will be assigned. Press y and hit enter here to restart the firewall for the changes to take effect. To discard your changes, enter n and press Enter.

3.5. Changing the LAN IP and/or DHCP server settings.

View this tutorial for a how-to on changing your LAN IP address and/or DHCP server settings.

Chapter 4. Client Machine Configuration

Now you need to get one of your client machines configured so you can access the webGUI to finish the configuration.

4.1. Using DHCP for client machines

If you aren't familiar with networking, the easiest thing to do is set all your machines to obtain their IP address from DHCP. m0n0wall enables its DHCP server on the LAN interface by default.

4.1.1. LAN with m0n0wall as DHCP Server

If you are going to use your m0n0wall as a DHCP server, set the machine you will be using to access the webGUI to obtain its IP address using DHCP. Then release and renew your DHCP lease and you will get a lease from m0n0wall. The procedures to release and renew vary by the client machine's operating system, but if you don't know how to do this, a reboot will achieve the same result.

4.1.2. LAN with Existing DHCP Server

If you have an existing DHCP server on your LAN, you just need to set your m0n0wall's LAN IP address to the default gateway address assigned by your DHCP server. You can change this using the console "Set LAN IP address" option.

When you get into the webGUI, you'll need to disable m0n0wall's DHCP server. You can also disable it from the console as described in the last chapter.

4.2. Static IP addresses

If you want to use a static IP address on your client machines, be sure to configure them in the same subnet as your m0n0wall LAN interface, using the appropriate DNS servers and the m0n0wall LAN IP address as the default gateway.

We recommend you stick with DHCP at least initially to reduce the likelihood of problems.

Chapter 5. Initial webGUI Configuration

Now that we have the client machines configured appropriately, the interfaces assigned and LAN IP address configured, and the m0n0wall has rebooted with its new configuration, we will log into the webGUI and finish the configuration.

5.1. Logging into the webGUI

Open your web browser and go to (if you changed your LAN IP address in the console setup, replace with your LAN IP throughout the remainder of this documentation).

You will be prompted for a username and password. Enter username admin and password mono. You are now logged into the webGUI.

5.2. webGUI System -> General Setup screen

First click "General Setup".

Hostname and Domain

If you wish to change the hostname and domain of your m0n0wall, you can do so in the first two boxes on this screen. If you use m0n0wall as your DNS server, this name will resolve to your LAN IP address. i.e. you can access your webGUI using http://m0n0wall.local or whatever you set the hostname and domain to be.

DNS Servers

If you have a static IP from your ISP, you need to enter the IP addresses of your ISP's DNS servers in these two boxes. Use one IP address per box. If you get your IP address from your ISP via DHCP, leave these boxes blank. If you want to use DNS servers on your LAN, enter their IP addresses here. To use only one DNS server, fill in the top box and leave the bottom one blank.

If your ISP uses DHCP and you wish to use the DNS servers the ISP's DHCP server provides, leave the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box checked. If you are using DHCP on the WAN and wish to use DNS servers other than the ones provided by your ISP, uncheck this box.

Username and Password

If you wish to change the username from the default "admin", change the username box appropriately.

It is important that you change your password from the default "mono" by typing in a password of your choosing in the password field and typing it again to confirm in the second field.

webGUI protocol and port

Here you should change the protocol from HTTP to HTTPS so your username and password and configuration details are encrypted while in transit over your LAN.

If you want to make it a little more difficult to find your webGUI logon page, change the port number here. Just remember you will have to put that port number in the URL when logging into the webGUI. For example, if you set this port to 5555, and switch to HTTPS, you will have to use to access the webGUI.

Time Zone

Select your time zone from this drop down box. This includes all of the time zones from FreeBSD. I am in Louisville, Kentucky, USA, which has its own entry under America/Louisville that I will select. You can likely find a city in the same time zone, or at least find the name of your time zone.

Time Update Interval

m0n0wall has a built-in NTP client that by default synchronizes its time to an NTP server every 300 minutes (5 hours). To change the frequency of this update, change this box. Enter 0 to disable NTP clock synchronization (not recommended).

NTP Time Server

This specifies which NTP server m0n0wall will use to synchronize its time. You can leave it at pool.ntp.org unless you have a reason to change it. You might want to change this, for example, to synchronize to a central NTP server on your LAN.

Now review all of your changes on this screen, and when you are satisfied with them, click Save. You'll see notification that the changes were applied successfully.

5.3. Configuring your WAN interface

Now we will configure your WAN interface. At this point, you will need some information from your ISP. The WAN connection types available are DHCP, static IP, PPPoE, PPTP, and BigPond. Chances are you will be using DHCP, static IP, or PPPoE.

5.3.1. WAN configuration screen

5.3.2. Type

In the Type drop down box, you have five choices. Choose accordingly for the information you gathered earlier, and fill in any necessary information for your connection type.

5.3.3. General configuration options

Under "General configuration" on this screen, you can change the MAC address of the WAN interface and change the MTU.

MAC address

Some ISP's keep the MAC address of the device you have connected to their network, and only allow that device access. There is typically a process to register a new device, though sometimes that may require contacting the ISP. To avoid this, you can enter the MAC address of the network card you previously used on your broadband connection to make your ISP think you still have the same device connected.


Unless you have a very good reason for changing it, leave the MTU alone.

5.3.4. Block private networks

Unless your WAN subnet lies in private IP address space, leave this box checked. It protects you from some IP spoofing attempts.

5.3.5. Save and Apply Changes

Now click Save at the bottom of the WAN page. Your changes will immediately take effect, and you should immediately be able to browse the internet from your LAN. If you cannot, see the troubleshooting section.

5.4. What next?

So you now have m0n0wall configured and working - now what next?

5.4.1. m0n0wall Announcements List

If you are running m0n0wall, we strongly suggest subscribing to the announcements mailing list by sending a blank email to <m0n0wall-announce-subscribe@lists.m0n0.ch>. This is a very low volume list that can only be posted to by Manuel Kasper. It might get 10 messages a year. It's important to subscribe so you are kept up to date on any new releases, and will know if any security issues are discovered.

5.4.2. m0n0wall Documentation Announcements List

You might also wish to subscribe to the documentation updates list if you want to keep up to date on major changes to the m0n0wall documentation. Send a blank email to <m0n0wall-doc-announce-subscribe@lists.m0n0.ch> to subscribe. This list can only be posted to by Chris Buechler, and is very low volume with typically less than 10 messages per year.

5.4.3. Explore the Possibilities

m0n0wall is capable of much more than the basic two interface LAN/WAN setup you now have running. Peruse the m0n0wall Handbook for information on implementing more of m0n0wall's capabilities.

Chapter 6. Troubleshooting

Some of the problems you may run into in the process of following this guide, and their associated troubleshooting steps follow.

Network interfaces are not detected

Cannot access Internet from LAN after configuring WAN Interface

Cannot access webGUI from LAN

Cannot get link light on network interface(s).



Dynamic Host Configuration Protocol.


Local Area Network. A network that typically includes computers which are physically close, such as in one office, usually connected with hubs and switches rather than routers.


Network Interface Card. A.k.a. network card, or Ethernet card.


Network Address Translation. A technique whereby IP traffic from multiple IP addresses behind a firewall are made to look to the outside as if they all come from a single public IP address.

See also the Wikipedia Network Address Translation page.


Wide Area Network. A network that spans a large area, typically including routers, gateways, and many different IP networks.

In the context of firewalls, the WAN interface is the one directly connected to the Internet.