m0n0wall Version 1.2, September 2005
Copyright © 2005 m0n0wall Documentation Project
All rights reserved.
Redistribution and use in any form, with or without modification, are permitted provided that the following conditions are met:
Redistributions must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither the name of the m0n0wall Documentation Project nor the names of its contributors may be used to endorse or promote products derived from this documentation without specific prior written permission.
THIS DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Add hardware chapter
List of things to fix once 1.2 is released (for my own reference).
Finish tutorials that rely on current website (need m0n0.ch to show 1.2 release first).
Change out screenshots where applicable with final 1.2 release.
Change console output to that of final 1.2 release.
The m0n0wall Quick Start Guide is intended to get you up and running with m0n0wall on a two interface (LAN and WAN) setup. The m0n0wall Handbook contains the information you need to further configure your m0n0wall installation after completing this guide.
This version of the Quick Start Guide is specifically tailored to the PC platform. If you are using Soekris hardware, please see the Soekris Quick Start Guide and for WRAP hardware, please see the WRAP Quick Start Guide.
I am currently working on adding a number of example configurations in Chapter 9 of the m0n0wall Handbook. These configurations will describe how to configure several things such as multiple LAN interfaces, setting up DMZ interfaces, wireless interfaces, etc. The base for adding those additional features will be the basic LAN/WAN setup this guide describes.
This chapter will go through the hardware and network information you need to gather to proceed through in this guide.
First, you need to make sure you have the following hardware.
Destination PC
storage medium
Two network cables
You'll need some information about your Internet connection. You'll need to know which category of the below list your Internet connection falls into, and the appropriate details. You can usually find these details on your ISP's website, and/or in paperwork you receive when you sign up for service. You can also call your ISP's technical support to get this information.
Static IP - If you have a connection with a static IP, make a note of your IP address, subnet mask, default gateway, and DNS server IPs.
DHCP - If your Internet connection uses DHCP, you need not gather any more information unless your ISP requires you to send a particular DHCP hostname value (this is uncommon). If that is the case, check with your ISP to determine the hostname.
PPPoE - Many DSL providers offer PPPoE or PPPoA service. Either is supported by the PPPoE WAN option. You will need your PPPoE username and password, and possibly your service name (though this can usually be left blank).
PPTP - A few ISPs require you to connect to them via PPTP. If your ISP requires this, you will need a username, password, local IP address, and remote IP address from your ISP.
BigPond - This setting is for BigPond cable connections. You will need your username, password, and possibly the authentication server and domain.
Make note of the appropriate information for your connection type for later use.
m0n0wall uses a subnet mask format that you may not be familiar with. Rather than the common 255.x.x.x, it uses CIDR (Classless InterDomain Routing) notation.
You can refer to the following table to find the CIDR equivalent of your subnet mask.
Table 1.1. CIDR Subnet Table
Subnet Mask | CIDR Prefix | Total IPs | Usable IPs | Number of Class C networks |
---|---|---|---|---|
255.255.255.255 | /32 | 1 | 1 | 1/256th |
255.255.255.254 | /31 | 2 | 0 | 1/128th |
255.255.255.252 | /30 | 4 | 2 | 1/64th |
255.255.255.248 | /29 | 8 | 6 | 1/32nd |
255.255.255.240 | /28 | 16 | 14 | 1/16th |
255.255.255.224 | /27 | 32 | 30 | 1/8th |
255.255.255.192 | /26 | 64 | 62 | 1/4th |
255.255.255.128 | /25 | 128 | 126 | 1 half |
255.255.255.0 | /24 | 256 | 254 | 1 |
255.255.254.0 | /23 | 512 | 510 | 2 |
255.255.252.0 | /22 | 1024 | 1022 | 4 |
255.255.248.0 | /21 | 2048 | 2046 | 8 |
255.255.240.0 | /20 | 4096 | 4094 | 16 |
255.255.224.0 | /19 | 8192 | 8190 | 32 |
255.255.192.0 | /18 | 16,384 | 16,382 | 64 |
255.255.128.0 | /17 | 32,768 | 32,766 | 128 |
255.255.0.0 | /16 | 65,536 | 65,534 | 256 |
255.254.0.0 | /15 | 131,072 | 131,070 | 512 |
255.252.0.0 | /14 | 262,144 | 262,142 | 1024 |
255.248.0.0 | /13 | 524,288 | 524,286 | 2048 |
255.240.0.0 | /12 | 1,048,576 | 1,048,574 | 4096 |
255.224.0.0 | /11 | 2,097,152 | 2,097,150 | 8192 |
255.192.0.0 | /10 | 4,194,304 | 4,194,302 | 16,384 |
255.128.0.0 | /9 | 8,388,608 | 8,388,606 | 32,768 |
255.0.0.0 | /8 | 16,777,216 | 16,777,214 | 65,536 |
254.0.0.0 | /7 | 33,554,432 | 33,554,430 | 131,072 |
252.0.0.0 | /6 | 67,108,864 | 67,108,862 | 262,144 |
248.0.0.0 | /5 | 134,217,728 | 134,217,726 | 1,048,576 |
240.0.0.0 | /4 | 268,435,456 | 268,435,454 | 2,097,152 |
224.0.0.0 | /3 | 536,870,912 | 536,870,910 | 4,194,304 |
192.0.0.0 | /2 | 1,073,741,824 | 1,073,741,822 | 8,388,608 |
128.0.0.0 | /1 | 2,147,483,648 | 2,147,483,646 | 16,777,216 |
0.0.0.0 | /0 | 4,294,967,296 | 4,294,967,294 | 33,554,432 |
The CIDR number comes from the number of 1's in the subnet mask when converted to binary.
The common subnet mask 255.255.255.0 is 11111111.11111111.11111111.00000000 in binary. This adds up to 24 1's, or /24 (pronounced 'slash twenty four').
A subnet mask of 255.255.255.192 is 11111111.11111111.11111111.11000000 in binary, or 26 1's, hence a /26.
And so on...
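The conversion described above, carried out in code as an added example (not part of the original guide): it counts the 1 bits of a dotted mask, rejects masks whose 1s are not contiguous (which the table can never contain and m0n0wall would not accept), and reproduces the table's usable-host column, including the /31 and /32 special cases. The sample masks are taken from Table 1.1.

```python
import ipaddress

# A few (mask, prefix) pairs copied from Table 1.1 to cross-check against.
TABLE_SAMPLES = {
    "255.255.255.0": 24,
    "255.255.255.192": 26,
    "255.255.0.0": 16,
    "255.255.255.254": 31,
    "0.0.0.0": 0,
}


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix for a dotted-quad subnet mask.

    The prefix is the number of 1 bits in the mask, but only if those 1s
    are contiguous from the left. A mask such as 255.255.0.255 has 24 ones
    yet is not a valid subnet mask, so it is rejected rather than mapped
    to /24."""
    value = int(ipaddress.IPv4Address(mask))  # validates four octets 0-255
    ones = bin(value).count("1")
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF  # 'ones' 1s then 0s
    if value != expected:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Inverse of mask_to_prefix, e.g. 26 -> 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def usable_hosts(prefix: int) -> int:
    """Usable host addresses as listed in Table 1.1: the network and
    broadcast addresses are excluded, a /31 yields 0 and a /32 yields the
    single address itself."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 0
    return 2 ** (32 - prefix) - 2


def describe(address: str, mask: str) -> dict:
    """Combine an address and a dotted mask into the CIDR form m0n0wall
    expects, e.g. 192.168.1.1 with 255.255.255.0 -> 192.168.1.1/24."""
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    return {
        "cidr": f"{address}/{prefix}",
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(prefix),
    }


if __name__ == "__main__":
    for mask, expected_prefix in TABLE_SAMPLES.items():
        assert mask_to_prefix(mask) == expected_prefix, mask
        assert prefix_to_mask(expected_prefix) == mask, expected_prefix
    print(describe("192.168.1.1", "255.255.255.0"))
```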
m0n0wall provides two options for PC users, either a CD and floppy setup or a hard disk setup.
m0n0wall can run from a CD, with a floppy disk to save the configuration. This is typically a good way to try m0n0wall without actually overwriting a hard drive. However, we do not recommend it for production use, due to the likelihood of floppy disk or drive failure. A hard drive is far more reliable, and Compact Flash is even more reliable still.
To download the PC image or CD, point your web browser to http://www.m0n0.ch/wall/downloads.php and select the WRAP download link from that page. Download the file to the machine from which you will be writing to the CompactFlash card.
FIXME - add tutorial
Now you need to write the image to a sufficiently large CF card (at least 8 MB). Extra space on the CF card is ignored; there is no benefit to using one larger than 8 MB other than possibly compatibility on future releases.
The following sections will cover how to write the CF card in Windows, FreeBSD, and Linux.
On Windows, use physdiskwrite, written by Manuel Kasper (the author of m0n0wall), to write the CF card. Download it from the physdiskwrite page on the m0n0wall web site.
Save physdiskwrite.exe and the downloaded m0n0wall image in the same directory on your hard drive, then open a Windows Command Prompt (click Start, Run, type in cmd and click OK).
Plug in your CF card reader/writer and insert your CF card.
'cd' into the directory containing physdiskwrite and the m0n0wall image and run the following:
physdiskwrite wrap-xxx.img
Replace wrap-xxx.img with the name of the WRAP image you downloaded.
You will see output similar to the following:
physdiskwrite v0.5 by Manuel Kasper <mk@neon1.net>

Searching for physical drives...

Information for \\.\PhysicalDrive0:
   Windows:       cyl: 14593
                  tpc: 255
                  spt: 63
   C/H/S:         16383/16/63
   Model:         ST3120026A
   Serial number: 3JT1V2FS
   Firmware rev.: 3.06

Information for \\.\PhysicalDrive1:
   Windows:       cyl: 1
                  tpc: 255
                  spt: 63
You will see all the hard drives in your system listed, as well as the compact flash card. Since we did not run physdiskwrite -u, physdiskwrite will refuse to write to any drive over 800 MB. This is a protection so you don't accidentally overwrite your hard drive.
The procedure to image a CompactFlash card depends on the type of adapter you are using. The CF card will appear as either a SCSI or an IDE hard drive.
Run the command atacontrol list. You will get output similar to the following:
su-3.00# atacontrol list
ATA channel 0:
    Master:      ad0 <WDC WD200EB-75CSF0/04.01B04> ATA/ATAPI revision 5
    Slave:       ad1 <WDC WD800AB-22CBA0/03.06A03> ATA/ATAPI revision 5
ATA channel 1:
    Master:     acd0 <_NEC CD-RW NR-7800A/10DA> ATA/ATAPI revision 0
    Slave:       no device present
Then run the command camcontrol devlist. You will see output similar to the following:
su-2.05b# camcontrol devlist
<ADAPTEC RAID-5 320R>              at scbus2 target 0 lun 0 (pass0,da0)
<SEAGATE ST39204LC 0005>           at scbus2 target 3 lun 0 (pass1,da1)
<ESG-SHV SCA HSBP M10 0.05>        at scbus2 target 6 lun 0 (pass2)
You will find your CF card somewhere in the above output. Make note of its device name (adX or daX).
Run the following command, replacing adX with your CF device as determined above, and wrap-xxx.img with the name of the m0n0wall image you downloaded.
gzcat wrap-xxx.img | dd of=/dev/adX bs=16k
Ignore the warning about trailing garbage - it's because of the digital signature.
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where hdX is the IDE device name of your CF card (check with hdparm -i /dev/hdX). Some adapters, particularly USB ones, appear under SCSI emulation as /dev/sdX instead.
Ignore the warning about trailing garbage - it's because of the digital signature.
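The "trailing garbage" warning in both the FreeBSD and Linux steps above comes from data that follows the gzip stream. The following is an added example, not part of the original guide or of m0n0wall itself, that shows what gzcat and gunzip are doing: it decompresses the first gzip member, separates whatever trails it, and reports the payload size and hash so you can confirm the image fits the card before running dd. It assumes the signature simply follows the gzip member; the sample download is constructed, not a real image.

```python
import gzip
import hashlib
import zlib

# Constructed stand-in for a downloaded image: a small fake payload,
# gzip-compressed, with arbitrary bytes appended where the real download
# carries its detached signature (assumption, see lead-in).
FAKE_PAYLOAD = b"\x00" * 4096 + b"m0n0wall-fake-image" + b"\xff" * 4096
FAKE_SIGNATURE = b"constructed-signature-bytes"
FAKE_DOWNLOAD = gzip.compress(FAKE_PAYLOAD) + FAKE_SIGNATURE

# The guide calls for a CF card of at least 8 MB.
MIN_CARD_BYTES = 8 * 1024 * 1024


def split_image(blob: bytes):
    """Decompress the first gzip member and return (payload, trailing).

    'trailing' is whatever follows the gzip stream. gzcat/gunzip warn about
    it as trailing garbage but still emit the payload, which is what dd
    then writes to the card. A stream that ends before its gzip trailer
    means the download is incomplete, so that case is an error."""
    decomp = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # expect gzip header
    payload = decomp.decompress(blob)
    if not decomp.eof:
        raise ValueError("gzip stream is truncated; the download is incomplete")
    return payload, decomp.unused_data


def check_image(blob: bytes, card_bytes: int = MIN_CARD_BYTES) -> dict:
    """Pre-flight report before imaging: payload size, how many trailing
    bytes caused the warning, whether the image fits the card, and a
    SHA-256 of the decompressed payload for later comparison."""
    payload, trailing = split_image(blob)
    return {
        "payload_bytes": len(payload),
        "trailing_bytes": len(trailing),
        "fits_card": len(payload) <= card_bytes,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    print(check_image(FAKE_DOWNLOAD))
```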
Now put your written CF card into your WRAP board, and put it in its case.
The LAN and WAN interfaces are pre-assigned on the WRAP image.
On the two Ethernet port models, the LAN port is the port closest to where the power adapter plugs in, and the WAN port is the port closest to the serial port.
On three Ethernet port WRAP models, the LAN port is the port closest to where the power adapter plugs in, and the WAN port is the middle port.
Plug the LAN interface into the hub or switch that is connected to your LAN. Plug the WAN interface into your Internet connection (DSL or cable modem, router, etc.)
After plugging in your interfaces, plug in your WRAP to turn it on.
By default, m0n0wall enables its DHCP server on its LAN interface, and configures the LAN interface with IP address 192.168.1.1. If you have an existing DHCP server, and/or wish to use a different IP subnet on your LAN, you will need to connect via the WRAP's serial console.
If you do not need to change the interface assignments, LAN IP address, or DHCP server settings, you can skip ahead to the next chapter.
First you need a null modem cable, not a straight-through serial cable. For the appropriate pin-out, see this page. You can purchase a null modem cable at almost any store that carries computer cables, or from a variety of online sources.
Connect the null modem cable to your embedded device and PC.
For Windows users, HyperTerminal isn't great, but it gets the job done. You can find it under Start, Programs, Communications, HyperTerminal. If you cannot find it on your system, you can download it for free here.
After opening HyperTerminal, you will see the New Connection screen.
Type in something for the connection name and click OK.
Next, you'll see the "Connect to" screen. Select the COM port number of the serial port in your PC. If you do not know which it is, trial and error might be the easiest way to determine this. Start with COM1, and try other ports if necessary. In this case, I know my serial port is COM1.
Now you'll see the Connection Properties screen. If you have changed the console speed on your WRAP, you will need to change the "Bits per second" field accordingly.
Click OK after filling in the Connection Properties appropriately, and you will have a blank HyperTerminal screen. Now power on your device.
To recap from earlier, your system is now ready to be configured. You are able to view the console at 38400 bps (or via a video card and monitor) and have the media you loaded with m0n0wall earlier installed in the target machine.
When your system finishes booting, you will see the m0n0wall console.
*** This is m0n0wall, version 1.2
    built on Sun Aug 22 11:41:15 CEST 2004 for WRAP
    Copyright (C) 2002-2005 by Manuel Kasper. All rights reserved.
    Visit http://m0n0.ch/wall for updates.

    LAN IP address: 192.168.1.1

    Port configuration:

    LAN   -> sis0
    WAN   -> sis1

m0n0wall console setup
**********************
1) Interfaces: assign network ports
2) Set up LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system
First I will explain the purpose of each menu option.
Option 1 allows you to assign network interfaces to be used for LAN, WAN, and OPT networks, as well as allowing you to configure VLAN's.
Option 2 allows you to set the LAN IP address to something other than the default 192.168.1.1.
Option 3 allows you to reset the webGUI password if you have forgotten it.
Option 4 lets you reset the system to factory default configuration. If you get stuck at some point during configuration, sometimes it is easier to start over from scratch.
Option 5 lets you reboot the system.
Press 1 at the console setup screen if you wish to reassign your network interfaces.
On a three Ethernet port WRAP, sis0 is the NIC closest to the power adapter connector, sis1 is the middle Ethernet port, and sis2 is the Ethernet port closest to the serial port.
On a two Ethernet port WRAP, sis0 is the NIC closest to the power adapter connector, and sis1 is the NIC closest to the serial port.
Enter a number: 1

Valid interfaces are:

sis0   00:0c:29:96:5e:de
sis1   00:0c:29:96:53:e8

Do you want to set up VLANs first?
If you're not going to use VLANs, or only for optional interfaes, you
should say no here and use the webGUI to configure VLANs later, if
required.

Do you want to set up VLANs now? (y/n)
As this guide only leads you through a simple two interface configuration, we will press n and hit enter here to skip VLAN configuration. If you need VLAN support, configure it in the webGUI after this initial configuration is complete.
If you don't know the names of your interfaces, you may choose to use
auto-detection. In that case, disconnect all interfaces before you begin,
and reconnect each one when prompted to do so.

Enter the LAN interface name or 'a' for auto-detection:
Enter the name of the desired LAN interface (sis0 or sis1 on a two port WRAP, sis0, sis1, or sis2 on a three port WRAP) and press Enter.
Enter the WAN interface name or 'a' for auto-detection (or nothing if finished):
Enter one of the remaining available interfaces and press Enter.
Next you will be prompted to assign optional interfaces. You can do this later through the webGUI if need be. Press Enter at this prompt without typing anything.
Enter the Optional 1 interface name or 'a' for auto-detection (or nothing if finished):
You will now see how your interfaces have been configured.
The interfaces will be assigned as follows:

LAN  -> sis1
WAN  -> sis0

The firewall will reboot after saving the changes.

Do you want to proceed? (y/n)
This confirms how the interfaces will be assigned. Press y and hit enter here to restart the firewall for the changes to take effect. To discard your changes, enter n and press Enter.
View this tutorial for a how-to on changing your LAN IP address and/or DHCP server settings.
Now you need to get one of your client machines configured so you can access the webGUI to finish the configuration.
If you aren't familiar with networking, the easiest thing to do is set all your machines to obtain their IP address from DHCP. m0n0wall enables its DHCP server on the LAN interface by default.
If you are going to use your m0n0wall as a DHCP server, set the machine you will be using to access the webGUI to obtain its IP address using DHCP. Then release and renew your DHCP lease and you will get a lease from m0n0wall. The procedures to release and renew vary by the client machine's operating system, but if you don't know how to do this, a reboot will achieve the same result.
If you have an existing DHCP server on your LAN, you just need to set your m0n0wall's LAN IP address to the default gateway address assigned by your DHCP server. You can change this using the console "Set LAN IP address" option.
When you get into the webGUI, you'll need to disable m0n0wall's DHCP server. You can also disable it from the console as described in the last chapter.
If you want to use a static IP address on your client machines, be sure to configure them in the same subnet as your m0n0wall LAN interface, using the appropriate DNS servers and the m0n0wall LAN IP address as the default gateway.
We recommend you stick with DHCP at least initially to reduce the likelihood of problems.
Now that we have the client machines configured appropriately, the interfaces assigned and LAN IP address configured, and the m0n0wall has rebooted with its new configuration, we will log into the webGUI and finish the configuration.
Open your web browser and go to http://192.168.1.1 (if you changed your LAN IP address in the console setup, replace 192.168.1.1 with your LAN IP throughout the remainder of this documentation).
You will be prompted for a username and password. Enter username admin and password mono. You are now logged into the webGUI.
First click "General Setup".
Hostname and Domain
If you wish to change the hostname and domain of your m0n0wall, you can do so in the first two boxes on this screen. If you use m0n0wall as your DNS server, this name will resolve to your LAN IP address; for example, you can access your webGUI using http://m0n0wall.local, or whatever you set the hostname and domain to be.
DNS Servers
If you have a static IP from your ISP, enter the IP addresses of your ISP's DNS servers in these two boxes, one IP address per box. If you get your IP address from your ISP via DHCP, leave these boxes blank. If you want to use DNS servers on your LAN, enter their IP addresses here. To use only one DNS server, fill in the top box and leave the bottom one blank.
If your ISP uses DHCP and you wish to use the DNS servers the ISP's DHCP server provides, leave the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box checked. If you are using DHCP on the WAN and wish to use DNS servers other than the ones provided by your ISP, uncheck this box.
Username and Password
If you wish to change the username from the default "admin", change the username box appropriately.
It is important that you change your password from the default "mono" by typing in a password of your choosing in the password field and typing it again to confirm in the second field.
webGUI protocol and port
Here you should change the protocol from HTTP to HTTPS so that your username, password, and configuration details are encrypted while in transit over your LAN.
If you want to make it a little more difficult to find your webGUI logon page, change the port number here. Just remember you will have to put that port number in the URL when logging into the webGUI. For example, if you set this port to 5555, and switch to HTTPS, you will have to use https://192.168.1.1:5555 to access the webGUI.
Time Zone
Select your time zone from this drop down box. This includes all of the time zones from FreeBSD. I am in Louisville, Kentucky, USA, which has its own entry under America/Louisville that I will select. You can likely find a city in the same time zone, or at least find the name of your time zone.
Time Update Interval
m0n0wall has an NTP client built in that by default synchronizes its clock with an NTP server every 300 minutes (5 hours). To change the frequency of this update, change this box. Enter 0 to disable NTP clock synchronization (not recommended).
NTP Time Server
This specifies which NTP server m0n0wall will use to synchronize its time. You can leave it at pool.ntp.org unless you have a reason to change it. You might want to change this, for example, to synchronize to a central NTP server on your LAN.
Now review all of your changes on this screen, and when you are satisfied with them, click Save. You'll see notification that the changes were applied successfully.
Now we will configure your WAN interface. At this point, you will need some information from your ISP. The WAN connection types available are DHCP, static IP, PPPoE, PPTP, and BigPond. Chances are you will be using DHCP, static IP, or PPPoE.
In the Type drop down box, you have five choices. Choose accordingly for the information you gathered earlier, and fill in any necessary information for your connection type.
Under "General configuration" on this screen, you can change the MAC address of the WAN interface and change the MTU.
MAC address
Some ISPs record the MAC address of the device you connected to their network and only allow that device access. There is typically a process to register a new device, though sometimes that requires contacting the ISP. To avoid this, you can enter the MAC address of the network card you previously used on your broadband connection, so that your ISP sees the same device as before.
MTU
Unless you have a very good reason for changing it, leave the MTU alone.
Unless your WAN subnet lies in private IP address space, leave this box checked. It blocks traffic arriving on the WAN interface from private address ranges, which protects you from some IP spoofing attempts.
So you now have m0n0wall configured and working. What next?
If you are running m0n0wall, we strongly suggest subscribing to the announcements mailing list by sending a blank email to <m0n0wall-announce-subscribe@lists.m0n0.ch>. This is a very low volume list that can only be posted to by Manuel Kasper. It might get 10 messages a year. It's important to subscribe so you are kept up to date on any new releases, and will know if any security issues are discovered.
You might also wish to subscribe to the documentation updates list if you want to keep up to date on major changes to the m0n0wall documentation. Send a blank email to <m0n0wall-doc-announce-subscribe@lists.m0n0.ch> to subscribe. This list can only be posted to by Chris Buechler, and is very low volume with typically less than 10 messages per year.
m0n0wall is capable of much more than the basic two interface LAN/WAN setup you now have running. Peruse the m0n0wall Handbook for information on implementing more of m0n0wall's capabilities.
Some of the problems you may run into in the process of following this guide, and their associated troubleshooting steps follow.
Network interfaces are not detected
Cannot access Internet from LAN after configuring WAN Interface
DHCP - Dynamic Host Configuration Protocol.
LAN - Local Area Network. A network that typically includes computers which are physically close, such as in one office, usually connected with hubs and switches rather than routers.
NIC - Network Interface Card. Also known as a network card or Ethernet card.
NAT - Network Address Translation. A technique whereby IP traffic from multiple IP addresses behind a firewall is made to look to the outside as if it all comes from a single public IP address. See also the Wikipedia Network Address Translation page.
WAN - Wide Area Network. A network that spans a large area, typically including routers, gateways, and many different IP networks. In the context of firewalls, the WAN interface is the one directly connected to the Internet.