The m0n0wall project is an Open Source FreeBSD-based firewall designed for use on minimal PC hardware, including embedded devices such as the Soekris net4501 and net4801 hardware platforms, while still providing all of the essential features of commercial firewall appliances. Virtually all configuration and administration is done using a web-based interface that makes setting up a robust firewall extremely easy.
The web interface, while straightforward, does assume a certain minimum understanding of both network administration in general, and m0n0wall specifically. This guide was written to explain the initial steps required to get a m0n0wall system configured to provide the two services — DHCP configuration for clients and NAT-based connection sharing — that are most useful for a typical home network.
This guide does not attempt to provide detailed information about configuring a firewall. We highly recommend two books for learning about firewalls in-depth:
Important: You are responsible for your own network security. We absolutely take no responsibility for the security of your network, whether you follow the instructions here or not.
Fundamentally, a m0n0wall-based system is used to connect two (or more) separate networks together, allowing devices like computers and servers on both networks to make permitted connections to each other. A m0n0wall-based appliance can add connections and capabilities to a network, such as allowing many systems to share a single public IP address. It can also restrict connections to systems under its control, acting as a guardian to prevent unauthorized access of internal systems by outsiders.
For the purposes of this guide we will simplify the possibilities, and only discuss one of the more common situations where m0n0wall is frequently used, connecting a home or small office network to the internet via a broadband connection (dial-up is not discussed here):
Figure 1: A simple home network.
In Figure 1, m0n0wall is being used to connect a small home network, the LAN, to the internet, which is the biggest WAN of all.
[[More info here…eventually…]]
Before you begin making changes to your existing network, it is a very, very good idea to document your current, working configuration. If your operating system allows you to make a backup of your network configuration, do it now.
Documenting a working configuration is the perfect time to gather some important information. Having some specific details about your network written down in one place will make the setup and activation of m0n0wall go much faster, as well as make it possible to back out if things go awry.
The ideal place to collect this information from is the kit your ISP sent you when you signed up for your network connection. Most people file and lose this information, but fortunately, you can get most of it just by opening the network configuration utility for a client computer that currently has access to the internet:
The information you’ll want to collect is:
|WAN IP address for m0n0wall device||IP Address (Mac)
IP address (Win2K)
|Subnet Mask||Subnet Mask||255.255.255.248|
|WAN Gateway||Router (Mac)
Default Gateway (Win2K)
|DNS Servers||DNS Servers (Mac)
Preferred / Alternate DNS server
If your ISP gave you more than one IP address for your network, you will need to pick one to give to m0n0wall. For simplicity’s sake, we recommend you choose either the lowest or the highest IP address allocated to a client system (not a server). All of your desktop systems will get new, “internal” IP addresses, automatically provided by m0n0wall, so really, pick any address you want.
Setting up a new m0n0wall appliance consists of the following seven steps:
For the most part, you simply need to plug the basic information you gathered earlier into the right places in m0n0wall. None of these steps are complicated, and for many networks you can accept the defaults, i.e., all you need to do is check the step off.
If you plan to run m0n0wall on the wonderful embedded-style hardware from Soekris (either the net4501 or net4801 series of devices), the process of setting up the hardware could not be more simple. This is because all the network interfaces are built-in, and m0n0wall knows about them by default.
If you plan to run m0n0wall on a standard PC, you need to make sure there are enough network interface cards (or built-in interfaces), so that you can connect the required cables to the system.
In either case, you want to connect your LAN (most likely via an Ethernet cable attached to a hub or a switch) to the first network interface (Net0), and the WAN (probably an Ethernet cable connected to your DSL or cable modem or router) to the second network interface (Net1):
Figure 3: Connecting your m0n0wall device between your home network and your internet ISP equipment.
On Soekris devices, the Net0 and Net1 interfaces are RJ-45 connectors for 100-Mbps Etherent, and they are labeled Net0 and Net1. If you are setting up your own PC with multiple network interfaces, you will have to decide which interface is which (and it’s a good idea to label them with one of those label makers, so you’ll remember later!).
Note: in case it’s not obvious, your desktop computers on your home network should be hooked together using the rest of the connectors on your LAN Ethernet hub or switch.
Once you’ve wired your m0n0wall system into your network, it’s time to power it up. You will definitely want to see the logging and messages that are printed to the console by m0n0wall as it boots up. Soekris systems connect via serial cable to a terminal or the serial port on a PC. A regular PC can connect to a standard monitor.
As m0n0wall starts up you will see a lot of messages fly past; most of the time you can ignore these, and just wait for the m0n0wall console menu to appear (the other messages can be useful when hardware troubleshooting):
Figure 4: The m0n0wall console menu after booting successfully for the first time.
Figure 4 shows the m0n0wall console after booting with the factory default configuration. Important settings are displayed, e.g., the LAN IP address, and the current assignment of network interfaces. This console is where you must edit a few initial configuration settings, unless your hardware works correctly with the m0n0wall defaults (only Soekris devices are likely to do so).
You can also use the console to reset m0n0wall, in case you make changes via the webGUI that make it impossible to connect to m0n0wall over the network. Last, you can reboot m0n0wall, if you have made settings changes that require rebooting.
Note: If you are running m0n0wall on a Soekris net45xx or net48xx embedded device, you can skip this section, as m0n0wall’s default settings should work fine.
The m0n0wall console allows you to tell m0n0wall the basics of how to connect to your network. You have to tell m0n0wall about your network before you will be able to use the web configuration interface, called webGUI, because webGUI depends on network access. In other words, you cannot connect to m0n0wall over the network until you’ve told it about your network.
The critical information is assigning roles to the different network interfaces. You need to tell m0n0wall which network interface is connected to your internal network (LAN) and which is connected to the internet (WAN). This is the port configuration displayed in the middle of the console, and you make changes to the configuration by choosing the first option on the console menu, “Interfaces: assign network ports”:
Figure 5: Assigning network ports using the m0n0wall console.
When you choose option 1, you first get a listing of the network interfaces which m0n0wall found when it initialized the hardware on which it is running. These are the network interfaces it knows about, and these are the only interfaces you can assign to m0n0wall ports. (Something interesting to note in Figure 5 is that the factory default assigns the WAN port to the sis1 interface, but when the valid interfaces are listed, there is no sis1 interface on the list!)
At each prompt, enter the name of the interface to assign to the requested port. You only enter the short name for the interface, e.g., de0, sis0, etc. (the long string of numbers and letters is the Ethernet MAC address, and is listed for informational purposes only).
Note: the network interface names — sis0, de1, etc. — are derived from the name of the “driver” for the interface’s hardware. It is unlikely that your network interfaces will have these names on them. You may have to make some educated guesses as to which interface is which. Just plug your Ethernet cables in, and if you are unable to connect to webGUI in the next section, try swapping the cables.
For the benefit of Soekris device owners, the network interfaces are labeled, but not with the device names. Here’s a quick mapping of the labels on the case to the device names that m0n0wall sees:
The other setting you may wish to change is the LAN IP address. This is the IP address for the m0n0wall system as it appears on your internal network. The default setting is to use a special IP address for use only on private networks. If you are planning to use NAT to allow multiple internal systems share a single “public” IP address, then the m0n0wall default LAN IP address should work fine for your setup.
This guide assumes you use the default setting on your network. More complicated networks and configurations are not discussed in this guide; however, there is a wealth of information on this topic available on the internet. [suggested links or Google searches here…]
After assigning network interfaces to ports, you will need to reboot m0n0wall. If m0n0wall does not offer to do it for you, simply choose option 5, “Reboot system” from the console menu. Once m0n0wall finishes rebooting, it’s time to re-configure at least one client computer on the LAN to know about m0n0wall, and then move to the web configuration interface, webGUI.
Once m0n0wall is configured for your network and has rebooted to activate that configuration, you will want the systems on your internal network (LAN) to connect to the internet through m0n0wall. For most situations, this could not be simpler. m0n0wall can send network settings to all of the clients on your network, automatically, when your client systems boot up. All you need to do is configure the client systems to get their network settings via DHCP:
Figure 6: Configuring client systems to receive network settings from m0n0wall. The examples are from Mac OS X 10.3 and Windows 2000. (Click for full-size images.)
m0n0wall is very flexible about how to work with LAN clients. There are other configuration possibilities, including static IP addresses configured on the client side, DHCP assigning fixed IP addresses to clients based on their Ethernet MAC address, and others. There are frequently good reasons to want these configurations, but for many home networks it’s overkill. This guide will not address these configurations.
The m0n0wall web configuration application, webGUI, is where most configuration changes are made to m0n0wall. The web interfaces allows a much more pleasant user experience than trying to configure from the console all of the different features built into m0n0wall. webGUI is both easy to use and pleasing to look at, providing a high quality, professional-looking interface to m0n0wall.
To connect to the m0n0wall webGUI, type into your browser’s location field the LAN IP address that is listed in the m0n0wall console. By default this would be http://192.168.1.1/. You will be prompted for a login and a password. The login is “admin” and the default password is “mono”. (This will be changed in the next step!)
After entering the authentication information, if you’ve correctly set up your physical network, the m0n0wall console settings, and your client’s network settings, you should be presented with the m0n0wall webGUI splash screen:
Figure 7: The m0n0wall webGUI configuration application.
Congratulations! You have done 80% of the work to set up m0n0wall to serve and protect your network! Almost all of the hard work is behind you.
Once logged into the webGUI configuration interface it is possible to finish setting up m0n0wall for your network. The first step is to change the default administrative password, which is done in the System / General setup panel:
Figure 8: General settings for m0n0wall.
Enter the new admin password in the Password fields midway through the General setup panel, and click the Save button at the bottom. Don’t worry about the other settings yet, just change the password. (Forgetting to change default passwords is the number one security hole in network infrastructure.) m0n0wall should report that it successfully saved the changes.
After changing the admin password, the rest of the options on the General setup panel can be reviewed and updated. The important settings to enter are:
If you will ever be administering m0n0wall remotely from a public
network, you should also change the webGUI protocol to HTTPS. If you do so,
remember that the URL for accessing webGUI will change to
https://192.168.1.1/ (if you’re using the default address) — note that the URL now
Also, when accessing the new URL, your browser may give you an alert about not being able to verify the authenticity of the site. You can eliminate this message by giving the server an SSL certificate, in the webGUI SSL certificate/key section of the Diagnostics / Advanced settings panel. This is beyond the scope of this guide. [[mostly because I don’t know how to do this myself, yet…]]
The other settings here may be useful to modify, but we will not deal with them in this guide.
To configure or review the settings for the LAN interface, go to the Interfaces / LAN panel:
Figure 9: Configuring the LAN interface.
The settings here allow you to configure the range of IP addresses that can be used on your internal network. If you have a relatively small network (fewer than 200 systems), and plan to use NAT to connect them to the internet, there is no good reason to make changes to the default m0n0wall settings for the LAN interface.
If your internal network is large, and you therefore need a larger range of IP addresses, you can make that change here. Enter the IP address for m0n0wall on your internal network, and then, using the CIDR-style netmask pop-up menu, say how big to make the network. If your network is larger than 200 systems, you may as well go all out here, and enter 10.0.0.1 / 8, to allocate a very large range of IP addresses to your internal network.
While the number of settings fields on this panel is small, the range of possibilities, and the reasons for making changes from the defaults, is quite large. If your needs are not met by the defaults here, you probably need a much larger networking reference than this guide. [[Recommendation???]]
The final step for setting up m0n0wall for the first time is to configure the WAN interface. This is done using the Interfaces / WAN settings panel:
Figure 10: Configuring the WAN interface for DHCP.
The settings here tell m0n0wall how to connect to the external network, usually your ISP’s connection to the internet. There are a variety of ways in which external networks allow connections, which is why this settings panel looks so complicated. Don’t worry, you don’t have to fill it all out!
First, you need to tell m0n0wall what kind of connection to make. There are four different possible types of WAN interface, and these are set via the Type pop-up menu. Which type you choose will depend on what kind of network you are connecting to. The first three options (DHCP, Static, and PPPoE) are most frequently used to connect to the internet via an ISP. The last option (PPTP) is commonly used to connect to private networks, i.e., connecting a satellite office with the main corporate network. PPTP will not be discussed here.
For each type of connection, there is a section further down the panel, which allows you to enter the details of the connection. You only need to fill in the details for the type of connection you have chosen. All the other information can and should be left blank. This means the WAN Interface settings panel is a lot simpler than it looks.
In the same way that m0n0wall can use DHCP to distribute network settings to your client systems, your ISP can use DHCP to provide network settings for m0n0wall to use for itself. If your ISP’s network provides DHCP, then this is by far the easiest way to set up. In fact, because this is the default setting, your network connection may already be working! (Go ahead and test, as described in Testing the Network Connection below.)
The only setting you might need to provide for a DHCP connection is the Hostname, in the DHCP client configuration section of the panel. Your ISP will have to tell you what, if anything, to put in this field. But if your connection is already working, you can leave it blank.
Once you have entered the appropriate information into the DHCP WAN interface section, click the Save button at the bottom of the panel.
If you received a fixed IP address from your ISP (as opposed to a dynamic IP address, which changes regularly), then you will want to configure a Static WAN interface. This is commonly the case if you have a “business-class connection” service agreement with your ISP, which among other things allows you to run your own servers without violating your ISP’s terms of service. But there are a variety of reasons why you might have a fixed or static IP address given to you by your ISP. In any case, if they gave you an IP address and a netmask to use in your network settings, this is the way to go.
Configuring a Static WAN interface is not much harder than a DHCP WAN interface, once you have gathered the necessary information as described at the beginning of this document. You will need the following details:
Enter the m0n0wall IP address into the IP address field, and the network gateway IP address into the Gateway field.
The netmask is a little tricky. Most ISPs and desktop operating systems display the netmask as a series of four numbers separated by periods (very similar to an IP address), e.g., 255.255.255.248. m0n0wall uses the CIDR-style notation, which is a slash (“/”) and a number between 1 and 31. You enter it via the pop-up menu after the IP address field.
Explaining the differences or the conversion formula is more complicated than it’s worth. Here’s a translation table you can use to convert from the most likely traditional style netmasks to CIDR-style netmasks:
|Traditional Netmask||CIDR Netmask|
Once you have entered the appropriate information into the Static WAN interface section, click the Save button at the bottom of the panel.
PPP was the standard way of connecting to the internet via a dial-up connection using a regular modem and phone line. PPPoE is a way of doing PPP over Ethernet, instead of a phone line.
While that sounds complicated, the good news is that PPPoE is the second-easiest WAN Interface type to configure, after DHCP. You just need to plug your PPPoE username and password into the PPPoE configuration section of the WAN Interface settings panel.
You may also need the service name in this same section, but as the m0n0wall interface suggests, you can probably skip it. Try connecting with it blank, and if it doesn’t work, look for this in the information sent to you by your ISP, etc.
Once you have entered the appropriate information into the PPPoE WAN interface section, click the Save button at the bottom of the panel.
Once you’ve entered the necessary settings as described above, you’re ready to test your network connection. The simplest way to do this is to visit a public website using the same web browser you just used to configure m0n0wall. Try yahoo.com, google.com, or itunes.com for starters. If any of the sites load, your m0n0wall configuration is probably working fine. Congratulations!
You may want to test other kinds of network connections besides web connections, because some network protocols behave differently than the HTTP protocol that underlies the web.
One example that deserves checking is FTP, which definitely needs to be configured correctly to work from behind m0n0wall. By default m0n0wall only supports “passive” FTP, and “active” FTP is likely to fail. (The difference between active and passive FTP is complicated.) You may need to make configuration changes to your system or file transfer tools:
Figure 11: Examples of configuring client systems and applications to use passive (“PASV”) FTP.
Other applications you might want to test at this time include streaming media players. Go to QuickTime.com and watch some movie trailers. Go to NPR.org and listen to some news, or the latest episode of Fresh Air. Use iTunes to listen to a few music samples from the iTunes Music Store.
Effectively and completely testing a firewall is a topic far beyond the scope of this guide. However, you can make use of Gibson Research Corporation’s ShieldsUP! service to quickly test your new m0n0wall gateway. While no substitute for a professional assessment of your network’s security, it’s a great way to identify some of the easier-to-plug holes you may have overlooked.
[[This section to be written later…]]
This guide is copyright © 2004 by Michael A. Alderete
and is licensed under a
Creative Commons License.
Getting Started with m0n0wall: version 1.0, 22-Jan-2004.