Miller Family Site
For family and friends
m0n0wall round 2
Written by terry miller
Sunday, 29 August 2004

I went out and bought 2 new network cards (Linksys, $14) so that I could finish the m0n0wall test. The network configuration is wired and wireless LANs on separate subnets with limited traffic between them. I'll go through the step by step setup.

Interface Setup

The first chore was to get all of the interfaces working. The LAN and WAN interfaces were set up from the preliminary console menu. The LAN IP was also set up there. Setup was pretty straightforward, just remove the old DHCP server after starting m0n0wall's. The rest of the configuration is done with the web GUI.


The third interface is added by clicking the (assign) link next to the interfaces menu. Once you notice that (assign) is a link the rest of the setup is easy: just click the round button, select the interface (MAC addresses are shown) in the dropdown list box and save the config. After a reboot there will be an OPT1 link under interfaces which you can use to configure the IP settings. If you then go to the DHCP menu you will see an OPT1 tab that allows you to set up a DHCP server on that interface as well.


M0n0wall by default sets itself up as a DNS forwarder. Rather than passing the ISP's DNS server to the client computers it sends its own IP as a DNS server and fulfills any requests. There is no noticeable increase in latency so I just left it that way.


New version

At this point I'll take a break. It seems that m0n0wall 1.1 (8/22/04) is out so I'll burn that to CD and continue my review based on that. Downloading the new ISO image was easy and quick. Since m0n0wall runs in memory a reboot is required to update the version. You can read about the changes on the m0n0wall site; the most obvious differences are the "Proxy ARP", "Captive portal", "Wake on LAN", and "Traffic Graph" menu options.

DHCP
DHCP options include supplying a WINS server and setting the lease lifetime. Specific IP addresses may be tied to specific MAC addresses. This didn't work the first time for me, but it's working now. The IP-MAC mappings must be addresses outside of the DHCP pool. Even though m0n0wall doesn't request it, you should reboot after configuring these mappings to get the configuration to work.
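The "mappings must be outside the DHCP pool" rule above is easy to get wrong by hand, so here is an added checker (my own example, not code from m0n0wall or the author) that walks a config and flags static mappings that fall inside the pool or off the interface's subnet. It assumes the config.xml layout `<dhcpd><lan|opt1><range>...<staticmap>` and an `<interfaces>` section with `ipaddr`/`subnet`; the sample document is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed config.xml layout; not exported from a real router.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <interfaces>
    <lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.50</ipaddr></staticmap>
      <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>192.168.1.150</ipaddr></staticmap>
    </lan>
    <opt1>
      <enable/>
      <range><from>192.168.2.100</from><to>192.168.2.199</to></range>
      <staticmap><mac>00:11:22:33:44:77</mac><ipaddr>192.168.1.60</ipaddr></staticmap>
    </opt1>
  </dhcpd>
</m0n0wall>
"""


def check_static_maps(config_xml):
    """Return (interface, mac, ip, problem) for each static mapping that is
    inside that interface's DHCP pool or not on the interface's subnet."""
    root = ET.fromstring(config_xml)
    problems = []
    for dhcp_if in root.find("dhcpd"):          # one child per interface: lan, opt1, ...
        name = dhcp_if.tag
        iface = root.find(f"interfaces/{name}")
        net = ipaddress.ip_network(
            f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}", strict=False)
        lo = ipaddress.ip_address(dhcp_if.findtext("range/from"))
        hi = ipaddress.ip_address(dhcp_if.findtext("range/to"))
        for sm in dhcp_if.findall("staticmap"):
            mac = sm.findtext("mac")
            ip = ipaddress.ip_address(sm.findtext("ipaddr"))
            if ip not in net:
                problems.append((name, mac, str(ip), "outside interface subnet"))
            elif lo <= ip <= hi:                 # the mistake the text warns about
                problems.append((name, mac, str(ip), "inside DHCP pool"))
    return problems


if __name__ == "__main__":
    for p in check_static_maps(SAMPLE_CONFIG):
        print(p)
```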


IPSEC VPN
Setting up an IPSEC VPN was remarkably simple. Perhaps this was because the default configuration matches my work configuration. The notes below the configuration options are clear and concise. I like the way the different phases are laid out on the screen. There is no support for certificates that I can see, but using a fairly long random pre-shared key is pretty secure and I've used that config for a while.


One of the best features of m0n0wall's VPN configuration is the support for multiple encryption algorithms simultaneously. M0n0wall defaults to 3DES, Blowfish, CAST128 and AES all selected, with MD5 and SHA1 selected for the hashes. This should get anyone connected. My other endpoint expects a certain configuration and that configuration was negotiated in just under 3 seconds at boot. The diagnostics menu has an IPSEC option to view the built tunnels.

IPSEC VPNs are supposed to work with different security association lifetimes specified at each endpoint, so I tested that. The connection was built just as rapidly with the differing lifetimes. I did not see a place to set the lifetime based on the amount of data transferred.

It would be nice to see a certificate generator built into m0n0wall since the PC platform has so much processing power anyway. It would also be nice to set the lifetime by the amount of data transferred as well as by time. Neither of these settings is absolutely critical, but both could result in a slightly more secure connection if this were used as the primary VPN endpoint with heavily used connections.

Overall, this was the easiest IPSEC VPN configuration I've seen. The shortcomings are minimal. If traffic is expected to be heavy, as in site to site VPNs, just set a short SA lifetime and use a strong pre-shared key. In my case the other endpoint requests a new tunnel based on the amount of data sent as well as time, so there's no need for a painfully short lifetime.


PPTP VPN
M0n0wall can also act as a PPTP endpoint for up to 16 concurrent PPTP connections. This is handy because Microsoft bundles a built-in PPTP client with XP.

The PPTP connection can be set up with username/password combinations or use a RADIUS server. Some of the settings include assigning specific users specific IP addresses and requiring 128-bit encryption.

Dynamic DNS
M0n0wall includes support for DynDns.org, ZoneEdit, DHS, ODS, DyNS, HN.org, GnuDip, easyDNS, EZ-IP and TZO. The DynDNS account was tested and it works. Only one client works at a time, so if you have multiple dynamic accounts you'll still need a software solution.


Traffic Grapher
This requires the Adobe SVG viewer. I don't know whether the plug-in mentions it, but shut down all Firefox windows before running the installer. I didn't, and so I had to reboot to get the viewer to work in Firefox. IE was not open so it worked there right away. It's a pretty cool feature that I'll use when I set up bandwidth shaping.

 

Network configuration:

The network was set up with 2 LAN subnets and a PPPoE WAN configuration. This would seem to me to be the most common reason to choose m0n0wall. Routers with true DMZs are relatively expensive. The DMZ in this case could be used for a wireless LAN or a series of publicly available servers. The illustration below represents the current configuration.


Let me just mention that when using routers to test the configuration of a routed LAN you need to add static routes on the LAN side of the routers. This situation takes care of itself when using computers with DHCP. Otherwise you can spend a fair amount of time troubleshooting a problem that isn't there.


Installation Summary:
1) Download and write m0n0wall to CD if testing with the CD/floppy config.
2) Boot and configure interfaces from the menu. I liked the automatic config where you connect the interfaces as you go.
3) Enter the web GUI and configure the OPT1 subnet and DHCP. This is two steps really.
4) Configure firewall rules between the LAN subnets.
5) Don't configure the wireless access points for static routes and drive yourself mad troubleshooting the routing. You can skip this step if you like.
6) Configure IPSEC (this is so easy with m0n0wall to Cisco).
7) Configure Dynamic DNS if required. Again, this is as simple as any client.

Total time if you skip step 5 is about 30 minutes the first time through. If you've done it before maybe 15 minutes. If you choose to include step 5 it mostly depends on how long it takes you to ask for help (about a week in my case).

Conclusion:

m0n0wall is not a toy. It's a serious router in a really easy to configure package. The ability to run off of a compact flash card on a cheap motherboard makes it as stable as any router. Anyone who uses routing should really familiarize themselves with it. The main uses I see are separating intranets or wireless networks from corporate LANs, but there have to be many more.

It functions fine as a home router behind a cable or DSL modem, but it requires a PC or a Soekris box, which can make it more expensive than necessary. If you are going to use bandwidth shaping, 3 interfaces, and the VPN capabilities then m0n0wall becomes much more cost effective even with purchasing hardware to run it on. With more than 3 interfaces in use m0n0wall is certainly the least expensive option; you just need to see if it has the features you need.

If you run into problems m0n0wall has an active mailing list that will answer even stupid questions rather quickly. I had an answer in about an hour and a second answer 45 minutes later. Please do your homework before asking questions though. There are a lot of rather advanced discussions going on in the mailing list that require research on the part of the participants.

Hopefully this document can serve as somewhat of an initial set up guide. Please consider contributing some time or money if you choose to use m0n0wall.

These guys are working for no pay here.

Next:

Firewall rules and bandwidth shaping. The firewall rules are a little unusual compared to what I'm used to. Bandwidth shaping will be a learning curve for me.

Some useful links for the interested:

m0n0wall home
Soekris hardware
pc engines hardware
FreeBSD supported hardware

My first impressions of m0n0wall
My magic traffic shaper implementation


Last Updated ( Wednesday, 22 September 2004 )