Technical Solution

We propose deploying a Soekris net4511 to provide wireless coverage to the surrounding neighborhood. This device would run M0n0wall, a FreeBSD-based firewall operating system. The advantage of the net4511 is that it supports a PCMCIA card (allowing us to install a 200 mW Senao radio) in addition to a mini-PCI slot, which we could leave unoccupied and available for future 802.11a expansion. Unlike the Netgate G8 WRAP-based alternatives, the Soekris net4511 has two Ethernet ports.

We intend to assign one port to the WAN. We have selected DSL Extreme as the ISP, as their ToS allow connection sharing. The other port will be configured as the LAN port (a segment protected and firewalled from the WLAN segment). The LAN port of the Soekris device will be connected to a 24-port switch, which will then be connected to the lab PCs.

M0n0wall offers standard functionality that we intend to enable, including a captive portal, bandwidth shaping, SNMP monitoring and more.

El Toyon m0n0wall configuration

Here are the steps taken to program m0n0wall for use at El Toyon Rec Center with a Soekris 4511 box. Read the Network Configuration in conjunction with this guide.

Download M0n0wall and install it on a 16MB CF card.
Connect Ethernet to eth0 (PoE). By default, M0n0wall runs a DHCP server on that interface and will give your laptop an IP address of 192.168.1.199/24 with a default gateway of 192.168.1.1. Open a browser and point it to 192.168.1.1. The default username/password is admin/mono.

The latest version of m0n0wall available at the time, 1.2b6, was used. It was configured as follows.

Query: It would also be possible to bridge the wireless and LAN interfaces and use a single /24 subnet instead of two separate ones. This may be a preferable configuration. It also has the advantage of forcing the captive portal onto the lab computers as well, which would otherwise bypass the captive portal because it can only be active on one interface.

  1. IMPORTANT NOTE: Do not reboot until you have made all changes.
  2. Click System -> General Setup:
    • Change hostname to ElToyonRecCenter
    • change password
    • set webGUI protocol to https
    • set timezone to America/Los_Angeles
  3. Click Save
  4. Click Interfaces | assign, then click on the + (this will add the third interface) and then click Save
  5. Click Interfaces | WLAN
  6. Click Interfaces | OPT1
    • Click (to select) "Enable Optional 1 interface"
    • rename OPT1 to WLAN
    • set the WLAN IP to 10.12.10.129/25
    • set the SSID to "socalfreenet.org" (lower case, no quotes)
    • set the channel (we're using 1)
    • WEP should be disabled
  7. Click Interfaces | assign
    • Verify Interfaces: LAN, WAN and WLAN are assigned to sis0, sis1, wi0 respectively.
  8. Click Interfaces | LAN
    • set the LAN IP to 10.12.10.1/25, click Save.
  9. Click Interfaces | WAN
    • set the WAN to PPPoE as the DSL modem will be PPPoE
    • fill out the PPPoE username and password
    • leave the Enable Dial-On-Demand *un*checked - this will create a full time connection
    • leave the idle timeout empty
    • Click Save
  10. Click Services | DHCP Server
    • LAN Tab: enable DHCP Server, set range to 10.12.10.50 - 10.12.10.99, click Save.
    • WLAN Tab: enable DHCP Server, set range to 10.12.10.154 - 10.12.10.250, click Save.
  11. Click Firewall | Rules
  12. Click on the LAN tab (if not already selected). Then click on the + sign next to the rule with the description "Default LAN -> any". This creates a new rule with the same settings and opens it for editing. Then change:
    • Interface: WLAN
    • Source: WLAN subnet
    • Description: Default WLAN -> any
  13. Click Save
  14. Click Apply Changes

That completes the important settings. Everything should basically work at this point, and it's worth stopping to make sure. Click Reboot.

After rebooting, you'll need to release and renew your IP address. Assuming you are on a wired interface, M0n0wall should assign an IP address of 10.12.10.99/25 with a default gateway of 10.12.10.1. Open a browser and point it to https://10.12.10.1 (don't forget the S in httpS://10.12.10.1).

We want to keep the LAN completely firewalled from the WLAN, so we need some rules to ensure that it is:

  1. Click Firewall | Rules | WLAN tab
  2. Click 'e' next to the WLAN rule that allows all traffic anywhere
    • under Destination check the 'not' box and then select LAN subnet from Type
    • modify the description (e.g. add ", except LAN")
  3. Click Save
  4. Click Apply Changes

Unfortunately, we now can't access the browser-based administration interface via wireless from the WLAN, so we add another rule. We make this rule very specific:

  1. Click Firewall | Rules | WLAN tab
  2. Click '+' next to the WLAN rule that allows all traffic anywhere (except LAN)
    • change Protocol to TCP
    • Under "Destination", deselect "not".
    • Under "Destination", change to Type "Single host or alias" and the address to 10.12.10.1
    • Under "Destination port range", set "from:" and "to:" to HTTPS
    • Under "Description", change to "Allow WLAN admin access"
  3. Click Save
  4. Now move the new rule to the top by checking the empty box next to it and then clicking the left arrow next to the first rule.
  5. Click Apply Changes

At this point it should now be possible to access https://10.12.10.1 from a client on the WLAN interface (i.e. a wireless client).
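The two WLAN rule edits above (block everything to the LAN subnet, then allow HTTPS to 10.12.10.1 only) are easy to get wrong in the GUI, so here is an added example, not m0n0wall code, that models the resulting WLAN rule set and the /25 addressing plan. It reproduces only the "first matching rule wins, otherwise deny" behaviour the guide relies on (m0n0wall's real filter is ipfilter, which is not modelled). The `Rule` class, `evaluate` and `dhcp_range_ok` are hypothetical helpers; the sample client address 10.12.10.200 and the destination 198.51.100.10 are constructed.

```python
# Added example (not m0n0wall code): first-match simulation of the WLAN rules
# built in the guide, plus a sanity check on the two /25 DHCP ranges.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Addressing plan from the guide.
LAN_SUBNET = ip_network("10.12.10.0/25")      # LAN IP 10.12.10.1/25
WLAN_SUBNET = ip_network("10.12.10.128/25")   # WLAN IP 10.12.10.129/25
ADMIN_HOST = ip_network("10.12.10.1/32")      # webGUI reached via the LAN address


@dataclass
class Rule:
    description: str
    action: str                    # "pass" or "block"
    proto: Optional[str]           # None means any protocol
    src: IPv4Network
    dst: Optional[IPv4Network]     # None means any destination
    dst_not: bool = False          # the "not" checkbox under Destination
    dport: Optional[int] = None    # None means any destination port


# WLAN tab, in the order the guide leaves it (admin rule moved to the top).
WLAN_RULES = [
    Rule("Allow WLAN admin access", "pass", "tcp", WLAN_SUBNET, ADMIN_HOST, False, 443),
    Rule("Default WLAN -> any, except LAN", "pass", None, WLAN_SUBNET, LAN_SUBNET, True),
]


def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule description) for the first rule matching the flow.

    A flow that matches no rule falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        # Skip when the destination is inside a negated set, or outside a plain one.
        if r.dst is not None and (d in r.dst) == r.dst_not:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.description
    return "block", "implicit default deny"


def dhcp_range_ok(subnet: IPv4Network, first: str, last: str) -> bool:
    """Check that a DHCP range lies inside its interface subnet and is ordered."""
    lo, hi = ip_address(first), ip_address(last)
    return lo in subnet and hi in subnet and lo <= hi


if __name__ == "__main__":
    # Constructed sample flows from a wireless client at 10.12.10.200.
    flows = [
        ("10.12.10.200", "198.51.100.10", "tcp", 80),   # Internet host
        ("10.12.10.200", "10.12.10.60", "tcp", 445),    # lab PC on the LAN
        ("10.12.10.200", "10.12.10.1", "tcp", 443),     # webGUI over HTTPS
        ("10.12.10.200", "10.12.10.1", "tcp", 80),      # webGUI over plain HTTP
    ]
    for flow in flows:
        print(flow, "->", evaluate(WLAN_RULES, *flow))
    print("LAN DHCP range ok:", dhcp_range_ok(LAN_SUBNET, "10.12.10.50", "10.12.10.99"))
    print("WLAN DHCP range ok:", dhcp_range_ok(WLAN_SUBNET, "10.12.10.154", "10.12.10.250"))
```

Running it shows the Internet flow and the HTTPS admin flow passing, while the flow to a lab PC and plain HTTP to 10.12.10.1 both fall through to the default deny, which is exactly the isolation the two rule edits are meant to give. Any other flow you are unsure about can be added to `flows` before trusting it on the live box.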

Some additional settings will complete the configuration:

  1. Click Diagnostics | Logs | Settings tab
  2. Click (Select) "Show log entries in reverse order (newest entries on top)"
  3. Click (Select) "Enable syslog'ing to remote syslog server"
    • Under "Remote syslog server", enter xx.xx.xx.xx and select all events except firewall
  4. Click Save
  5. Click Firewall | Traffic shaper | Magic shaper wizard tab
  6. Click (Select) "Set P2P traffic to lowest priority" and "Share bandwidth evenly on LAN"
  7. Click Install/Update
  8. Click the Rules tab
  9. Click (Select) Enable traffic shaper
  10. Click Save
  11. Click Services | Captive portal:
  12. Click (Select) "Enable captive portal"
    • Under "Interface", select WLAN
    • Under "Idle timeout", enter 60 minutes
    • Under "Hard timeout", enter 1440 minutes (24 hours)
    • Under "Portal page contents", add the portal page - see file attached to this page
  13. Click Save
  14. Click on Allowed IP addresses tab
  15. Click on the blue plus sign, to the right of the description field
    • Under "Direction", select "To"
    • Under "IP address", enter 216.193.213.171
    • Under "Description", enter www.socalfreenet.org
  16. Click Save
  17. Click Apply Changes

That's it! Save the configuration just to be safe (under Diagnostics -> Backup/Restore).

Further configuration can be done for syslog, outside PPTP access, etc. This will be added here as time permits.