El Toyon m0n0wall configuration

Here are the steps taken to program monowall for use at El Toyon Rec Center with a Soekris 4511 box. Read the Network Configuration in conjunction with this guide.

Download M0n0wall, install on 16MB CF Card.
Connect Ethernet to eth0 (PoE). By default, M0n0wall will be running DHCP on that interface and give your laptop an IP address of 192.168.1.199/24, with a default gateway of 192.168.1.1. Open a browser and point it to 192.168.1.1. Default username/password = admin/mono.

The latest version of m0n0wall available was used, 1.2b6. It was configured as follows.

Query: It would also be possible to bridge the wireless and LAN interfaces and just use one /24 subnet instead of two separate ones. This may be a preferable configuration. It also has the advantage of forcing the captive portal on the lab computers also - which would otherwise avoid the captive portal because it can only be active on one interface

  1. IMPORTANT NOTE: Do not reboot until you have made all changes.
  2. Click Sytem -> General Setup:
    • Change hostname to ElToyonRecCenter
    • change password
    • set webGUI protocol to https
    • set timezone to America/Los_Angeles
  3. Click Save
  4. Click Interfaces | assign, then click on the + (This will add the third interface) and then click Save
  5. Click Interfaces | WLAN
  6. Click Interfaces | OPT1
    • Click (to select) "Enable Optional 1 interface"
    • rename OPT1 to WLAN
    • set the WLAN IP to 10.12.10.129/25
    • set the SSID to "socalfreenet.org" (lower case, no quotes)
    • set the channel (we're using 1)
    • WEP should be disabled
  7. Click Interfaces | assign
    • Verify Interfaces: LAN, WAN and WLAN are assigned to sis0, sis1, wi0 respectively.
  8. Click Interfaces | LAN
    • set the LAN IP to 10.12.10.1/25, click Save.
  9. Click Interfaces | WAN
    • set the WAN to PPPoE as the DSL modem will be PPPoE
    • fill out the PPPoE username and password
    • leave the Enable Dial-On-Demand *un*checked - this will create a full time connection
    • leave the idle timeout empty
    • Click Save
  10. Click Services | DHCP Server
    • LAN Tab: enable DHCP Server, set range to 10.12.10.50 - 10.12.10.99, click Save.
    • WLAN Tab: enable DHCP Server, set range to 10.12.10.154 - 10.12.10.250, click Save.
  11. Click Firewall | Rules
  12. Click on the LAN tab (if not already selected). Then click on the + sign next to the rule that has the description "Default LAN -> any". This will create and go to edit mode a new rule with the same settings. Then change:
    • Interface: WLAN
    • Source: WLAN subnet
    • Description: Default WLAN -> any
  13. Click Save
  14. Click Apply Changes

That's the important settings completed. Everything should basically work at this point and its worth stopping to make sure. Click Reboot.

After rebooting, you'll need to release and renew your IP address. Assuming you are on a wired interface, M0n0wall should assign an IP address of 10.12.10.99/25, with a default gateway of 10.12.10.1. Open a browser and point it to https://10.12.10.1. (Don't forget the S in httpS://10.12.10.1).

We want to keep the LAN completely firewalled from the WLAN so we need some rules to ensure that it is:

  1. Click Firewall | Rules | WLAN tab
  2. Click 'e' next to the WLAN rule that allows all traffic anywhere
    • under Destination check the 'not' box and then select Lan subnet from Type
    • modify the description (e.g. add ", except LAN")
  3. Click Save
  4. Click Apply Changes

Unfortunately now we can't access the browser-based administration interface via wireless on the WLAN, so we add another rule. We make this rule very specific:

  1. Click Firewall | Rules | WLAN tab
  2. Click '+' next to the WLAN rule that allows all traffic anywhere (except LAN)
    • change Protocol to TCP
    • Under "Destination", deselect "not".
    • Under "Destination", change to Type "Single host or alias" and the address to 10.12.10.1
    • Under "Destination port range", set "from:" and "to:" to HTTPS
    • Under "Description", change to "Allow WLAN admin access"
  3. Click Save
  4. Now, move the new rule to the top by checking the empty box next to the new rule and the click on the left arrow next to the first rule.
  5. Click Apply Changes

At this point it shold now be possible to access https://10.12.10.1 from a client on the WLAN port (i.e. a wireless client).

Some additional settings will complete the configuration:

  1. Click Diagnostics | Logs | Settings tab
  2. Click (Select) "Show log entries in reverse order (newest entries on top)
  3. Click (Select) "Enable syslog'ing to remote syslog server"
    • Under "Remote syslog server", enter xx.xx.xx.xx and select all events except firewall
  4. Click Save
  5. Click Firewall | Traffic shaper | Magic shaper wizard tab
  6. Click (Select) "Set P2P traffic to lowest priority" and "Share bandwidth evenly on LAN"
  7. Click Install/Update
  8. Click the Rules tab
  9. Click (Select) Enable traffic shaper
  10. Click Save
  1. Click Services | Captive portal:
  2. Click (Select) "Enable captive portal"
    • Under "Interface", select WLAN
    • Under "Idle timeout", enter 60 minutes
    • Under "Hard timeout", enter 1440 minutes (24 hours)
    • Under "Portal page contents", add the portal page - see file attached to this page
  3. Click Save
  4. Click on Allowed IP addresses tab
  5. Click on the blue plus sign, to the right of the description field
    • Under "Direction", select "To"
    • Under "IP address", enter 216.193.213.171
    • Under "Desription", enter www.socalfreenet.org
  6. Click Save
  7. Click Apply Changes

That's it! Save the configuration just to be safe (under Diagnostices -> Backup/Restore).

Further configuration can be done for syslog, outside PPTP access etc. This will be added here as time permits.