Golden Villas - m0n0wall configuration

Here are the steps taken to program m0n0wall for use at Golden Villas apartments with a Soekris 4501 box. Read the Network Configuration in conjunction with this guide.

The latest version of m0n0wall available was used, 1.2b3. It was configured as follows.

  1. Interfaces -> assign: add the third interface and enable it
  2. Rename the interfaces: LAN, WLAN and WAN and assign to sis0, sis1, sis2 respectively
  3. set the LAN IP to
  4. set the WLAN IP to
  5. leave WAN at DHCP as the cable modem will be DHCP
  6. Under Services -> DHCP:
    • set LAN range to -
    • set WLAN range to -
  7. Under System -> General Setup:
    • Change hostname to goldenvilla
    • change password
    • set webGUI protocol to https
    • set timezone to America/Los_Angeles
  8. Under Firewall -> Rules, click on the LAN tab (if not already selected). Then click on the + sign next to the rule that has the description "Default LAN -> any". This will create a new rule with the same settings and open it in edit mode. Then change:
    • Interface: WLAN
    • Source: WLAN subnet
    • Description: Default WLAN -> any

Those are the important settings completed. Everything should basically work at this point and it's worth stopping to make sure.

We want to keep the LAN completely firewalled from the WLAN so we need some rules to ensure that it is:

  1. click on the Firewall -> Rules -> WLAN tab
  2. click 'e' next to the WLAN rule that allows all traffic anywhere
  3. under Destination check the 'not' box and then select LAN subnet from Type
  4. tweak the description (e.g. add ", except LAN")
  5. Click Save
  6. Click Apply Changes

Unfortunately now we can't admin the firewall via wireless on the WLAN, so we add another rule. We make this rule very specific:

  1. click on the Firewall -> Rules -> WLAN tab
  2. click '+' next to the WLAN rule that allows all traffic anywhere
  3. change Protocol to TCP
  4. change Destination to Type "Single host or alias" and the address to
  5. set the Destination port range to HTTPS
  6. tweak the description, e.g. "Allow WLAN admin access"
  7. Click Save
  8. now move the new rule to the top by checking the empty box against the new rule and then clicking on the left arrow against the first rule
  9. Click Apply Changes

At this point it should now be possible to access from a client on the WLAN port (i.e. a wireless client once WLAN is connected to an AP).
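
A small model of the two WLAN rules built above, added here as an example and not part of the original guide. The addresses are constructed (the guide's own LAN and WLAN values are not shown), and it assumes rules are checked top to bottom with the first match winning and unmatched traffic blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses; the guide's real LAN/WLAN values are not shown.
LAN_NET = ipaddress.ip_network("10.10.1.0/24")
WLAN_NET = ipaddress.ip_network("10.10.2.0/24")
FW_LAN_IP = ipaddress.ip_network("10.10.1.1/32")  # webGUI address (assumed)

@dataclass
class Rule:
    descr: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None  # None means "any"
    dst_not: bool = False                        # the 'not' checkbox
    proto: Optional[str] = None                  # None means any protocol
    port: Optional[int] = None                   # None means any port

    def matches(self, proto, src, dst, port):
        if self.proto is not None and proto != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is None:
            return True
        # A negated destination matches everything outside the network.
        return (ipaddress.ip_address(dst) in self.dst) != self.dst_not

EXCEPT_LAN = Rule("Default WLAN -> any, except LAN", WLAN_NET, LAN_NET, dst_not=True)
ADMIN = Rule("Allow WLAN admin access", WLAN_NET, FW_LAN_IP, proto="tcp", port=443)

def evaluate(rules, proto, src, dst, port=None):
    """Assumed model: first matching pass rule wins, anything else is blocked."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return "pass: " + rule.descr
    return "block: no rule matched"

if __name__ == "__main__":
    client = "10.10.2.50"  # constructed wireless client
    flows = [("tcp", "10.10.1.1", 443), ("tcp", "10.10.1.1", 80),
             ("tcp", "10.10.1.20", 445), ("icmp", "10.10.1.20", None),
             ("tcp", "198.51.100.7", 443)]
    for name, rules in (("isolation only", [EXCEPT_LAN]),
                        ("with admin rule", [ADMIN, EXCEPT_LAN])):
        for proto, dst, port in flows:
            print(name, proto, dst, port, evaluate(rules, proto, client, dst, port))
```

Trying the same flows from a real wireless client after Apply Changes confirms whether the firewall behaves as the model predicts.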

Some more settings will complete the configuration:

  1. Under Diagnostics -> Logs -> Settings
    • set remote syslog server IP
    • check "Show log entries in reverse order"
  2. fill in the Firewall -> Traffic shaper -> Magic shaper wizard settings and enable the traffic shaper. Check both options - share bandwidth evenly and set P2P to lowest priority
  3. configure Services -> captive portal:
    • enable captive portal
    • interface WLAN
    • idle timeout: 60 mins
    • hard timeout: 1440 mins (24 hours)
    • add the portal page - see file attached to this page
  4. click on Services -> captive portal -> Allowed IP addresses and allow to be visited without authentication
    • select "To"
    • add IP
    • description:

That's it! Save the configuration just to be safe (under Diagnostics -> Backup/Restore).

captiveportal.html (20.15 KB)

