Access Point: Configuring m0n0wall



The m0n0wall project is at http://m0n0.ch/wall (fyi for those who came from google).

In our standard Access Point, m0n0wall will run on each of two radios. The basic configuration we're trying to achieve is:

  • separate subnet
  • local dhcp

Through trial and error it seems the best way to assign these roles in m0n0wall is as follows.

Prepare the Soekris

Not absolutely necessary, but we prepared the Soekris boards by connecting a serial adapter, booting, interrupting the boot sequence within 5 seconds with Ctrl-P, and entering the following commands:

set conspeed 9600
set pxeboot disabled
set bootdelay 2

The console speed is set to match the default m0n0wall console speed. Disabling PXE boot seems like a good idea. And the minimum 2-second boot delay shaves 3 seconds off the boot time.

Radio 1 - Relay

One radio provides the relay back to 'home base'. This radio also provides DHCP services and routing. We use the WAN port to communicate to the "Home AP" and LAN is hardwired to the local AP radio. Here are the configuration steps:

  1. Start with a default configuration of m0n0wall. This has an IP of 192.168.1.1 and has DHCP enabled. Hook up a standalone computer set to DHCP to the first LAN port (for Soekris anyway). Connect to m0n0wall via a browser as usual.
  2. Click on Interfaces (assign). For WAN, choose wi0, Save.
  3. Click on Interfaces -> WAN. Change Type to static. In Static IP Configuration set the IP to an unused IP in the Home AP's range (e.g. 10.0.0.251). Set the mask to match the destination network (e.g. 24), not 31. Likewise set the Gateway (e.g. 10.0.0.1).
  4. Under Wireless Configuration, set Mode to BSS, SSID to the Home AP's SSID (e.g. socalfreenet.org).
  5. Uncheck "Block private networks" at the bottom of that page. Click Save.
  6. In Interfaces -> LAN, change the IP to reflect the local subnet desired, e.g. 10.0.5.1. Common practice is to end it in 1. Make sure the mask is set appropriately (e.g. 24) as it may change automatically. Click Save.
  7. In Services -> DHCP, update the allocated range to match your LAN IP (e.g. 10.0.5.100 - 10.0.5.199). Click Save.
  8. Go to Diagnostics -> Reboot System. Answer Yes and wait. With luck your computer will get a new IP in the LAN range.
  9. Log back in via the new LAN IP address you set above (e.g. 10.0.5.1).
  10. Go to System->General Setup. Enter the DNS server addresses. Set the timezone. Click Save.
  11. In Firewall -> NAT, click on Outbound and then "Enable advanced outbound NAT". Click Save. (This will effectively disable NAT so the addresses are passed through.) Click Apply Changes if prompted.

At this stage your LAN computer should be able to ping the gateway computer beyond the WAN port (e.g. 10.0.0.1). It may even be able to ping external hosts (e.g. www.yahoo.com). A couple of issues may stop this from happening. My internet gateway box (at 10.0.0.1) is also running m0n0wall, and I had to make two changes to its configuration before Radio 1 traffic could reach the internet:

  • I needed to add a static route so traffic could be sent back to the 10.0.5.0 subnet. Using the values above, I did this in System -> Static Route: click '+' to add a new route, then enter OPT1 (wireless) as the Interface, 10.0.5.0/24 as the destination network and 10.0.0.251 as the gateway (i.e. the WAN address of the wireless radio).
  • I had to expand the subnet from 10.0.0.0/24 to 10.0.0.0/21 (i.e. 255.255.248.0). I'm not sure exactly why this was necessary. At first it was because of a default rule blocking non-LAN IPs internally (i.e. block !10.0.0/24), but that later went away (perhaps because of the static route above). Perhaps it was because, without the wider net, no NAT was performed for the 10.0.5.0 subnet. Anyhow, expanding the subnet mask made everything work.
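To see why those two gateway changes matter, here is an added model (not from the original page) of the home gateway's route lookup and its "block !LAN" rule, using the page's addresses (10.0.0.1 gateway, 10.0.0.251 relay WAN, 10.0.5.0/24 relay LAN). The route labels "connected" and "internet-uplink" and the client address 10.0.5.120 are assumed for illustration.

```python
from ipaddress import ip_address, ip_network

# Addresses from the page: the relay radio's WAN address on the home
# network and the subnet it serves behind its LAN port.
RELAY_WAN = ip_address("10.0.0.251")
RELAY_LAN = ip_network("10.0.5.0/24")

def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    dst = ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def gateway_routes(lan_prefixlen, static_route=False):
    """Routing table of the home gateway (10.0.0.1) as the page describes it:
    a connected LAN 10.0.0.0/<lan_prefixlen>, a default route to the internet
    and, optionally, the static route 10.0.5.0/24 via 10.0.0.251."""
    routes = [(ip_network(f"10.0.0.0/{lan_prefixlen}"), "connected"),
              (ip_network("0.0.0.0/0"), "internet-uplink")]
    if static_route:
        routes.append((RELAY_LAN, RELAY_WAN))
    return routes

def return_path(lan_prefixlen, static_route, client="10.0.5.120"):
    """Where the gateway sends a reply destined for a relay-LAN client
    (constructed client address). Without the static route and with a /24 LAN
    the reply leaks out the default route instead of going to the relay."""
    _net, next_hop = lookup(gateway_routes(lan_prefixlen, static_route), client)
    return str(next_hop)

def blocked_by_not_lan_rule(lan_prefixlen, src="10.0.5.120"):
    """Models the 'block !10.0.0/24' rule as a source-address check (assumption):
    a packet is dropped when its source lies outside the gateway's LAN subnet.
    Widening the LAN to /21 (10.0.0.0 - 10.0.7.255) makes 10.0.5.x pass."""
    return ip_address(src) not in ip_network(f"10.0.0.0/{lan_prefixlen}")

if __name__ == "__main__":
    for prefixlen, static in ((24, False), (24, True), (21, False)):
        print(f"LAN /{prefixlen}, static route={static}: reply via",
              return_path(prefixlen, static),
              "| blocked by !LAN rule:", blocked_by_not_lan_rule(prefixlen))
```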

Radio 2 - Access Point

The AP radio is configured as a bridge, i.e. virtually none of the m0n0wall features are used.

  • step by step configuration to follow.
