m0n0wall Firewall

Last modified on 8/14/2015 12:51 PM by User.

m0n0wall is an open source firewall, Internet access device and VPN endpoint built into one software package.  It runs on FreeBSD, a variant of Unix, and can be installed on regular PC hardware or on embedded systems.  An example of an embedded system is the WRAP (Wireless Router Application Platform) board from PC Engines, which runs a stripped-down version of the OS and has no hard drive.  The programs and OS are stored on a compact flash card that is written with a simple Windows utility.  The advantage of having no moving parts such as a hard drive is that once the unit is running, it is much more reliable.

The hardware documentation WRAP.1D-2_20(1-3)-manual.pdf describes the lower-level system, much of which we didn't need to use, since the m0n0wall documentation and site had great directions on how to put this all together.

The MV Software m0n0wall unit was assembled using an embedded system from www.mini-box.com.  Our unit came with three Ethernet ports.  We configured one of them as our LAN port on the internal subnet (Subnet: 192.168.100.0, Mask: 255.255.255.0), another as our WAN port (IP Range: 68.167.9.18 - 31, Mask: 255.255.255.240), and the last one, referred to as the OPT (optional) port, as our wireless LAN (Subnet: 192.168.200.0, Mask: 255.255.255.0).

We have used the m0n0wall to expose certain internal services (TCP and UDP ports) to the outside, forwarding them to internal servers using the NAT capabilities of the device.  In addition, we have created our own VPN that lets users log in from outside and access internal resources such as servers, drives, and network services from anywhere on the Internet.  Finally, we have an authenticated wireless LAN that connects to our network after users authenticate themselves with usernames and passwords.

Following are some links and info on the device and its use and configuration in our environment.

Main Web Page

Administration Page

Web Links

m0n0wall Home

www.pcengines.ch (Designer of the WRAP hardware)

www.mini-box.com (Distributor of the Embedded hardware)

Instructions and Documentation

    Quick Start Guide

    Complete Documentation

Internal Notes


IP Addresses and Ranges

LAN Subnet:

  1. m0n0wall ethernet port IP Address:  192.168.100.21
  2. LAN Subnet:  192.168.100.0, Mask:  255.255.255.0  (/24 in CIDR)

WAN Subnet

  1. m0n0wall ethernet port IP Address:  68.167.9.28
  2. WAN IP Range:  68.167.9.18 - 31, Mask: 255.255.255.240 (/28 in CIDR)

VPN Subnet

  1. VPN server address: 192.168.110.254
  2. IP Range: 192.168.110.192 - 254, Mask:  255.255.255.240 (/28 in CIDR)

    Note: While connected to the VPN, the gateway shown by "ipconfig" is the IP address of the VPN connection itself.  Not intuitive, but that's how it is.
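As an added example (not part of the original page), the following Python script checks the entries in the table above against each other: for each interface it derives the network implied by the IP address and mask, confirms the interface address is a usable host address, and, where a range is listed, reports whether that range fits inside the network and which CIDR block would actually be needed to cover it. The address tuples are constructed from the table; the LAN entry has no range. Run as written, the check shows that the WAN range 68.167.9.18 - 31 ends on the broadcast address of 68.167.9.16/28, and that the VPN range 192.168.110.192 - 254 does not fit a /28 (it needs a /26), which is worth re-checking against the PPTP configuration before relying on these numbers.

```python
import ipaddress

# Addresses as listed in the "IP Addresses and Ranges" section above.
# Tuples: (interface IP, netmask, optional (first, last) of the listed range).
# Constructed from the page's table; the LAN entry lists no range.
INTERFACES = {
    "LAN": ("192.168.100.21", "255.255.255.0", None),
    "WAN": ("68.167.9.28", "255.255.255.240", ("68.167.9.18", "68.167.9.31")),
    "VPN": ("192.168.110.254", "255.255.255.240",
            ("192.168.110.192", "192.168.110.254")),
}


def smallest_network_covering(first, last):
    """Return the smallest CIDR block that contains both addresses."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()  # widen by one prefix bit until `last` fits
    return net


def check_interface(ip, mask, addr_range=None):
    """Describe the network implied by ip/mask and test the listed range
    against it. Returns plain values so the result is easy to assert on."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    result = {
        "network": str(net),                    # e.g. "68.167.9.16/28"
        "cidr": net.prefixlen,
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
        # The interface address must not be the network or broadcast address.
        "ip_is_usable": net.network_address < iface.ip < net.broadcast_address,
    }
    if addr_range:
        first = ipaddress.ip_address(addr_range[0])
        last = ipaddress.ip_address(addr_range[1])
        result["range_in_network"] = first in net and last in net
        # A range that includes the network or broadcast address is not fully usable.
        result["range_all_usable"] = (net.network_address < first
                                      and last < net.broadcast_address)
        result["smallest_block_for_range"] = str(smallest_network_covering(first, last))
    return result


def check_all(interfaces=INTERFACES):
    """Run check_interface over every listed interface."""
    return {name: check_interface(*spec) for name, spec in interfaces.items()}


if __name__ == "__main__":
    for name, report in check_all().items():
        print(name, report)
```

The same function can be pointed at any other interface table (for example the OPT/wireless subnet) by extending the dictionary; the ipaddress module accepts either dotted netmasks, as used on this page, or /NN prefix lengths.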

VPN and WLAN User Setting

Our m0n0wall has been configured to use Sabrina, our local Win2K server, to authenticate user logins for VPN and wireless LAN access.  This way we don't need to create users in the m0n0wall itself.

  1. Add user to Sabrina
  2. Add to group "VPN Users"

Setting up a remote PC to connect to the MV Software VPN

    This link on the m0n0wall site shows how to do this for Windows XP (it also applies to Windows 2000).

    For Windows 98, VPN connections are made via the Dial-Up Adapter.  vpn98.pdf is a short PDF file that describes the setup.  Dial-Up Networking version 1.1 or higher is required.  The installation files for Dial-Up Networking version 1.4 for both Win98 and Win98 SE are in the Win98 folder inside the m0n0wall folder listed below.

    In our case, for all operating systems, we assume that a connection to the Internet has already been made, so we do NOT need to dial up another connection.  In special cases this may not apply.

In all cases, the server name to be used during configuration is vpn.mvsoftware.com

Here is a write-up on how to map your PC to a shared network drive on a remote machine so you can drag and drop files to it.

Setting up m0n0wall to use the Microsoft Internet Authentication service (IAS)

  1. Install Internet Authentication Service
  2. Set up m0n0wall to use a "RADIUS" server in both the PPTP and the Captive Portal settings
  3. Set the IP address of the server on which IAS is installed as the RADIUS server
  4. Add the m0n0wall as a client on the server with IAS installed, using the same shared secret configured in the m0n0wall
  5. Create a "Remote Access Policy" in IAS
  6. Edit the profile of the policy
  7. Enable the MS-CHAP v2 and PAP protocols
  8. Enable "Strongest encryption" only
  9. Now a user connecting to the VPN should be able to reach the LAN

DNS Issues

  1. In all static (LAN) and VPN connections, go to "Advanced Settings" of the IP protocol, DNS tab, and enter "mvsoftware.com" as the DNS suffix
  2. For all static connections set the m0n0wall IP (192.168.100.21) as the DNS server.  We can leave this as the only server since it is the Internet gateway: if it goes down, our Internet connection will also be down.  We will be putting another unit in place as a hot backup.

VPN DNS Binding Order

Sometimes in Windows XP or 2000, when multiple network adapters are added and removed, the order of DNS servers used doesn't follow the DNS servers of the gateway.  For example, the DNS server used when connecting over the VPN (subnet 192.168.110.*) should be the m0n0wall itself.  However, in some cases the DNS server used is the one from the VPN client's own WAN connection.  This can break access to NATed servers.

To fix:

  1. Use regedt32.exe on Windows 2000, or regedit.exe on Windows XP, to navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
  2. Double-click the Bind value name, a REG_MULTI_SZ data type.
  3. Click in the Multi-String Editor to de-select all the entries.
  4. Select the \Device\NdisWanIp entry and press CTRL+X to Cut this item to the clipboard.
  5. Click in front of the first device in the list and press CTRL+V to Paste \Device\NdisWanIp from the clipboard. Press OK.
  6. Exit the Registry Editor
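The same reordering, as an added Python example that is not part of the original page: it moves the \Device\NdisWanIp entry to the front of the Bind list (steps 3 to 5 above) while keeping every other binding in its existing order, and only writes the registry when explicitly asked to, so it can be run as a dry run first. The sample Bind list with its adapter GUIDs is constructed for illustration; the registry path and value name are the ones given in the steps above, and the winreg calls are the Python standard library's.

```python
import sys

# Registry location and value given in the steps above.
LINKAGE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"
BIND_VALUE = "Bind"
WAN_DEVICE = r"\Device\NdisWanIp"

# Constructed sample of a Bind value (REG_MULTI_SZ is read as a list of
# strings); the adapter GUIDs are placeholders, not from any real machine.
SAMPLE_BIND = [
    r"\Device\{11111111-1111-1111-1111-111111111111}",  # constructed: LAN adapter
    r"\Device\NdisWanIp",                                # the VPN/WAN miniport
    r"\Device\{22222222-2222-2222-2222-222222222222}",  # constructed: wireless adapter
]


def reorder_bind(entries, first=WAN_DEVICE):
    """Return a new binding list with `first` moved to the front.

    Mirrors steps 3-5: cut the NdisWanIp entry and paste it before the first
    device. Other entries keep their relative order. If `first` is absent the
    list is returned unchanged, so nothing is added on a machine that has no
    WAN miniport binding."""
    if first not in entries:
        return list(entries)
    return [first] + [e for e in entries if e != first]


def apply_to_registry(dry_run=True):
    """Read Tcpip\\Linkage\\Bind, reorder it and, unless dry_run, write it
    back. Windows only; writing HKLM needs an elevated prompt.
    Returns (current, proposed) so the change can be reviewed."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg  # standard library, available on Windows only
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LINKAGE_KEY, 0, access) as key:
        current, value_type = winreg.QueryValueEx(key, BIND_VALUE)
        if value_type != winreg.REG_MULTI_SZ:
            raise RuntimeError("unexpected data type for Bind value")
        proposed = reorder_bind(current)
        if not dry_run and proposed != current:
            winreg.SetValueEx(key, BIND_VALUE, 0, winreg.REG_MULTI_SZ, proposed)
        return current, proposed


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("before:", SAMPLE_BIND)
    print("after: ", reorder_bind(SAMPLE_BIND))
    if sys.platform == "win32":
        current, proposed = apply_to_registry(dry_run=True)
        print("registry would change:", current != proposed)
```

Run it once with the default dry run to see the current and proposed lists, then call apply_to_registry(dry_run=False) from an elevated prompt to make the change; as with the manual steps, a reboot or reconnect of the VPN is needed before the new binding order takes effect.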

Files and Downloaded Info

All downloaded info and files are on Google Drive \My Drive\Applications and tools\m0n0wall folder.