ALIX Monowall Firewall – Part 2

This tutorial covers the post installation basic configuration of Monowall (M0n0wall). This segment covers changing the default password, setting the time zone of the firewall. It also covers setting static IP address mappings via DHCP as well as configuring port forwarding. This is the second part in a series of tutorials which will range from basic configuration of the firewall to more advanced topics such as IPSEC tunnels and VPN clients.

Log into the firewall

Open a web browser and log in to the firewall. The default address is http://192.168.1.1. The username is admin and the default password is mono.

Change password & time zone

1.) Click on ‘General Setup’ under ‘System’
2.) Type in a new password in both boxes. As a general rule of thumb you should use upper and lowercase characters as well as symbols.
3.) Select the time zone you are in.
4.) Click the ‘Save’ button.
After you click save the firewall will prompt you to log back in with the new password.

Open the DHCP server configuration page

If you are going to access any devices on your local network via the Internet, you need to assign them static IP addresses. This is important if you’re going to log into your workstation remotely via a service like ‘Back To My Mac’, connect to a SlingBox remotely, or play video games on a PC, Xbox 360 or PS3. The reason will become clear when we configure port forwarding: a forwarding rule points at one fixed local IP address, so the device behind it must always receive that same address. For this example we are going to assign a static IP to the workstation connected to the firewall.

We will need to know the MAC address of the device; this is the physical address of its network interface. On some devices you will see a sticker which states the MAC address; on others you will have to go into a configuration or information screen to find it. The MAC address is in the format ##:##:##:##:##:##, a combination of numerals and letters (hexadecimal digits). On a Mac, click the Apple logo in the menu bar, go to ‘About This Mac’, ‘More Info...’ and click on ‘Network’. You will see the available network interfaces; click on the interface in question and its MAC address will be shown. Now that you have the needed information, let’s proceed.

Also, the static IPs have to be outside the range of addresses handed out by the DHCP server. The default range is 100 – 199 (the last octet), so keep that in mind.
1.) Click ‘DHCP server’ under the ‘Services’ section
2.) Click the ‘+’ symbol under the ‘Reservations’ section

Add static IP address mapping

1.) Enter the MAC address of the device you are adding
2.) Enter the IP address you would like to assign to the device (e.g. 192.168.1.200). Make sure the IP address falls within the range of your local network.
3.) Enter a description for the device you are adding a static mapping to and click save.
Repeat these steps for every device you need to add. Once you are done continue to the next section.

Apply changes, beware of the bugs though

1.) You will notice your new reservations listed below.
2.) Click the ‘Apply changes’ button.
3.) If you are running version 1.3 you will see the error shown above. This is a bug in that version; it will be fixed in the next revision.
**If you do get this error after clicking ‘Apply changes’, you need to reboot the firewall. To do that, click ‘Reboot system’ under the ‘Diagnostics’ section. Once you do that the changes will take effect.

Port forwarding

1.) Click on ‘NAT’ under ‘Firewall’
2.) Make sure ‘Inbound’ is selected
3.) Click the ‘+’ symbol

Adding port forwarding rule

I am going to create a port forwarding rule as if I had a SlingBox on my local network. SlingBox uses TCP port 5001 to communicate with the Internet, so I am going to configure a rule stating that any traffic arriving on the WAN port (the Internet interface) on TCP port 5001 is forwarded to an IP address on my local network. These are the steps to achieve that:
1.) Interface: should point to WAN
2.) External address: should point to ‘interface address’
3.) Protocol: select the appropriate protocol from the drop down (e.g. TCP)
4.) External port range: enter the port number in both boxes (e.g. 5001)
5.) NAT IP: this would be the IP address of the device on your local network (e.g. 192.168.1.200), which is why that device needs the static mapping from the previous section
6.) Local port: this would be the same port number used in step 4 (e.g. 5001)
7.) Description: enter a thorough description of the device and port number you are forwarding for future reference
8.) Click the checkbox: This will automatically create the firewall rule you will need at the same time.
9.) Click the ‘Save’ button
Repeat these steps if you have multiple ports to open for a device, and again for every additional device you need to add.
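The two sections above depend on each other: a port forward is only reliable if its NAT IP is a static DHCP mapping, and a static mapping is only valid if it sits inside the LAN but outside the DHCP pool. The script below is an added example (not part of the original tutorial or of m0n0wall itself) that checks a planned list of reservations and forwards against those rules before you type them into the web interface. It assumes the tutorial’s defaults (firewall at 192.168.1.1, LAN 192.168.1.0/24, DHCP pool .100–.199); the MAC addresses, descriptions and the Xbox entry are constructed sample data, and the SlingBox/Xbox port numbers are the ones listed on this page.

```python
import ipaddress
import re

# Network facts taken from the tutorial: firewall at 192.168.1.1 on
# 192.168.1.0/24, DHCP pool defaulting to .100-.199.
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))
PROTOCOLS = {"tcp", "udp"}


def normalize_mac(mac):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or None if it does not
    contain exactly 12 hex digits (separators ':', '-' and '.' are ignored)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def check_reservations(reservations):
    """reservations: iterable of (mac, ip, description).
    Returns (accepted, problems): accepted maps ip -> mac for entries that
    satisfy every rule in the tutorial, problems says why the rest failed."""
    accepted, problems, macs = {}, [], set()
    for mac, ip, descr in reservations:
        nmac = normalize_mac(mac)
        if nmac is None:
            problems.append(f"{descr}: {mac!r} is not a valid MAC address")
            continue
        if nmac in macs:
            problems.append(f"{descr}: MAC {nmac} is already reserved")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{descr}: {ip!r} is not an IP address")
            continue
        if addr not in LAN or addr in (LAN.network_address, LAN.broadcast_address):
            problems.append(f"{descr}: {ip} is not a usable host address in {LAN}")
            continue
        if addr == FIREWALL_IP:
            problems.append(f"{descr}: {ip} is the firewall's own LAN address")
            continue
        if DHCP_POOL[0] <= addr <= DHCP_POOL[1]:
            problems.append(f"{descr}: {ip} falls inside the DHCP pool "
                            f"{DHCP_POOL[0]}-{DHCP_POOL[1]}")
            continue
        if str(addr) in accepted:
            problems.append(f"{descr}: {ip} is already reserved for another MAC")
            continue
        accepted[str(addr)] = nmac
        macs.add(nmac)
    return accepted, problems


def check_forwards(forwards, reserved_ips):
    """forwards: iterable of (protocol, external_port, nat_ip, local_port, descr).
    Flags bad protocols or ports, two rules claiming the same external port,
    and a NAT IP with no static DHCP mapping (its address could change)."""
    problems, claimed = [], set()
    for proto, ext_port, nat_ip, local_port, descr in forwards:
        proto = proto.lower()
        if proto not in PROTOCOLS:
            problems.append(f"{descr}: unsupported protocol {proto!r}")
            continue
        if not all(1 <= p <= 65535 for p in (ext_port, local_port)):
            problems.append(f"{descr}: port numbers must be 1-65535")
            continue
        if (proto, ext_port) in claimed:
            problems.append(f"{descr}: {proto.upper()} {ext_port} is already forwarded")
            continue
        claimed.add((proto, ext_port))
        if nat_ip not in reserved_ips:
            problems.append(f"{descr}: NAT IP {nat_ip} has no static DHCP mapping, "
                            "so the forward will break when the lease changes")
    return problems


# Constructed sample plan: MACs and descriptions are invented for this example.
SAMPLE_RESERVATIONS = [
    ("00:11:22:AA:BB:CC", "192.168.1.200", "workstation"),
    ("00-11-22-aa-bb-cd", "192.168.1.201", "slingbox"),
    ("00:11:22:aa:bb:ce", "192.168.1.150", "xbox"),   # inside the DHCP pool
]
SAMPLE_FORWARDS = [
    ("TCP", 5001, "192.168.1.201", 5001, "slingbox"),
    ("TCP", 3074, "192.168.1.150", 3074, "xbox live"),
    ("UDP", 3074, "192.168.1.150", 3074, "xbox live"),
]


def review_plan(reservations=SAMPLE_RESERVATIONS, forwards=SAMPLE_FORWARDS):
    """Run both checks and return (accepted_reservations, all_problems)."""
    accepted, problems = check_reservations(reservations)
    problems += check_forwards(forwards, set(accepted))
    return accepted, problems


if __name__ == "__main__":
    accepted, problems = review_plan()
    for ip, mac in accepted.items():
        print(f"reserve {ip} -> {mac}")
    for p in problems:
        print("PROBLEM:", p)
```

Running it on the sample plan accepts the workstation and SlingBox reservations and reports three problems: the Xbox reservation lands inside the DHCP pool, and both Xbox forwards therefore point at an address that no static mapping guarantees.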

Apply changes

Once you are finished adding all of your port forwards, click on the ‘Apply changes’ button and you are done.

Ports for forwarding common devices

Xbox 360 Live: TCP/UDP 3074
PS3: TCP 5223, UDP 3478, UDP 3479, UDP 3658 **Certain games may require additional port forward mappings; check with the game vendor
SlingBox: TCP 5001
If you need port information for a device not listed here, check the manufacturer’s support web page. If you cannot find it there, try Googling: firewall port forwarding for (then add your device and hit the ‘Search’ button)

Finished

We are done with this segment of the tutorial. In the next installment we will discuss Dynamic DNS services and VPN Tunnels (IPsec Mobile, PPTP).

m0n0wall & pfSense Tutorials

I am in the process of creating an updated video tutorial on installing the Monowall (m0n0wall) firewall on an ALIX embedded system. While I am at it, I will also be doing the same for the pfSense firewall installed on the same platform. There will also be written guides to go along with these video tutorials. These forthcoming guides will come in segments ranging from copying the firewall to a CF card that will be inserted into the system board to more advanced topics such as configuring IPSEC tunnels. You should see the first of these tutorials released on July 15th.
Enjoy the tutorials and should you have any recommendations or things you would like to see included in these tutorials just leave a comment.
UPDATE: I ran into a personal matter which had delayed the production of the first segment. I should have it completed and posted within the next couple of days. Sorry about the unexpected delay.

Embedded Monowall: Installation


UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/
This tutorial will guide you through copying the m0n0wall image to a compact flash card and the initial configuration of the m0n0wall on the ALIX embedded board. I will be using a VPN accelerator card since I will have about 10 IPsec tunnels actively running at one time. I would only recommend using the VPN accelerator card if you plan on maintaining several VPN tunnels at one time, otherwise it is overkill. The following is a list of the items that were used:

Monowall Tutorial

I just finished my initial tutorial on setting up a m0n0wall firewall on a PC Engines ALIX 2C3 board. I have set up several of these using a Mac. There was a lot of research I had to do to figure out how to accomplish it using OS X. Most of the documentation I found online referenced using Windows systems. So I decided to take what I learned and write a “How-To” on the topic as well as a video to accompany it. You can find the How-To by following this link: https://www.techunplugged.com/tutorials/embeded-m0n0wall-firewall-on-alix-hardware/
Enjoy!
UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/

Embedded Firewall

As part of my quest to simplify my life I moved away from Windows workstations and servers to Macs. With the number of systems that were removed it had a large impact on the acoustics of the room as well as power consumption. I still had one relic left behind, and that was a firewall running on a PC to keep my IPSEC tunnels up with all my clients. I decided I could replace that unit as well with something that was at least fanless. During my research I found something that would be fanless and work with a 15 W power adapter so it would have a small electrical footprint. The hardware I used was a PC Engines ALIX 2c3 board on which I installed the m0n0wall embedded firewall OS. I also used a Soekris VPN1411 mini-PCI card to offload the encryption processing from the CPU. It is very small and runs super smooth on a 30 Mbit connection with 10 tunnels running. The CPU never goes above 40% utilization on a full load. It is fairly inexpensive and quite simple to assemble and program. I am in the middle of doing a video tutorial on putting one of these together and programming it. I should have the video done along with support pages tomorrow, so check back.
UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/