ALIX Monowall Firewall – Part 2

This tutorial covers the basic post-installation configuration of Monowall (m0n0wall). This segment covers changing the default password and setting the firewall's time zone. It also covers assigning fixed IP addresses to devices via DHCP static mappings, and configuring port forwarding. This is the second part in a series of tutorials that will range from basic configuration of the firewall to more advanced topics such as IPsec tunnels and VPN clients.

Log into the firewall

media_1249428136293.png
Open a web browser and log in to the firewall. The default address is http://192.168.1.1. The username is admin and the default password is mono. Until you change it in the next step, anyone on the LAN who knows this default can administer the firewall.

Change password & time zone

media_1249428907666.png
1.) Click on ‘General Setup’ under ‘System’
2.) Type a new password into both boxes. As a general rule of thumb, use a long password that mixes upper- and lowercase letters, numerals and symbols.
3.) Select the time zone you are in.
4.) Click the ‘Save’ button.
After you click save the firewall will prompt you to log back in with the new password.

Open the DHCP server configuration page

media_1249430240384.png
If you are going to reach any device on your local network from the Internet, you need to assign it a fixed IP address. This matters if you plan to log in to your workstation remotely via a service like ‘Back To My Mac’, connect to a SlingBox remotely, or play online games on a PC, Xbox 360 or PS3. The reason will become clear when we configure port forwarding: a forwarding rule sends traffic to one specific address, so that address must not change. For this example we are going to assign a static IP to the workstation connected to the firewall.
You will need the MAC address of the device. This is the hardware address of its network interface. On some devices you will find a sticker that states the MAC address; on others you will have to open a configuration or information screen to find it. The MAC address is written as six pairs separated by colons, in the format ##:##:##:##:##:##, and each pair is a combination of numerals and the letters A through F. On a Mac, click the Apple logo in the menu bar, go to ‘About This Mac’, then ‘More Info...’, and click ‘Network’. You will see the available network interfaces; click the interface in question and its MAC address is displayed. Now that you have the needed information, let’s proceed.
Also, the static IPs you assign have to be outside the range of addresses the DHCP server hands out dynamically. The default range is 192.168.1.100 – 192.168.1.199, so keep your reservations outside it (for example 192.168.1.200 and up).
1.) Click ‘DHCP server’ under the ‘Services’ section
2.) Click the ‘+’ symbol under the ‘Reservations’ section

Add static IP address mapping

media_1249432275997.png
1.) Enter the MAC address of the device you are adding
2.) Enter the IP address you would like to assign to the device (e.g. 192.168.1.200). Make sure the address falls within your local network’s subnet and outside the DHCP server’s dynamic range.
3.) Enter a description for the device you are adding a static mapping to and click save.
Repeat these steps for every device you need to add. Once you are done continue to the next section.

Apply changes, beware of the bugs though

media_1249434205703.png
1.) You will notice your new reservations listed below.
2.) Click the ‘Apply changes’ button.
3.) If you are running the 1.3 beta (this series uses 1.3b16) you will see the error shown above. This is a bug in that version; it will be fixed in the next revision.
**If you do get this error after clicking ‘Apply changes’, you need to reboot the firewall. To do that, click ‘Reboot system’ under the ‘Diagnostics’ section. Once the firewall comes back up the changes will take effect.

Port forwarding

media_1249434561843.png
1.) Click on ‘NAT’ under Firewall
2.) Make sure ‘Inbound’ is selected
3.) Click the ‘+’ symbol

Adding port forwarding rule

media_1249434624783.png
I am going to create a port forwarding rule as if I had a SlingBox on my local network. SlingBox uses TCP port 5001 to communicate with the Internet. So I am going to configure a rule that says: any traffic arriving on the WAN port (the Internet interface) on TCP port 5001 is forwarded to a specific IP address on my local network. These are the steps to achieve that:
1.) Interface: should point to WAN
2.) External address: should point to ‘interface address’
3.) Protocol: select the appropriate protocol from the drop down (i.e.. TCP)
4.) External port range: enter the port number in both boxes (i.e.. 5001)
5.) NAT IP: this would be the IP address of the device on your local network (i.e.. 192.168.1.200)
6.) Local port: this would be the same port number used in step 4 (i.e.. 5001)
7.) Description: enter a thorough description of the device and port number you are forwarding for future reference
8.) Tick the checkbox that auto-adds a firewall rule. A NAT entry on its own does not let traffic in; m0n0wall also needs a matching firewall rule on the WAN interface, and this option creates it for you at the same time.
9.) Click the ‘Save’ button
Repeat these steps for every additional port a device needs, and again for each additional device.
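Before typing a batch of reservations and forwards into the GUI, it is worth checking them against the two rules this tutorial gives: a reserved address must sit inside the LAN subnet but outside the dynamic DHCP pool, and a port forward should point at a reserved address, otherwise the lease can change and the forward silently lands on the wrong device. The script below is an added example for this page, not m0n0wall code; it assumes the m0n0wall defaults (LAN 192.168.1.0/24, firewall at 192.168.1.1, pool .100–.199), and the devices listed in it are constructed.

```python
"""Plan checker for m0n0wall DHCP static mappings and inbound NAT rules.

Added example for this tutorial, not m0n0wall code.  LAN, firewall address and
DHCP pool are the m0n0wall defaults (assumed unchanged); the sample devices at
the bottom are constructed.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")            # default LAN subnet
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")   # default LAN address of the firewall
DHCP_POOL = (100, 199)                                  # default dynamic range: .100 - .199
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Accept 00:0D:B9:... or 00-0d-b9-...; return the lowercase colon form the GUI shows."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def check_reservation(ip, lan=LAN, pool=DHCP_POOL, fw_ip=FIREWALL_LAN_IP):
    """Return the problems with a static mapping address; an empty list means OK."""
    addr = ipaddress.ip_address(ip)
    if addr not in lan:
        return [f"{ip} is not inside the LAN subnet {lan}"]
    problems = []
    if addr in (lan.network_address, lan.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if addr == fw_ip:
        problems.append(f"{ip} is the firewall's own LAN address")
    host = int(addr) - int(lan.network_address)
    if pool[0] <= host <= pool[1]:
        problems.append(f"{ip} is inside the dynamic DHCP pool .{pool[0]}-.{pool[1]}")
    return problems


def check_forward(rule, reservations):
    """Return the problems with an inbound NAT rule; an empty list means OK."""
    problems = []
    if rule["proto"] not in ("tcp", "udp"):
        problems.append(f"unsupported protocol {rule['proto']!r}")
    for key in ("ext_port", "local_port"):
        if not 1 <= rule[key] <= 65535:
            problems.append(f"{key} {rule[key]} is out of range")
    reserved = {r["ip"] for r in reservations}
    if rule["target"] not in reserved:
        problems.append(
            f"target {rule['target']} has no static mapping; its lease can change "
            "and the forward will then silently point at the wrong device"
        )
    return problems


def validate_plan(reservations, forwards):
    """Check every entry; returns {label: [problems]} so the caller can print or assert on it."""
    report = {}
    seen_macs, seen_ips = set(), set()
    for r in reservations:
        mac = normalize_mac(r["mac"])
        problems = check_reservation(r["ip"])
        if mac in seen_macs:
            problems.append(f"MAC {mac} is mapped twice")
        if r["ip"] in seen_ips:
            problems.append(f"IP {r['ip']} is mapped twice")
        seen_macs.add(mac)
        seen_ips.add(r["ip"])
        report[f"dhcp {mac} -> {r['ip']}"] = problems
    for f in forwards:
        label = f"nat {f['proto']}/{f['ext_port']} -> {f['target']}:{f['local_port']}"
        report[label] = check_forward(f, reservations)
    return report


# Constructed sample plan (no real hardware): one good mapping, one inside the
# pool, the tutorial's SlingBox forward, and a forward to an unreserved address.
RESERVATIONS = [
    {"mac": "00:0D:B9:12:34:56", "ip": "192.168.1.200", "descr": "Workstation"},
    {"mac": "00-0d-b9-aa-bb-cc", "ip": "192.168.1.150", "descr": "SlingBox"},
]
FORWARDS = [
    {"proto": "tcp", "ext_port": 5001, "target": "192.168.1.200", "local_port": 5001, "descr": "SlingBox TCP 5001"},
    {"proto": "udp", "ext_port": 3074, "target": "192.168.1.210", "local_port": 3074, "descr": "Xbox 360 Live"},
]

if __name__ == "__main__":
    for label, problems in validate_plan(RESERVATIONS, FORWARDS).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run as-is it flags the SlingBox reservation at .150 (inside the pool) and the Xbox forward to .210 (no mapping), and passes the workstation mapping and the TCP 5001 forward that the steps above create.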

Apply changes

media_1249435797716.png
Once you have added all of your port forwards, click the ‘Apply changes’ button and you are done. Keep in mind that each forward exposes that port on that device to everyone on the Internet, so forward only the ports a device actually needs and delete rules for devices you no longer use.

Ports for forwarding common devices

Xbox 360 Live: TCP/UDP 3074
PS3: TCP 5223, UDP 3478, UDP 3479, UDP 3658 **Certain games may require additional port forward mappings; check with the game vendor
SlingBox: TCP 5001
If you need port information for a device not listed here, check the manufacturer’s support web page. If you cannot find it there, try a web search for: firewall port forwarding (followed by the name of your device).

Finished

We are done with this segment of the tutorial. In the next installment we will discuss Dynamic DNS services and VPN Tunnels (IPsec Mobile, PPTP).

ALIX Monowall Firewall – Part 1

This tutorial covers the installation of Monowall (m0n0wall) onto a Compact Flash card using a Mac, and assembling the firewall. The firewall is being built on an ALIX embedded system. This is the first part in a series of tutorials that will range from basic configuration of the firewall to more advanced topics such as IPsec tunnels and VPN clients.
Download the Monowall embedded image file
Visit Monowall’s website and download the embedded image file for ALIX. Below is a link to the appropriate page.
Monowall Download Page: http://m0n0.ch/wall/beta.php
Place the file you just downloaded onto your desktop.

Run Disk Utility

media_12482528767123.png
Insert a Compact Flash card into a card reader attached to your computer; a 256MB card will do just fine. Open ‘Disk Utility’, which is located in the ‘Utilities’ folder under ‘Applications’ on your boot drive. Select the Compact Flash card you inserted in the device list. Make sure you select the right drive: double-check that the size matches the card. Be very careful, because if you select the wrong drive you could wipe all the information from a hard drive. Right-click the drive and select ‘Information’.

Compact Flash Disk ID

media_12482531834083.png
Jot down the ‘Disk Identifier’ associated with the drive (it looks like disk2). This identifier will vary on your own system, so do not use the value shown above. Writing down the wrong identifier could result in one of your hard drives being wiped, so pay very close attention. You will need it for the next step.

Partition Mounted?

media_12482536149563.png
If there is a partition on the Compact Flash Card it needs to be unmounted. Right-Click on the partition listed underneath Compact Flash Card and select ‘Unmount’.

Run Terminal

media_12482539686233.png
When you open Terminal it starts in your home directory. Issue the following commands to change to the Desktop and stream the decompressed image onto the Compact Flash card:
cd ~/Desktop
gzcat embedded-1.3b16.img | dd of=/dev/disk# bs=16k
Replace disk# with the disk identifier you jotted down in the previous step, and embedded-1.3b16.img with the name of the file you downloaded if it differs. Last warning: if you enter the wrong identifier you could wipe a hard drive or another removable drive connected to your system.
When dd finishes you should see a records-in/records-out summary, as displayed above. If instead you get a message that the resource is busy, a partition on the Compact Flash card is still mounted. Go back to the previous step and unmount it.
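Because a typo in that disk identifier can destroy a hard drive, it is worth wrapping the write in a few guard rails. The script below is an added example, not part of the original tutorial: it refuses disk0 (the internal boot drive on practically every Mac) and anything that is not a bare whole-disk identifier, asks diskutil whether the device is removable, unmounts the card itself so dd does not fail with “Resource busy”, and reads the card back afterwards to confirm the image landed intact. It assumes macOS’s diskutil and its “Removable Media” / “Device Location” output fields; the image name is the one this tutorial uses.

```shell
# Added example (not from the original tutorial): the gzcat | dd step with
# guard rails.  Assumes macOS with diskutil; the image file is the embedded
# ALIX image you downloaded (embedded-1.3b16.img in this tutorial).

# Accept only a bare whole-disk identifier such as disk2.  disk0 is the
# internal boot drive on practically every Mac, so it is refused outright;
# so is a path (/dev/disk2) or a slice (disk2s1): the image is a whole-card
# image, not a partition image.
disk_id_looks_sane() {
    case "$1" in
        disk0) return 1 ;;
        disk[1-9]|disk[1-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask diskutil whether the device is removable/external before writing to it.
# Assumption: the "Removable Media:" and "Device Location:" lines that
# diskutil info prints.  When diskutil is absent (not a Mac) nothing is checked.
disk_is_removable() {
    command -v diskutil >/dev/null 2>&1 || return 0
    diskutil info "$1" | grep -Eq 'Removable Media: *(Yes|Removable)|Device Location: *External'
}

# Unmount, write the decompressed image to the card, then read the card back
# and compare it byte for byte with the image so a half-written card is caught.
write_image() {
    img="$1"; disk="$2"
    disk_id_looks_sane "$disk" || { echo "refusing: '$disk' is not a plausible card identifier" >&2; return 1; }
    disk_is_removable "$disk"  || { echo "refusing: $disk is not reported as removable" >&2; return 1; }
    [ -r "$img" ] || { echo "cannot read image $img" >&2; return 1; }
    diskutil unmountDisk "$disk" || return 1     # otherwise dd fails with "Resource busy"
    tmp=$(mktemp) || return 1
    gzcat "$img" > "$tmp" || return 1            # decompress once so we can compare afterwards
    dd if="$tmp" of="/dev/$disk" bs=16k || return 1
    size=$(wc -c < "$tmp" | tr -d ' ')
    head -c "$size" "/dev/$disk" | cmp - "$tmp"  # exit 0 only if the card matches the image
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage, from the directory holding the image:
#   write_image embedded-1.3b16.img disk2
```

The identifier check is deliberately strict: it accepts nothing but diskN with N of 1 or higher, so a stray /dev/ prefix, a slice suffix or the boot disk all stop the script before dd ever runs.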

Assemble the firewall

ALIX_Firewall3.png
Remove the Compact Flash card from the card reader and insert it into the card slot on the ALIX board. Do this before you install the board into the case, as the case will block the slot. This would also be a good time to install any add-in cards you might have into the mini-PCI slots (Wi-Fi, VPN accelerator). Remove the hex bolts on both sides of the serial port, otherwise you cannot slip the board into the case. Slide the board in with the network ports going first so they slide into the cutouts. With that inserted, screw the board to the case, then reattach the hex bolts on both sides of the serial port. Put the cover on the case and screw it in place. That’s all there is to it, pretty simple wouldn’t you say?

Log into the firewall

media_12482555868043.png
Plug your firewall into the network using the LAN port and power up the unit. You can either plug the firewall into a switch or directly into the network port on your computer. The DHCP server on the firewall will supply your workstation with the appropriate IP address information. Give it a couple of minutes to finish booting. Open your favorite browser and type http://192.168.1.1 into the address bar. This is the default address of the firewall. You will be prompted to log in to the firewall; the following are the default credentials:
Username: admin
Password: mono
This information is case sensitive, so make sure you enter everything in lower case.
That is it for the first part of the tutorial. The next tutorial will walk you through the basic configuration of the firewall, including changing this default password. Subsequent tutorials will discuss more advanced features, such as creating tunnels between two remote firewalls.

m0n0wall & pfSense Tutorials

I am in the process of creating an updated video tutorial on installing the Monowall (m0n0wall) firewall on an ALIX embedded system. While I am at it, I will also be doing the same for the pfSense firewall installed on the same platform. There will also be written guides to go along with these video tutorials. These forthcoming guides will come in segments ranging from copying the firewall to a CF card that will be inserted into the system board to more advanced topics such as configuring IPsec tunnels. You should see the first of these tutorials released on July 15th.
Enjoy the tutorials and should you have any recommendations or things you would like to see included in these tutorials just leave a comment.
UPDATE: I ran into a personal matter which had delayed the production of the first segment. I should have it completed and posted within the next couple of days. Sorry about the unexpected delay.

Embedded Monowall: Installation


UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/
This tutorial will guide you through copying the m0n0wall image to a compact flash card and the initial configuration of the m0n0wall on the ALIX embedded board. I will be using a VPN accelerator card since I will have about 10 IPsec tunnels actively running at one time. I would only recommend using the VPN accelerator card if you plan on maintaining several VPN tunnels at one time, otherwise it is overkill. The following is a list of the items that were used:

Monowall Tutorial

I just finished my initial tutorial on setting up a m0n0wall firewall on a PC Engines ALIX 2C3 board. I have set up several of these using a Mac. There was a lot of research I had to do to figure out how to accomplish it using OS X. Most of the documentation I found online referenced using Windows systems. So I decided to take what I learned and write a “How-To” on the topic as well as a video to accompany it. You can find the How-To by following this link: https://www.techunplugged.com/tutorials/embeded-m0n0wall-firewall-on-alix-hardware/
Enjoy!
UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/

Embedded Firewall

As part of my quest to simplify my life I moved away from Windows workstations and servers to Macs. With the number of systems that were removed it had a large impact on the acoustics of the room as well as power consumption. I still had one relic left behind, and that was a firewall running on a PC to keep my IPsec tunnels up with all my clients. I decided I could replace that unit as well with something that was at least fanless. During my research I found something that would be fanless and work with a 15W power adapter, so it would have a small electrical footprint. The hardware I used was a PC Engines ALIX 2c3 board on which I installed the m0n0wall embedded firewall OS. I also used a Soekris VPN1411 mini-PCI card to offload the encryption processing from the CPU. It is very small and runs super smooth on a 30mbit connection with 10 tunnels running. The CPU never goes above 40% utilization under full load. It is fairly inexpensive and quite simple to assemble and program. I am in the middle of doing a video tutorial on putting one of these together and programming it. I should have the video done along with support pages tomorrow, so check back.
UPDATE: An updated tutorial has been posted here: https://www.techunplugged.com/2009/07/22/alix-monowall-firewall-part-1/

You Call This An Enterprise Firewall?

I have implemented various firewalls throughout the years, but I can say with confidence that the Symantec line of firewalls is the worst I have ever used. Well, at least the 1620, but the entire line utilizes the same software, which seems to be the underlying problem. I was installing two units in a failover configuration for an insurance company I service as well as a media buying firm. Both were being set up using content filtering with user authentication against their Active Directory. That’s when I came across a bug that dumbfounded the Symantec support desk. Evidently there is an issue with having different levels of content filtering depending on which Active Directory group a user belongs to. I couldn’t believe that no one else had come across this bug before. They bumped this up to their global support group and to the developers. Three days later they still couldn’t give me a fix, even though they were able to replicate the problem in their own labs. The real fun part was when I was informed by the support tech that Symantec was ceasing selling their hardware firewalls. That was enough for me to pack up the units and move to a SonicWALL solution for both clients. We have been extremely happy with the SonicWALL solution thus far.

Sgs1620