Note: For this configuration, all other items are left at default. These are working settings for a Netgate PowerG8 WRAP setup. This unit is set up to be the main access point, feeding nodes underneath it. These settings are based on original configuration files kindly provided courtesy of www.socalfreenet.org.
System: General setup
Note: If you set this to HTTPS, be extremely careful that you remember to put the "s" in https. If this is set to HTTP on one node and HTTPS on another node, it is extremely easy to get yourself confused and think that the webGUI isn't loading, when in fact it is a user error.
System: Static Routes
Note: On the main unit, you need to set a static route to the subnets on the nodes that connect to the main unit.
Warning: After you click "Save", you must reboot the firewall to make the changes take effect. You may also have to do one or more of the following steps before you can access your firewall again:
- change the IP address of your computer
- renew its DHCP lease
- access the webGUI with the new IP address
Note: The sis0 here is the serial interface that the CAT-5 cable will plug into. The webGUI is on the sis0 interface. In this setup, the LAN will be an 802.11b AP and the Backhaul will be an 802.11a backhaul that feeds the nodes. In a MonoWall default setup, "Backhaul" would be the OPT1 interface.
Interfaces: LAN (Note: In this setup, this is your 802.11b radio.)
Interfaces: WAN (Note: This is your sis0 interface, i.e., the one the CAT-5 will plug into.)
Static IP configuration
IP address /
Gateway
Block private networks
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.
Note: In this setup, the above items were the only things configured. Unless you know you need another setting for some reason, leave everything else at default.
Note: Since this is the interface that the CAT-5 will plug into, set the IP address on this interface to the network that will supply your Internet connection.
Note: Heed the note above to set firewall rules, and set them properly. Remember, the webGUI is on sis0, and if there are no rules to allow access to this interface, then you can't remotely configure the nodes (i.e., you will have to physically plug a CAT-5 into it to access the webGUI). Also, if you enable access to the webGUI from the other interfaces but don't create rules to let sis0 pass data, then be very careful in troubleshooting the node. For instance, even if everything is working correctly, and you use the MonoWall Diagnostics to ping the default gateway, the ping will fail. However, the same IP address can be successfully pinged from the command line of a computer logged on to the same access point, if the rules are configured properly. Troubleshooting can become troublesome and very time consuming. Stay organized, think things through, and don't waste time "fixing" things that are actually working!
Note: In the original settings, "Enable advanced outbound NAT" was turned on. Depending on your network, for this setup, you should not need any NAT settings other than default. However, if everything appears to be functioning properly but you still can't pass data, uncheck this setting and test again. If unchecking this box fixes the problem, after you get a node up and running, you will have to configure proxy ARP or the node will not pass data properly, either.
Note: Proxy ARP can be used if you need m0n0wall to send ARP replies on an interface for other IP addresses than its own (e.g., for 1:1, advanced outbound or server NAT). It is not necessary on the WAN interface if you have a subnet routed to you or if you use PPPoE/PPTP, and it only works on the WAN interface if it's configured with a static IP address or DHCP.
Note: If you unchecked "Enable advanced outbound NAT", then you will probably need to configure Proxy ARP for your nodes to function properly. If you left it checked, you will not have anything in the Proxy ARP settings.
Note: The ping function will be one of your main diagnostic tools. From here, you should start testing by pinging your interfaces (LAN, WAN, Backhaul (a.k.a. OPT1)). If these pings are successful, ping upstream from the unit you are on. If you are on a node, ping the unit above it. If successful, ping the default gateway and DNS servers, and then ping outside of your network.
Note: As important as this diagnostic tool is, also connect to the unit wirelessly and ping the unit from a command line. If your rules aren't configured properly, and you haven't given the webGUI interface (sis0) permission to access an interface, it is possible that the unit is working and a ping from your connected device would be successful, yet a ping from the webGUI would fail. Pay careful attention to this, as you could waste a lot of time on a non-existent connectivity problem, when in actuality it is a firewall rule problem.
Note: Depending on your network setup (e.g., if the unit you are testing is behind a router directly connected to your Internet provider, or if you are on your LAN behind a firewall), you may see this pattern: pinging, say, your default gateway from the MonoWall ping Diagnostic tool succeeds, and pings from your laptop reach the unit, but pings from your laptop to the same default gateway fail. In that case you probably need to configure a static route in your router or firewall pointing back to the subnet(s) configured on the units.
If you can ping from m0n0wall but not from your laptop, it's possible you are missing a static route somewhere along the line, i.e., the packet goes out as, say, 10.12.12.180 but can't come back because the 10.12.12.160/27 subnet isn't listed anywhere. A quick way to tell if this might be the case is to turn NAT back on (NAT -> advanced, uncheck the option) and then try surfing from your laptop.
Other things that may cause similar problems: assuming you have captive portal enabled, you haven't clicked through it yet, or you don't have an exception for the m0n0wall box itself.
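The missing-return-route failure above, and the "Block private networks" rule described earlier, modelled as an added example that is not part of the original guide. The upstream router's route table is constructed; 10.12.12.2 as the main unit's address and 192.0.2.1 (a documentation-range placeholder) as the ISP gateway are assumptions, while 10.12.12.180 and 10.12.12.160/27 come from the text.

```python
from ipaddress import ip_address, ip_network

# "Block private networks" as the guide describes it: RFC 1918 plus loopback.
BLOCKED_ON_WAN = [ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_blocked_private(addr):
    """True if a WAN rule with 'Block private networks' would drop this source."""
    a = ip_address(addr)
    return any(a in net for net in BLOCKED_ON_WAN)


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    a = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_path(routes, node_addr, main_unit_addr):
    """Classify where the upstream router would send its reply to node_addr.

    'ok'            a specific route points back at the main unit
    'default-route' only the default route matches, so the reply follows it
                    away from the mesh and never returns (the missing static
                    route case in the note above)
    'wrong-next-hop' a specific route exists but points elsewhere
    'no-route'      nothing matches at all
    """
    match = lookup(routes, node_addr)
    if match is None:
        return "no-route"
    net, next_hop = match
    if net.prefixlen == 0:
        return "default-route"
    return "ok" if next_hop == main_unit_addr else "wrong-next-hop"


# Constructed upstream router table: before and after adding the static route
# for the node subnet that the guide says must be "listed" somewhere.
ROUTES_BEFORE = [("0.0.0.0/0", "192.0.2.1"), ("10.12.12.0/27", "direct")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.12.12.160/27", "10.12.12.2")]

if __name__ == "__main__":
    print(reply_path(ROUTES_BEFORE, "10.12.12.180", "10.12.12.2"))  # default-route
    print(reply_path(ROUTES_AFTER, "10.12.12.180", "10.12.12.2"))   # ok
```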
Note: While the owners of any copyrighted information retain ownership of their respective copyrights, all other information presented here is published under a Creative Commons license.
This document is released under the Attribution-NonCommercial-ShareAlike 2.0 license.
You are free:
- to copy, distribute, display, and perform the work
- to make derivative works
Under the following conditions:
- Attribution. You must give the original author credit.
- Noncommercial. You may not use this work for commercial purposes.
- Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.