Topic: LAN configuration  (Read 2968 times)
« on: December 18, 2007, 09:18:38 »
detectiveinspekta *
Posts: 7

Internet
-
ADSL modem
LAN IP 10.0.1.1 SUBNET 255.0.0.0
-
WAN IP 10.0.1.2 /8
M0n0wall
LAN IP 10.0.0.2
-
16 PORT SWITCH
-
DHCP Computers


My ADSL connection uses PPPoA and I have set the WAN IP on monowall to be static. I want it to be as efficient as possible. I keep hearing of letting m0n0wall handle everything using bridging (something I don't really understand). Sometimes when I change a few configurations on the modem (like enable/disable NAT (does the modem really need NAT if it's only sending to the m0n0wall computer?)) it takes 15 min before web browsing works. ATM what is my firewall doing?
« Reply #1 on: December 18, 2007, 09:30:10 »
detectiveinspekta *
Posts: 7

My guess is that the modem is still doing NAT.
People trying to make connections to my WAN are denied.

As per the documentation how do I assign my WAN IP to be my public IP?
« Reply #2 on: December 18, 2007, 10:25:59 »
markb ****
Posts: 331

In my experience, getting DSL modems to work in bridge mode is a bit of a black art. Many modems say that they work in bridge mode; not all appear to. What it basically does is let the DSL modem handle the DSL signalling, but pass the authentication and IP address through to your monowall. This simplifies the network by cutting out additional configuration and a subnet. In my opinion, it is worth trying to get it to work, as it is a much neater way of working. VPNs, for example, especially incoming ones, can struggle with multiple NAT; I believe that IPsec is particularly fussy. Give it a go. You will have to change the monowall to PPPoE and put your ISP username and password in. If you are looking for a reliable DSL modem for this, I use a DrayTek Vigor 2600 Plus. One of my suppliers swears by this range of routers to handle bridge mode.
« Reply #3 on: December 19, 2007, 09:40:07 »
detectiveinspekta *
Posts: 7

Yes, thank you. Sadly my ISP doesn't support PPPoE so I can't do full bridging. However, I can do half-bridging, which is essentially the same (assigns the WAN IP with the public IP) but authentication is still done by the modem. Again, however, my modem needs a firmware upgrade which potentially could break the modem (so I've heard).

So at the moment, for the time being (with regards to BitTorrent), I think I have to resort to port forwarding on the modem to m0n0wall and creating a NAT rule in m0n0wall. Is this logic correct?

One last thing is that I access my internal server by typing "server" into my browser; this was done by editing /etc/hosts. Now if I wanted to access the server from any of the client computers, how would I go about setting this in m0n0wall? Is a DNS required?
« Reply #4 on: December 19, 2007, 10:10:24 »
markb ****
Posts: 331

Yes, your logic is correct. You might want to think about setting your monowall as the DMZ for the DSL router so that all traffic is passed to the Monowall, and then you only have to create rules in one place if you want to let traffic in. With regards to the DNS, if you try to access the web server by using the same FQDN (fully qualified domain name) as those outside, you will run into the problem of not being able to access NAT'd services on the external IP address. My best advice for this would be to set up your local LAN with a separate domain name, e.g. mynetwork.internal, and set up a separate entry for your server on its internal IP address. External clients would resolve server.mynetwork.com to your external IP address, which is then forwarded and NAT'd to your server. You access it with server.mynetwork.internal. Hope this makes sense.
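The split-horizon scheme markb describes, as an added illustration that is not part of the thread or of m0n0wall itself: a LAN client is answered from an internal zone, everyone else from the public zone, plus a check for the case where a LAN client would be handed the external address. The LAN range, the server address and the public address are constructed placeholders.

```python
import ipaddress

# Constructed sample addresses, chosen to match the thread's layout.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")        # hypothetical LAN behind m0n0wall
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")     # placeholder public address (TEST-NET-3)
SERVER_LAN_IP = ipaddress.ip_address("10.0.0.10")    # hypothetical internal server

# Split-horizon records: the same service is reachable under two names.
# The public zone carries the NAT'd address; the internal zone
# (mynetwork.internal, as suggested in the thread) carries the LAN address.
PUBLIC_ZONE = {"server.mynetwork.com": PUBLIC_IP}
INTERNAL_ZONE = {
    "server.mynetwork.internal": SERVER_LAN_IP,
    # Optional override so the public name also works from inside the LAN.
    "server.mynetwork.com": SERVER_LAN_IP,
}


def resolve(name, client_ip, internal_overrides=True):
    """Return the address a client would be given for `name`.

    LAN clients are answered from the internal zone first (when overrides
    are enabled); any other client only ever sees the public zone.
    """
    client = ipaddress.ip_address(client_ip)
    if client in LAN_NET and internal_overrides and name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    return PUBLIC_ZONE.get(name)


def hairpin_risk(name, client_ip, internal_overrides=True):
    """True when a LAN client would receive the external address, i.e. it
    would have to reach the server through the WAN side of the NAT, which
    is the failure markb warns about."""
    addr = resolve(name, client_ip, internal_overrides)
    client = ipaddress.ip_address(client_ip)
    return addr is not None and client in LAN_NET and addr not in LAN_NET
```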
« Reply #5 on: December 20, 2007, 08:42:21 »
detectiveinspekta *
Posts: 7

Oh thanks, the DMZ made things a lot easier.

One last question with the DMZ. I did a security test at https://www.grc.com/x/ne.dll?bh0bkyd2
It shows 50% of ports in stealth mode and 50% closed. Is this a security risk? I'm assuming the DMZ will forward all ports to m0n0wall. Hopefully m0n0wall can stand up against hackers. At the moment I have blocked all "WAN" access to my "LAN subnet" and also made another rule below it to access BitTorrent ports.