General Questions

Hi I'm having some trouble setting up my new m0n0wall installation.

WAN:
I have a cable modem connected to Telstra cable internet, connected to a Linksys Router with DHCP turned on.
Attached to the router is the m0n0wall box, also with DHCP turned on (for the LAN).

LAN:
Attached to the m0n0wall box is another Linksys, with DHCP off (to act as a hub for the LAN portion of the m0n0wall network), and a notebook on this hub.

So:
1. Internet -> 2. Router with DHCP -> 3. m0n0wall with DHCP -> 4. Hub -> 5. Notebook

The IP addresses are
1. Internet 50.10.10.10 (doesn't matter)
2. Router 192.168.1.1
3. m0n0wall:  Assigned IP from the DHCP router is 192.168.1.151.  Its own IP address on its LAN is 192.168.1.1
4. The "hub" has an fixed(assigned) IP of 192.168.1.2, is running DD-WRT.  (Is actually a router with DHCP switched off).
5. Notebook 192.168.1.50, assigned from m0n0wall

- The Notebook can see the m0n0wall GUI, but not the internet.
- m0n0wall gets the DNS server values from the first router, passed from the Internet modem
- The WAN interface page doesn't list an IP address for its internet connection.  Why is this?  The table just skips the IP line completely, it doesn't show it at all.  Instead it shows:


Status: Interfaces

WAN interface
Status    up
DHCP    up 
MAC address    03:e0:04:02:04:ab
Gateway    192.168.1.1
ISP DNS servers    61.9.134.49 ****
61.9.133.193
Media    100baseTX <full-duplex>
In/out packets    74/4 (9 KB/1 KB)
In/out errors    0/0
Collisions    0

LAN interface
Status    up
MAC address    03:e0:4c:bc:08:81
IP address    192.168.1.1 
Subnet mask    255.255.255.0
Media    100baseTX <full-duplex>
In/out packets    38097/454 (2.19 MB/339 KB)
In/out errors    0/0
Collisions    0

*** As can be seen,  these are passed (correct values) from the first router acting as a DHCP server, the m0n0wall box is set up to receive DHCP.

Block private networks is turned on, I've turned it off but didn't make any difference.

I've also tried plugging the m0n0wall WAN directly into the Internet modem, in this case the IP address shows up as 0.0.0.0 even if I replicate the MAC from the router.

I'm out of ideas!  I've also swapped the LAN/WAN card configuration, no difference.

m0n0wall is a ROUTER.  You LAN and WAN are configured to use the same network subnet.  Think about it.  How can your m0n0wall possibly ROUTE packets?  It's like getting into a cab in front of your home and asking the cab driver to take you to your home address.

CS...

Hi Chainsaw,

Great that you understand the problem 

I'm sorry but while I know enough to be dangerous, and I kind of understand what you're saying, I don't actually know how to fix it.  I thought the idea was that the LAN and WAN are made independent by the firewall?

I've never played with the subnet settings and in truth I don't actually know what difference it makes as I've never seen subnets discussed in the m0n0wall documentation that I've read, even the troubleshooting guide makes no reference to the subnet.  Otherwise I would have tried it of course!

Obviously its an easy fix, please point me in the right direction.  So I need to configure them to be on different subnets, which specific setting(s) is/are wrong and need to be changed?  Can you give some example values please.

Thanks a million!!! 

1.  Remove your Linksys router and connect your cable modem directly to your m0n0wall.
3.  Set the WAN port to DHCP and change the LAN port to address to something other than 192.168.1.1.  The first .1 is the problem so pick something like 192.168.9.1 (note: you will also need to change your DHCP scope to match this new subnet).
4.  Power cycle your cable modem and the notebook you are testing with.
5.  Login to your m0n0wall and see if you now have a public IP on your WAN interface.  If not, check link status on the cable modem's LAN and m0n0wall's WAN interface.  If you have a good link, you may need to unplug the power cord (don't use the power switch) and leave the power off to your cable modem for 30 min for it to forget your old Linksys router and assign your m0n0wall an IP address.

If all this fails, call your cable provider and ask them to take a look at your connection.

CS...

Thanks, you rock!  It worked.    And now at least I understand more about subnets!

I have the (2) Linksys Router in there because it's already running my existing encrypted wireless LAN.  It is still there now, all working fine-a-rama.

The reason I had m0n0wall at 192.168.1.1 is because I found some dodgy tute on the Net that instructed me to do it that way, ah well will have to post follow up to  them. 

Thanks again! 
Mark

192.168.1.x for your LAN subnet is only a problem if your WAN is using the same subnet or you want to VPN into your m0n0wall from another private network using the same 192.168.1.x subnet.  Since many routers and m0n0wall use this address as the default, it's best to change it to something not so common.

BTW, your wireless access points should all be on the LAN or OPT side of your m0n0wall.  Also, your firewall will do you little to no good if you frontend it with a Linksys router.

CS...

192.168.1.x for your LAN subnet is only a problem if your WAN is using the same subnet or you want to VPN into your m0n0wall from another private network using the same 192.168.1.x subnet.  Since many routers and m0n0wall use this address as the default, it's best to change it to something not so common.

OK, cool.  Thanks for the explanation its making much more sense now.

BTW, your wireless access points should all be on the LAN or OPT side of your m0n0wall.

I can see this will simplify the network.  Is there also another reason to do this, apart from reduced complexity?

Also, your firewall will do you little to no good if you frontend it with a Linksys router.

The Linksys actually has its own very basic firewall, are you saying that it is not very good and is easily hacked, or that its going to cause a conflict somewhere?  Does installing a second firewall inside my existing WAN compromise security in some way?  Obviously its unnecessarily complicated to have an extra device, but at the moment I'm not needing to VPN or anything.

The only real reason I'm leaving the Linksys in place for the moment is because I'm still experimenting with m0n0wall.  I think once I understand firewall rules properly and all the features, etc,  I'll be more confident about removing the Linksys permanently.  But if its compromising things then its coming off immediately!

Thanks for all your valuable information and explanations!    

It's not a security problem it's simply negates almost all the features in m0n0wall and buys you nothing in return.   Sort of like getting married and not ever having sex! 

CS...