Topic: New to m0n0wall and to vpn setups, need some help.  (Read 3358 times)
« on: April 05, 2007, 15:01:20 »
lappyx86 *
Posts: 15

Ok, so here is the situation.  I am relatively new to m0n0wall, and to setting up VPN solutions as well.  I am looking to create a fairly simple VPN solution to dial into a network via PPTP for a small company that I work for.  I am loving m0n0wall, but I really only want to have it functioning as a VPN solution for now, since we already have a very nice and functional firewall up and running, and I have very few intentions of removing it.  Currently I have a few questions about how to use m0n0wall best in my environment.

If I am only using the VPN, do I still need dual NICs? And if so, how do I set them up in my IP address scheme?  Should they both end up being inside my network (or rather should I say behind the current firewall) with the WAN IP being either in the DMZ or should I set up port forwarding so that all incoming VPN traffic is forwarded to it?

Why, when I have both NICs assigned with static IPs, does plugging in the WAN port freeze up the GUI on m0n0wall? (LAN 10.1.0.18, WAN 10.1.0.19)  Usually a reboot fixes this, but sometimes after 30 or so minutes it crashes again.  Oddly, it does not freeze the terminal interface on the actual box.

Also, any hints on how the actual wiring should be done, or best practices that people have found would be nice.  Currently I have a feeling I will be plugging the WAN port into the back of the current firewall, using port forwarding to push traffic towards it, and then having the LAN port (obviously) sit in the actual network.

« Reply #1 on: April 05, 2007, 22:43:52 »
cmb *****
Posts: 851

You have the same subnet on both interfaces - I'm surprised it works at all. Of course you probably have both interfaces plugged into the same broadcast domain as well.

The easiest thing is to yank whatever firewall or router you're using now so your m0n0wall WAN has a real public IP and the LAN is the default gateway for your network. Then start from there setting up the VPN. You're going to have all kinds of likely unnecessary networking issues to address if you don't do it that way. 
« Reply #2 on: April 06, 2007, 01:27:38 »
darklogic *
Posts: 45

If you don't want to remove the current firewall, what you could do is set up a double firewall. In all that is said, the NAT being done twice really won't affect your performance to the point of notice. I have done this many times, not to mention it adds more security. Here's how I go about doing this. Change your current firewall to a different IP subnet.

Example: set the LAN IP of your current firewall to something like 192.168.1.1 mask 255.255.255.0 or /24

Then set the WAN IP of your monowall to something like 192.168.1.2 mask 255.255.255.0 or /24 and set the default route to the LAN interface of your current firewall at 192.168.1.1 mask 255.255.255.0 or /24. Also don't forget to uncheck the check box on the WAN configuration section that states "Block private networks".

Then set your LAN IP on the monowall system to whatever your current IP subnet is: 10.1.1.1 mask 255.255.255.0

Enable the DHCP server on the monowall and set client machines to obtain.

After you get this far, set your front firewall, the one you already have in place, to forward PPTP 1723 and GRE to the WAN interface of the monowall firewall. At this point you will need to configure monowall's PPTP server.

Not to mention for your help in interest. If you are only looking for a PPTP solution, look at ClarkConnect Community or even pfSense. All of these firewalls are great, but you might find ClarkConnect to be a little easier. It is a Linux-based firewall using Red Hat. Monowall and pfSense are more UNIX, based on FreeBSD.

I hope this helps.
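
The addressing rules from replies #1 and #2, written as a plan checker. This is an added example, not part of the thread or of m0n0wall; the function name, the /24 masks and the 10.1.0.1 gateway used for the original layout, and the rule format for the front firewall are assumptions made for illustration.

```python
import ipaddress

def check_layout(wan_ip, wan_gw, lan_ip, block_private_networks, forwards):
    """Return a list of problems in a m0n0wall-behind-a-firewall address plan.

    wan_ip and lan_ip are "address/prefix" strings, wan_gw is a bare address,
    forwards is a set of (protocol, port) rules on the front firewall
    (hypothetical representation, not a m0n0wall config format).
    """
    problems = []
    wan = ipaddress.ip_interface(wan_ip)
    lan = ipaddress.ip_interface(lan_ip)
    gw = ipaddress.ip_address(wan_gw)

    # Reply #1: the same subnet on both interfaces leaves routing ambiguous.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} and LAN {lan.network} overlap")

    # The default route has to be a different host on the WAN segment.
    if gw not in wan.network:
        problems.append(f"gateway {gw} is outside WAN subnet {wan.network}")
    elif gw == wan.ip:
        problems.append("gateway is the WAN address itself")

    # Reply #2: with a private WAN address, "Block private networks" must be off.
    if wan.ip.is_private and block_private_networks:
        problems.append("WAN is private but 'Block private networks' is on")

    # PPTP needs its TCP control channel (1723) and GRE (IP protocol 47).
    for proto, port in (("tcp", 1723), ("gre", None)):
        if (proto, port) not in forwards:
            label = proto if port is None else f"{proto}/{port}"
            problems.append(f"front firewall does not forward {label}")
    return problems

PPTP_FORWARDS = {("tcp", 1723), ("gre", None)}

# Layout from the first post (masks and gateway are constructed values).
ORIGINAL = check_layout("10.1.0.19/24", "10.1.0.1", "10.1.0.18/24", True, set())
# Layout proposed in reply #2.
PROPOSED = check_layout("192.168.1.2/24", "192.168.1.1", "10.1.1.1/24",
                        False, PPTP_FORWARDS)

if __name__ == "__main__":
    for name, result in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, "->", result or "no problems found")
```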
« Reply #3 on: April 09, 2007, 14:40:47 »
lappyx86 *
Posts: 15

It helps greatly.  I will modify my layout as such.

Thank you.
 