Topic: Vonage on OPT1 Discussion
« on: May 08, 2009, 16:42:04 »
dynomite *
Posts: 4

Soekris 4501 firmware 1.33 and Monowall 1.3b16
Out of the box, I was able to use it as a simple firewall/router without problems. However, the default prevents the use of the third port (OPT1).
So I had to purchase a serial-to-USB null modem cable to assign a network interface, since I couldn't use the webGUI to do it.   :^(
Then I realized there is an assign link...geez.

The BIOS upgrade requires HyperTerminal in Windows XP to be set with XON/XOFF vs. hardware to upload the file correctly.

Finally assigned port in the serial console for opt1.

I would like to have the Vonage router set up as a separate network so I can keep the LAN secured as much as possible.

The question is how to make this work? I tried to bridge OPT1 to LAN, which allowed me to be on the same subnet, which it seems others have done in the past, but I wanted to keep the firewall rules separate for the VoIP vs. LAN network. So should I be bridging to WAN or nothing then? Or is the only solution to put it on the LAN to connect to the net?

Are any specific rules vs. DMZ vs. port forwarding required to get Vonage to work behind the m0n0wall?

I tried to keep the rules to a bare minimum, so a detailed walkthrough would be appreciated, and I think future m0n0wall users would also appreciate it.

Hope someone who has gone through the trials and tribulations can provide some updated results. I have read the older discussions, but found nothing with any details.

What firewall rules or DMZ instructions or bridging directions should be used? If no one can help, hopefully I'll be able to figure it out to provide insight to help.

Cheers!
« Last Edit: May 08, 2009, 20:18:01 by dynomite »
« Reply #1 on: May 08, 2009, 22:16:59 »
knightmb ****
Posts: 341

Well, you want to keep it separate, but what you talk about makes it very complex when it can be simple.


Set OPT1 to a different IP range (un-bridge it), set up one firewall rule that allows any OPT1 to the WAN and you're done. It won't be able to do anything except VoIP calls and won't have any access to your LAN or vice-versa.

I use 6 Vonage routers behind my m0n0wall, no special rules needed as they make an outbound session to the voice network and everything flows 2-ways then.

You might want to make a special pipe in the traffic shaping for your Vonage so that your phone calls remain smooth by pre-allocating some bandwidth for it.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 09, 2009, 00:34:43 »
dynomite *
Posts: 4

Can you walk me through what you have?   

Or troubleshoot where I went wrong.
Step 1:   interface OPT1
---> bridge: none [vs. to lan, wan]
---> IP :   10.0.0.0/24

Step 2:   Firewall Rules
OPT1 Rules
any any to Opt1 subnet any
WAN Rules
any any to OPT1 subnet any

Nat inbound
nothing

Step 3:
Now the question is on the Vonage router, if I have DHCP turned off: what is the gateway that I use for this?
On the Vonage device, just assign a static IP 10.0.0.2, subnet mask 255.255.255.0, gateway 10.0.0.1? Is there a gateway? With DNS of my DSL modem?


Step2:    Firewall Rules OPT1
Protocol - Source - Port - Destination - Port - Description
TCP - OPT1 - * - !Lan net - * - permit any except lan
UDP - OPT1 - 53(DNS) - 68.xx.xx.xx - 53 (DNS)

FIREWALL WAN
* - * - * - OPT1 net *


Step 3:
Huh


I have the router up and I have full connections, which is weird, but I cannot get the VoIP connected. I can search the net under the Vonage device.

I spoke to Vonage Tech support level 1 and they said I have to turn off SIP or VOIP controls.   Neither of these things are available on the router.   So I'm a little confused.

error code 204

Should I go back to 1.235?   Or can someone help me figure out what I'm doing wrong?

Thanks! Appreciate your help knightmb and glad to see that it does work behind the firewall.

I have been unable to reboot the m0n0wall so I'm not sure if playing with the settings requires me to do so, but will try to do that at the end of the day.

I'll post any details I find.
« Last Edit: May 09, 2009, 01:05:30 by dynomite »
« Reply #3 on: May 11, 2009, 08:31:47 »
knightmb ****
Posts: 341

I would stick with the stable release if you need it to work; the beta should be used in a test environment where any bugs or other things won't interfere with something important needing to work.

As for your steps, I take it in Step 1, the IP for the OPT1 is 10.0.0.1 and DHCP range is set accordingly.

Step 2, all you need is a rule for OPT1 to be the source and the destination will be WAN, set for any port, etc. That's all you need to make a one way firewall out to the Internet and without a way to reach the LAN.

No inbound NAT or Firewall rules are necessary, Vonage is all outbound anyway for the initial connection.

You need to make sure the WAN port of the Vonage router is connected to OPT1, not the LAN.

If you want to assign the Vonage router an internal IP, then what you have is correct; it must be assigned to the WAN on the Vonage router. The DNS can either be your ISP DNS or m0n0wall's IP if you are using the DNS Forwarder.

You shouldn't have to reboot m0n0wall for any setting change unless it asks you to; everything is pretty much on-the-fly changes.

A final test is to plug something into the LAN of the Vonage router and see if you can surf the web. If outbound works through it that way, then the Vonage router should have all it needs to work. You can always check the firewall states to see if it's trying to connect to the Vonage voice network at the 69.59.224.0/19 range or the 216.115.16.0/20 range.
« Last Edit: May 11, 2009, 08:35:35 by knightmb »
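
Added example, not part of the original posts: a small Python model of per-interface pass rules with default deny, comparing the second rule set posted in reply #2 with the single outbound rule reply #3 describes. The LAN subnet, the probe hosts other than 10.0.0.2, the encoding of "destination WAN" as "anything except LAN net", and the premise that the adapter's voice traffic is UDP are assumptions; the DNS rule is left out because its resolver address is elided in the post.

```python
from ipaddress import ip_address, ip_network

OPT1 = ip_network("10.0.0.0/24")    # OPT1 subnet from the thread
LAN = ip_network("192.168.1.0/24")  # assumed LAN subnet; the thread never states it
ANY = ip_network("0.0.0.0/0")
VONAGE = [ip_network("69.59.224.0/19"), ip_network("216.115.16.0/20")]  # from reply #3

def rule(proto, src, dst, not_dst=False):
    """One pass rule; not_dst=True models the '!' (not) destination checkbox."""
    return {"proto": proto, "src": src, "dst": dst, "not_dst": not_dst}

def allowed(rules, proto, src, dst):
    """Every rule here is a pass rule: any match permits, no match is default deny."""
    for r in rules:
        dst_ok = (ip_address(dst) in r["dst"]) != r["not_dst"]
        if r["proto"] in ("*", proto) and ip_address(src) in r["src"] and dst_ok:
            return True
    return False

def audit(ruleset):
    """Probe a rule set with constructed packets (hosts below are hypothetical)."""
    adapter, lan_host, outsider = "10.0.0.2", "192.168.1.10", "203.0.113.5"
    opt1, wan = ruleset["OPT1"], ruleset["WAN"]
    return {
        # Assumption: the adapter's voice traffic to Vonage is UDP.
        "voip_udp_out": all(allowed(opt1, "udp", adapter, str(n[10])) for n in VONAGE),
        "opt1_reaches_lan": any(allowed(opt1, p, adapter, lan_host) for p in ("tcp", "udp")),
        "wan_inbound_pass": allowed(wan, "tcp", outsider, adapter),
    }

# Second rule set from reply #2 (DNS rule omitted: its resolver address is elided).
AS_POSTED = {"OPT1": [rule("tcp", OPT1, LAN, not_dst=True)],
             "WAN": [rule("*", ANY, OPT1)]}
# Reply #3's single outbound rule, encoded as "OPT1 net -> anything except LAN net".
AS_ADVISED = {"OPT1": [rule("*", OPT1, LAN, not_dst=True)],
              "WAN": []}

if __name__ == "__main__":
    for name, rs in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(name, audit(rs))
```

In this model the posted set passes no UDP from OPT1 and carries an inbound WAN pass rule, while the advised set passes outbound UDP to both Vonage ranges, keeps the LAN unreachable from OPT1, and has no inbound pass.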

« Reply #4 on: May 13, 2009, 22:18:35 »
dynomite *
Posts: 4

So I rebooted from a clean slate and used 1.235.

I set everything up just as stated above and everything worked beautifully.

I don't know if the VPN settings altered anything, but I didn't do anything different.  All settings were similar.

Thank you knightmb.

Vonage working as desired.  woohoo!
« Reply #5 on: May 14, 2009, 09:24:22 »
knightmb ****
Posts: 341

Glad to hear it works.

If you have any voice quality issues, then you can go one step further and use some traffic shaping to reserve bandwidth for your calls. If everything is working fine, then don't worry about it.

I have to use traffic shaping for mine because I often max out my upload link and thus have to reserve a little bandwidth so that calls don't become choppy.

Take care!
