Topic: Noob help on setting up a static NAT public to private (limited) or a 1:1
« on: March 18, 2007, 02:56:56 »
Noisycow *
Posts: 4

Hi there guys,

I have a Monowall Soekris 4801 running 1.2.  I am trying to set up something that I am sure is kindergarten stuff for most of the people here, so I am sorry in advance.

Please, if anyone can respond - talk baby talk - my extent of router experience is setting up basic Linksys routers in homes, etc., and 'cheating' via Gotomypc.com.

Ok, previously with voice IP devices I have just put them on the public internet.  No biggie, not a PC, no worries about 'hacking' and such.  Now, I am dealing with voice/PC devices so I cannot do that.

I'll use my office setup as a specific example.  My ISP provides me with a static block of 8 IP addresses.  The first one, 68.XXX.XX.8, is used for my Monowall router.

In trying to set up a static NAT on the Monowall, I used the .10 public address as the 'NAT' address and the phone device's native/private IP 192.xxx.xx.x as the corresponding address.  Now, have I screwed up already?  Can the WAN address on the Soekris 'associate' with the .8 and the .10 address - both?

I tried to set up a 1:1 NAT so I could get something working and worry about filtering ports, restrictions later.  Even that screen has me confused.   It says if you are referring to ONE static IP, enter it as XXX.XXX.XXX.X/32 (still grasping the /24 /32 thing vs 255.255.....) .. anyway, so I do that.

Then it asks about to and from, TCP or SMTP, etc., etc. - I'm already lost.   Then the internal IP address - that part I get.

Do any of you live in Portland, Oregon??

My other option is to put the phone device/PC on a non-NAT DMZ.  I understand the basics of a DMZ except how the heck you physically connect devices.  Do you plug the device into one of the OPT ports?  Geez.  I just wish there was a knowledgeable person in PDX that I could pay to sit down with me for a couple of hours one on one and explain the basics.

Another thing, I'd like to be able to get to the Monowall web GUI externally (I get there by GotomyPC now), but I can't even do that.  Should the remote IP I enter be the notebook's private IP on my notebook at home or the static IP my home router is using?

Be merciful - think back to the day when you guys knew nearly nothing, when you were 11 yrs old.

« Reply #1 on: March 18, 2007, 03:28:35 »
Noisycow *
Posts: 4

One other thing.  Is it a mistake to try and learn about firewalls via the Monowall?  Is there a better 'beginner' choice?  Like a CheckPoint, Adtran router/firewall or even a Cisco.

« Reply #2 on: March 18, 2007, 05:43:44 »
miltimj *
Posts: 4

I guess the first question is, do you need to have any of your devices accessible directly from the Internet?  In other words, multiple servers on different ports, etc.  If not (e.g. you're just using a VoIP phone, multiple workstations/laptops, and maybe a web or email server), then it would be simpler to just use one of your 8 public addresses and NAT it.  Then port forward whichever ports need to be accessible from the Internet.

Otherwise, you can use static NAT.  I haven't done it yet myself, but you should be able to use the /32 mask to map straight to that address.

Regarding TCP & SMTP, etc.  They are different layers in the OSI networking model.  TCP (as opposed to UDP) is used for reliable, ordered traffic such as a web page or email.  UDP is used to get it to the destination as fast as possible without resending (because if you resend, it's too late).  Examples of UDP would be voice traffic or gaming.  Typically UDP is higher priority for this reason as well, but not always.  SMTP is Simple Mail Transport Protocol.  It happens to use TCP, and deals with... you guessed it, transporting email.  It is one level above ("rides on top of") the TCP/UDP layer (3).  Another example would be HTTP (web pages).

In your situation, if you're creating a static NAT, I would imagine you'd need it to be "any" (TCP or UDP) and "any" (type of traffic, e.g. SMTP or HTTP).

Since you want VoIP traffic to have priority, you can use the Traffic Shaper functionality of m0n0wall to prioritize the traffic.  Use the magic shaper wizard and assign a DHCP address to the phone/converter box, and give that IP higher priority in the shaper.

The web GUI is easy enough to set up and is unrelated to the above.  Enable it by going to System->General Setup, and select "HTTPS" for webGUI protocol (the best option).  Then enter a username and password twice above it.  Then Save and Apply Changes.

« Reply #3 on: March 18, 2007, 05:46:51 »
miltimj *
Posts: 4

Oh, and regarding learning about routing, I'd recommend reading up and/or taking a class on general networking (that includes routing) first.  Then get some experience with some actual hardware of various types that will give you a well-rounded, but also practical, knowledge of the concepts.  M0n0wall is a decent start and something that is cheap and easy to play with.  It just lacks some of the very in-depth capabilities of something like Cisco, where you can program those routers to speak various router-to-router protocols to optimize links and take advantage of redundancy, etc.

« Reply #4 on: March 19, 2007, 02:24:39 »
Noisycow *
Posts: 4

>> = answers ...

I guess the first question is, do you need to have any of your devices accessible directly from the Internet?  >> Yes, the phone server needs to be seen from the internet, for say IP phones out on the internet or remote administration of the server.  The manufacturer - Inter-tel - is specific about what TCP/UDP, etc., ports need to be opened.

Otherwise, you can use static NAT.  I haven't done it yet myself, but you should be able to use the /32 mask to map straight to that address.  >> I've set this up, but it just won't 'talk.'  I am forwarded the programmed on the server itself to Inter-tel so they can verify THAT part is programmed correctly.

Regarding TCP & SMTP, etc.  >> I've got a pretty good grasp of this part; I am CTP certified, believe it or not.

In your situation, if you're creating a static NAT, I would imagine you'd need it to be "any" (TCP or UDP) and "any" (type of traffic, e.g. SMTP or HTTP). >> I was assuming that a 1:1 NAT does just that - all ports are open; maybe not.

Since you want VoIP traffic to have priority, you can use the Traffic Shaper functionality of m0n0wall to prioritize the traffic.  Use the magic shaper wizard and assign a DHCP address to the phone/converter box, and give that IP higher priority in the shaper. >> This will be the next step for me, but when I figure this out, I'll be very happy.  To get around the bottleneck at the WAN connection/firewall, up to now I've put a 'phone card' on a public switch in front of the firewall, literally.  For instance - DSL modem Ethernet port plugs into a 5-port switch -- I plug the firewall into this on a static IP, then the phone card, then the phone CPU, etc. --- there were not many worries about hackers since it is only a card (maybe denial of service, but unlikely) - however in this scenario there is no QoS at all - my VoIP traffic is just dumped into the river, so to speak.  If I can get to a point with tunneling or such where I can say the phone card/server has priority or a certain amount of bandwidth reserved, that would be fantastic.  Typically, my accounts are set up with a partial T-1 (768k) or a T-1 vs. DSL or cable.

The web GUI is easy enough to set up and is unrelated to the above.  Enable it by going to System->General Setup, and select "HTTPS" for webGUI protocol (the best option).  Then enter a username and password twice above it.  Then Save and Apply Changes.  >> Easy for you to say!

« Reply #5 on: March 19, 2007, 04:30:59 »
edlentz *
Posts: 4

Hey noisycow.  Didn't expect that kind of handle from a guy in Washington!

Did you see this?  http://doc.m0n0.ch/handbook/nat.html  If I remember right, it helped me a lot.  Default the router if you can and do it by the numbers and it works.  I assigned my 5k to a static address from the DHCP server in m0n0.  I'll try to see if I can get the shaper working sometime this week.

« Reply #6 on: March 20, 2007, 04:04:29 »
falcor *
Posts: 17

Okay... you can setup your IP phone two ways.

The easy way... port forward the necessary TCP/UDP ports from your WAN interface to the phone.  Just because you are running a server or device like a phone that requires people to connect to it from the internet doesn't mean it needs its very own IP address on the internet.  You can have one IP for your network and forward the necessary ports to internal devices as needed.  This, of course, assumes that no two devices need the same port.  E.g. two web servers that default to port 80 would need at least one on its own 1:1 IP.

So for now, try going to NAT, select the Inbound tab and create a rule that has WAN as the interface, TCP/UDP as the protocol, the port or range (if the ports aren't in a sequential range you will need to make a rule for each one), the NAT IP is the internal IP of the phone (I suggest using a static IP) and then the internal port range will match that of the external.  Enter a description for yourself.  Select the amazing check box to create the firewall rule for you automatically.  Click Save and then Apply.  To get the port ranges, check the documentation for the device or software you are working with.

If you just have to have a 1:1 static IP, check out my directions for someone using their Xbox 360: http://forum.m0n0.ch/index.php/topic,34.0.html  That will give you all the steps to create the 1:1 server NAT and have all the ports forwarded.  You can always limit the ports by using more restricted rules.

« Reply #7 on: March 21, 2007, 06:21:05 »
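The two options falcor lays out (per-port inbound NAT on the firewall's own WAN address, or a 1:1 NAT of a spare public /32 with firewall rules doing the port restriction) can be modelled in a few dozen lines. The block below is an added illustration for this thread, not m0n0wall code: every address, port and rule in it is constructed (documentation-range public addresses stand in for the poster's 68.x.x.8 and .10, and the phone-server ports are hypothetical placeholders for the vendor's real list). It assumes, as in m0n0wall's ipfilter-based design, that inbound translation happens before filtering, so filter rules are written against the internal address. It also answers the /32 question from the first post by turning a prefix length into the dotted netmask, and it flags the "two devices, same port" conflict that makes a second public address necessary.

```python
"""Model of inbound NAT (port forward) vs. 1:1 NAT plus filter rules.
Added illustration, not m0n0wall code; all data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_ANY = "tcp/udp"


@dataclass(frozen=True)
class PortForward:
    """Inbound NAT rule: WAN IP + protocol + external port range -> internal host."""
    wan_ip: str
    proto: str          # "tcp", "udp" or "tcp/udp"
    ext_lo: int
    ext_hi: int
    internal_ip: str
    int_lo: int         # internal range starts here, same length as external


@dataclass(frozen=True)
class OneToOne:
    """1:1 NAT: an entire public address (hence the /32) mapped to one host."""
    external: str       # CIDR such as "192.0.2.10/32"
    internal_ip: str


@dataclass(frozen=True)
class FilterRule:
    """Firewall rule evaluated on the already-translated destination."""
    proto: str
    dst_ip: str
    port_lo: int
    port_hi: int
    action: str         # "pass" or "block"


def netmask_of(cidr: str) -> str:
    """/32 is a single host (255.255.255.255); /24 covers 256 addresses."""
    return str(ipaddress.ip_network(cidr, strict=False).netmask)


def proto_match(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == PROTO_ANY or rule_proto == pkt_proto


def translate(dst_ip, proto, dst_port, forwards, one_to_ones) -> Optional[Tuple[str, int]]:
    """Where would the firewall send an inbound packet?  None if nothing maps it."""
    for f in forwards:
        if f.wan_ip == dst_ip and proto_match(f.proto, proto) and f.ext_lo <= dst_port <= f.ext_hi:
            return f.internal_ip, f.int_lo + (dst_port - f.ext_lo)
    for o in one_to_ones:
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(o.external):
            return o.internal_ip, dst_port      # every port, unchanged
    return None


def filter_allows(internal_ip, proto, port, rules) -> bool:
    """First matching rule wins; no match means blocked (default deny)."""
    for r in rules:
        if proto_match(r.proto, proto) and r.dst_ip == internal_ip and r.port_lo <= port <= r.port_hi:
            return r.action == "pass"
    return False


def deliver(dst_ip, proto, dst_port, forwards, one_to_ones, rules) -> Optional[Tuple[str, int]]:
    """Translation decides the target; the filter decides whether it is reachable."""
    target = translate(dst_ip, proto, dst_port, forwards, one_to_ones)
    if target is None:
        return None
    ip, port = target
    return target if filter_allows(ip, proto, port, rules) else None


def conflicts(forwards) -> List[Tuple[PortForward, PortForward]]:
    """Two forwards on one WAN IP whose protocol and external ports overlap:
    only the first ever fires, which is why a second web server on port 80
    needs its own public address."""
    found = []
    for i, a in enumerate(forwards):
        for b in forwards[i + 1:]:
            same_proto = a.proto == b.proto or PROTO_ANY in (a.proto, b.proto)
            overlap = a.ext_lo <= b.ext_hi and b.ext_lo <= a.ext_hi
            if a.wan_ip == b.wan_ip and same_proto and overlap:
                found.append((a, b))
    return found


# Constructed example: documentation-range addresses stand in for the
# poster's 68.x.x.8 (firewall WAN) and .10 (spare address for the 1:1 NAT).
WAN_IP = "192.0.2.8"
PHONE_SERVER = "192.168.1.20"
SECOND_HOST = "192.168.1.30"

# Hypothetical phone-server ports; use the vendor's real list in practice.
FORWARDS = [
    PortForward(WAN_IP, "tcp/udp", 5566, 5569, PHONE_SERVER, 5566),
    PortForward(WAN_IP, "tcp", 80, 80, PHONE_SERVER, 80),
]
ONE_TO_ONES = [OneToOne("192.0.2.10/32", SECOND_HOST)]
FILTER_RULES = [
    FilterRule("tcp/udp", PHONE_SERVER, 5566, 5569, "pass"),   # auto-added for forward 1
    FilterRule("tcp", PHONE_SERVER, 80, 80, "pass"),           # auto-added for forward 2
    FilterRule("tcp", SECOND_HOST, 443, 443, "pass"),          # 1:1 host: only HTTPS passes
]

if __name__ == "__main__":
    print("/32 netmask:", netmask_of("192.0.2.10/32"))
    for dst, proto, port in [(WAN_IP, "udp", 5567), (WAN_IP, "tcp", 22),
                             ("192.0.2.10", "tcp", 443), ("192.0.2.10", "tcp", 22)]:
        print(dst, proto, port, "->", deliver(dst, proto, port, FORWARDS, ONE_TO_ONES, FILTER_RULES))
    print("conflicts:", conflicts(FORWARDS + [PortForward(WAN_IP, "tcp", 80, 80, SECOND_HOST, 80)]))
```

The point of the 1:1 case is that `translate()` maps every port of the public .10 address to the internal host, so the only thing keeping port 22 on that host off the internet is the filter rule table; with no rule, the default-deny branch of `filter_allows()` drops it. That is the model's version of "all the ports forwarded, limit them with more restricted rules".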
cmb *****
Posts: 851

> One other thing.  Is it a mistake to try and learn about firewalls via the Monowall?  Is there a better 'beginner' choice?  Like a CheckPoint, Adtran router/firewall or even a Cisco.

If you don't think m0n0wall is a good beginner choice, you'd crap yourself if you tried any of those last 3 you mentioned.

It's pretty much as easy as any fully-featured firewall you'll find, and I would say it's substantially easier for a beginner than any of the last 3 commercial options mentioned.

This is not to say m0n0wall is better than any of those, or worse than any of those. It's not as capable as some commercial options, but it does what the majority of people require.

The more powerful things get, the more complex they get. Cisco devices are very, very powerful and can do some crazy cool stuff, but also are substantially more complex and exponentially more expensive.

« Reply #8 on: April 10, 2007, 10:42:05 »
Noisycow *
Posts: 4

Well, not to be a whiner, but a Linksys I have is SO EASY for port forwarding.  Click the tab, pick the port(s), then the internal IP, done.   The Monowall I am sure may be that easy, but it never appears that way to us noobs.

« Reply #9 on: April 10, 2007, 20:23:13 »
cmb *****
Posts: 851

m0n0wall is just as easy - see inbound NAT. Click +, pick the ports, internal IP, check auto-add firewall rule, done.

And you weren't comparing ease of use to a Linksys, you mentioned real firewalls like Cisco, CheckPoint, etc. - in fact what I said, with power and flexibility comes complexity, can be applied in reverse. A Linksys isn't even remotely as flexible or powerful as a m0n0wall, and hence isn't as complex.