Installation

I have just installed m0n0wall and it seems to be working fine.

I am running on Soekris hardware.

Currently my Office network (10.0 0 0/24) is connected to the LAN port via a switch.  I would like to (add) provide a public WiFi that does not have access to the regular LAN.

I have a cable run directly to the WAP (wireless access point) from the m0n0wall but have not yet connected it. My WAP has ability to provide DHCP and NAT for the WiFi users (192.168.1.0/24)

I am assuming I would enable an additional port on m0n0wall that would be on same network as the LAN.  Then use firewall rules for that NIC/port to only allow 80 and 443 (and 53) thru and only to WAN??

Am I thinking correctly or should I be considering a better configuration.    I would like the WiFi users to see a Captive Portal page before receiving access.

I was also considering adding a PC to run CUPS on the WiFi network to allow hosts to print.  I would make a rule allowing only the the CUPS print server to connect to the office network printers.

Thanks for any assistance/validation/correction you will provide.

Ben

You should be able to do everything you are wanting. I would not recommend having the WAP do any NAT though, as the m0n0wall will be doing NAT and you would end up with a double-NAT scenario, which is always a pain.

It sounds like you have the right idea with the configuration. I would suggest moving ahead with your plan and post here again if you have more specific issues while trying to get the configuration completed.

Thanks for your reply Iridris,

You should be able to do everything you are wanting. I would not recommend having the WAP do any NAT though, as the m0n0wall will be doing NAT and you would end up with a double-NAT scenario, which is always a pain.

I am not sure how to configure the two separate networks using only m0n0wall.  Main office network (A) should only have staff computers on it.  Wireless network (B) is for guests which I cannot control.  I do not want guests connecting to the Main office network. 

I believe I see a need for NAT on both networks.  I only have one internet connection.  Can a single m0n0wall control both networks?  How do I prevent this "double nat scenario" and still provide two separate (seemingly separate) networks?

Thanks
- Ben

Do you have an extra NIC available on your m0n0wall, or can one be added? You could set up that NIC as OPT1. OPT1 would be your 'guest' network. On OPT1, assign it the address 192.168.1.1/24 and set up firewall rules that prevent OPT1 and LAN from talking (OPT1 should only be able to get to the WAN network). Your WAP would then have an address like 192.168.1.2 with a default gateway of 192.168.1.1. Whether you have the m0n0wall or the WAP assign DHCP, you would want to ensure that the gateway is set to 192.168.1.1 for clients. This setup eliminates the double-NAT.

Thanks for the Helpful reply iridris,

I have m0n0wall running on a Soekris net5501.  I have multiple ports available for the OPT1 separate connection.  Now I have a better idea of how to use the additional ports. 

Hopefully I can have this configuration working soon and can move on to some additional future configuration additions like VPN.

I very much appreciate your replying.  Has been a big help!
- Ben