Topic: Help with coffee shop setup and public WAP  (Read 1590 times)
« on: April 04, 2013, 22:06:54 »
nikolaos
Posts: 5

I've been using m0n0wall for years at home with one WAP and it was fairly easy to configure. But now I need some help with a more complex setup, and suggestions, since our credit card terminal is on the LAN.


We're running a coffee shop that has public wifi. One WAP is for the customers and one WAP is for the owners.

The setup is as follows:

DSL modem connected to a Soekris 4801 with 3 Ethernet ports.

WAN -> DSL modem
LAN -> 4-port switch + 1 WAP (named private; WPA2; DHCP disabled)
OPT -> public wifi WAP (named public; open; DHCP disabled)

I've set up OPT as a DMZ with the "block all to LAN" rule as per the m0n0wall handbook. When connected to the public WAP I can't connect to any machines on the LAN interface. So far so good.

m0n0wall is set up for 192.168.1.1 /24
DMZ is set up for 192.168.2.1 /24

Questions:

Should the /24 be set the same for both LAN and DMZ? The default was /24 for LAN and /34 for DMZ, but I could not get a DHCP range for DMZ until I changed it to /24. BTW, what is the /24 after the IP address?


Why do I get the login screen, and why am I able to connect to m0n0wall, when connected to the public WAP? That is, if I type 192.168.2.1 I get the login screen. I'd rather not have people using the public wifi to crack my m0n0wall password. Can the m0n0wall login be blocked from the public WAP?


What static IP should I give the public WAP for configuration? Since it's on the DMZ, can I only log in to change its configuration when connected to the public WAP, or can I specify an IP for the login that is only available from the LAN?

Any other considerations or suggestions for this setup?


Thank you guys, in advance.
« Reply #1 on: May 15, 2013, 15:46:55 »
markb
Posts: 331

Hi,
I have a similar setup. I will try to go through your questions.

The /24 is a short way of specifying your subnet mask. A 24-bit subnet mask would look like 255.255.255.0, which means that, for example, in your DMZ the IP addresses in that range would be 192.168.2.1-192.168.2.254. They are usually 24, 25, 26, 27, 28, 29, or 30 (for class C ranges). 34 doesn't work, which was why it wouldn't let you set up the DHCP.

With regard to accessing the login screen, you are correct to be concerned. A simple fix, though: in your rules for the DMZ interface, block access to the interface IP address (192.168.2.1) from the DMZ LAN. I would also suggest blocking access to the WAN interface.

With regard to the WAP, I would keep a range out of the DHCP scope that you can use for static IPs. You will not be able to block access to it from the DMZ, though, because it sits in this subnet and traffic to it from the DMZ does not pass through the m0n0wall to get to it. I would ensure you have a very strong password for it. I find that this is a useful secure password generator. Make sure you record it somewhere, though.

You might want to give some thought to using the captive portal as well. I have set up a coffee shop Wi-Fi using a voucher system. The voucher is free for time-limited access, they have to accept an Acceptable Use Policy before use, and it stops people on the road outside being able to use the Wi-Fi.

It might also be worth using OpenDNS (I used this) as a method of limiting the type of content that can be accessed: "Family Friendly" Wi-Fi.

Hope this helps.
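Added example (not from either poster, and not m0n0wall's own code): a short Python script that puts the two technical points of the reply above into runnable form. It shows what the /24 means and why a /34 cannot yield a DHCP range, and it models the DMZ (OPT) rule set first-match, the way m0n0wall evaluates rules, so you can see why the login page at 192.168.2.1 is reachable with only the handbook "block to LAN" rule and why the extra block rules have to sit above the pass-any rule. The LAN and DMZ addresses are the thread's own; the WAN address 203.0.113.5 and the WAP address 192.168.2.2 are assumed placeholders.

```python
"""Added example, not code from the m0n0wall thread or project.

Two things the reply explains, in runnable form:
  1. what "/24" means and why "/34" cannot give a DHCP range;
  2. why the m0n0wall login page is reachable from the DMZ with only the
     handbook rule, and the extra block rules suggested above, evaluated
     first-match as m0n0wall does.
Addresses are the thread's own (192.168.1.0/24 LAN, 192.168.2.0/24 DMZ);
the WAN address 203.0.113.5 and the WAP address 192.168.2.2 are assumed
placeholders.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
DMZ_IF_IP = ipaddress.ip_address("192.168.2.1")      # m0n0wall's OPT address
WAN_IF_IP = ipaddress.ip_address("203.0.113.5")      # assumed placeholder
PUBLIC_WAP_IP = ipaddress.ip_address("192.168.2.2")  # assumed static, outside the DHCP scope


def describe_prefix(cidr):
    """Return (netmask, first usable host, last usable host, usable count).

    Raises ValueError for a prefix IPv4 cannot have, such as /34: the
    prefix counts mask bits and an IPv4 address only has 32.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(net.netmask), str(hosts[0]), str(hosts[-1]), len(hosts)


def prefix_is_valid(cidr):
    """True if the prefix length is one IPv4 can express (0..32)."""
    try:
        ipaddress.ip_network(cidr, strict=False)
        return True
    except ValueError:
        return False


# A rule is (action, source network, destination, note). The destination is
# either a network or a single interface address.
HANDBOOK_DMZ_RULES = [
    ("block", DMZ_NET, LAN_NET, "handbook DMZ: no DMZ -> LAN"),
    ("pass", DMZ_NET, ANY, "everything else out to the Internet"),
]

# The extra blocks go *before* the pass-any rule: m0n0wall applies the
# first matching rule, so a block placed after it would never be reached.
HARDENED_DMZ_RULES = [
    ("block", DMZ_NET, DMZ_IF_IP, "no access to the OPT interface address (web GUI)"),
    ("block", DMZ_NET, WAN_IF_IP, "no access to the WAN interface address"),
] + HANDBOOK_DMZ_RULES


def _dst_matches(dst, target):
    if isinstance(target, ipaddress.IPv4Address):
        return dst == target
    return dst in target


def first_match(rules, src, dst):
    """Evaluate a packet the way m0n0wall does: first rule wins, and a
    packet no rule matches is dropped (implicit default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, target, note in rules:
        if src in s_net and _dst_matches(dst, target):
            return action, note
    return "block", "implicit default deny"


def traverses_firewall(src, dst):
    """The firewall only sees traffic that has to be routed. Two hosts in
    the same /24 talk directly through the WAP or switch, which is why the
    WAP's own admin page cannot be protected by m0n0wall rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in (LAN_NET, DMZ_NET):
        if src in net and dst in net:
            return False
    return True


if __name__ == "__main__":
    print("192.168.2.1/24 ->", describe_prefix("192.168.2.1/24"))
    print("/34 valid?", prefix_is_valid("192.168.2.1/34"))
    client = "192.168.2.50"  # a customer on the public WAP (constructed)
    for label, rules in (("handbook", HANDBOOK_DMZ_RULES), ("hardened", HARDENED_DMZ_RULES)):
        for dst in ("192.168.2.1", "192.168.1.10", "8.8.8.8"):
            print(label, client, "->", dst, first_match(rules, client, dst))
    print("client -> WAP seen by m0n0wall?", traverses_firewall(client, str(PUBLIC_WAP_IP)))
```

The rule order is the part to carry over to the real GUI: add the two block rules on the OPT tab and move them above the existing pass rule, otherwise the pass rule matches first and the login page stays reachable. The last line is the point about the WAP: a customer talking to 192.168.2.2 never crosses the firewall, so only the WAP's own password protects it.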
 