The General Setup screen allows you to control some general parameters of your firewall.
The General Setup screen allows you to change the following parameters:
Table 4.1. General Setup parameters
Parameter | Description | Example | Reference |
---|---|---|---|
Hostname | The unqualified hostname of your firewall. | myfirewall | IP Basics |
Domain | The domain name to qualify your firewall hostname. | example.com | IP Basics |
DNS Servers | The IP address of one or more DNS servers for use by the firewall. | 10.0.0.123 | DNS |
Username | The username to use when connecting to the m0n0wall webGUI. | admin | |
Password | The password to use when connecting to the m0n0wall webGUI. The current password is not displayed; this field is used only to change the password You should change this when you first install m0n0wall. | ||
webGUI Protocol | The protocol for the m0n0wall webGUI to use. If you select HTTPS, you will need to securely access your webGUI using a URL that starts with "https:" and to enter a signed certificate and key in the Advanced System page. | ||
webGUI Port | The port for the m0n0wall webGUI to use, if not the default. | ||
Time zone | The time zone of your firewall. This affects the value of times printed to logs. | Logging | |
Time update interval | How often your firewall should contact the NTP server to update its time. | Logging | |
NTP time server | The name of the NTP (Network Time Protocol) server for your firewall to use. | Logging |
Static routes are necessary when you have a subnet behind another router on any of your internal networks. Static routes are never required for directly connected networks or if the network in question is reachable through your WAN interface's default gateway.
The Static Routes sub section allow the user to set up static routes in order to reach network that must use a gateway different from the default one. By pressing the + icon, the system allows the user to add new static routes.
The parameters to set up a new route are the following:
Interface: select the interface to which the route must be applied. This is the interface off of which the destination network is located.
Destination Network: select the network that have to be reached with Classless Inter-Domain Routing (CIDR) code for subnetting (see RFC1517, RFC1518, RFC1519, RFC1520 for more details)
Gateway: the IP address of the router/gateway that the firewall must use in order to reach the defined Destination Network
Description: enter an optional description for the inserted route
The Firmware screen allows you to upgrade or downgrade your m0n0wall version (only available if you are running a hard drive or compact flash installation).
The options on the Advanced System page are intended for use by advanced users only, and there's NO support for them.
Table 4.2. Advanced System Options
Options | Description |
---|---|
IPv6 tunneling | Add the IP address to NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) to here. Don't forget to add a firewall rule to permit IPv6 packets! |
Filtering bridge | This will cause bridged packets to pass through the packet filter in the same way as routed packets do (by default bridged packets are always passed). If you enable this option, you'll have to add filter rules to selectively permit traffic from bridged interfaces. |
webGUI SSL certificate/key | Paste a signed (firmware 1.2) or create a self signed (firmware 1.3b12+) certificate in X.509 and a RSA private key in PEM format here. |
Console menu | Changes to this option will take effect after a reboot. |
Firmware version check | This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed. |
IPsec fragmented packets | This will cause m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets. |
IPsec DNS check interval (firmware 1.3) | If at least one IPsec tunnel has a host name (instead of an IP address) as the remote gateway, a DNS lookup is performed at the interval specified here, and if the IP address that the host name resolved to has changed, the IPsec tunnel is reconfigured. The default is 60 seconds. |
TCP idle timeout | Idle TCP connections will be removed from the state table after no packets have been received for the specified number of seconds. Don't set this too high or your state table could become full of connections that have been improperly shut down. The default is 2.5 hours. |
Hard disk standby time | Puts the hard disk into standby mode when the selected amount of time after the last access has elapsed. Do not set this for CF cards. |
Navigation | Keep diagnostics in navigation expanded. |
Static route filtering | This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface. |
webGUI anti-lockout | By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!). Hint: the "set LAN IP address" option in the console menu resets this setting as well. |
IPsec SA preferral | By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old. Select this option to always prefer old SAs over new ones. |
Device polling | Device polling is a technique that lets the system periodically poll network devices for new data instead of relying on interrupts. This can reduce CPU load and therefore increase throughput, at the expense of a slightly higher forwarding delay (the devices are polled 1000 times per second). Not all NICs support polling; see the m0n0wall homepage for a list of supported cards. |
Firewall states displayed | Maximum number of firewall state entries to be displayed on the Diagnostics: Firewall state page. Default is 300. Setting this to a very high value will cause a slowdown when viewing the firewall states page, depending on your system's processing power. |
IPv6 support is included in the latest 1.3beta release (v12 or later). The base for this was actually contributed by Michael Hanselmann way back in 2005, and with some modifications to reflect the changes in m0n0wall since then, as well as a few fixes/ improvements (most notably easy to configure 6to4 support), it is now finally in an official release. (Belated) Thanks, Michael!
IPv6 support must be explicitly enabled on the System: Advanced setup page before any of the new options will become available. Also, by default there are no firewall rules for IPv6, so everything is blocked. Make sure to add at least a rule on your LAN interface for outbound connections if you want to use IPv6.
After IPv6 is activated, additional options will become available in the main menu for routing and firewall management. Interface pages will also offer additional IPv6 configuration options. A useful option under the LAN interface will appear to send IPv6 Router Advertisements. This allows other hosts on the LAN to automatically configure their IPv6 address based on the prefix and gateway information that the Firewall provides them.
Since 1.3b12 is the first release with IPv6 support, bugs in the implementation are likely. As always, please post on the mailing list or in the forum if you've found something odd (with a detailed description of what you did, please). Also let us know if everything worked "out of the box". :)
If you don't have native IPv6 connectivity yet, don't worry: 6to4 tunneling is supported, which should work anywhere you've got a (non- firewalled) public IPv4 address. Simply choose "6to4" for the IPv6 mode on both the WAN and LAN interfaces - no need to manually configure any IPv6 addresses (check the IPv6 RA option on the LAN interface and your LAN hosts will be able to automatically obtain an IPv6 address). It can also work with dynamic WAN IPv4 addresses (LAN/ OPT IPv6 subnets are adjusted automatically). Note that some operating systems do not use IPv6 when connecting to a host that supports both IPv4 and IPv6 if they are configured with a 6to4 IPv6 address (-> RFC 3484), so use an IPv6-only host (try http://ipv6.m0n0.ch) for browser testing, or simply do a "ping6".
If you've got native IPv6 connectivity (over PPPoE/PPTP with 1.3b13 or later), remember that you'll have to statically route your m0n0wall's LAN subnet from your upstream router - there's no NAT for IPv6 in m0n0wall (and it would be pretty pointless in most cases anyway :).
Also, if you've gotten it to work and need some IPv6 capable web sites to try it out, have a look at http://sixy.ch (or http://ipv6.sixy.ch), a directory of IPv6 enabled web sites.
Although many operating systems support IPv6 by default such as MacOSX 10.4+, Windows Vista and many Linux packages, some systems need it to be activated (such as Windows XP) and some systems may not support it at all (such as the Apple iPhone 2.0 and older versions of Windows). Check your operating system documentation to see if IPv6 is available.
For more information on IPv6 check out some of the following websites.
Additional webGui users can be added here. User permissions are determined by the admin group they are a member of.
Additional webGui admin groups can be added here as well. Each group can be restricted to specific portions of the webGUI. Individually select the desired web pages each group may access. For example, a troubleshooting group could be created which has access only to selected Status and Diagnostics pages.