The entire system configuration is stored in one single XML text file to keep things transparent. m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
Updates (via Distrowatch):
Manuel Kasper has announced the availability of the first beta release of m0n0wall 1.33, a tiny FreeBSD-based operating system for firewalls: "m0n0wall 1.33b1 released. This beta version further improves IPv6 support (DHCP-PD, AICCU), adds user-customizable captive portal logout/status pages, fixes many small bugs and XSS vulnerabilities and contains updates for ipfilter and the Realtek driver as well as other small improvements. Changelog: updated ipfilter to 4.1.33; inbound NAT rules can now be added on the LAN interface with the WAN address as a target; replaced if_re driver by Realtek customized version to support RTL8111C (among others); IPv6 improvements; added support for user-customizable captive portal logout and status page, as well as a password change option for local CP users; added 'Bind to LAN' option for syslog, so you can syslog over a VPN tunnel...." See the project's beta versions page for the rest of the changelog. Download: cdrom-1.33b1.iso (17.7MB, SHA256).
Download (MD5): cdrom-1.3.iso (17.5MB).
• 2010-12-30: Development Release: m0n0wall 1.33 Beta 1
• 2009-12-01: BSD Release: m0n0wall 1.3
• 2009-09-30: BSD Release: m0n0wall 1.236
• 2009-08-12: Development Release: m0n0wall 1.3 Beta 17
• 2009-04-12: Development Release: m0n0wall 1.3 Beta 16
• 2008-08-09: BSD Release: m0n0wall 1.234
As an alternative to the traditional documentation and other resources (FAQ, mailing lists, forums), screencasts demonstrate how to set up a particular aspect of m0n0wall by providing a recording of the necessary steps as performed in the webGUI – sometimes also with audio narration.
At this time, m0n0wall can be used as-is with the Wireless Router Application Platform from PC Engines (www.pcengines.ch), the net45xx/net48xx embedded PCs from Soekris Engineering (www.soekris.com) or most standard PCs (with a BIOS that supports booting from CD-ROM (El Torito standard) for the CD-ROM version).
m0n0wall already provides many of the features of expensive commercial firewalls, including:
- web interface (supports SSL)
- serial console interface for recovery
- set LAN IP address
- reset password
- restore factory defaults
- reboot system
- wireless support (including access point mode)
- captive portal
- 802.1Q VLAN support
- IPv6 support
- stateful packet filtering
- block/pass rules
- NAT/PAT (including 1:1)
- DHCP client, PPPoE and PPTP support on the WAN interface
- IPsec VPN tunnels (IKE; with support for hardware crypto cards, mobile clients and certificates)
- PPTP VPN (with RADIUS server support)
- static routes
- DHCP server and relay
- caching DNS forwarder
- DynDNS client and RFC 2136 DNS updater
- SNMP agent
- traffic shaper
- SVG-based traffic grapher
- firmware upgrade through the web browser
- Wake on LAN client
- configuration backup/restore
- host/network aliases
- Initial installation
- Firewall configuration
- Traffic shaping
Everybody likes screenshots, right? Here are a few of them:
(some may be outdated or display outdated versions of the menu on the left-hand side)
- Traffic shaper
- Interface configuration
- Interface status
- Traffic graph
The m0n0wall project is an Open Source FreeBSD-based firewall designed for use on minimal PC hardware, including embedded devices such as the Soekris net4501 and net4801 hardware platforms, while still providing all of the essential features of commercial firewall appliances. Virtually all configuration and administration is done using a web-based interface that makes setting up a robust firewall extremely easy.
The web interface, while straightforward, does assume a certain minimum understanding of both network administration in general, and m0n0wall specifically. This guide was written to explain the initial steps required to get a m0n0wall system configured to provide the two services — DHCP configuration for clients and NAT-based connection sharing — that are most useful for a typical home network.
This guide does not attempt to provide detailed information about configuring a firewall. We highly recommend two books for learning about firewalls in-depth:
Important: You are responsible for your own network security. We absolutely take no responsibility for the security of your network, whether you follow the instructions here or not.
General Principles of Firewall and NAT Appliances.
Fundamentally, a m0n0wall-based system is used to connect two (or more) separate networks together, allowing devices like computers and servers on both networks to make permitted connections to each other. A m0n0wall-based appliance can add connections and capabilities to a network, such as allowing many systems to share a single public IP address. It can also restrict connections to systems under its control, acting as a guardian to prevent unauthorized access of internal systems by outsiders.
For the purposes of this guide we will simplify the possibilities, and only discuss one of the more common situations where m0n0wall is frequently used, connecting a home or small office network to the internet via a broadband connection (dial-up is not discussed here):
Figure 1: A simple home network.
In Figure 1, m0n0wall is being used to connect a small home network, the LAN, to the internet, which is the biggest WAN of all.
Before You Begin.
Before you begin making changes to your existing network, it is a very, very good idea to document your current, working configuration. If your operating system allows you to make a backup of your network configuration, do it now.
Documenting a working configuration is the perfect time to gather some important information. Having some specific details about your network written down in one place will make the setup and activation of m0n0wall go much faster, as well as make it possible to back out if things go awry.
The ideal place to collect this information from is the kit your ISP sent you when you signed up for your network connection. Most people file and lose this information, but fortunately, you can get most of it just by opening the network configuration utility for a client computer that currently has access to the internet:
Figure 2: Collecting network settings from client network utilities. (Click for full-size images.)
The information you’ll want to collect is:
|WAN IP address for m0n0wall device||IP Address (Mac) |
IP address (Win2K)
|Subnet Mask||Subnet Mask||255.255.255.248|
|WAN Gateway||Router (Mac) |
Default Gateway (Win2K)
|DNS Servers||DNS Servers (Mac) |
Preferred / Alternate DNS server
If your ISP gave you more than one IP address for your network, you will need to pick one to give to m0n0wall. For simplicity’s sake, we recommend you choose either the lowest or the highest IP address allocated to a client system (not a server). All of your desktop systems will get new, “internal” IP addresses, automatically provided by m0n0wall, so really, pick any address you want.
Overview of m0n0wall Setup.
Setting up a new m0n0wall appliance consists of the following seven steps:
- Hardware setup, including network cable connections
- Boot and configure minimum m0n0wall parameters via the m0n0wall console interface
- Configure a client system for the new network, and connect to the m0n0wall appliance via the web interface
- Change the admin password
- Configure general settings for m0n0wall
- Configure the LAN interface
- Configure the WAN interface
For the most part, you simply need to plug the basic information you gathered earlier into the right places in m0n0wall. None of these steps are complicated, and for many networks you can accept the defaults, i.e., all you need to do is check the step off.
If you plan to run m0n0wall on the wonderful embedded-style hardware from Soekris (either the net4501 or net4801 series of devices), the process of setting up the hardware could not be more simple. This is because all the network interfaces are built-in, and m0n0wall knows about them by default.
If you plan to run m0n0wall on a standard PC, you need to make sure there are enough network interface cards (or built-in interfaces), so that you can connect the required cables to the system.
In either case, you want to connect your LAN (most likely via an Ethernet cable attached to a hub or a switch) to the first network interface (Net0), and the WAN (probably an Ethernet cable connected to your DSL or cable modem or router) to the second network interface (Net1):
Figure 3: Connecting your m0n0wall device between your home network and your internet ISP equipment.
On Soekris devices, the Net0 and Net1 interfaces are RJ-45 connectors for 100-Mbps Etherent, and they are labeled Net0 and Net1. If you are setting up your own PC with multiple network interfaces, you will have to decide which interface is which (and it’s a good idea to label them with one of those label makers, so you’ll remember later!).
Note: in case it’s not obvious, your desktop computers on your home network should be hooked together using the rest of the connectors on your LAN Ethernet hub or switch.
The First Boot.
Once you’ve wired your m0n0wall system into your network, it’s time to power it up. You will definitely want to see the logging and messages that are printed to the console by m0n0wall as it boots up. Soekris systems connect via serial cable to a terminal or the serial port on a PC. A regular PC can connect to a standard monitor.
As m0n0wall starts up you will see a lot of messages fly past; most of the time you can ignore these, and just wait for the m0n0wall console menu to appear (the other messages can be useful when hardware troubleshooting):
Figure 4: The m0n0wall console menu after booting successfully for the first time.
Figure 4 shows the m0n0wall console after booting with the factory default configuration. Important settings are displayed, e.g., the LAN IP address, and the current assignment of network interfaces. This console is where you must edit a few initial configuration settings, unless your hardware works correctly with the m0n0wall defaults (only Soekris devices are likely to do so).
You can also use the console to reset m0n0wall, in case you make changes via the webGUI that make it impossible to connect to m0n0wall over the network. Last, you can reboot m0n0wall, if you have made settings changes that require rebooting.
Note: If you are running m0n0wall on a Soekris net45xx or net48xx embedded device, you can skip this section, as m0n0wall’s default settings should work fine.
The m0n0wall console allows you to tell m0n0wall the basics of how to connect to your network. You have to tell m0n0wall about your network before you will be able to use the web configuration interface, called webGUI, because webGUI depends on network access. In other words, you cannot connect to m0n0wall over the network until you’ve told it about your network.
The critical information is assigning roles to the different network interfaces. You need to tell m0n0wall which network interface is connected to your internal network (LAN) and which is connected to the internet (WAN). This is the port configuration displayed in the middle of the console, and you make changes to the configuration by choosing the first option on the console menu, “Interfaces: assign network ports”:
Figure 5: Assigning network ports using the m0n0wall console.
When you choose option 1, you first get a listing of the network interfaces which m0n0wall found when it initialized the hardware on which it is running. These are the network interfaces it knows about, and these are the only interfaces you can assign to m0n0wall ports. (Something interesting to note in Figure 5 is that the factory default assigns the WAN port to the sis1 interface, but when the valid interfaces are listed, there is no sis1 interface on the list!)
At each prompt, enter the name of the interface to assign to the requested port. You only enter the short name for the interface, e.g., de0, sis0, etc. (the long string of numbers and letters is the Ethernet MAC address, and is listed for informational purposes only).
Note: the network interface names — sis0, de1, etc. — are derived from the name of the “driver” for the interface’s hardware. It is unlikely that your network interfaces will have these names on them. You may have to make some educated guesses as to which interface is which. Just plug your Ethernet cables in, and if you are unable to connect to webGUI in the next section, try swapping the cables.
For the benefit of Soekris device owners, the network interfaces are labeled, but not with the device names. Here’s a quick mapping of the labels on the case to the device names that m0n0wall sees:
- Net0 —> sis0 (should be connected to the LAN)
- Net1 —> sis1 (should be connected to the WAN)
- Net2 —> sis2 (may be connected to the DMZ, not discussed in this guide)
The other setting you may wish to change is the LAN IP address. This is the IP address for the m0n0wall system as it appears on your internal network. The default setting is to use a special IP address for use only on private networks. If you are planning to use NAT to allow multiple internal systems share a single “public” IP address, then the m0n0wall default LAN IP address should work fine for your setup.
This guide assumes you use the default setting on your network. More complicated networks and configurations are not discussed in this guide; however, there is a wealth of information on this topic available on the internet. [suggested links or Google searches here…]
After assigning network interfaces to ports, you will need to reboot m0n0wall. If m0n0wall does not offer to do it for you, simply choose option 5, “Reboot system” from the console menu. Once m0n0wall finishes rebooting, it’s time to re-configure at least one client computer on the LAN to know about m0n0wall, and then move to the web configuration interface, webGUI.
Once m0n0wall is configured for your network and has rebooted to activate that configuration, you will want the systems on your internal network (LAN) to connect to the internet through m0n0wall. For most situations, this could not be simpler. m0n0wall can send network settings to all of the clients on your network, automatically, when your client systems boot up. All you need to do is configure the client systems to get their network settings via DHCP:
Figure 6: Configuring client systems to receive network settings from m0n0wall. The examples are from Mac OS X 10.3 and Windows 2000. (Click for full-size images.)
m0n0wall is very flexible about how to work with LAN clients. There are other configuration possibilities, including static IP addresses configured on the client side, DHCP assigning fixed IP addresses to clients based on their Ethernet MAC address, and others. There are frequently good reasons to want these configurations, but for many home networks it’s overkill. This guide will not address these configurations.
Introducing the Web Configuration Application (webGUI).
The m0n0wall web configuration application, webGUI, is where most configuration changes are made to m0n0wall. The web interfaces allows a much more pleasant user experience than trying to configure from the console all of the different features built into m0n0wall. webGUI is both easy to use and pleasing to look at, providing a high quality, professional-looking interface to m0n0wall.
To connect to the m0n0wall webGUI, type into your browser’s location field the LAN IP address that is listed in the m0n0wall console. By default this would be http://192.168.1.1/. You will be prompted for a login and a password. The login is “admin” and the default password is “mono”. (This will be changed in the next step!)
After entering the authentication information, if you’ve correctly set up your physical network, the m0n0wall console settings, and your client’s network settings, you should be presented with the m0n0wall webGUI splash screen:
Figure 7: The m0n0wall webGUI configuration application.
Congratulations! You have done 80% of the work to set up m0n0wall to serve and protect your network! Almost all of the hard work is behind you.
Once logged into the webGUI configuration interface it is possible to finish setting up m0n0wall for your network. The first step is to change the default administrative password, which is done in the System / General setup panel:
Figure 8: General settings for m0n0wall.
Enter the new admin password in the Password fields midway through the General setup panel, and click the Save button at the bottom. Don’t worry about the other settings yet, just change the password. (Forgetting to change default passwords is the number one security hole in network infrastructure.) m0n0wall should report that it successfully saved the changes.
After changing the admin password, the rest of the options on the General setup panel can be reviewed and updated. The important settings to enter are:
- Domain, if you have one
- DNS servers (your own, or the ones supplied by your ISP)
- Time zone (pick a city in your time zone; unless you’re lucky, your own city won’t be on the list)
If you will ever be administering m0n0wall remotely from a public network, you should also change the webGUI protocol to HTTPS. If you do so, remember that the URL for accessing webGUI will change to
https://192.168.1.1/ (if you’re using the default address) — note that the URL now begins with
Also, when accessing the new URL, your browser may give you an alert about not being able to verify the authenticity of the site. You can eliminate this message by giving the server an SSL certificate, in the webGUI SSL certificate/key section of the Diagnostics / Advanced settings panel. This is beyond the scope of this guide. [[mostly because I don’t know how to do this myself, yet…]]
The other settings here may be useful to modify, but we will not deal with them in this guide.
Configuring the LAN Interface,
To configure or review the settings for the LAN interface, go to the Interfaces / LAN panel:
Figure 9: Configuring the LAN interface.
The settings here allow you to configure the range of IP addresses that can be used on your internal network. If you have a relatively small network (fewer than 200 systems), and plan to use NAT to connect them to the internet, there is no good reason to make changes to the default m0n0wall settings for the LAN interface.
If your internal network is large, and you therefore need a larger range of IP addresses, you can make that change here. Enter the IP address for m0n0wall on your internal network, and then, using the CIDR-style netmask pop-up menu, say how big to make the network. If your network is larger than 200 systems, you may as well go all out here, and enter 10.0.0.1 / 8, to allocate a very large range of IP addresses to your internal network.
While the number of settings fields on this panel is small, the range of possibilities, and the reasons for making changes from the defaults, is quite large. If your needs are not met by the defaults here, you probably need a much larger networking reference than this guide.
Configuring the WAN Interface.
The final step for setting up m0n0wall for the first time is to configure the WAN interface. This is done using the Interfaces / WAN settings panel:
Figure 10: Configuring the WAN interface for DHCP.
The settings here tell m0n0wall how to connect to the external network, usually your ISP’s connection to the internet. There are a variety of ways in which external networks allow connections, which is why this settings panel looks so complicated. Don’t worry, you don’t have to fill it all out!
First, you need to tell m0n0wall what kind of connection to make. There are four different possible types of WAN interface, and these are set via the Type pop-up menu. Which type you choose will depend on what kind of network you are connecting to. The first three options (DHCP, Static, and PPPoE) are most frequently used to connect to the internet via an ISP. The last option (PPTP) is commonly used to connect to private networks, i.e., connecting a satellite office with the main corporate network. PPTP will not be discussed here.
For each type of connection, there is a section further down the panel, which allows you to enter the details of the connection. You only need to fill in the details for the type of connection you have chosen. All the other information can and should be left blank. This means the WAN Interface settings panel is a lot simpler than it looks.
DHCP WAN Interface.
In the same way that m0n0wall can use DHCP to distribute network settings to your client systems, your ISP can use DHCP to provide network settings for m0n0wall to use for itself. If your ISP’s network provides DHCP, then this is by far the easiest way to set up. In fact, because this is the default setting, your network connection may already be working! (Go ahead and test, as described in Testing the Network Connection below.)
The only setting you might need to provide for a DHCP connection is the Hostname, in the DHCP client configuration section of the panel. Your ISP will have to tell you what, if anything, to put in this field. But if your connection is already working, you can leave it blank.
Once you have entered the appropriate information into the DHCP WAN interface section, click the Save button at the bottom of the panel.
Static WAN Interface.
If you received a fixed IP address from your ISP (as opposed to a dynamic IP address, which changes regularly), then you will want to configure a Static WAN interface. This is commonly the case if you have a “business-class connection” service agreement with your ISP, which among other things allows you to run your own servers without violating your ISP’s terms of service. But there are a variety of reasons why you might have a fixed or static IP address given to you by your ISP. In any case, if they gave you an IP address and a netmask to use in your network settings, this is the way to go.
Configuring a Static WAN interface is not much harder than a DHCP WAN interface, once you have gathered the necessary information as described at the beginning of this document. You will need the following details:
- m0n0wall IP address
- Network gateway IP address
- Network netmask
Enter the m0n0wall IP address into the IP address field, and the network gateway IP address into the Gateway field.
The netmask is a little tricky. Most ISPs and desktop operating systems display the netmask as a series of four numbers separated by periods (very similar to an IP address), e.g., 255.255.255.248. m0n0wall uses the CIDR-style notation, which is a slash (“/”) and a number between 1 and 31. You enter it via the pop-up menu after the IP address field.
Explaining the differences or the conversion formula is more complicated than it’s worth. Here’s a translation table you can use to convert from the most likely traditional style netmasks to CIDR-style netmasks:
|Traditional Netmask||CIDR Netmask|
Once you have entered the appropriate information into the Static WAN interface section, click the Save button at the bottom of the panel.
PPPoE WAN Interface.
PPP was the standard way of connecting to the internet via a dial-up connection using a regular modem and phone line. PPPoE is a way of doing PPP over Ethernet, instead of a phone line.
While that sounds complicated, the good news is that PPPoE is the second-easiest WAN Interface type to configure, after DHCP. You just need to plug your PPPoE username and password into the PPPoE configuration section of the WAN Interface settings panel.
You may also need the service name in this same section, but as the m0n0wall interface suggests, you can probably skip it. Try connecting with it blank, and if it doesn’t work, look for this in the information sent to you by your ISP, etc.
Once you have entered the appropriate information into the PPPoE WAN interface section, click the Save button at the bottom of the panel.
Testing the Network Connection.
Once you’ve entered the necessary settings as described above, you’re ready to test your network connection. The simplest way to do this is to visit a public website using the same web browser you just used to configure m0n0wall. Try yahoo.com, google.com, or itunes.com for starters. If any of the sites load, your m0n0wall configuration is probably working fine. Congratulations!
You may want to test other kinds of network connections besides web connections, because some network protocols behave differently than the HTTP protocol that underlies the web.
One example that deserves checking is FTP, which definitely needs to be configured correctly to work from behind m0n0wall. By default m0n0wall only supports “passive” FTP, and “active” FTP is likely to fail. (The difference between active and passive FTP is complicated.) You may need to make configuration changes to your system or file transfer tools:
Figure 11: Examples of configuring client systems and applications to use passive (“PASV”) FTP.
Other applications you might want to test at this time include streaming media players. Go to QuickTime.com and watch some movie trailers. Go to NPR.org and listen to some news, or the latest episode of Fresh Air. Use iTunes to listen to a few music samples from the iTunes Music Store.
Testing the Firewall.
Effectively and completely testing a firewall is a topic far beyond the scope of this guide. However, you can make use of Gibson Research Corporation’s ShieldsUP! service to quickly test your new m0n0wall gateway. While no substitute for a professional assessment of your network’s security, it’s a great way to identify some of the easier-to-plug holes you may have overlooked.
If you liked this article, subscribe to the feed by clicking the image below to keep informed about new contents of the blog: