Minor typos in System: Group Manager page

mtnbkr — 2008-11-26T15:30:47

Manuel... Not a high priority in the grand scheme of things, but I just noticed a minor issue in the output of the "System: Group Manager" page. It looks like text from somewhere else is being pulled in for the "Description" column for the "Firewall Rules" and "Firewall Rules Edit" lines: --[snip]-- Firewall: Traffic shaper: Queues firewall_shaper_queues.php Firewall: Traffic shaper: Rules firewall_shaper.php Firewall: ipv6enabled( firewall_rules.php Firewall: ipv6enabled( firewall_rules_edit.php Hidden: Detailed Status status.php Hidden: Exec exec.php --[snip]-- The same symptom exists for the "System Routes" and "System Routes Edit" lines: --[snip]-- System: Group manager system_groupmanager.php System: ipv6enabled( system_routes_edit.php System: ipv6enabled( system_routes.php VPN: IPsec: CAs vpn_ipsec_ca.php VPN: IPsec: Edit CA certificate vpn_ipsec_ca_edit.php --[snip]-- This is on 1.3b15, I have not looked elsewhere. Cheers! -- Bill Arlofski Reverse Polarity, LLC

Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification

Michael Stecher — 2008-11-25T14:21:00

Hello List! I've got a Problem with our IPSec tunnel. Tunnel work's fine for about an hour. After this time we can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour. Maybe this is the problem: At the beginning of the connection we receive this warning: racoon: WARNING: attribute has been modified. racoon: WARNING: ignore RESPONDER-LIFETIME notification. I've found some threads about this problem. To solve this problem we should use same key lifetime as our peer. The peer has a lifetime (phase 1) about 86400 secs. But whatever I set this value the peer will receive a lifetime of 28800: Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy Nov 25 12:11:51.899: ISAKMP: life type in seconds Nov 25 12:11:51.899: ISAKMP: life duration (basic) of 28800 Nov 25 12:11:51.899: ISAKMP: encryption 3DES-CBC Nov 25 12:11:51.899: ISAKMP: auth pre-share Nov 25 12:11:51.899: ISAKMP: hash SHA Nov 25 12:11:51.899: I

OT: wireless PTP

David Burgess — 2008-11-25T07:04:52

Definitely off topic here, and I know it's been discussed on the list in the past, but darn it, I know some of the smartest wi-fi folks in the world hang out here, and my internet searches keep coming up dry :) I need to set up a point-to-point wireless link, and just wondering the best way to go. Labour is not an issue, but price of parts should be

WLan card not supported with m0n0wall on Soekris?

Holger Rodriguez — 2008-11-24T20:13:46

Hi, I have a net45xx board, I switched from OpenBSD to m0n0wall, which runs perfect. Besides the fact, that the installed WLAN card does not work. I bought it here: https://kd85.com/soekris.html the model is: 802.11ABG RAL miniPCI card ral0 at pci0 dev 14 function 0 "Ralink RT2561S" rev 0x00: irq 11, address 00:10:60:00:00:68 ral0: MAC/BBP RT2561C, RF RT5225 (this is the OpenBSD output). I do not blame Vim at all, I planned to stick to OpenBSD, but time changes. When I fire up the web GUI, I get Status: Wireless No supported wireless interfaces were found for status display (only cards that use the wi[n] driver are supported). Is there any chance to get this device up and running? Thanks for your help. Holger

PCI wireless AP?

JP Vossen — 2008-11-19T20:31:47

I am building a generic-pc-1.3b15.img M0n0wall on an old PII whitebox. In the interest of one less gadget/wires/power-supply, I was thinking about adding a PCI wireless card and using the M0n0wall stuff. The Froogle links (awesome idea) aren't always clear if the device is a PC Card or PCI, or what. For the couple that I'm pretty sure are PCI (e.g., Netgear MA311), they are a) only 11Mb and b) > $50. So this may not be as fast and as cost effective as I'd hoped. 1) Is http://doc.m0n0.ch/handbook/hardware-wireless.html current and correct for v1.3 (I know, still in beta, but...)? 2) Is this, circa 2004, still true? http://doc.m0n0.ch/handbook/faq-ap.html 3) Is this actually a Good Idea, or should I just get a cheap stand-alone AP and be done with it? (In that case, recommendations for that?) Thanks, JP ----------------------------|:::======|------------------------------- JP Vossen, CISSP |:::======| jp{at}jpsdomain{dot}org My Account, My Opinions |=========| http:

SSH NAT/PAT woes

Thomas Sprinzing — 2008-11-18T19:56:17

Hi there: how do i set up the following scenario: linux server behind m0n0, ADSL connection w/ dynamic external ip. I have to set up external ssh access: NAT + PAT incoming from any:any to port 12322 on m0n0 ---> 192.168.1.1:22 NAT incoming from one fixed address:any ----> 192.168.1.1:22 Is that possible? (last one, yes, but together with first?) I have trouble with the first one. In testing, i accidentally opened : 22 to any ip, which i absolutely dislike, because port 22 gets brute- forcedfrom .ru and .cn constantly. Also, i tried to change the _firewall_ rule to pass any:any to WAN:11122, but to no avail. Thanks for your insight Thomas

Inject routes in m0n0

Dennis Wallberg — 2008-11-18T19:21:31

Hi, I have a problem regarding routing and PPTP tunneling. I use m0n0 at home as my firewall / NAT / GW and it works great, however when working from home I need to connect to the office PPTP VPN this is where Im having some problems. When connecting to the office VPN with my desktop or laptop I can of course use this computer to do work related stuff. Recently I started to connect and set up the PPTP tunnel from my home server (also behind m0n0wall) by doing this I can reach the office lan from any computer on my LAN (laptop, desktop etc) which is really much better for me. By doing this I do need to specify all the routes (static) on all computers to point to the home server running the PPTP tunnel and appropriate iptables rules. This is the bad part of my setup as I do not want to have static routes on all the computers on the LAN or enter them (manually) in m0n0. What I want is to have these office / work related prefixes set up dynamically when starting the tunnel and of course removed whe

FW: lan firewall rules

Nuno Meireles — 2008-11-14T09:20:20

Nuno Meireles (nuno.meireles< at >cm-penela.pt) Tecnico de Informática _____________________________________ Município de Penela Praça do Município 3230-253 Penela (T) 239 560 120 (F) 239 569 400 (W) http://www.cm-penela.pt -----Mensagem original----- De: Nuno Meireles [mailto:nuno.meireles< at >cm-penela.pt] Enviada: sexta-feira, 14 de Novembro de 2008 9:20 Para: 'Tim Nelson' Assunto: RE: [m0n0wall] lan firewall rules Thanks for the help, the soluction it´s so easy and i dont see....when i block all traffic from lan subnet lost the internet connection. Nuno Meireles -----Mensagem original----- De: Tim Nelson [mailto:tnelson< at >rockbochs.com] Enviada: quinta-feira, 13 de Novembro de 2008 19:12 Para: Monowall User List Assunto: Re: [m0n0wall] lan firewall rules You haven't actually said what type of problem you're having... however looking at your rules... I'd say there are a few changes you need to make. 1. Your port assignments should be in the "Destination" fields, not the "Source" fields. 2. You

IPsec problems with 1.3b15

Andreas Grote — 2008-11-13T23:59:46

Hi list, I'm experiencing some troubles with a site-to-site IPsec connection using m0n0 on my side and a CISCO unit on the end side. After some time, a couple of ours, the connection gets broken and I have to disable/enable IPsec to get it running again. I have recently upgraded from 1.23b1 to 1.3b15 and that's when this problem occurred. I've made an upgrade once before to 1.3b5 but that one I had to downgrade to 1.23b1 again due to the same problems I'm having now. I've marked the "Allow fragmented IPsec packets" check box and I'm using main, 3DES and SHA1. It's not so easy to find something in the log as you don't really know when the error occurs. Anyone having any ideas what to look for? Chears Andy

Performance difference between 1.235 and 1.3b15

Neil A. Hillard — 2008-11-13T23:48:18

Hi, Since I got my configuration working on 1.3b15 (by disabling device polling) I've noticed a big difference in Internet performance. Even things like going to my router's admin page was very slow and there was a big delay before it even displayed the password prompt! This evening I managed to get wireshark out and see exactly what was going on. It turns out that my PC is spending most of its time waiting for a response, not getting it and then doing a retransmit! Things work eventually but very slowly. My configuration is: Compaq EN SFF 350MHz 128Mb RAM 64Mb CF Card On board Intel 82558 Ethernet adapter 2 off 3com 3c905C Ethernet adapters The onboard Intel is running a vlan trunk to my switch with VLAN IDs 1 - 6 which correspond to vlan0 - vlan5. VLAN ID 1 (vlan0) is LAN. The two 3c905Cs are WAN and OPT1 and are bridged, with filtering bridge enabled. I'm running the same configuration that I was running on 1.22 on 1.3b15. Additionally I'd configured an ipsec tunnel. I've now disabled it to ch

lan firewall rules

Nuno Meireles — 2008-11-13T19:03:57

I setup today a monowall box, but have some with the firewall rules. I need to allow traffic from lan->Wan : http ftp pop smtp and block everthing else. This is my setup Pro Soruce Port Dest Port TCP * 53 (DNS) * * TCP LAN net 80 (HTTP) * * TCP * 110 (POP3) * * TCP/UDP * 25 (SMTP) * * TCP/UDP * 443 (HTTPS) * * TCP/UDP * 21 (FTP) * * TCP LAN net * * * Can you help??? Nuno Meireles

AICCU/Firewall on Beta 1.3b15

Andreas Wisskirchen DG1KWA — 2008-11-12T20:15:11

Hello, I has configure a IP v6 with AICCU on my m0n0wall. The tunnel will be come up, but I can't ping my local IP v6-address. In the log auf m0n0wall I found this entry's: 21:05:00.728443 tun0 2a01:198:200:269::1 2a01:198:200:269::2 ICMPV6 21:04:47.571366 tun0 2a01:198:200:269::1 2a01:198:200:269::2 ICMPV6 21:04:34.376427 tun0 2a01:198:200:269::1 2a01:198:200:269::2 ICMPV6

m0n0wall as persistent VPN end-point?

Michael Graves — 2008-11-10T19:44:44

Hi All, I've used m0n0 for a long time in my home office. I work from home connecting to my employers MS PPTP VPN on an as needed basis. Essentially, I have a PC or two that have VPN logins to the head office for access to Exchange or corp file servers. My router (m0n0wall on Net4801) does not itself have a connection to the head office. I also have a substancial VoIP setup so managed QoS/traffic shaping is a must. My employer approached me about providing me with a router that was a VPN end point. They think that this might get around issues we have with DNS failure through the VPN. That has typically required hosts file entries for servers inside the corp firewall, even thought we are connected to the VPN. This brings up a couple of questions: 1. Is there a DNS configuration that would allow m0n0wall to reference the corp DNS server for systems within our local LAN/WAN? 2. Could m0n0wall be that persistent VPN connection? 3. Would it be harder or easier using IPSEC vs PPTP? Thanks, Michael -- Mich

tech support please

Marsh, Richard — 2008-11-10T10:57:23

Hi all, I hope I have sent this to the correct address. I have a m0n0wall setup with a 80.252.126.10 WAN address /26......I have added in the ip 80.252.126.11 in the server NAT tab, assuming that I could NAT port 3389 on 80.252.126.10 à 192.168.171.1 an port 3389 on 80.252.126.11 à 192.168.171.2.... The rules are in the NAT table and I notice that the RDP to the second IP is listed in the NAT ip table column along with the source.....but I cannot RDp to either of the servers.... I have also added rules in, with a * source to the specific internal ips of the servers....but nothing... What am I doing wrong, I thought this would be easy. Thanks Richard Marsh COMPUTING INFORMATION SYSTEMS LIMITED Gainfield House, Gainfield Faringdon Oxfordshire SN7 8QQ Tel: 01367 870 555 Mob: 07970 097 446 DDI: 01367 700 551 The information contained in this e-mail is confidential and is intended only for the addressee. If you have received this e-mail in error plea

Passing TFTP through Monowall

2008-11-08T00:17:51

Is there any way to pass TFTP traffic through monowall? I know on an IPCop box you have to specify for it to load the conntrack modules to do so. I use a VOIP adapter and also manage several remote networks that I load configs via TFTP. I like monowall but can't use it in an everyday setting without being able to use TFTP. Thanks. Morgan McNeely

multiple ip's on WAN via DHCP (offtopic)

Michel Servaes — 2008-11-07T19:39:43

Hi, I don't know if this has already been addressed, or even if it would be possible or not... I get 4 ip's of my ISP provider, but they are provided through DHCP. Would anything (monowall/pfsense) accept 4 times a DHCP offer (by either simulating, or using VLAN's on the WAN side ?) Or can monowall accept multiple WAN cards ?? (in that, I could add another 3 nic's for WAN) - if one of these solutions seems feasible, how about using a DynDns on all 4 WAN ip's ?? I guess the answer shall be "no, no and no" - but I've been sitting on this question, and can't find a real answer... mind you, there isn't a commercial product either that would allow me to this - tried the Linksys RV082 lately, and only the 1st WAN port could be connected to DHCP, the other port had to be static or PPPoE (in which my cable don't quite accept :-) ) kind regards, Michel

Problems accessing a Firewall

Jessica Aguilar — 2008-11-07T18:55:05

Hello All, I am having some problems with one of my devices. Model is 5501 ver 1.233 1.- Lost ablity to ping and to access via web the device. User are able to go out no problem. * I went to this location and login from inside no problem. I disable the captive portal . Still unable to access remotely. * I open the firewall rule to any any . No go. * I setup my computer with static ip that belogs to monowall . I was able to ping it. * I am able to ping the public ip from internal * I even replace the hardware still doing the same thing. * I upgrade the firmware to 1.235 still doing same thing. * I tried to enable https to access the firewall - still nogo * Unable to access any device from outside using port forwarding. * The only port that I can do is 161 - SNMP. NO port 80 or 443 or icmp. Firewall rules is setup as pass any any and also specific. Each port. Any other ideas ? Thanks Jessica A

AW: DHCP bug ?

Jähne, Marcel — 2008-11-07T15:00:26

Don`t lay static IPs in defiend DHCP-Ranges ! Make a Range for DHCP e.g. 192.168.1.20 - 192.168.1.254, than define the static IPs in the Range 192.168.1.1 - 192.168.1.19. Best regards Marcel Mit freundlichen Grüßen / Best Regards Marcel Jähne Systemadministrator PRIMERA AG IT Harkortstraße 24 48163 Münster Germany Phone: +49 251 7135-341 Fax: +49 251 7135-332 Mail: marcel.jaehne< at >primera-ag.de www.primera-ag.de PRIMERA AG, Harkortstraße 24, D-48163 Münster HRB 725, Amtsgericht Münster, Sitz der Gesellschaft: Münster Vorstand: Enrico Tomassini (Sprecher), Michael Krauledat, Jochen Halfmann Aufsichtsratsvorsitzender: Markus Schürholz -----Ursprüngliche Nachricht----- Von: S S [mailto:n3tr1n0< at >hotmail.com] Gesendet: Freitag, 7. November 2008 15:52 An: m0n0wall< at >lists.m0n0.ch Betreff: [m0n0wall] DHCP bug ? Hello all, I have a problem with my monowall (1.3b15). I am using the default parameters for the DHCP Server and i am specifing some MAC addresses for the clients. The problem starts wh

DHCP bug ?

S S — 2008-11-07T14:51:49

Hello all, I have a problem with my monowall (1.3b15). I am using the default parameters for the DHCP Server and i am specifing some MAC addresses for the clients. The problem starts when i try to specify a static ip for each client ex 192.168.1.10. I get this warning: Static IP addresses may not lie within the dynamic client range. My range is from 192.168.1.2 to 192.168.1.254 as I am using 192/168.1.0/24 network. Is that a known bug? How can resolve it and specify static ips ?? Cheers, Stavros _________________________________________________________________ See the most popular videos on the web http://clk.atdmt.com/GBL/go/115454061/direct/01/

more than one public IP on m0n0-wall

Sebastian Lemke — 2008-11-07T12:24:24

Hi there, I have an Internet-Public IP Range (Network aaa.bbb.ccc.216 / Subnet 255.255.255.248 / Gateway aaa.bbb.ccc.217). I can configure m0n0-wall to take one of these IPs (aaa.bbb.ccc.218) on the WAN-Side and start surfing; everything works. Now I would like to assign the other free addresses also to m0n0-wall. The reason is for port-mapping to multiple servers in the background. e.g: aaa.bbb.ccc.218 : 80 -> 192.168.1.1 : 80 aaa.bbb.ccc.218 : 110 -> 192.168.1.2 : 110 aaa.bbb.ccc.218 : 25 -> 192.168.1.3 : 25 aaa.bbb.ccc.219 : 21 -> 192.168.1.1: 21 < here is actually the problem. Any ideas how to mange this ? Recompiling and/or doing via command line would also be ok Regards, Sebastian Alenconer Straße 30 // 49610 Quakenbrück Tel.: 05431-902555 // Fax: 05431-902556 http://www.infoworxx.de // s.lemke< at >infoworxx.de Softwareentwicklung - Datenbankapplikationen Netzwerksupport - POI/POS-Systeme - infoworxx(r) Providing & Servic

DHCP problem

S S — 2008-11-07T12:26:12

_________________________________________________________________ See the most popular videos on the web http://clk.atdmt.com/GBL/go/115454061/direct/01/

gmane.comp.security.firewalls.m0n0wall