m0n0wall Chinese Handbook

Authors: Chris Buechler, Manuel Kasper
Translation: Ben Zeng

m0n0wall was written by Manuel Kasper. Most of this documentation was written by Chris Buechler. Other contributors are listed in the contributors list.

m0n0wall version 1.2

Copyright 2005 m0n0wall Documentation Project. All rights reserved.

Redistribution in any form and for any purpose, with or without modification, is permitted provided that the following conditions are met: any redistribution must retain the above copyright notice, this list of conditions and the following disclaimer unmodified. Without prior written permission, products derived from this document may not use the name "m0n0wall Documentation Project" or the names of its contributors.

This document is provided by the m0n0wall Documentation Project and its contributors "as is", and any express or implied warranties, including but not limited to the implied warranties of merchantability and fitness for a particular purpose, are expressly disclaimed. In no event shall the m0n0wall Documentation Project or its contributors be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including but not limited to procurement of substitute goods or services; loss of use, data or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability or tort (including negligence or otherwise), arising in any way out of the use of this document.



September 2005

Contents:

(p. 11)
1.1 M0N0WALL (p. 11)
1.2 M0N0WALL (p. 12)
1.3 (p. 12)
1.4 (p. 13)
1.4.1 (p. 15)
1.4.2 (p. 15)
1.5 () (p. 15)
1.5.1 (p. 16)
1.6 (p. 17)
1.6.1 (p. 17)
1.6.2 (p. 18)
(p. 19)
2.1 (p. 19)
2.2 PC (p. 20)
2.2.1 (p. 20)
2.2.2 BIOS (p. 20)
2.2.3 (p. 21)
2.3 (p. 22)
2.3.1 Soekris Engineering (p. 22)
2.3.2 PC Engines WRAP (p. 22)
2.3.3 Nokia IPxxx boxes (p. 22)
2.3.4 NexCom NexGate Appliances (p. 23)
2.4 (p. 24)
2.5 (p. 24)
2.5.1 (p. 24)
2.5.1.1 Soekris 45xx (p. 25)
2.5.1.2 Soekris 48xx (p. 25)
2.5.1.3 WRAP (p. 25)
2.5.2 (p. 26)
2.5.3 CPU (p. 26)
2.5.4 (p. 27)
2.5.5 (p. 27)
2.5.6 (p. 27)
2.6 (p. 28)
2.6.1 (p. 28)
2.6.2 (p. 28)
2.6.3 / (p. 29)
2.7 (p. 30)
2.7.1 (p. 31)
2.7.2 ISA (p. 31)
(p. 32)
3.1 (p. 32)
3.2 (p. 32)
3.3 (p. 33)
3.3.1 CD (p. 33)
3.3.2 CF IDE (p. 34)
3.3.3 (p. 36)
(p. 37)
4.1 (p. 37)
4.2 WEB GUI (p. 38)
4.3 (p. 38)
4.3.1 (p. 38)
4.3.2 (p. 40)
4.3.3 (p. 41)
4.3.4 (p. 42)
4.4 (p. 42)
4.4.2 LAN (p. 44)
4.4.3 WAN (p. 45)
4.4.4 (p. 48)
4.4.5 (p. 49)
4.5 (p. 49)
4.5.1 DNS (p. 49)
4.5.2 (p. 51)
4.5.3 DHCP (p. 53)
4.5.3.1 DHCP (p. 57)
4.5.4 SNMP (p. 58)
4.5.5 ARP (p. 59)
4.5.6 Captive Portal (p. 61)
4.5.7 LAN (p. 64)
4.6 VPN (p. 65)
4.6.1 IPsec (p. 66)
4.6.2 PPTP (p. 66)
4.6.3 PPTP (p. 66)
4.7 (p. 67)
4.7.1 (p. 67)
4.7.2 (p. 68)
4.7.3 (p. 68)
4.7.4 (p. 69)
4.8 (p. 70)
4.8.1 (p. 70)
4.8.2 DHCP (p. 70)
4.8.3 IPsec (p. 71)
4.8.4 SIP (p. 72)
4.8.5 ping/traceroute (p. 72)
4.8.6 (p. 73)
4.8.7 (p. 74)
4.8.8 (p. 75)
4.8.9 (p. 75)
(p. 76)
5.1 (p. 76)
5.1.1 Action (p. 76)
5.1.2 (p. 77)
5.1.3 (p. 77)
5.1.4 (p. 77)
5.1.5 ICMP (p. 77)
5.1.6 (source) (p. 78)
5.1.7 (p. 78)
5.1.8 Destination (p. 78)
5.1.9 (p. 79)
5.1.10 (p. 79)
5.1.11 (p. 79)
5.1.12 (p. 80)
5.2 NAT (p. 82)
5.2.1 (p. 83)
5.2.2 (p. 83)
5.2.3 (p. 83)
5.2.4 (p. 84)
5.2.5 NAT IP (p. 84)
5.2.6 (p. 84)
5.2.7 (p. 84)
5.2.8 NAT (p. 84)
5.2.9 (p. 85)
5.3 NAT (p. 85)
5.3.1 NAT (p. 85)
5.3.2 NAT (p. 86)
5.3.3 ARP (p. 86)
5.4 1:1 NAT (p. 87)
5.4.1 1:1 NAT (p. 88)
5.4.1.1 (p. 88)
5.4.1.2 (p. 88)
5.4.1.3 (p. 89)
5.4.1.4 (p. 89)
5.5 NAT (p. 89)
5.5.1 NAT (p. 91)
5.6 (p. 91)
5.6.1 (p. 92)
5.6.2 (p. 93)
5.6.3 (p. 95)
5.6.4 (p. 97)
5.7 (p. 97)
5.7.1 (p. 98)
5.7.1.1 (p. 99)
5.7.1.2 (p. 99)
5.7.1.3 (p. 99)
5.7.1.4 (p. 99)
5.7.2 (p. 99)
NAT () (p. 100)
NAT (p. 101)
() (p. 103)
IPSEC (p. 105)
8.1 IPSEC (p. 106)
8.2 IPSEC 1 2 (p. 107)
8.3 IKE KEY (p. 108)
8.4 (p. 110)
8.5 HASH (p. 110)
8.6 (p. 110)
8.7 (p. 111)
8.8 (p. 113)
8.9 DIFFIE-HELLMAN GROUPS (p. 113)
8.9 IKE (MAIN MODE) (p. 115)
8.10 IKE AGGRESSIVE MODE (p. 115)
8.11 IKE (p. 115)
8.12 PFS PERFECT FORWARD SECRECY (p. 120)
8.13 IPSEC OVER NAT-T (p. 120)
8.13.1 NAT-T (p. 121)
8.14 IPSEC (p. 125)
8.15 IPSEC VPN (p. 126)
PPTP (p. 132)
9.1 (p. 132)
9.2 (p. 132)
9.3 (p. 133)
9.4 VLAN (p. 133)
9.5 PPTP (p. 134)
9.6 PPTP (p. 136)
9.7 PPTP (p. 137)
9.7.1 PPTP (p. 139)
9.8 WINDOWS XP PPTP (p. 140)
9.9 PPTP (p. 146)
OPENVPN (p. 147)
(p. 147)
CAPTIVE PORTAL (p. 147)
(p. 147)
(p. 148)
14.1 DMZ NAT (p. 148)
14.1.1 (p. 149)
14.1.2 (p. 149)
14.1.3 (p. 150)
14.1.4 DMZ (p. 150)
14.1.5 DMZ LAN (p. 153)
14.1.6 NAT (p. 154)
14.1.6.1 1:1 NAT (p. 154)
14.1.6.2 1:1 NAT (p. 155)
14.1.6.3 NAT (p. 155)
14.2 DMZ (p. 157)
14.3 (p. 158)
14.3.1 (p. 159)
14.3.2 WAN (p. 159)
14.3.3 OPT (p. 159)
14.3.4 (p. 160)
14.3.5 (p. 160)
14.3.5.1 OPT (p. 160)
14.3.5.2 WAN (p. 161)
14.3.5.3 LAN (p. 161)
14.3.5.4 (p. 161)
14.3.6 (p. 162)
SITE TO SITE VPN (p. 162)
15.1 CISCO PIX FIREWALL (p. 162)
15.1.1 PIX (p. 163)
15.1.2 m0n0wall (p. 167)
15.2 SMOOTHWALL (p. 169)
15.3 FREES/WAN (OPENSWAN) (p. 169)
15.4 SONICWALL (p. 169)
15.5 NORTEL (p. 169)
(FAQ) (p. 170)

    1.1 m0n0wall

    m0n0wall

    PC

    m0n0wall bare-bones version of FreeBSD WEB PHP

    XML

    m0n0wall PHP UNIX shell

    XML

1.2 m0n0wall

    m0n0

    m0n0wall 3 4

    m0n0wall CPU

    m0n0wall CPU

    CF(Compact Flash),()

    m0n0wall

    /(IDS)

    WEB

    FTP

    m0n0 (login):

telnet ssh (daemon)

    1.3

    Manuel Kasper, m0n0wall

    PC web

WEB Linux

    WEB webmin ----

    LAN IP WEB

    SHELL SHELL

    C PHP WEB

    PHP

    SHELL ----

    XML

m0n0wall beta 2003-02-15, 1.0 2004-02-15, 26 beta

    m0n0wall Change Log

    1.4

m0n0wall

    WEB SSL

    LAN IP

access point with PRISM-II/2.5/3 cards, BSS/IBSS with other cards including Cisco

    captive portal

    802.1Q VLAN

    block/pass

    NAT/PAT ( 1:1)

    WAN DHCP PPPoEPPTP Telstra BigPond Cable

    IPsec VPN IKE;

    PPTP VPN RADIUS

    DHCP

    DNS

    DNS RFC 2136 DNS

    SNMP

    SVG

    WEB

LAN

    /

    /

    1.4.1

    m0n0wall

FreeBSD components (kernel, user programs)
ipfilter
PHP (CGI version)
thttpd
MPD
ISC DHCP server
ez-ipupdate (for DynDNS updates)
Dnsmasq (for the caching DNS forwarder)
Racoon (for IPsec IKE)

    1.4.2

    m0n0wall 6M CFCD-ROM

net4501 NAT m0n0wall 17 Mbps WAN LAN TCP net4801 WRAP 50 Mbps PC > 100 Mbps

    net4501 , m0n0wall 40

    POST ( BIOS

    1.5 ()

    m0n0wall is Copyright 2002-2004 by Manuel Kasper. All rights reserved.


    1.5.1

    m0n0wall m0n0wall

FreeBSD (http://www.freebsd.org) Copyright 1994-2003 FreeBSD, Inc. All rights reserved.

This product includes PHP, freely available from http://www.php.net. Copyright 1999-2003 The PHP Group. All rights reserved.

mini_httpd (http://www.acme.com/software/mini_httpd) Copyright 1999, 2000 by Jef Poskanzer. All rights reserved.

ISC DHCP server (http://www.isc.org/products/DHCP) Copyright 1996-2003 Internet Software Consortium. All rights reserved.

ipfilter (http://www.ipfilter.org) Copyright 1993-2002 by Darren Reed.

MPD - Multi-link PPP daemon for FreeBSD (http://www.dellroad.org/mpd) Copyright 1995-1999 Whistle Communications, Inc. All rights reserved.

ez-ipupdate (http://www.gusnet.cx/proj/ez-ipupdate) Copyright 1998-2001 Angus Mackay. All rights reserved.

Circular log support for FreeBSD syslogd (http://software.wwwi.com/syslogd) Copyright 2001 Jeff Wheelhouse ([email protected])

Dnsmasq - a DNS forwarder for NAT firewalls (http://www.thekelleys.org.uk) Copyright 2000-2003 Simon Kelley

Racoon (http://www.kame.net/racoon) Copyright 1995-2002 WIDE Project. All rights reserved.

before version pb23: watchdogd (watchdog) Copyright 2002-2003 Dirk-Willem van Gulik. All rights reserved. This product includes software developed by the Stichting Wireless Leiden (http://www.wirelessleiden.nl). See LICENSE for more licensing information.

msntp (http://www.hpcf.cam.ac.uk/export) Copyright 1996, 1997, 2000 N.M. Maclaren, University of Cambridge. All rights reserved.

UCD-SNMP (http://www.ece.ucdavis.edu/ucd-snmp) Copyright 1989, 1991, 1992 by Carnegie Mellon University. Copyright 1996, 1998-2000 The Regents of the University of California. All rights reserved. Copyright 2001-2002, Network Associates Technology, Inc. All rights reserved. Portions of this code are copyright 2001-2002, Cambridge Broadband Ltd. All rights reserved.

choparp (http://choparp.sourceforge.net) Copyright 1997 Takamichi Tateoka ([email protected]) Copyright 2002 Thomas Quinot ([email protected])

    1.6

    1.6.1

    m0n0wall Manuel Kasper

    m0n0wall :

    Bob Zoller (bob at kludgebox dot com): Diagnostics: Ping function; WLAN channel

    auto-select; DNS forwarder

  • Michael Mee (m0n0wall at mikemee dot com): Timezone and NTP client support

    Magne Andreassen (magne dot andreassen at bluezone dot no): Remote syslog'ing;

    some code bits for DHCP server on optional interfaces

    Rob Whyte (rob at g-labs dot com): Idea/code bits for encrypted webGUI passwords;

    minimalized SNMP agent

    Petr Verner (verner at ipps dot cz): Advanced outbound NAT: destination selection

    Bruce A. Mah (bmah at acm dot org): Filtering bridge patches

    Jim McBeath (monowall at j dot jimmc dot org): Filter rule patches (ordering, block/pass,

    disabled); better status page; webGUI assign network ports page

    Chris Olive (chris at technologEase dot com): enhanced "execute command" page

    Pauline Middelink (middelink at polyware dot nl): DHCP client: send hostname patch

    Björn Pålsson (bjorn at networksab dot com): DHCP lease list page

    Peter Allgeyer (allgeyer at web dot de): "reject" type filter rules

    Thierry Lechat (dev at lechat dot org): SVG-based traffic grapher

    Steven Honson (steven at honson dot org): per-user IP address assignments for PPTP

    VPN

    Kurt Inge Smådal (kurt at emsp dot no): NAT on optional interfaces

    Dinesh Nair (dinesh at alphaque dot com): captive portal: pass-through MAC/IP

    addresses, RADIUS authentication HTTP server concurrency limit

    Justin Ellison (justin at techadvise dot com): traffic shaper TOS matching; magic shaper;

    DHCP deny unknown clients; IPsec user FQDNs

    Fred Wright (fw at well dot com): ipfilter window scaling fix; ipnat ICMP checksum

    adjustment fix

    1.6.2

    m0n0wall Manuel Kasper

    m0n0wall :

  • Chris Buechler (m0n0wall at chrisbuechler.com): Editor, numerous contributions

    throughout.

    Jim McBeath (monowall at j dot jimmc dot org): Users Guide outline, editing

    Rudi van Drunen (r.van.drunen at xs4all dot nl) with thanks to Manuel Kasper, Edwin

    Kremer, PicoBSD, Matt Simerson and John Voight: m0n0wall Hackers Guide, used as the

    basis for the Development chapter.

    Francisco Artes (falcor at netassassin.com): IPsec and PPTP chapters.

    Fred Wright (fw at well dot com): Suggestions and review.

    Axel Eble (axel+m0n0-0001 at balrog dot de): Help with the wiki, ddclient howto

    contribution.

    Brian Zushi (brian at ricerage dot org): Linux CD burning instructions, documentation

    review and suggestions.

    Dino Bijedic (dino.bijedic at eracom-tech dot com): Sonicwall example VPN contribution.

    2.1

    m0n0wall X86 PC

    X86 PC

    X86 MIPSLinksysARMD-Link


  • FreeBSD MIPS ARM FreeBSD

    http://www.freebsd.org/platforms/index.htmlMIPS

    m0n0wallX86

    2.2 PC

    m0n0wall X86 PC

    2.2.1

    486 CPU 486 CPU m0n0wall CPU

    486 (Pentium )CPU

    64M 64M RAM m0n0wall CD 32MB

    m0n0wall CF(Compact Flash) 64MB

    m0n0wall RAM (swap

    space)

    2.2.2 BIOS

    BIOS m0n0wall

    Plug and Play OS

    BIOS Plug and Play OSNO

    Disable BIOS BIOS

    FreeBSD( m0n0wall)

    http://www.freebsd.org/platforms/index.html

  • BIOS

    2.2.3

    m0n0wall CF(compact Flash) CD

    CompactFlash

    8M Compact Flash

    IDE SCSI FreeBSD

    CD/

    IDE SCSI CD-ROM/DVD m0n0wall 1.44MB

    MS-DOS/FAT

    PC CD-ROM

    Zip Drive setup

    1.2b3 m0n0wall Zip Drive

    Zip Drive

  • 2.3

    m0n0wall

    2.3.1. Soekris Engineering

    Soekris m0n0wall net4501 45xx net45xx

    net4801 net48xx

    net4501-30: 133 Mhz CPU, 64 Mbyte SDRAM, 3 Ethernet, 2 Serial, CF socket, 1 Mini-PCI socket,

    3.3V PCI connector.

    net4511-30: 100 Mhz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket,

    Single PC-Card socket, PoE

    net4521-30: 133 Mhz CPU, 64 Mbyte SDRAM, 2 Ethernet, 1 Serial, CF socket, 1 Mini-PCI socket,

    Dual PC-Card socket, PoE

    net4526-20: 100 Mhz CPU, 32 Mbyte SDRAM, 1 Ethernet, 1 Serial, 16 Mbyte CF Flash, 2 Mini-PCI

    sockets, PoE.

    net4526-30: 133 Mhz CPU, 64 Mbyte SDRAM, 1 Ethernet, 1 Serial, 64 Mbyte CF Flash, 2 Mini-PCI

    sockets, PoE.

    net4801-50: 266 Mhz CPU, 128 Mbyte SDRAM, 3 Ethernet, 2 serial, USB connector, CF socket, 44

    pins IDE connector, 1 Mini-PCI socket, 3.3V PCI connector.

    2.3.2. PC Engines WRAP

    Wireless Router Application Platform (WRAP)

    PC Engines WRAP m0n0wall WRAP

    2.3.3. Nokia IPxxx boxes

    Nokia IPxxx CheckPoint PC

  • m0n0wall

    eBay $100 IP110 IP120

    IP110,120 130

    10/100

    National GX 300Mhz CPU

    110 64MB RAM120 128MB130 256MB

    5GB

    auxiliary and console

    IP330,440,530,650,740

    m0n0wall PC

    m0n0wall

    HSS1,T-1CSU/DSU, V.35 X.21 OC-3 ATM, FDDI

    NokiaNICMACFF.FF.FF.FF.FF.FF

    http://chrisbuechler.com/m0n0wall/nokia/ip110.html

    2.3.4. NexCom NexGate Appliances

    NexCom Nexgate m0n0wall WRAP Soekris

    $500

    http://chrisbuechler.com/m0n0wall/nokia/ip110.html

  • 2.4

    m0n0wall VMware Workstation,GSX ESX

    Microsoft Virtual PC Virtual Server

    m0n0wall Chris Buechler 10-15 VMware

    m0n0wallChris Buechlerm0n0wall

    VMware http://chrisbuechler.com/index.php?id=18

    MS VPCVSm0n0wallChris Buechlerm0n0wall images for

    Microsoft Virtual PC and Virtual Server(http://chrisbuechler.com/index.php?id=31)

    Chris Notingham

    2.5

    m0n0wall

    2.5.1


  • 2.5.1.1. Soekris 45xx

    Soekris 45xx 10Mbps IPsec VPN 45xx

    3Mbps IPsec

    DMZ LAN 45xx

    17Mbps 17Mbps

    2.5.1.2. Soekris 48xx

    Soekris 48xx 30Mbps IPsec VPN 45xx

    ?? Mbps IPsec

    DMZ LAN 48xx

    40Mbps 40Mbps

    2.5.1.3. WRAP

    WRAP 30Mbps IPsec VPN 45xx

    ?? Mbps IPsec

    DMZ LAN WRAP

    40Mbps 40Mbps

  • 2.5.2

    :

    PC

    NICNIC CPU

    CPU NIC

    FreeBSD Intel Pro/100 (

    fxp) 3COM 3C905 ( xl) FreeBSD fxp0,fxp1

    xl0

    Intel Pro/100 Pro/1000 m0n0wall

    Realtek (FreeBSD rl)

    m0n0wall Intel ebay $30 USD 3-5

    ()

    6Mbps

    30-40Mbps LAN DMZ LAN

    2.5.3 CPU

    CPU CPU CPU

    Intel Pentium CPU

    30-40MbpsPentium III 100Mbps 1000

    2.8+GHz Pentium 4

    2.5.4

    m0n0wall 64M RAM

    64MB

    2.5.5

    m0n0wall CF 8MBm0n0wall RAM

    RAM

    CF

    CF

    2.5.6

    1000 PCI

    PCI

    PCI 133MBps 1064Mbps 1000

    PCI-X 1056MBps 8.25Gbps

    1000 PCI-X PCI-X

    NIC

  • 2.6

    m0n0wall FAQ

    http://doc.m0n0.ch/handbook-single/#FAQ.AP

    /

    2.6.1

    b, b/ga/b/gm0n0wallFreeBSD

    5.x 6.x m0n0wall BSD 4.11m0nowallFreeBSD

    http://doc.m0n0.ch/handbook-single/#

    2.6.2

    100%Chris

    Buechler (mailto:[email protected])

    (hostap)!()

    m0n0wall FreeBSDno hostap

    m0n0wall froogle.google.com


    3COM 3crwe737A AirConnect Wireless LAN PC Card
    Cisco Systems Aironet 340 - no hostap
    Cisco Systems Aironet 350 - no hostap
    Compaq WL100
    Compaq WL110
    D-Link DWL-520 - NOT DWL-520+ as it uses a different, unsupported, chipset.
    D-Link DWL-650 - Revisions A1-J3 ONLY. K1, L1, M, and P revisions not supported.
    Dell TrueMobile 1150 Series - no hostap
    Intel PRO/Wireless 2011 LAN PC Card
    Linksys Instant Wireless WPC11
    Netgear MA311
    Netgear MA401
    SMC 2632W PC Card
    SMC 2602W PCI
    US Robotics Wireless Card 2410
    NL-2511CD

    miniPCI

    2511MP Dell TrueMobile 1150 Series

    2.6.3 /

    hostap Google FreeBSD

    wi hostapwi

    hostap

    Accton airDirect WN3301
    Addtron AWA100
    Adtec ADLINK340APC
    Aironet 4500/4800 series (PCMCIA, PCI, and ISA adapters are all supported)
    Airway 802.11 Adapter
    Avaya Wireless PC Card
    BayStack 650 and 660
    Blue Concentric Circle CF Wireless LAN Model WL-379F
    BreezeNET PC-DS.11


    Buffalo WLI-CF-S11G
    Cabletron RoamAbout 802.11 DS
    Corega KK Wireless LAN PCC-11, PCCA-11, PCCB-11
    ELECOM Air@Hawk/LD-WL11/PCC
    ELSA AirLancer MC-11
    Farallon Skyline 11Mbps Wireless
    Farallon SkyLINE Wireless
    ICOM SL-1100
    Icom SL-200
    IBM High Rate Wireless LAN PC Card
    IO Data WN-B11/PCM
    Laneed Wireless card
    Lucent Technologies WaveLAN/IEEE 802.11 PCMCIA and ISA standard speed (2Mbps) and turbo speed (6Mbps) wireless network adapters and workalikes
    Lucent WaveLAN/IEEE 802.11
    Melco Airconnect WLI-PCM-S11, WLI-PCM-L11
    Melco WLI-PCM
    NCR WaveLAN/IEEE 802.11
    NEC Wireless Card CMZ-RT-WP
    NEC Aterm WL11C (PC-WL/11C)
    NEC PK-WL001
    NEL SSMagic
    Netwave AirSurfer Plus and AirSurfer Pro
    PLANEX GeoWave/GW-NS110
    Proxim Harmony, RangeLAN-DS
    Raytheon Raylink PC Card
    Sony PCWA-C100
    TDK LAK-CD011WL
    Toshiba Wireless LAN Card
    Webgear Aviator
    Webgear Aviator Pro
    Xircom Wireless Ethernet adapter (rebadged Aironet)
    ZoomAir 4000

    2.7

    m0n0wall NIC

    m0n0wall Realtek

    Intel

  • CPU CPU

    Intel Intel Pro/100

    eBay $25

    2.7.1

    1000

    Intel Pro/1000

    FreeBSD 411-RELEASE Hardware

    Notes(http://www.freebsd.org/releases/4.11R/hardware-i386.html#ETHERNET)

    2.7.2 ISA

    ISA

    PCI

    ISA PCI

    ISA

    PCI

    ISA ISA

    3COM ISA plug and playFreeBSD plug and play


  • 3COM ISA 3COM DOS

    DOS

    Plug and Play

    BIOS ISA IRQ

    ISA/PnP

    .

    3.1

    m0n0wall X86 PC Soekris Engineering net45xx/48xx

    PC Engines WRAP X86 PC

    m0n0wallPCgeneric-pcCF

    CD-ROM+m0n0wallFreeBSD4

    FreeBSDm0n0wallFreeBSD/i386

    Hardware Noteshttp://www.freebsd.org/releases/4.9R/hardware-i386.html

    m0n0wall 64M/

    m0n0wall swap

    3.2

    Soekris net45xx/48xx PC Engines Wireless


    Router Application Platform (WRAP) PC CF/HD

    PC CD-ROM(ISO) TAR (tarball)

    http://www.m0n0.ch/wall/downloads.php

    CD-R CF

    3.3

    m0n0wall CD CF /IDE

    CD CF

    3.3.1 CD

    CD-ROM PC m0n0wallm0n0wall

    CD PC

    HD CD m0n0wall

    ISO 3.2

    ISO CD-R(-RW)

    FreeBSD(ATAPI Recorder) burncd -s max -e data cdrom-xxx.iso fixate

    Linux(ATAPI w/ SCSI emulation)

    SCSI ID/LUN

    linuxbox# cdrecord --scanbus
    Cdrecord-Clone 2.01 (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
    Linux sg driver version: 3.1.25
    Using libscg version 'schily-0.8'.


    scsibus0:
            0,0,0     100) 'LITE-ON ' 'COMBO LTC-48161H' 'KH0F' Removable CD-ROM

    SCSI ID/LUN 0,0,0

    cdrecord --dev=0,0,0 --speed= cdrom-xxx.iso

    Windows Nero ISO

    (2048bytes/sector, Mode-1)

    1.44MB MS-DOS/FAT

    FreeBSD fdformat -f 1440 /dev/fd0 && newfs_msdos -L "m0n0wallcfg" -f 1440 /dev/fd0

    : (low-level)fdformat

    Windows

    format A:

    m0n0wall PC CD-ROM

    3.3.2 CF IDE

    m0n0wall CF Soekris

    IDE PC m0n0wall CF

    SWAP CF

    CF/IDE 3.2

    CF 5MBCF

    CF

    FreeBSD

    gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k

  • n=CF ( dmesg)net4801 net48xx-xxx.imgWRAP

    wrap-xxx.img PC generic-pc-xxx.img

    Trailing garbage -

    Linux gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k

    X=CF ( hdparm -I /dev/hdX )- USB

    SCSI /dev/sdX

    Trailing garbage -

    Windows physdiskwrite [-u] net45xx-xxx.img

    physdiskwrite 0.3 m0n0wall physdiskwrite

    (http://www.m0n0.ch/wall/physdiskwrite.php) 800M -u

    ()

    CF/HD physdiskwrite

    physdiskwrite v0.5 by Manuel Kasper
    Searching for physical drives...
    Information for \\.\PhysicalDrive0:
       Windows:       cyl: 14593
                      tpc: 255
                      spt: 63
       C/H/S:         16383/16/63
       Model:         ST3120026A
       Serial number: 3JT1V2FS
       Firmware rev.: 3.06

    CF physdiskwrite


  • 3.3.3

    m0n0wall

    (http://doc.m0n0.ch/handbook-single/#OtherDoc.Installation)

    3.4 m0n0wall

    m0n0wall

    m0n0wall

    m0n0wall

    m0n0wall CDCF CD

    FAT

    CDCF BIOS

    PC Soekris

    NULL-MODEM

    PC

    Soekris WRAP () BIOS 9600bps

    Soekris ConSpeed=9600

    webGUI m0n0wall


  • :

    Soekris net45xx BUG

    BIOS 1.15a

    m0n0wall

    m0n0wall LAN IP

    192.168.1.1 192.168.1.X DHCP

    m0n0wall LAN LAN

    192.168.1.1:80WEB m0n0wall webGUI

    m0n0wall

    webGUI webGUI

    webGUI

    4.1

    BIOS FreeBSD m0n0wall

    LANWAN OPTOPT

    DMZ Host Access Point LAN

    webGUI LAN IP LAN IP

  • webGUI

    4.2 WEB GUI

    m0n0wall m0n0wall LAN WEB

    80 m0n0wall WEB

    admin mono

    m0n0wall

    LAN

    m0n0wall webGUI

    m0n0wall

    4.3

    4.3.1

  • 4.1:

    4.1.

  • myfirewall

    IP

    Mydomain.com

    IP

    DNS DNS IP DNS

    webGUI admin

    webGUI

    m0nowall

    webGUI m0n0wall webGUI

    HTTPS webGUI HTTPS

    webGUI m0n0wall webGUI

    80

    Logging

    NTP Logging

    NTP NTP(Network Time Protocol)

    Logging

    4.3.2

  • CIDR (Classless Inter-Domain

    Routing, RFC 1517,RFC1518,RFC1519,RFC1520)

    4.3.2

    4.3.3

    4.3.3

  • 4.3.4

    []

    4.4

    4.4.1

    LANWAN

  • VLAN

  • 4.4.2 LAN

    LAN IP CIDR

  • 4.4.3 WAN

    WAN WAN IP DHCP

    PPPoE PPTP WAN

    IP IPsec VPN WAN WAN

    VPN IP VPN WAN

    WAN

    WAN IP

    DHCP WAN DHCP IP

    PPPoEPPP over Ethernet ADSL

    PPTP PPTP ADSL PPTP

    : MAC MTU

    WAN MAC

    xx:xx:xx:xx:xx:xx MAC

    TCP MSS 40TCPIP

    PPPoE MTU 1492 8 PPPoE

    4 1500

    IP WAN IP IP

    IP IP

    PPPoE WAN PPPoE ADSL

    ADSL

    ADSL

    PPTP WAN PPTP PPTP ADSL

    PPTP (ADSL)

    PPTP (ADSL)

    IP IP

    IP IP

    RFC1918 (10/8, 172.16/12,

    192.168/16 127/8)

    WAN

  • 4.4.4

    LAN DMZ

  • 4.4.5

    4.5

    4.5.1 DNS

    m0n0wall DNS

    DNS

    DNS LAN DNS

    DNS m0n0wall LAN IP DNS

  • DNSDHCP LANIP

    DNSDNS DNS

    DNS

    DHCPPPPDNSDNS DNS

    DNS WAN

    IP DNS

    DNS

    m0n0wallLANDHCPLAN

    DNSDHCPm0n0wall

    my-pc

    example.comm0n0wallIPmy-pc.example.com

    DNS

    (DNS )/IP

    www.yourcompany.com

    IP

    IP

    www.example.com 1.2.3.4

  • DNS (hosts)

    ( DNS )

    4.5.2

    IP DHCP

    ( ADSL) IP WEB

    m0n0wall ez-ipupdate(http://www.ez-ipupdate.com/)

    MX DNS ()

    (dyndns.org )

    MX

    ()

  • example.homeip.net

    example.homeip.net example.homeip.net www.

    example.homeip.net,mail example.homeip.net,

    WAN IP PING

    WAN IP :

  • 4.5.3 DHCP

    DHCP WAN

  • DHCP

    ( WAN ) xxx DHCP

    DHCP

    DHCP IP

  • DHCP IP(

    )

    MAC

    DHCP

    IP

    DHCP IP

    ( ID) m0n0wall

    WINS

    NT 4 windows 2000 (AD)

    WINS IP WINS

    DHCP

    DHCP 7200 (

    )

    604800

  • DHCP

    DHCP

    DHCP IP IP

    DHCP LAN

    MAC IP

    IP

    MAC MAC xx:xx:xx:xx:xx:xx Windows NT/2000/XP

    ipconfig MAC Windows 95/98/ME

    -> winipcfg Unix ifconfig

    IP IP IP

    IP IP IP IP

  • DNS ( DNS ) DHCP

    4.5.3.1 DHCP

  • 4.5.4 SNMP

    SNMP

    m0n0wall

    SNMP public

    SNMP

    (

    )

  • 4.5.5 ARP

    ARP IP IP ARP

    1:1NAT NAT NAT WAN

    PPPoe/PPTP WAN IP DHCP

    1:1 NAT NAT NAT IP ARP

    +

  • ARP

    ARP

    http://doc.m0n0.ch/handbook-single/#Proxy.ARP


  • 4.5.6 Captive Portal

  • Captive Portal HTTP

    internet HTTP

    Captive

    Captive Portal (Wi-Fi)

    Captive Portal

    Captive Portal

    HTTP(S)

    Captive portal Captive portal

    IP 4 16

  • Captive portal

    URL URL Captive portal URL

    MAC MAC

    MAC Captive Portal

    captive portal

    RADIUS

    Radius

  • HTTPS

    HTTPS

    HTML (POST

    to "$PORTAL_ACTION$") (name="accept")

    name="redirurl" and value="$PORTAL_REDIRURL$"

    "auth_user" and "auth_pass"

    HTML

    "$PORTAL_MESSAGE$" RADIUS

    4.5.7 LAN

    Magic Packets Wake

    On Lan WOL BIOS

    VPN

    LAN Router/VPN

  • wake up

    MAC

    MAC

    4.6 VPN

  • 4.6.1 IPsec

    4.6.2 PPTP

    4.6.3 PPTP

  • 4.7

    4.7.1

  • 4.7.2

    4.7.3

    4.4:

  • 1.1

    Adobe SVG Viewer

    4.7.4

  • 4.8

    4.8.1

    4.8.2 DHCP

    DHCP

  • DHCP :

    4.8.3 IPsec

    IPsec SAD SPD

    SADSecurity Association Database

    SADSAs IPsec

    SA

    SPDSecurity Policy Database

    SPD IPsec IPsec VPN

    SPD IPsec IPsec VPN

    IP

  • 4.8.4 SIP

    4.8.5 ping/traceroute

    GUI ping/traceroute IP PING

    ping/traceroute

  • PINGVPNPINGSNMP

    VPN FAQ

    http://doc.m0n0.ch/handbook-single/#FAQ.SNMPoverVPN

    PINGVPN

    4.8.6

    NAT

    NAT/Firewall

    NAT

    IP PPTP IPv6


  • 4.8.7

    config.xml

  • 4.8.8

    m0n0wall

    4.8.9

  • .

    5.1

    LANWANOPT1OPT2

    WANIPWAN

    ->WAN

    BLOCK

    5.1.1 Action

    IP

    Pass IP

    Block IP

  • RejectIPIPTCP RST ICMP

    TCPUDP ( "TCP/UDP")Reject

    5.1.2

    5.1.3

    IP

    5.1.4

    TCP UDP TCP/UDP ICMP ESP AH GRE IPv6 IGMP

    Any()

    5.1.5 ICMP

    ICMP ICMP

    Destination unreachable Echo Echo reply Source quench Redirect Time exceeded Parameter problem

  • Timestamp Timestamp reply Information request Information reply Address mask request Address mask reply

    5.1.6 (source)

    IP

    WAN

    LAN

    PPTP

    OPTn ()

    5.1.7

    (

    "any") ''

    5.1.8 Destination

    IP

  • WAN

    LAN

    PPTP

    OPTn ()

    5.1.9

    (

    "any") ''

    5.1.10

    DoS

    5.1.11

    IP

    syslog ( )


  • 5.1.12

  • 5.2 NAT

    NAT IP LAN OPT

    +

  • 5.2.1

    WAN Internet OPT

    VLAN

    OPT DMZ DMZ LAN

    LAN DNS UDP Port 53

    LAN DNS IP NAT DMZ IP DNS IP

    NAT IP DMZ LAN

    DNS

    5.2.2

    NAT WAN OPT IP WAN OPT

    IP IP NAT

    5.2.3

    TCPUDP TCP/UDP

  • 5.2.4

    ''

    5.2.5 NAT IP

    IPLANIP 192.168.1.12

    5.2.6

    IP

    5.2.7

    /

    5.2.8 NAT

  • 5.2.9

    NATNAT

    internet

    ->

    5.3 NAT

    NAT IP NAT

    5.3.1 NAT

    ->NAT-> NAT, +

  • 5.3.2 NAT

    NAT+

    NAT IP

    5.3.3 ARP

    WAN NAT ARP

    ARP

    WAN IP ISP

    WAN PPPoE PPTP

  • ARP WAN IP DHCP

    WAN IP->ARP

    WAN IP ARP

    5.4. 1:1NAT

    1:1 NAT IP IP (), IP IP

    . 1:1NAT , IP NAT

    IP( Internet),, IP , NAT IP.(

    , 1:1NAT )

    1:1NAT .

    1:1NAT OPT(),.

  • 5.4.1 1:1NAT

    : NAT: 1:1 ,+

    5.4.1.1

    WANOPT

    5.4.1.2

    IP IP/32

    IP C LAN DMZ C

    1:1NAT

  • 5.4.1.3

    IP LAN DMZ

    IP1:1NAT

    5.4.1.4

    5.5 NAT

    NAT LAN

    NAT

  • NATm0n0wall NAT

    WANNAT

    WANIP WAN

    ARP.


  • 5.5.1 NAT

    5.6

    : /

  • 5.6.1

    +

  • 5.6.2

  • +

  • 5.6.3

  • 5.6.4

    5.7

    WEB

  • IP

    5.7.1

    ->

  • 5.7.1.1

    5.7.1.2

    5.7.1.3

    IP

    5.7.1.4

    5.7.2

    ,

  • NAT()

    NATNetwork Address Translation IPRFC 1918

    IP

    NAT NAT IP NAT

    NAT IP

  • IP IANA(Internet Assigned Numbers

    Authority) RFC 1918 IP

    10.0.0.0 10.255.255.255(CIDR: 10.0.0.0/8)

    172.16.0.0 172.31.255.255(CIDR: 172.16.0.0/12)

    192.168.0.0 192.168.255.255(CIDR: 192.168.0.0/16)

    NAT IP IP

    IP

    IP NAT

    NAT

    NAT

    NAT

    NATS-NAT,SNAT

    NAT SNAT

    SNAT

  • SNATmasqueradeIP(outgoing)

    IP

    NATDNAT

    DNAT FTP SNAT

    SNAT

    NATBi-Directional NAT

    NAT NAT NAT

  • ()

  • IPsec

    IPsec VPN(Virtual Private Network)

    VPN

    HASH

    HASH

    IPsec VPN

    IPsec VPN

  • Router/VPN site-to-site IPsec VPN ()point-to-site

    site-to-site VPN VPN

    IP IP

    IP

    site-to-site VPN

    8.1 IPsec

    IPsec (end-to-end)

    IP IP IP

    IPsec IPsec

    IPsec

    AH:Authentication Header Protocol

    (ESPEncapsulating Security Payload Protocol)

    Internet (IKE ISAKMP/Oakley)

    ESP IKEESP IKE

  • IPsec SA

    Security Association IPsec SA IPsec IPsec

    SAinbound SA SA(outbound SA)

    8.2 IPsec 1 2

    IPsec IKE

    IKE 1. DH 2

    ESP SA

    IKE 2. 1 ESP SA

    ESP SA

    IKE 1 ISAKMP SA( IKE SA)IKE

    (IKE ISAKMP

    Oakley IPsec )

    IKE 1 ISAKMP SAIKE SAISAKMP SA

    winning proposal

    control channel 2

    ISAKMP SA ESP SASecurity Association

    , IKE

  • ISAKMP SA lifetime

    ISAKMP SA

    IKE 2 IKE IKESA

    2 SA

    ESP HASH IKE 2

    ESP SAs( IPsec SAs)inboundoutbound

    VPN

    IPsec VPN control channel 2

    ISAKMP SA

    VPN

    IPsec SA

    8.3 IKE KEY

    ISAKMP SA

    Diffie-hellman Group

  • HASH

    IKE1VPN1(proposals)SA

    IKEKEYinitiatorVPN

    1proposals VPN

    Responder

    ISAKMP

    ISAKMP SAIKE SA 22

    IPsec SA

    IPsec SA IPsec

    IKEVPNon-demandVPN

    IP

    IP

    IPsec SAIP

    IKE

    IPsec SA

    8.4

    DES

    AES

    3DES

    SSF33/SCB2:

    8.5 HASH

    HASHHASH

    message digest/fingerprintHASH

    HASH

    MD5: 128bits(16bytes)

    SHA1: 160bits(20bytes)

    8.6

    PSK: Pre-Shared Key/Pre-shared secret

    HASHVPN

    HASH

  • HASH

    KEY,

    PSK

    PSKIKE

    PSK KEY

    KEY

    KEY

    PSK IKEPSK

    PSKPSK

    PSK

    PSK

    PSK

    8.7

    PSKRSAIKE

  • RSA

    KEY

    RSA KEY

    HASH

    RSA

    HASHmessage digest/fingerprint

    MD5 16 SHA1 20

    HASH

    HASH

  • 8.8

    X.509 PEM

    IKE1

    :

    8.9 Diffie-Hellman Groups

    DHDH

    WhiteField DiffieMartin Hellman1976


  • DH

    A,BDH Groupn,g( n = gk+1 )

    A x, X = g^x mod n, X

    B y, Y = g^y mod n, Y A

    Ak1 = Y^x = (g^y mod n)^x = g^xy mod n;

    Bk2 = X^y = (g^x mod n)^y = g^xy mod n;

    x,yRSA

    DHn,g n,g,X,Y

    x,y k1/k2

    IPsecDH IKE1IKE

    SAIKE 2 IPsec SA

    Router/VPNDH Groups:

    Group 2

    Group 5

  • 8.9 IKE (Main Mode)

    ISAKMP SA6

    DH

    DH

    IKE1main mode

    DH

    8.10 IKE Aggressive Mode

    IKE

    Aggressive Mode3

    DHSA

    Responder

    8.11 IKE

    RFC2409

    IKE

  • HDR: ISAKMP, HDR*

    SA: Responder

    _b:

    SAi_b: SAIPsec DOI(Domain of Information)situation

    CKY-I,CKY-R: (Initiator)(Responder)cookie

    ISAKMP

    g^xi,g^xr: (Initiator)(Responder)Diffie-Hellman

    xi,xr

    g^xyDiffie-Hellman

    KE: Diffie-Hellman

    Nx: x: i,r(Initiator)(Responder)

    IDx: x : ii,ir,(Initiator)(Responder)

    1ui,ur, (Initiator)(Responder)2

    .

    SIG:

    CERT

    HASH: HASH

    prf(key,msg):

    SKEYID

    SKEYID_eISAKMP SA

  • SKEYID_a: ISAKMP SA

    SKEYID_d:

    y: yx

    | X|Y

    IKESKEYID

    : SKEYID = prf(Ni_b | Nr_b, g^xy)

    RSA: SKEYID = prf(hash(Ni_b | Nr_b), CKY-I | CKY-R)

    : SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

    IKE()

    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)

    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)

    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

    HASH

    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )

    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

    1+

  • 1+

  • 1+

    2(Quick Mode)

  • KE PFS :

    KEKEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)

    : KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).

    8.12 PFS Perfect Forward Secrecy

    PFSPSKRSA

    KEYKEY

    PFSRoute/VPN

    8.13 IPsec over NAT-T

    IPsec ESP TCP/UDP NAT UDP/TCP

    IPsec

    NAT-T IKE 1 2(Quick

    Mode) NAT NAT-T NAT-T

    INTERNET-DRAFT

    draft-ietf-ipsec-nat-t-ike-06.txt

    draft-ietf-ipsec-udp-encaps-06.txt

    FreeBSD6 IPsec over NAT-T :

  • racoon-nattraversal-freebsd6.patch

    8.13.1 NAT-T

    NAT-T INTERNET-DRAFT

    NAT-D payload( NAT Discovery PayLoad)

     1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
    +---------------+---------------+---------------+---------------+
    | Next Payload  |   RESERVED    |        Payload length         |
    +---------------+---------------+---------------+---------------+
    ~               HASH of the address and port                    ~
    +---------------+---------------+---------------+---------------+

    UDP-encapsulated ESP Header Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      ESP header [RFC 2406]                    |
    ~                                                               ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Floated IKE Header Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Non-ESP Marker                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      IKE header [RFC 2409]                    |
    ~                                                               ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    NAT-keepalive Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     0xFF      |
    +-+-+-+-+-+-+-+-+

    Transport Mode ESP Encapsulation

                 BEFORE APPLYING ESP/UDP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                 AFTER APPLYING ESP/UDP
            -------------------------------------------------------
      IPv4  |orig IP hdr  | UDP | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------------

    Tunnel Mode ESP Encapsulation

                 BEFORE APPLYING ESP/UDP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                 AFTER APPLYING ESP/UDP
            --------------------------------------------------------------
      IPv4  |new h.| UDP | ESP |orig IP hdr  |     |      |   ESP   | ESP|
            |(opts)| Hdr | Hdr |(any options)| TCP | Data | Trailer |Auth|
            --------------------------------------------------------------

    8.14 IPsec

    IPsec IP

    IP ADSL

    IPsec IP IPsec

    IP

    ddnsguard IPsec

    IP ddnsguard IPsec

    IPsec

  • 8.15 IPsec VPN

    VPN IPsec IPsec VPN


  • IPsec

    2

    VPN:IPsec

    ->

    IPsec

    VPN WANLAN OPT

    WAN

    NAT-T NAT-T IKE NAT

    UDP ESP NAT NAT-T


  • NAT-T IKE UDP 500 UDP4500 IKE

    UDP 4500/500

    VPN LAN

    LAN LAN

    IP IP

    VPN

    2

    VPN IP

    VPN

    1

  • 1 2

    IKE

    aggressive(main) VPN

    SA

  • My IP address IP

    IP Address IP

    Domain Name

    User FQDN [email protected]

    IP DHCP IP

    3DES SSF33/SCB2 VPN

    HASH MD5SHA1 VPN

    HASH

    DH key group: 1024bitsGROUP 2 bit

    2 1

    28800

    RSA

    VPN

    RSA : X509 PEM RSA

    RSA

    2

  • 2

    ESP IPsec VPN

    ESPAH

    ESP/AH

    VPN

    SSF33/SCB2

    HASH SHA1MD5

    SHA1 VPN

    PFS key group: 1 1024bits

    86400 20

  • PPTP

    Francisco Artes m0n0wall-PPTP

    9.1

    PPTP VPN windows XP PPTP

    m0n0wall PPTP VPN Linux

    m0n0wall

    m0n0wall

    9.2

    TCP/IP

    email

    emailm0n0wall

    eamail

    mailto:[email protected]

  • 9.3

    PPTP

    NAT

    PPTP

    9.4 VLAN

    VLAN VLAN

    PPTP

    /28 PPTP

    2.55.255.255.255 PPTP

    LAN LAN IP

    VLAN

    WAN internet

    WAN PPTP

    LAN LAN 192.168.1.1/24

    192.168.2.254 192.168.2.16/28PPTP

  • LAN PPTP WAN OPT WiFi

    PPTP windows PPTP

    PPTP

    9.5 PPTP

    1 PPTP VPN: PPTP:

  • 2 PPTP

    3 LAN IP IP

    ABC

    4 16 16

    IP /28 IP /28

    IP 192.168.1.254, 192.168.1.192/28

    PPTP IP VPN IP

    PPTP

  • 9.4 VLAN

    5. RADIUS

    6 128-bit

    7 PPTP PPTP

    9.6 PPTP

    RADIUS

    PPTP RADIUS

    IP


  • 9.7 PPTP

    PPTP LAN

    PPTP

    PPTP LANWAN

    LAN

    1:


  • PPTP LANWANOPT

    2AnyPPTP

    PPTP->

    3.

    PPTP

  • 9.7.1 PPTP

    PPTP PPTP

    PPTP IP PPTP LAN

    WAN SAMBA

    PPTP SSH LAN IP 192.168.1.151

  • ACLs

    9.8 windows XP PPTP

    1.

  • 2

    3.VPN

  • 4VPN

  • 5 myPPTP

    6.

  • 7. PPTP IP

    8.

  • 9. IPCONFIG

    PING 192.168.16.2

  • 9.9 PPTP

    NAT PPTP m0n0wall

    PPTP PPTP

    WiFi IP

    192.168.1.0/24 PPTP PPTP 192.168.1.0/24

    IPPPTP IP PPTP

    TCP

    PPTP IP PPTP

    IP

    ISP DHCP PPTP

    DHCP

    DHCP renew PPTP VPN DHCP

    PPTP ISP

    DHCP

    M0n0wall UPnP

  • PPTP Windows

    PPTP

    OPenVPN

    []

    []

    Captive Portal

    []

    []

  • 14.1 DMZ NAT

    LAN/WANDMZ

    Quick Start Guide(http://m0n0.ch/wall/quickstart/)

    DMZ

    IP DMZ IP 1:1 NAT


  • 14.1.1

    14.1.2

    : OPT1


  • 14.1.3

    OPT1

    DMZIP 192.168.2.1/24

    14.1.4 DMZ

    DMZ internet LAN

    DMZ

    LAN DMZ LAN IP DMZ

    : DMZ DMZ

    DMZ WANinternet

    http://192.168.16.2/firewall_rules_edit.php?if=wan

    DMZ LAN DMZ IP DMZ

    DMZ DMZ

    14.1.5 DMZ LAN

    DMZ LAN DMZ

    LAN DNS cvsup cvsup-mirror

    NTP TimeServer TimeServer cvsup-mirror

    DMZ LAN

    DMZ LAN

    DMZ LAN

    DMZ LAN

    DMZ LAN DMZ

    LAN

    14.1.6 NAT

    NAT 1:1NAT IP

    1:1NAT IP NAT

    IP DMZ NAT

    1:1NAT

    14.1.6.1 1:1NAT

    /27 2.0.0.0/27VPN WAN

    IP 2.0.0.2 1:1NAT IP 2.0.0.3 DMZ IP 2.0.0.4

    DMZ WEB

    : NAT: 1:1

    WWW

    http://192.168.16.2/firewall_rules_edit.php?if=wan

    14.1.6.2 1:1NAT

    []

    14.1.6.3 NAT

    IP DMZ IP

    NAT: NAT:

    IP WAN

    http://192.168.16.2/firewall_rules_edit.php?if=wan

    WAN IP 25 SMTP DMZ

    HTTP

    http://192.168.16.2/firewall_rules_edit.php?if=wan

    14.2 DMZ

    []

    14.3

    DMZ colocation facility

    VPN LAN LAN

    NAT LAN

    LAN

    111.111.111.8/29 8 IP8 = NOT(0xFFFFFFF8 1) IP 9-14

    ID IP IP

    5 LAN

    14.3.1

    LAN IP webGUI

    : DNS webGUI

    HTTPS

    14.3.2 WAN

    webGUI :WAN

    IP111.111.111.10/29 111.111.111.9 WAN

    14.3.3 OPT

    OPT ServersWAN

    IP

    14.3.4

    14.3.5

    14.3.5.1 OPT

    WEB

    DNS 111.111.110.2 111.111.109.2(

    )

    HTTP CVSUP

    14.3.5.2 WAN

    IP m0n0wall webGUI

    11.12.13.30 LAN

    webGUI m0n0wall ()

    SMTP HTTP/HTTPS WEB

    14.3.5.3 LAN

    LAN

    LAN

    14.3.5.4

    14.3.6

    site to site VPN

    M0n0wall IPsec site-to-site VPN

    IPsec VPN

    m0n0wall

    m0n0wall

    There is a section of the wiki dedicated to configurations for this chapter.

    15.1 Cisco PIX Firewall

    m0n0wall PIX IPsec

    http://wiki.m0n0.ch/wikka.php?wakka=ExampleVPNs

    15.1.1 PIX

    PIX 3DES

    pixfirewall# sh ver

    Cisco PIX Firewall Version 6.3(3)

    Cisco PIX Device Manager Version 2.0(2)

    Compiled on Wed 13-Aug-03 13:55 by morlee

    pixfirewall up 157 days 5 hours

    Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz

    VPN-3DES-AESEnablePIX 3DES keyPIX

    CISCO 3DES Key

    http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl 3DES/AES

    Encryption LicenseVPNDESDES

    http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl

    PIX VPN

    pixfirewall# sh isakmp policy

    Default protection suite

    encryption algorithm: DES - Data Encryption Standard (56 bit keys).

    VPN VPN

    VPN

    PIX IPSec

    pixfirewall(config)# sysopt connection permit-ipsec

    outside ISAKMP( outside internet ):

    pixfirewall(config)# isakmp enable outside

    PIX isakmp policy

    pixfirewall(config)# isakmp policy ?

    Usage: isakmp policy <priority> authen <pre-share|rsa-sig>

    isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>

    isakmp policy <priority> hash <md5|sha>

    isakmp policy <priority> group <1|2|5>

    isakmp policy <priority> lifetime <seconds>

    PIX ISAKMP :

    isakmp policy 10 authen pre-share

    isakmp policy 10 encrypt 3des

    isakmp policy 10 hash md5

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    pre-shared keys3DES MD5 HASH 86400

    VPN pre-shared keys 1.1.1.1 m0n0wall

    IPqwertyuiop

    isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255

    access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

    VPN

    crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac

    monovpnset

    SA

    VPN (crypto map)monovpnmap 1.1.1.1 m0n0wall IP

    crypto ipsec security-association lifetime seconds 86400 kilobytes 50000

    crypto map monovpnmap 10 ipsec-isakmp

    crypto map monovpnmap 10 set peer 1.1.1.1

    crypto map monovpnmap 10 set transform-set monovpnset

    VPN ipsec-isakmp IP1.1.1.1(monovpnset,

    ) monovpn() VPN

    PIX VPN NAT

    NAT

    pixfirewall# sh nat

    nat (inside) 0 access-list no-nat

    nat (inside) 0 no-nat

    NAT DMZ

    access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0

    access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

    sh nat nat (inside) 0 no-nat

    no-nat

    nat (interface-name) 0 access-list no-nat

    LAN interface-name

    15.1.2 m0n0wall

    webGUI VPN IPSec

    IPSec

    + IPSec

    WAN

    NAT-T NAT

    LAN

    10.0.0.0/24 PIX

    PIX IP

    PIX VPN

    1

    Aggressive

    My IP Address

    3DES

    HASH MD5

    DH Key Group: 2

    86400

    qwertyuiop ( PIX )

    2

    ESP

    3DES

    HASH MD5

    PFS key group: 2

    86400

    m0n0wall 1.2 beta

    PFS key group :OFF

    m0n0wall

    Cisco Cisco VPN

    concentrator

    15.2 Smoothwall

    15.3 FreeS/WAN (OpenSwan)

    15.4 Sonicwall

    15.5 Nortel

    (FAQ)
