
m0n0wall for Datacenter Use

by @ 2:17 pm on August 26, 2005.

In this document I will describe how I set up a filtering bridge using the m0n0wall software to transparently protect our server farm and to create encrypted access to our private management network.

WARNING: What follows below is a solution that worked well for me. In other words, don’t blame me if you: lose data, lose a server, lose clients, kill your network, kill your workstation, kill your boss, lose your job or otherwise destroy or maim anything using this document. THE BLAME IS YOURS, NOT MINE!

Project requirements:

With the requirements set above, I set out to create the firewall/bridge. The software choice was easy: having previously used m0n0wall for numerous other setups, I knew it was up to the task. I also tested an install of OpenBSD doing similar bridging, but it just did not cut it. (It worked great but needed far too many custom tweaks to match our requirements.)

This m0n0wall setup is very simple to start with, so I leave out most of the initial m0n0wall setup because the m0n0wall site has great details on all of it. GO TO THE m0n0wall SITE NOW!

Here is the hardware I chose for this setup. I came to these choices by researching usage on my other m0n0wall systems, as well as from recommendations on the m0n0wall discussion list.

Server Specs:

Machine setup is fairly straightforward, just like building any other PC, except that instead of a hard drive you have a CF adapter.

NOTE: The choice of Intel NIC cards was crucial, other NICs will work but you don’t get nearly the throughput with them. The Intel boards have good onboard processors, which keep system levels very low. All of this equals good throughput, not to mention FreeBSD has one of the best fxp0 drivers.

First things first, make sure your machine runs and is set to boot from the CF card.

Now take your CF card to another machine and put the .img onto the card. This step is basic and outlined well on the m0n0wall site.

OK, now that we have m0n0wall on a CF disk, go ahead and pop it into the new machine and boot it up. You will see a normal FreeBSD 4.10 screen go by and do all of its hardware magic. You should end up with a small menu screen where you begin your setup.

Now all of the first startup stuff is covered well on the m0n0wall site so I won’t go into screen shot level detail with you on this one. Here is the NIC layout I used for my setup.

WAN: fxp0 - backbone
LAN: vr0 - private_lan
OPT1: fxp1 - server_lan
OPT2: fxp2 - colo_lan

Now that you have that all done, go ahead and connect a laptop or other such computer to the LAN port. Boot it up and set it to DHCP so you can get an address on the private LAN network. This is where we do our configuration.

MORE TO FOLLOW >>>>
