Notes on m0n0wall (Monowall) firewall: NAT, VPN and Real IPs

My Setup

My config is slightly unusual in that I have 32 real IP addresses that are routed to me by my provider (Clarinet Internet Solutions). I also wanted PPTP for a mobile VPN on NATed addresses (PPTP's encryption is awful, but the VPN usually works and IPsec is still fiddly). Unfortunately, this made the config process somewhat more involved, as most of the examples don't deal with both a routed network and a NATed network.

Stumbling blocks

The big secret to making this setup work is installing three network cards in the firewall (I suspect that an additional VLAN would also have worked). The firewall does not appear to be able to NAT on a secondary IP on a single interface. By installing the third physical interface, I was able to create a working NAT range.

It is also necessary to enable "Advanced outbound NAT" and add a specific mapping. Enabling advanced outbound NAT removes the automatic NATing of all your internal addresses to the address provided by your ADSL provider, and it lets you map only your private address range ( in my case) via the WAN address provided by your ADSL provider.
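As an added illustration (not from these notes or from m0n0wall itself), the following Python model contrasts the default outbound NAT behaviour with an explicit advanced outbound NAT rule set like the one described above, and checks that the rule's source range does not overlap the routed block. All addresses are constructed TEST-NET/RFC 1918 values, and the rule and evaluation functions are assumptions about m0n0wall's first-match semantics, not its code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing (TEST-NET ranges, not the author's real values):
WAN_ADDR = ip_address("203.0.113.10")          # address handed out by the ADSL provider
ROUTED_BLOCK = ip_network("198.51.100.0/27")   # the 32 real IPs routed to the firewall
NAT_LAN = ip_network("192.168.1.0/24")         # private range behind the third NIC
REAL_HOST = ip_address("198.51.100.5")         # a host with a real, routed address
NAT_HOST = ip_address("192.168.1.20")          # a host on the NATed range


@dataclass
class OutboundRule:
    """One advanced-outbound-NAT mapping (assumed model): traffic from `source`
    leaving via WAN is rewritten to `target`, or to the WAN address if None."""
    source: IPv4Network
    target: Optional[IPv4Address] = None


def default_outbound(src: IPv4Address, internal: List[IPv4Network]) -> IPv4Address:
    """Default behaviour: every internal subnet is masqueraded behind WAN_ADDR,
    which also (wrongly) hides the routed block."""
    return WAN_ADDR if any(src in net for net in internal) else src


def advanced_outbound(src: IPv4Address, rules: List[OutboundRule]) -> IPv4Address:
    """Advanced outbound NAT: only an explicit, first-matching rule translates;
    anything else leaves untouched, so the routed block keeps its real source."""
    for rule in rules:
        if src in rule.source:
            return rule.target or WAN_ADDR
    return src


def check_rules(rules: List[OutboundRule], routed: IPv4Network) -> List[str]:
    """Sanity check before saving: no mapping may swallow the routed block."""
    return [
        f"rule for {rule.source} would also translate the routed block {routed}"
        for rule in rules
        if rule.source.overlaps(routed)
    ]


# The single mapping the notes describe: private range -> WAN address only.
RULES = [OutboundRule(NAT_LAN)]

if __name__ == "__main__":
    print("default :", default_outbound(REAL_HOST, [ROUTED_BLOCK, NAT_LAN]), default_outbound(NAT_HOST, [ROUTED_BLOCK, NAT_LAN]))
    print("advanced:", advanced_outbound(REAL_HOST, RULES), advanced_outbound(NAT_HOST, RULES))
    print("problems:", check_rules(RULES, ROUTED_BLOCK))
```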

