Configuring MonoWall

From SixXS Wiki

This concerns m0n0wall 1.32 which is currently (January 2011) the latest stable version available.

Essential steps are:

  • Install m0n0wall (m0n0wall 1.3b16 or higher) on your device.
  • Request a heartbeat or AICCU tunnel (AICCU/AYIYA is supported since 1.31) and a subnet, which is needed to provide IPv6 to your LAN.
  • In the m0n0wall Advanced menu, check "Enable IPv6 Support".
  • In the WAN menu, set "IPv6 mode" to AICCU, enter the username in the format <handle>/<tunnel id>, the password and the tunnel ID including the "T", and check the AYIYA checkbox if necessary.
  • Do not check "Send IPv6 router advertisements" on the WAN port. This is normally not what you want if you intend to use IPv6 in your LAN.
  • In the LAN menu, set the "IPv6 mode" to static and assign an IPv6 address from your subnet range to the LAN interface (for example <subnetprefix>::1/64).
  • If you want to use IPv6 autoconfiguration or DHCPv6, check the appropriate checkboxes. DHCPv6 has to be configured separately in the DHCP server menu.
  • In the IPv6 Rules menu, add a firewall rule to allow everything on the LAN to pass to the Internet.
  • Reboot m0n0wall to finally enable the IPv6 support set in the advanced menu.

You should now be able to access IPv6 sites. If you are having problems, go to m0n0wall's Diagnostics->Logs->DHCP. It will say either "sixxs-aiccu: Succesfully retrieved tunnel information for TXXXXX" or indicate whatever the problem may be, like clock off by XXX seconds, etc.

Debugging Tips

To check address configuration and other low-level information, go to:

 http://<m0n0wall-ip>/status.php

or go to

 http://<m0n0wall-ip>/exec.php

and use the command:

 ifconfig -a

You should see an entry for the "gif0" interface with your SixXS IPv4 and IPv6 addresses when using heartbeat, or a "tun0" device with your tunnel IPv6 address when using AYIYA.

Check Tunnel

On your SixXS home page your tunnel should show a recent alive time. Also test the tunnel with "aiccu test" by running the aiccu client. All tests should complete except for the first one, which you may ignore.

Check the m0n0wall DHCP log (under the Diagnostics section) for an AICCU transaction that completed successfully. Reboot m0n0wall if the AICCU transaction did not complete successfully.

Also check the m0n0wall clock by going to the exec.php page and typing "date". The clock must be synchronized within two minutes for a heartbeat account, otherwise the tunnel will be dropped. You can reestablish the tunnel by renewing your IP address. For some it is enough to reboot the m0n0wall box.
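
The three checks above (a gif0/tun0 entry in "ifconfig -a", the AICCU success line in the DHCP log, and the two-minute clock limit) can be run on a workstation over output pasted from m0n0wall. This is an added example, not part of the original wiki page or of m0n0wall: the function names, sample addresses and sample log line are constructed, and it assumes the router time is supplied as epoch seconds (for instance from "date +%s").

```shell
#!/bin/sh
# Added example: offline checks over output pasted from exec.php and the DHCP log.

# Read `ifconfig -a` output on stdin; print "<iface> <ipv6>" for gif0 (heartbeat)
# or tun0 (AYIYA) if it carries a non-link-local inet6 address, else return 1.
tunnel_iface_status() {
    awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        (iface == "gif0" || iface == "tun0") && $1 == "inet6" && $2 !~ /^fe80:/ {
            print iface, $2; found = 1; exit
        }
        END { exit !found }
    '
}

# Succeed when router and reference epoch seconds differ by at most 120 s
# (the two-minute heartbeat limit stated on this page).
clock_within_limit() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le 120 ]
}

# Succeed when the log text on stdin contains the AICCU success message
# (the spelling "Succesfully" is as the log prints it).
aiccu_log_ok() {
    grep -q 'sixxs-aiccu: Succesfully retrieved tunnel information for T'
}

# Constructed sample input (documentation addresses, not real tunnel data).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::201:2ff:fe03:405%em0 prefixlen 64 scopeid 0x1
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel inet 192.0.2.10 --> 192.0.2.1
	inet6 fe80::201:2ff:fe03:405%gif0 prefixlen 64 scopeid 0x5
	inet6 2001:db8:100:1::2 --> 2001:db8:100:1::1 prefixlen 128'
SAMPLE_LOG='sixxs-aiccu: Succesfully retrieved tunnel information for T12345'

if out=$(printf '%s\n' "$SAMPLE_IFCONFIG" | tunnel_iface_status); then
    echo "tunnel up: $out"
else
    echo "no gif0/tun0 interface with a global IPv6 address"
fi
printf '%s\n' "$SAMPLE_LOG" | aiccu_log_ok && echo "AICCU transaction logged"
clock_within_limit 1296000000 1296000095 && echo "clock within two minutes"
```

A gif0 or tun0 entry that shows only an fe80:: address is reported as failing, since the tunnel address has not been configured on it.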

Accumulating Credits

If you don't have enough credits for a subnet, enable IPv6 as above and run the AICCU client. Alternatively, you can add an IPv6 address on the LAN interface of your m0n0wall to enable the tunnel temporarily for a week. The good thing is that the m0n0wall IPv6 firewall rules are in effect, enabling AICCU to communicate.