Security

Security is something you have to pay attention to when allowing unknown clients access to your networks and Internet connection. m0n0wall is relatively secure by default, but there are a few things to consider:

  1. Don't allow the portal subnet access to ANY in a firewall rule
    Using ANY will grant access to all networks connected to the firewall, including the network on your LAN interface and any other optional interfaces.
  2. Block direct access to your PORTAL interface IP address and your WAN interface IP address from your portal network
    This will prevent Portal clients from being able to access the m0n0wall administration GUI.
  3. Block access to SMTP (port 25) from the Portal network
    Since most people have access to web mail, this will prevent users from intentionally (Spammers) or unintentionally (those inadvertently infected with Viruses, Trojans and Worms) sending out bulk email from your Internet connection.
  4. Limit the bandwidth available to your portal network with Traffic Shaping
    If you are using your Internet connection for other purposes than the Captive Portal - providing Internet access to your LAN for example - limit the bandwidth available to your Portal network with m0n0wall's Traffic Shaping features. This will prevent clients on the portal network from using all available bandwidth.

Figure 9 shows the firewall rules I placed on the PORTAL interface that adequately protect my network while still allowing fairly free access to the Internet for the portal clients. The first three rules block all NetBIOS traffic - an essential practice on all Internet-facing connections. These are followed by a rule blocking all outbound SMTP (Port 25) connections. 

Figure 9: m0n0wall Firewall Rules on the PORTAL interface

The fifth rule down blocks HTTP connections to the PORTAL interface itself (m0n0wall will allow Web Admin on all interfaces if firewall rules allow). This is followed by a similar rule that blocks HTTP connections to the small subnet between the WAN interface of the firewall and the inside interface of my DSL router, again stopping Web Admin access on both the m0n0wall and my DSL router.

Second to last is a rule that allows access to my LAN, but only for HTTP to a server (HOMER) that hosts the images for the portal page. The last rule allows any connection (if not previously blocked) to anywhere other than the LAN network.
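The rule order described above, modelled as a first-match evaluator so the ruleset can be checked against flows a portal client should never be able to open. This is an added example, not the author's configuration or m0n0wall code; every address, the NetBIOS port range 137-139, and the treatment of "HTTP" as TCP port 80 are assumptions.

```python
import ipaddress as ip

# Constructed addressing; none of these values come from the article.
ANY = ip.ip_network("0.0.0.0/0")
LAN = ip.ip_network("192.168.10.0/24")
HOMER = ip.ip_network("192.168.10.5/32")      # image server on the LAN
PORTAL_IF = ip.ip_network("192.168.20.1/32")  # firewall's PORTAL address
WAN_NET = ip.ip_network("192.168.1.0/30")     # firewall WAN <-> DSL router

# (action, proto, dest, negate_dest, ports) in the order the text describes.
# Assumed: NetBIOS is ports 137-139 and "HTTP" means TCP port 80 only.
FIGURE9 = [
    ("block", "any", ANY, False, {137}),
    ("block", "any", ANY, False, {138}),
    ("block", "any", ANY, False, {139}),
    ("block", "tcp", ANY, False, {25}),
    ("block", "tcp", PORTAL_IF, False, {80}),
    ("block", "tcp", WAN_NET, False, {80}),
    ("pass", "tcp", HOMER, False, {80}),
    ("pass", "any", LAN, True, None),          # anything NOT destined to LAN
]
# The mistake from list item 1: the final rule passes to ANY, not "not LAN".
LOOSE = FIGURE9[:-1] + [("pass", "any", ANY, False, None)]

def decide(rules, proto, dst, port):
    """First matching rule wins; unmatched traffic is dropped (rule 0)."""
    addr = ip.ip_address(dst)
    for n, (action, rproto, net, negate, ports) in enumerate(rules, 1):
        if rproto in ("any", proto) and (addr in net) != negate \
                and (ports is None or port in ports):
            return action, n
    return "block", 0

# Flows a portal client must not be able to open (constructed test cases).
MUST_BLOCK = [
    ("tcp", "192.168.10.20", 445),   # arbitrary LAN host
    ("tcp", "192.168.10.5", 22),     # HOMER on a non-HTTP port
    ("tcp", "192.168.20.1", 80),     # web admin on the PORTAL interface
    ("tcp", "192.168.1.1", 80),      # DSL router admin page
    ("tcp", "203.0.113.25", 25),     # outbound SMTP
    ("udp", "203.0.113.9", 137),     # NetBIOS name service
]

def audit(rules):
    """Return the MUST_BLOCK flows that the ruleset would let through."""
    return [f for f in MUST_BLOCK if decide(rules, *f)[0] == "pass"]

if __name__ == "__main__":
    print("Figure 9 order leaks:", audit(FIGURE9))
    print("ANY as last rule leaks:", audit(LOOSE))
```

Under these assumptions only TCP port 80 to the firewall's own addresses is blocked, so a management interface listening on another port would fall through to the final pass rule and needs its own block rule.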

Tip: Blocking SMTP on a Captive Portal has been the subject of discussion on the m0n0wall mailing lists in recent weeks. While some see it as protecting the network they are providing from being used for spamming, others see it as being at odds with providing free, unrestricted access to the Internet.

Dana Spiegel, director of the community-based organization NYCwireless, has stated: "NYCwireless has a totally unrestricted network where we've never seen a spammer send out millions of spam messages".

One approach suggested is to severely limit the bandwidth available for SMTP mail to discourage anyone from sending bulk email. In the end, it is the decision of whoever provides the Portal / HotSpot and what they are comfortable with.
