Can you try a traceroute from a host on each end to the other end? Also
a traceroute to a non-statically routed host in each direction. I want
to be sure that it is actually using the static route. It is possible
that you could be pinging the gateway on the OPT interface via your WAN
If that looks right, you may want to try setting up a static route to
say yahoo.com via the OPT interface and see if you can ping that.
Clearly none of this offers a solution... just troubleshooting.

From: Kev Latimer [mailto:kev at ne23 dot net]
Sent: Tuesday, December 07, 2004 7:04 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Public IP's on OPT

Thanks for the reply Josh, apologies I haven't had a chance to give it a
go, the servers this thing is going to route have absorbed my time.
So, I added a static route to the public IP of a m0n0wall I have out in
the wild (for testing) via OPT2 (OPT1 is routing direct to our current
production LAN), via the IP of my DSL router that OPT2 lives on the
same subnet as.
I set up firewall rules to allow anything coming in on OPT2 to see
OPT2's public IP (again, relaxed for testing). However, the remote
m0n0wall still cannot see OPT2's public IP, either for IPSEC or for
I can ping OPT2's IP and the gateway defined in the static route so the
cabling must be okay, and the ADSL connection is live and definitely
Anyone care to point out the obvious mistake? :)
Josh McAllister wrote:
>Have you tried using static routes? This should work:
>For each Interface/ADSL link Add:
>Dest. Network: x.x.x.x / 32
>Gateway: (Gateway for this ADSL link that's in the same subnet as this
>You could also specify the full subnet of the far end for Dest.
>Make sure you setup the appropriate firewall rules, allowing traffic in
>from the far end's host / subnet via this OPT interface.
>Once you get this far, before moving on to the VPN stuff, try some ping
>tests. If they should happen to fail from a host on the LAN side, try
>from m0n0 itself as well.
>I've had no occasion to try this myself, but it seems it should work.
>Let me know either way.
>
>From: Kev Latimer [mailto:kev at ne23 dot net]
>Sent: Thursday, December 02, 2004 4:24 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] Public IP's on OPT
>
>I posted a question on this sometime last month, but I don't think I
>a very good job of explaining what I wanted to do so I'm having another
>go now that I actually have the kit up and running :)
>I have an EPIA box with 2 onboard NICs and a D-Link 4-Port card (a
>DFE-580TX if anybody wants a m0n0 compatible one, runs using ste
>The onboard ports are LAN (vr0) and WAN (vr1), which sits on a 2MB ADSL
>line. The four other ports are OPT1-4 (ste0 - ste3) and the intention
>is to have 4 further ADSL lines (just 512down/256up), the logic behind
>this being that I can get 1MB of total upstream over 4 lines for a lot
>cheaper than a 1MB up SDSL line and there's at least some scope for
>fault tolerance should one DSL router die.
>These 4 ADSL lines on the OPT interfaces are to be used for IPSEC only,
>and will link to each of our other offices for a VPN. There is no
>intention of using these for load balancing or failover, all 'regular'
>outgoing traffic will be routed over the 2MB.
>So far, I've got OPT1 on its public IP, but without being able to
>specify any gateways it's going to have trouble seeing anything, and
>indeed, I can't see the interface from a colo box I've got out in the
>I'm assuming there has to be some way of doing this, simply because you
>can specify OPTx as the local endpoint for an IPSEC tunnel - has anyone
>got any pointers?
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch