I use do something similar with my offices in the uk ...
I have block EVERYTHING from getting to the wan from the lan interface,
and have a proxy server at HQ, all clients use the proxy server to surf
via ipsec vpn, this means I only have to have 1 proxy, 1 antispam server
etc etc however, it does increase load on the hq connection ..
Just chuck a squid box in, that'll do the job for you ... and easy to
From: Louis Koutsovitis [mailto:louis dot koutsovitis at senecac dot on dot ca]
Sent: Tuesday, 8 February 2005 1:05 PM
To: Fred Wright
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Private site to site IPSEC VPN
Thanks for the suggestion, we tried everything we could but the Internet
traffic still missed the VPN tunnel. OPENVPN looks like it has the
feature we need, we will be testing that next. The purpose of routing
WAN traffic through the tunnel is to provide the same firewall,
antispam, spyware and other vulnerability protection (from the Internet)
to the small branch office network as is provided to the main campus
network, using a less expensive DSL link. If it doesn't work we go back
to the point to point ISDN service.
Fred Wright wrote:
>On Sat, 5 Feb 2005, Vincent Fleuranceau wrote:
>>>Is it possible to create a private site to site IPSEC VPN over the
>>>internet between two points with Monowall. We are trying to route all
>>>packets from a small branch office over a VPN on the internet to a
>>>campus regardless of the destination, emulating a point to point
>>>We are using DSL link for the office and a dedicated Internet
>>>for the main campus. Using 1.2b3 we created a tunnel between the two
>>>locations but any packets from the office destined for the Internet
>>>not making it to the campus Monowall server, they are hitting the
>>>Monowall server and then being routed directly to and from the
>>>Packets to and from the main campus do travel over the IPSEC tunnel.
>>>Is this possible with Monowall?
>>Being able to bind your default route to a dedicated interface would
>>help, but unfortunately IPsec implementation in m0n0wall does not use
>>such a special interface... (NOTE: you may have the same limitation
>>other IPsec implementations, not only with racoon/m0n0wall)
>It may work to specify 0.0.0.0/0 as one tunnel endpoint to get this
>effect. But this could be dangerous if IPsec is applied recursively
>(though it should escape as long as the WAN IP is outside the tunnel
>range). It would also become important for m0n0wall's internal
>for m0n0wall<->LAN" policy to take precedence (i.e. be earlier).
>>In conclusion, only traffic destined to the remote LAN can be routed
>>through the tunnel.
>Though the question arises as to why routing WAN traffic through the
>tunnel is considered desirable.
> Fred Wright
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
Dore Achievement Centres (Pty) Ltd - Hotline: 1300 55 77 11
This e-mail message may contain confidential or privileged information
and is intended solely for the individual to whom it is addressed. If you
are not the named addressee you should not disseminate, distribute or
copy this e-mail. If you have received it in error please notify us
immediately by telephoning 1300 55 77 11 and destroy this e-mail and
any attachments. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The sender
therefore does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission.
The content of this email is not necessarily that of the Dore Acievement
Centres unless otherwise specified. This email was scanned for possible
viruses and was sent on 8/2/2005 by barry dot mather at dorecentres dot com dot au to m0n0wall at lists dot m0n0 dot ch