On 5/23/05, Anastasija Bosiha <anastasija dot bosiha at gmail dot com> wrote:
> Hello to All!
>
> For about 1 month I've been using m0n0wall, and I had the following problem. Our LAN
> (192.168.2.0/24) has two gateways/routers:
> - one for Internet (192.168.2.253)
> - second (192.168.254) for tunneling to another office. The second office has
> LAN: 10.2.2.0/16.
>
> I------------------I ---- 192.168.2.254 (m0n0wall)
> I (192.168.2.0/24) I                                 I-------------I
> I------------------I ---- 192.168.2.253 -----------I 10.2.2.0/24 I
>                                                    I-------------I
> All computers from network 192.168.2.0/24 have as default router
> 192.168.2.254.
> 192.168.2.254 has static route for 10.2.2.0/24 network to 192.168.2.253
> router.
>
> So problems are following:
> 1. Computers from the 10.2.2.0/16 network cannot access 192.168.2.0/24
> network resources. For example, computer 10.2.2.5 tries to connect to
> computer 192.168.2.6. When 192.168.2.6 receives a packet from 10.2.2.5,
> it sends the reply through 192.168.2.254, and m0n0wall blocks this packet
> because of default firewall rule 19:
>
> @18 skip 1 in proto tcp from any to any flags S/FSRA
> @19 block in log quick proto tcp from any to any
>
> How can I modify the default firewall ruleset or make network 10.2.2.0/16 a
> trusted network, so that packets from this network will never be blocked?
>
Looks like you're getting hit by the antispoofing rule because you're
missing a static route on m0n0wall to that network. Add the static
route and it won't hit that rule anymore.
-Chris
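The reverse-path (antispoof) check the reply refers to, modelled as an added example that is not m0n0wall's own code: a packet is accepted only if the route back to its source leaves through the interface it arrived on, so without a static route for 10.2.2.0/24 the default route (upstream gateway 203.0.113.1 is a constructed placeholder) points at WAN and LAN-side traffic from 10.2.2.5 is blocked.

```python
import ipaddress

# Constructed routing tables for the thread's m0n0wall (192.168.2.254).
# Each entry: (destination network, next hop or None if directly connected, interface)
ROUTES_WITHOUT_STATIC = [
    ("192.168.2.0/24", None, "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),  # placeholder upstream gateway (assumption)
]
# Same table plus the static route the reply recommends (remote LAN via 192.168.2.253)
ROUTES_WITH_STATIC = ROUTES_WITHOUT_STATIC + [
    ("10.2.2.0/24", "192.168.2.253", "lan"),
]


def lookup(routes, addr):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, next_hop, ifname in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, ifname)
    return best


def antispoof_verdict(routes, src, in_iface):
    """Reverse-path check: 'pass' if the route back to src uses in_iface, else 'block'."""
    route = lookup(routes, src)
    if route is None:
        return "block"
    return "pass" if route[2] == in_iface else "block"


if __name__ == "__main__":
    for label, table in (("without static route", ROUTES_WITHOUT_STATIC),
                         ("with static route", ROUTES_WITH_STATIC)):
        print(f"{label}: 10.2.2.5 on lan -> {antispoof_verdict(table, '10.2.2.5', 'lan')}")
```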