 Subject:  IP Tunneling between two m0n0walls
 Date:  Wed, 17 Dec 2003 03:21:02 -0500
I've got a rather odd design I'm trying to implement, and was wondering
if any m0n0wallers could lend some assistance.

I've got a m0n0wall running on a T1 connection with a static IP; I'll
call it the host firewall.  I've got another m0n0wall connected to a
cable modem at a friend's house, which I'll call the client firewall; it
has a dynamic IP.

What I'd like to accomplish is setting up an IP tunnel to share private
address space between the two networks.  Currently both firewalls are
set up with the Internet on WAN and the local network on LAN, doing NAT
between them.  Ideally, I'd like to bridge the two LANs together and
share a single private subnet between them.

Assuming I can get that much working, I'd also like to turn NAT off on
the client firewall.  In essence this would make hosts on the LAN there
only able to talk to my LAN.  The purpose for doing that is creating
some sort of default route to my m0n0wall.  What I want to accomplish is
routing all traffic from the client LAN through the host firewall's
Internet connection.

It sounds to me like I want to create a layer 2 bridge between the two
LANs, but do it over layer 3.  I realize the performance implications of
doing that (broadcast traffic, etc), and am open to suggestions to
reduce/avoid them.  I know SonicWALL boxes can do this, but they require
each LAN to have its own subnet.  Not to mention they cost $400+.

In case you're wondering why I'd want to do this, it's to mask the ISP
at my friend's house.  He wants to set up a wireless hot spot, but he
has Road Runner and it's against their TOS.  By routing everything
through the other firewall, anyone at the hotspot should see a
traceroute going out through its ISP, and not his Road Runner.  I
realize this introduces a huge performance hit, but it's not critical to
our application.  I think SeattleWireless does something similar using
GRE tunneling, but I'm not clear if their IP tunnels are only for LAN
communication or if they actually route Internet requests from node to

12 pack of your choice plus my gratitude to whoever figures this one
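An added example, not from the original post or from m0n0wall, showing what the GRE tunnel the poster describes actually puts on the cable-modem link. It builds an IPv4-in-IPv4 GRE packet (RFC 2784, outer IP protocol 47) from a hotspot client toward an Internet host, then parses it back the way the host firewall would, validating the outer header checksum, the GRE version and protocol type, and the optional GRE checksum. All addresses are RFC 5737 documentation addresses chosen for illustration, and the inner ICMP echo is constructed sample data; the tap-view function exists to make the practitioner's caveat concrete: GRE encapsulates but does not encrypt or authenticate, so anyone between the cable modem and the T1 sees the hotspot client's real traffic and private address in the clear. If hiding the traffic from the friend's ISP matters, the GRE tunnel would need to run inside IPsec.

```python
"""GRE (RFC 2784) IPv4-in-IPv4 encapsulation, as a stand-alone illustration.
Added example code; not m0n0wall code.  Addresses are RFC 5737 documentation
addresses and the inner ICMP echo is constructed sample data."""
import socket
import struct

IPPROTO_GRE = 47            # IP protocol number of the outer header
IPPROTO_ICMP = 1
GRE_PROTO_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000  # "C" bit: a checksum follows the 4-byte header

# Assumed addresses for the two sites described in the post (not real ones).
CLIENT_WAN = "203.0.113.10"  # friend's dynamic cable-modem IP
HOST_WAN = "198.51.100.1"    # host firewall's static T1 IP
HOTSPOT_USER = "10.0.0.50"   # a hotspot client on the shared private subnet
INTERNET_DST = "192.0.2.80"  # some server on the Internet


def ipv4_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, header_len, total_len); raise ValueError on a bad header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], ihl, total_len


def icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) with its checksum filled in."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", ipv4_checksum(msg)) + msg[4:]


def gre_encap(outer_src: str, outer_dst: str, inner: bytes, with_checksum: bool = True) -> bytes:
    """Wrap an inner IPv4 packet: outer IPv4 (proto 47) + GRE header + inner packet."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if with_checksum:
        # The checksum covers the GRE header and the whole payload, field zeroed.
        gre += struct.pack("!HH", 0, 0)
        gre = gre[:4] + struct.pack("!HH", ipv4_checksum(gre + inner), 0)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(pkt: bytes):
    """Validate outer IPv4 and GRE headers; return (outer_src, outer_dst, inner_packet)."""
    osrc, odst, proto, ihl, total_len = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    body = pkt[ihl:total_len]
    if len(body) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", body[:4])
    if flags & 0x0007:  # version bits must be zero for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    hdr_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(body) < 8:
            raise ValueError("truncated GRE checksum")
        if ipv4_checksum(body) != 0:  # sum over header+payload must cancel to zero
            raise ValueError("bad GRE checksum")
        hdr_len = 8
    return osrc, odst, body[hdr_len:]


def build_sample() -> bytes:
    """One hotspot ping, tunnelled from the client firewall to the host firewall."""
    echo = icmp_echo(ident=0x1234, seq=1, payload=b"ping")
    inner = ipv4_header(HOTSPOT_USER, INTERNET_DST, IPPROTO_ICMP, len(echo)) + echo
    return gre_encap(CLIENT_WAN, HOST_WAN, inner)


def tap_view(pkt: bytes) -> dict:
    """What a passive tap on the cable-modem path learns: GRE hides nothing."""
    osrc, odst, inner = gre_decap(pkt)
    isrc, idst, iproto, _, _ = parse_ipv4(inner)
    return {"outer": (osrc, odst), "inner": (isrc, idst, iproto)}


if __name__ == "__main__":
    print(tap_view(build_sample()))
```

The tap view is the point to keep in mind when the goal is to hide the hotspot from the friend's ISP: the outer header does change the path a traceroute from the hotspot takes, but the inner packet rides along readable and unauthenticated, so the tunnel should be protected by IPsec (which m0n0wall does offer) before relying on it for anything beyond reachability.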


