 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] NAT and VPN - chicken and egg
 Date:  Tue, 10 Jan 2006 13:28:14 -0600
George Farris wrote:
> On Tue, 2006-10-01 at 13:45 -0500, Chris Buechler wrote:
>> On 1/10/06, George Farris <farrisg at mala dot bc dot ca> wrote:
>>> When setting up a VPN and with the firewall set to NAT all LAN
>>> traffic to the WAN address, does the NAT happen before traffic goes
>>> out across the VPN? 
>> No.  The traffic crosses the VPN without hitting NAT.
> Ah, this explains why the Cisco box works then.  Apparently they can
> NAT before going through the vpn which means you can effectively have
> identical subnets on both ends.  Too bad Monowall can't do this but...
> Thanks

It is my opinion that having "identical subnets on both ends" would be a
bad design. You would need to make sure IPs were not duplicated. DHCPs on
both ends would need to not overlap. You would only be able to use half of the
subnet on either end - so you might as well set up separate, different

By setting up a site-to-site VPN you in effect have a static route that
states that to get from Network A to Network B, use the tunnel. Local
DNS (or, worst case, WINS) could be used on both ends to resolve
addresses on remote networks. This will take some coordination, but that
is why we make the big bucks...

James W. McKeand
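An added illustration, not part of this thread or of m0n0wall's code: a small longest-prefix-match simulation showing why tunnel-bound traffic never meets the LAN-to-WAN NAT rule, and why identical subnets on both ends break routing (the remote host matches the local LAN route and never reaches the tunnel). The subnets, interface names and addresses are constructed for the example.

```python
import ipaddress

# Constructed topology: local LAN behind the firewall, a remote site reached
# through an IPsec tunnel, and a default route out the WAN interface.
LAN_IF, WAN_IF, TUNNEL_IF = "LAN", "WAN", "ipsec0"


def build_routes(local_lan, remote_lan):
    """Routing table as (prefix, egress interface), most specific wins."""
    return [
        (ipaddress.ip_network(local_lan), LAN_IF),       # directly connected
        (ipaddress.ip_network(remote_lan), TUNNEL_IF),   # site-to-site VPN
        (ipaddress.ip_network("0.0.0.0/0"), WAN_IF),     # default route
    ]


def lookup(routes, dst):
    """Longest-prefix match; on a tie the first entry (the local LAN) wins,
    which is exactly the ambiguity identical subnets create."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(routes, dst):
    """Return (egress interface, natted). The outbound NAT rule from the
    thread translates LAN traffic leaving the WAN interface only, so a
    packet routed into the tunnel is encrypted as-is, without NAT."""
    iface = lookup(routes, dst)
    return iface, iface == WAN_IF


def subnets_overlap(local_lan, remote_lan):
    """Design check: overlapping LANs cannot be told apart by routing."""
    return ipaddress.ip_network(local_lan).overlaps(
        ipaddress.ip_network(remote_lan))


if __name__ == "__main__":
    good = build_routes("192.168.1.0/24", "192.168.2.0/24")
    print(forward(good, "192.168.2.20"))   # tunnel, no NAT
    print(forward(good, "203.0.113.5"))    # WAN, NAT applied
    bad = build_routes("192.168.1.0/24", "192.168.1.0/24")
    print(forward(bad, "192.168.1.20"))    # stays on local LAN, never tunnelled
```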