 From:  "Joshua Coombs" <jcoombs at gwi dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: No split tunneling...
 Date:  Fri, 5 May 2006 11:12:04 -0400
> My initial guess would be to change the default route for the Branch
> m0n0wall from the ISP gateway to the HQ m0n0wall (firewall). How to
> do, not sure...

> _________________________________
> James W. McKeand

I was just about to ask the same question. : )

I think (and I'm hoping someone can correct me if my assumptions are 
wrong) what will happen is this.  The Central HQ m0n0wall will be 
set up normally, doing NAT and an IPsec link.  The NAT conf may need to 
be tweaked to accept the additional netblocks going through it.  Its 
default route will point to its public uplink, as normal.

The remote office m0n0wall will have its default route pointing at 
the Central HQ box's private IP.  I dunno if you can add that route 
until the link is established, though?  You will then need to set up a 
custom route for the public IP of the Central HQ box, with a next hop 
of the upstream public gateway.  This way the box has enough routing 
to get the IPsec tunnel lit, but any traffic for any other IP will go 
via the IPsec link.  The remote node should then NAT it as hoped.  In 
theory anyways... : )

Joshua Coombs
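The branch-office routing table described above, modelled as an added example (not part of the thread or of m0n0wall): a longest-prefix-match lookup showing why the /32 host route for the HQ public IP is needed before the tunnel can come up. All addresses are constructed placeholders from the RFC 5737 documentation ranges and private space.

```python
import ipaddress

# Constructed example addresses (not from the thread).
HQ_PUBLIC_IP = "203.0.113.10"        # public address of the HQ m0n0wall (IPsec peer)
HQ_PRIVATE_IP = "10.1.0.1"           # HQ m0n0wall LAN address, reachable only inside the tunnel
BRANCH_ISP_GATEWAY = "198.51.100.1"  # branch office upstream (ISP) gateway


def build_routes(with_host_route):
    """Branch m0n0wall routing table as (prefix, next_hop) pairs.

    The default route points at the HQ box's private IP so all traffic
    goes through the tunnel. The optional /32 is the custom route the
    post describes: the HQ public IP via the upstream public gateway.
    """
    routes = [(ipaddress.ip_network("0.0.0.0/0"), HQ_PRIVATE_IP)]
    if with_host_route:
        routes.append((ipaddress.ip_network(HQ_PUBLIC_IP + "/32"),
                       BRANCH_ISP_GATEWAY))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def tunnel_can_establish(routes):
    """IKE/ESP packets to the peer must leave via the ISP uplink.

    If the lookup for the peer's public IP returns the in-tunnel next hop,
    the tunnel would have to be up before it can be brought up, so it
    never establishes.
    """
    return lookup(routes, HQ_PUBLIC_IP) == BRANCH_ISP_GATEWAY


if __name__ == "__main__":
    for host_route in (False, True):
        table = build_routes(host_route)
        print("host route:", host_route,
              "| peer via:", lookup(table, HQ_PUBLIC_IP),
              "| other via:", lookup(table, "192.0.2.50"),
              "| tunnel can establish:", tunnel_can_establish(table))
```

With only the default route, the peer's own packets are sent into the not-yet-existing tunnel; adding the /32 keeps the peer reachable over the uplink while every other destination (including the constructed 192.0.2.50) still goes through the tunnel to be NATed at HQ.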