m0n0wall 1.22, Soekris net4801, WAN, LAN, DMZ
I had a common problem with others here, using IPSec mobile clients
and the resulting split horizon, i.e. only traffic to your local
network is sent over the tunnel, all other traffic is sent direct, un-
The particular problem for me was my public POP3 and SMTP servers.
One solution would be to run some sort of local proxy for these
services, but I prefer to keep that solution as a last resort.
I have solved this problem, and all comments are welcome.
In my IPSec client (IPSecuritas 3.0 on Mac OS 10.4) I define my local
endpoint as "Host" and remote endpoint as "Networks" (plural).
I need to specify a local address for the "Host" (so the routing
works), so I use an unused address in the DMZ. (Would a static route
be a better thing to do?)
The Networks are:
192.168.100.0/24 # local LAN
216.x.y.z/32 # public POP3 server
68.a.b.c/32 # public SMTP server
The final 'trick', in the 'Options' tab, is to check "Unique SAs".
This forces m0n0wall to make policies for each of these networks.
In this scenario, remote traffic to the private LAN and to the public
POP3 and SMTP servers is included in the IPSec tunnel.
Hope this helps others.
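As an added illustration (not part of the original post, and not m0n0wall or IPSecuritas code), the script below models the per-network policy set that the "Host" to "Networks" configuration with "Unique SAs" produces, and checks which destinations a given packet from the client would be sent through the tunnel for and which would go direct. The DMZ host address and the two public server addresses are constructed stand-ins (the post only gives 216.x.y.z and 68.a.b.c placeholders); the function names are the author's own and not a real API. It also rejects two configuration mistakes that are easy to make with this setup: a local "Host" address that falls inside one of the remote networks, and remote networks that overlap each other.

```python
import ipaddress

# Constructed example values: the post says the "Host" endpoint uses an
# unused DMZ address but does not give one, and its server addresses are
# x.y.z placeholders. TEST-NET ranges are used here as stand-ins.
LOCAL_HOST = "192.168.200.10"          # assumed unused DMZ address
REMOTE_NETWORKS = {
    "local LAN": "192.168.100.0/24",   # from the post
    "public POP3 server": "198.51.100.10/32",   # stand-in for 216.x.y.z/32
    "public SMTP server": "203.0.113.25/32",    # stand-in for 68.a.b.c/32
}


def build_policies(local_host, remote_networks):
    """Model the per-network policies that 'Unique SAs' yields.

    Returns a list of (src_host, dst_network, name) selector tuples, one per
    remote network. Raises ValueError for a local host that lies inside a
    remote network or for remote networks that overlap each other, since
    either makes the selector set ambiguous.
    """
    src = ipaddress.ip_address(local_host)
    policies = []
    for name, net in remote_networks.items():
        dst = ipaddress.ip_network(net, strict=True)
        if src in dst:
            raise ValueError(f"local host {src} lies inside remote network {dst} ({name})")
        policies.append((src, dst, name))
    for i, (_, a, name_a) in enumerate(policies):
        for _, b, name_b in policies[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"remote networks overlap: {a} ({name_a}) and {b} ({name_b})")
    return policies


def config_is_valid(local_host, remote_networks):
    """True if build_policies accepts the configuration, False otherwise."""
    try:
        build_policies(local_host, remote_networks)
        return True
    except ValueError:
        return False


def classify(policies, destination):
    """Name of the policy whose selector covers destination, or None if the
    packet would be sent direct (outside the tunnel)."""
    dst = ipaddress.ip_address(destination)
    for _, net, name in policies:
        if dst in net:
            return name
    return None


def route_report(policies, destinations):
    """Map each destination to the tunnel policy it matches or 'direct'."""
    return {d: (classify(policies, d) or "direct") for d in destinations}


POLICIES = build_policies(LOCAL_HOST, REMOTE_NETWORKS)

if __name__ == "__main__":
    # Constructed sample destinations: a LAN host, both mail servers, a
    # neighbour of the SMTP server, and an unrelated Internet address.
    sample = ["192.168.100.5", "198.51.100.10", "203.0.113.25",
              "203.0.113.26", "192.0.2.1"]
    for dest, via in route_report(POLICIES, sample).items():
        print(f"{dest:16} -> {via}")
```

Because each public server is a /32, only that exact address is tunnelled: the neighbour 203.0.113.26 still goes direct, which is the behaviour you want for split-horizon access to a handful of hosts. The overlap check matters if you later add a wider range (say the whole /24 around one server) while keeping the /32, since two policies then claim the same destination.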