 From:  Joe <j dot commisso at verizon dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] gateway not working with vpn
 Date:  Fri, 07 May 2010 20:09:07 -0400
Hi Jakob,

First of all, thanks for responding.

I was worried that I wasn't too clear.

Right now this is the working setup:

192.168.x.0/24<->  m0n0wall-1<-- {Internet} -->  monowall-2<->  192.168.y.0/24

Both sites can ping each other because of VPN.

I want to add the "gateway" machine so I can use NTOP and Squid as follows:

192.168.x.0/24<->  gateway<--(192.168.z.0/24)-->  m0n0wall-1<-- {Internet} -->  monowall-2<->  192.168.y.0/24

There. Maybe those diagrams are better.

When I added the "gateway", I got the following results:

 From any host on 192.168.x.0/24, I can ping any host on 192.168.y.0/24.
 From any host on 192.168.y.0/24, I cannot ping any host on 192.168.x.0/24.

Your message makes me wonder if I should have set it up like this:

192.168.x.0/24<->  gateway<--(192.168.x.0/24)-->  m0n0wall-1<-- {Internet} -->  monowall-2<->  192.168.y.0/24

What do you think? Does that look like it would work?
The "gateway" has two Ethernet ports.

Thanks,
Joe



On 05/07/2010 03:35 AM, Jakob Schwienbacher wrote:
> Hello,
>
> First of all, I didn't understand the problem 100%, probably because of my
> bad English =:)
>
> So on which host did you log on and try to ping site2? (192.168.x.0/24
> or 192.168.z.0/24)
> Traffic between LAN X and LAN Z is working?
> Is there a new device between LAN X and LAN Z, or is LAN X still
> connected to m0n0wall on another interface?
> Could you please describe the whole configuration of site1 a bit more clearly?
>
> Regards,
>
> Jakob
>
> On 4 May 2010 02:43, Joe<j dot commisso at verizon dot net>  wrote:
>    
>> Correction, where I wrote:
>>
>> I tried this unsuccessfully as follows:
>>
>> 192.168.x.0/24<->    [(192.168.*z*.0/24 = eth0) gateway (192.168.z.0/24 =
>> eth1)]<->    m0n0wall-1<-(Internet)->    monowall-2<->    192.168.y.0/24
>>
>>
>> I meant to write this:
>>
>> I tried this unsuccessfully as follows:
>>
>> 192.168.x.0/24<->    [(192.168.*x*.0/24 = eth0) gateway (192.168.z.0/24 =
>> eth1)]<->    m0n0wall-1<-(Internet)->    monowall-2<->    192.168.y.0/24
>>
>>
>> Can anybody point me to somewhere, where I might find answers to what I'm
>> trying to do?
>>
>> Thanks,
>> Joe
>>
>>
>>
>> On 04/25/2010 12:44 PM, Joe wrote:
>>      
>>> Hi,
>>> I have what I believe is a routing problem.
>>>
>>> First of all, I have a site to site ipsec vpn up and running as follows:
>>>
>>> Site 1 Lan subnet: 192.168.x.0/24
>>> Site 2 Lan subnet: 192.168.y.0/24
>>>
>>> 192.168.x.0/24<->  m0n0wall-1<-(Internet)->  monowall-2<->  192.168.y.0/24
>>>
>>> It works.
>>> The vpn setups are to join the 192.168.x.0 network with the 192.168.y.0
>>> network and vice versa.
>>>
>>> Now, I want to introduce another gateway, so that I can monitor and
>>> control traffic.
>>> I tried this unsuccessfully as follows:
>>>
>>> 192.168.x.0/24<->  [(192.168.z.0/24 = eth0) gateway (192.168.z.0/24 =
>>> eth1)]<->  m0n0wall-1<-(Internet)->  monowall-2<->  192.168.y.0/24
>>>
>>> The internal Lan of monowall-1 was put on the 192.168.z.0 subnet and the
>>> monowall-2 ipsec vpn was changed to have the remote subnet be 192.168.z.0.
>>>
>>> A static route on monowall-1 was added to use the gateway eth1 IP
>>> (192.168.z.20) as a gateway to the Site1 Lan subnet traffic
>>> (192.168.x.0/24).
>>>
>>> Once configured, I could log onto a host at site1 and ping through to
>>> hosts at Site2.
>>> But from site2, I could not ping hosts on the site1 subnet.
>>>
>>> I could however ping the new gateway eth1 IP address (192.168.z.20) from
>>> Site2.
>>> I could also log onto the monowall-1 web interface and ping the Lan
>>> interface to any host of Site1.
>>>
>>> Can anybody suggest what is wrong?
>>>
>>> Note: I will be unable to test out any corrective action until some weeks
>>> in the future as I am dependent on work being done outside of normal
>>> business hours.
>>> The window for this is on some, but not all Sunday mornings.
>>>
>>> Thanks!
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch