 From:  Adam Stasiak <palesius at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Static Routes issue with two gateways.
 Date:  Sat, 23 Apr 2011 11:14:09 -0400
I'm having some issues with static routes that are beyond my abilities
(w/routing or google) to resolve.

Basically I have three sites (1,2, & 3).
Site 1 is 10.100.1.0/24
Site 2 is 10.100.2.0/24

Each one has a monowall firewall, with various methods of internet
connectivity.
FW1 10.100.1.1
FW2 10.100.2.1

There are IPSec VPN links between each firewall that are working just fine.
All PCs in this example are running Windows XP.

I've added in a second internet connection at one site (#1), with yet
another monowall box (FW1B).
If I have two PCs at site 1, one (PC1A) using the original firewall (1A) as
default gateway, and the other (PC1B) using the new firewall (1B).

I haven't added any IPSec VPN links to firewall 1B.

Now if I have a third PC (PC2) at one of the other sites, I can ping PC1A
fine, but can't ping PC1B. This is as expected. If I add static routes like:
10.100.2.0/24 -> 10.100.1.1
directly to PC1B (so that it routes traffic for the other sites to
10.100.1.1 and thence over the VPN), I can ping just fine from PC2.

Here is where I am stumped though. I would like to avoid having to touch all
PCs at Site1. So I added the same two static routes to the FW1B itself
directly. That allows me to ping from PC1B to PC2. However I cannot ping
from PC2 to PC1B unless I have first pinged in the other direction. This
appears to set up a temporary route like (10.100.2.10/32 -> 10.100.1.1) on
the PC. Is there a way to allow the PC at the other site to initiate the
connection or am I SOL?
I would imagine that I could solve this by segregating the PCs at Site1 into
two different subnets based on their default gateway. But that would be a
major headache I would like to avoid.

Alternately (and this would be a far more complex solution), I have 2
additional interfaces available on FW1A, so I could hook both internet
connections up to the same box. But, last I checked monowall doesn't support
multiple WAN interfaces, so I would have to move over to pfsense.