[ previous ] [ next ] [ threads ]
 
 From:  Thomas Preissler <thomas at preissler dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Static Routes issue with two gateways.
 Date:  Sat, 23 Apr 2011 20:00:32 +0100
Adam,

Quoting Adam Stasiak <palesius at gmail dot com>:

> I'm having some issues with static routes that are beyond my abilities
> (w/routing or google) to resolve.
>
> Basically I have three sites (1,2, & 3).
> Site 1 is 10.100.1.0/24
> Site 2 is 10.100.2.0/24
>
> Each one has a monowall firewall, with various methods of internet
> connectivity.
> FW1 10.100.1.1
> FW2 10.100.2.1
>
> There are IPSec VPN links between each firewall that are working just fine.
> All PCs in this example are running Windows XP.
>
> I've added in a second internet connection at one site (#1), with yet
> another monowall box (FW1B).
> If I have two PCs at site 1, one (PC1A) using the original firewall (1A) as
> default gateway, and the other (PC1B) using the new firewall (1B).
>
> I haven't added any IPSec VPN links to firewall 1B.
>
> Now if I have a third PC (PC2) at one of the other sites, I can ping PC1A
> fine, but can't ping PC1B. This is as expected. If I add static routes like:
> 10.100.2.0/24 -> 10.100.1.1
> directly to PC1B (so that it routes traffic for the other sites to
> 10.100.1.1 and thence over the VPN), I can ping just fine from PC2.
>
> Here is where I am stumped though. I would like to avoid having to touch all
> PCs at Site1. So I added the same two static routes to the FW1B itself
> directly. That allows me to ping from PC1B to PC2. However I cannot ping
> from PC2 to PC1B unless I have first pinged in the other direction. This
> appears to set up a temporary route like (10.100.2.10/32 -> 10.100.1.1) on
> the PC. Is there a way to allow the PC at the other site to initiate the
> connection or am I SOL?
> I would imagine that I could solve this by segregating the PCs at Site1 into
> two different subnets based on their default gateway. But that would be a
> major headache I would like to avoid.

Whats happening here is called ICMP redirects, please see

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

for a detailed explanation.

To proceed further, I do not exactly understand what you want to  
achieve - why do you have two firewalls and internet connections and  
why do you want do change the gateways to FW1B, even though the VPN  
terminates on FW1A which is causing problems in any case.

You can show on a Linux box via "route -C" those injected routes,  
there is a way on Windows as well with "route" somehow, check it out.


m0n0wall rocks

Thomas