 From:  Adam Stasiak <palesius at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Static routes issue with two gateways.
 Date:  Sat, 23 Apr 2011 22:23:16 -0400
I posted in the forum with an image, so here is a link to that image.
http://forum.m0n0.ch/index.php?action=dlattach;topic=4958.0;attach=693;image

I simplified my question a bit on the email list compared to the forum post, which is why the
diagram shows 3 sites. The 3rd site can safely be ignored for the purposes of my question I
think.

As to the whys and wherefores.
We have 2 sites w/ a VPN link in between. One is the 10.100.1.0/24 subnet, the other is 10.100.2.0/24.
We recently added a second internet connection (cable) as a backup on top of an existing T1 at site
1. (We're not doing any sort of automated failover, just an emergency manual backup.)
I had a spare monowall box (our backup FW) lying around, which I hooked up to the new cable
connection. So we now have 2 firewalls there. One has VPN tunnels set up to our second site and goes
out through the T1. The second has no VPN and goes out through cable.
I want to point the desktops at the firewall that goes out over the cable, so the T1 bandwidth will
be reserved for the servers. (Plus the cable has much faster download for web browsing.) But I need
the desktops to still be able to reach the secondary site over the VPN connection. (And everything
at the secondary site to be able to reach everything at the primary site regardless of how it gets
out to the general internet.)

As I said, I can add static routes for the secondary subnet (to use the original firewall w/ VPN)
to the PCs and it works fine, but I would like to have something more global that doesn't require
touching each device. (Plus I can't necessarily set static routes on all of the devices, as they
don't have that capability.)
I have a solution for the PCs (anything that can receive static routes over DHCP using option
249 on a Win 2k3 DHCP server). But ideally I'd like to handle it all on the monowall boxes in order
to keep things transparent to the client devices. I'd like it to be as simple as changing the
default gateway to determine which connection they use for general internet access, w/o impacting
access to either of the internal subnets.

If I add the static route on the cable firewall (pointing to the T1 firewall for 10.100.2.0/24), it
works for the PC at the main site, but nothing at the secondary site can reach that PC unless it had
previously initiated contact (and had a route added by the ICMP redirect).
I've tried messing around with the advanced settings on m0n0 that seemed relevant (disabled
anti-spoofing, and ignore FW rules for packets that are going in and out on the same interface).
Incidentally the 2nd one (ignore FW rules) causes it to not even work one way (I assume because it
doesn't know to route it over the VPN).

Hopefully that makes things a bit clearer. Thanks for the input. It's nice to know the proper name
for the magic routes popping up in the PCs' "route print" on Windows, incidentally.

---------- Forwarded message ----------

> From: Lee Sharp <leesharp at hal dash pc dot org>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Sat, 23 Apr 2011 14:06:58 -0400
> Subject: Re: [m0n0wall] Static Routes issue with two gateways.
> On 04/23/2011 11:14 AM, Adam Stasiak wrote:
>
>> I'm having some issues with static routes that are beyond my abilities
>> (w/routing or google) to resolve.
>>
>
> I am fairly good with routing, and have some complex networks set up. That
> said, after reading it twice, I still do not follow you.  Any chance at a
> diagram?
>
>                        Lee
>
>
> ---------- Forwarded message ----------
> From: Thomas Preissler <thomas at preissler dot co dot uk>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Sat, 23 Apr 2011 20:00:32 +0100
> Subject: Re: [m0n0wall] Static Routes issue with two gateways.
> Adam,
>
> Quoting Adam Stasiak <palesius at gmail dot com>:
>
>> I'm having some issues with static routes that are beyond my abilities
>> (w/routing or google) to resolve.
>>
>> Basically I have three sites (1,2, & 3).
>> Site 1 is 10.100.1.0/24
>> Site 2 is 10.100.2.0/24
>>
>> Each one has a monowall firewall, with various methods of internet
>> connectivity.
>> FW1 10.100.1.1
>> FW2 10.100.2.1
>>
>> There are IPSec VPN links between each firewall that are working just
>> fine.
>> All PCs in this example are running Windows XP.
>>
>> I've added in a second internet connection at one site (#1), with yet
>> another monowall box (FW1B).
>> If I have two PCs at site 1, one (PC1A) using the original firewall (1A)
>> as default gateway, and the other (PC1B) using the new firewall (1B).
>>
>> I haven't added any IPSec VPN links to firewall 1B.
>>
>> Now if I have a third PC (PC2) at one of the other sites, I can ping PC1A
>> fine, but can't ping PC1B. This is as expected. If I add static routes
>> like:
>> 10.100.2.0/24 -> 10.100.1.1
>> directly to PC1B (so that it routes traffic for the other sites to
>> 10.100.1.1 and thence over the VPN), I can ping just fine from PC2.
>>
>> Here is where I am stumped though. I would like to avoid having to touch
>> all PCs at Site1. So I added the same two static routes to the FW1B itself
>> directly. That allows me to ping from PC1B to PC2. However I cannot ping
>> from PC2 to PC1B unless I have first pinged in the other direction. This
>> appears to set up a temporary route like (10.100.2.10/32 -> 10.100.1.1)
>> on the PC. Is there a way to allow the PC at the other site to initiate the
>> connection or am I SOL?
>> I would imagine that I could solve this by segregating the PCs at Site1
>> into two different subnets based on their default gateway. But that would be a
>> major headache I would like to avoid.
>>
>
> What's happening here is called ICMP redirects, please see
>
>
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
>
> for a detailed explanation.
>
> To proceed further, I do not exactly understand what you want to achieve -
> why do you have two firewalls and internet connections and why do you want
> to change the gateways to FW1B, even though the VPN terminates on FW1A which
> is causing problems in any case.
>
> You can show on a Linux box via "route -C" those injected routes, there is
> a way on Windows as well with "route" somehow, check it out.
>
>
> m0n0wall rocks
>
> Thomas
>
>
>
> ---------- Forwarded message ----------
> From: Joseph Commisso <commissoje at gmail dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Sat, 23 Apr 2011 15:24:04 -0400
> Subject: https gui on wan only?
> Is it easy to set up the web gui on https port on the WAN (external) port
> only and still have the web gui use http on the LAN?
>
> Can someone please provide the instructions to set this up?
>
> Thank you all in advance
>
>
> ---------- Forwarded message ----------
> From: Mike Nichols <mike at myownsoho dot net>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Date: Sat, 23 Apr 2011 15:39:45 -0400
> Subject: Re: [m0n0wall] https gui on wan only?
> Firewall rules.
> block or drop
>
> On Sat, 23 Apr 2011 15:24:04 -0400, Joseph Commisso wrote:
>
>> Is it easy to set up the web gui on https port on the WAN (external) port
>> only and still have the web gui use http on the LAN?
>>
>> Can someone please provide the instructions to set this up?
>>
>> Thank you all in advance
>>
>
> --
> Mike Nichols
> My Own SOHO
> mike at myownsoho dot net
> http://myownsoho.com
> 212 202-2194
>
>
> ---------- Forwarded message ----------
> From: Lee Sharp <leesharp at hal dash pc dot org>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Sat, 23 Apr 2011 16:54:33 -0400
> Subject: Re: [m0n0wall] https gui on wan only?
> On 04/23/2011 03:24 PM, Joseph Commisso wrote:
>
>> Is it easy to set up the web gui on https port on the WAN (external) port
>> only and still have the web gui use http on the LAN?
>>
>
> Nope.  You are either http or https, not both.  However, you can have it be
> one port inside and a different port outside if you wish.  Use NAT on the
> outside port...
>
>                        Lee
>
>
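A small model of the routing behaviour the thread describes (an added example, not code from the list or from m0n0wall): longest-prefix lookup on PC1B, the ICMP redirect FW1B sends when it forwards a packet back onto the LAN it arrived from, and the /32 host route that redirect installs on the PC, which is why only hosts PC1B has already contacted resolve to FW1A while the rest still go to FW1B. FW1B's address 10.100.1.2 and PC1B's 10.100.1.50 are assumptions; the thread gives neither.

```python
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("10.100.1.0/24")  # site 1 LAN, from the thread
FW1A = "10.100.1.1"   # original firewall with the VPN (FW1 in the thread)
FW1B = "10.100.1.2"   # cable firewall; address is an assumption, not given on the list
PC2 = "10.100.2.10"   # site 2 host, as in the thread's example host route

@dataclass
class Node:
    name: str
    ip: str
    routes: list = field(default_factory=list)  # (network, next_hop); None = on-link

    def lookup(self, dst):
        """Longest-prefix match, as an IP stack does; returns the next hop."""
        best = None
        for net, nh in self.routes:
            n = ipaddress.ip_network(net)
            if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, nh)
        return best[1] if best else None

def forward(router, src, dst):
    """One router forwarding step: returns (next_hop, redirect_sent). A redirect is
    sent when the packet leaves on the interface it arrived on, i.e. the source and
    the chosen next hop are both on the directly connected LAN (RFC 1122 / Cisco note)."""
    nh = router.lookup(dst)
    redirect = (nh not in (None, "internet")
                and ipaddress.ip_address(src) in LAN and ipaddress.ip_address(nh) in LAN)
    return nh, redirect

def send(pc, gateways, dst):
    """PC sends one packet; if its first hop redirects, the stack installs a /32 host route."""
    hop = pc.lookup(dst)
    router = gateways.get(hop)
    if router is not None:
        nh, redirect = forward(router, pc.ip, dst)
        if redirect:
            pc.routes.append((f"{dst}/32", nh))
    return hop

def scenario(static_route_on_pc=False):
    """PC1B defaults to FW1B, which carries the static route for site 2 via FW1A."""
    pc1b = Node("PC1B", "10.100.1.50", [(str(LAN), None), ("0.0.0.0/0", FW1B)])  # IP constructed
    if static_route_on_pc:  # the per-PC fix Adam says works (DHCP option 249 delivers the same)
        pc1b.routes.append(("10.100.2.0/24", FW1A))
    fw1b = Node("FW1B", FW1B, [(str(LAN), None), ("10.100.2.0/24", FW1A), ("0.0.0.0/0", "internet")])
    send(pc1b, {FW1B: fw1b}, PC2)
    return {
        "pinged_host": pc1b.lookup(PC2),            # FW1A, via the /32 the redirect installed
        "other_site2_host": pc1b.lookup("10.100.2.11"),  # still FW1B unless the /24 is on the PC
        "host_routes": [r for r in pc1b.routes if r[0].endswith("/32")],
    }
```

Run `scenario()` to see the redirect-learned /32 and `scenario(static_route_on_pc=True)` to see the /24 cover every site 2 host without any redirect; the firewall-state side of the problem (why the reverse path fails) is not modelled here.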
