Quoting Adam Stasiak <palesius at gmail dot com>:
> I posted in the forum with an image, so here is a link to that image.
> I simplified my question a bit on the email list compared to the
> forum post, which is why the diagram shows 3 sites. The 3rd site can
> safely be ignored for the purposes of my question I
> As to the whys and wherefores.
> We have 2 sites w/ a VPN link in between. One is the 10.100.1.0/24
> subnet, the other is 10.100.2.0/24.
> We recently added a second internet connection (cable) as a backup
> on top of an existing T1 at site 1. (We're not doing any sort of
> automated failover, just an emergency manual backup.)
> I had a spare monowall box (our backup FW) lying around, which I
> hooked up to the new cable connection. So we now have 2 firewalls
> there. One has VPN tunnels set up to our second site and goes out
> through the T1. The second has no VPN and goes out through cable.
> I want to point the desktops at the firewall that goes out over the
> cable, so the T1 bandwidth will be reserved for the servers. (Plus
> the cable has much faster download for web browsing). But I need the
> desktops to still be able to reach the secondary site over the VPN
> connection. (And everything at the
> secondary site to be able to reach everything at the primary site
> regardless of how it gets out to the general internet).
> As I said, I can add static routes for the secondary subnet (to use the
> original firewall w/vpn) to the PCs and it works fine, but would
> like to have something more
> global that doesn't require touching each device. (Plus I can't
> necessarily set static routes on all of the devices as they don't
> have that capability.)
> I have a solution for the PCs (anything that can receive static
> routes over DHCP using the option 249 on a Win 2k3 DHCP server). But
> ideally I'd like to handle it all on the monowall boxes in order to
> keep things transparent to the client devices. I'd like it to be as
> simple as changing the default gateway to determine which connection
> they use for general internet access, w/o impacting access to either
> of the internal subnets.
> If I add the static route on the cable firewall (pointing to T1
> firewall for 10.100.2.0/24), it works for the pc at the main Site,
> but nothing at the secondary site can reach that pc unless it had
> previously initiated contact (and had a route added by the ICMP
> I've tried messing around with the advanced setting on m0n0 that
> seemed relevant (disabled anti-spoofing and ignore FW rules for
> packets that are going in and out on the same interface).
> Incidentally the 2nd one (ignore fw rules) causes it to not even
> work one way (I assume because it doesn't know to route it over the
I see, that makes things a bit clearer.
If FW1B has 3 interfaces, then you could do the following and this
should sort out your problem:
What about putting the FW1B inline in the connection? That means
creating a transport network between FW1A LAN interface and FW1B
interface #1. Hook up the cable modem to interface #2 on FW1B, and
interface #3 is the internal gateway then, with the previous IP of
The default gateway of FW1B is the Cable modem. There are static
routes on there to point to FW1A to reach the VPN tunnel for all sites.
I think this should work. It would give you the benefit
1) don't have to reconfigure all internal machines
2) Non-VPN traffic (internet down- and upstream) goes through cable
3) VPN goes through FW1A.
If FW1B does not have 3 interfaces, then you could achieve something
similar with VLAN switches - m0n0wall is VLAN capable. I think so...
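To make the routing difference concrete, here is an added example (not from either poster, and not m0n0wall configuration) that models both layouts as plain static route tables and traces a packet each way between a Site 1 PC and a Site 2 host. Everything beyond the two LAN subnets is a constructed assumption: 10.100.0.0/30 as the transport net between FW1A and FW1B, 172.16.0.0/30 standing in for the VPN tunnel, and the documentation ranges 192.0.2.0/30, 203.0.113.0/30 and 198.51.100.0/30 as the T1, cable and Site 2 WAN links. The trace reports when the reply path is not the reverse of the forward path, and when a box has to forward a packet back out the interface it arrived on, which is the situation behind the ICMP redirect and the "same interface" setting mentioned in the question.

```python
import ipaddress


class Router:
    """A host or firewall: interface addresses plus a static route table.
    Routes are (prefix, next_hop); next_hop None means directly connected."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.routes += [(i.network, None) for i in self.interfaces]

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces)

    def iface_for(self, addr):
        """The interface whose subnet contains addr (the on-link interface)."""
        return next((i for i in self.interfaces if addr in i.network), None)

    def lookup(self, dst):
        """Longest-prefix match: next-hop address, or None when dst is on-link."""
        hits = [(net, nh) for net, nh in self.routes if dst in net]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(hits, key=lambda r: r[0].prefixlen)[1]


def trace(nodes, src, dst):
    """Forward a packet hop by hop. Returns (path, hairpins): path is the list
    of node names, ending in 'exit via X' when the next hop is outside the
    model; hairpins lists nodes that sent the packet back out of the interface
    it came in on (the condition that makes a gateway emit ICMP redirects and
    that a stateful firewall has to be told to tolerate)."""
    dst = ipaddress.ip_address(dst)
    node, in_if = nodes[src], None
    path, hairpins = [src], []
    for _ in range(16):                      # TTL-style loop guard
        if node.owns(dst):
            return path, hairpins
        nh = node.lookup(dst)
        nh = dst if nh is None else ipaddress.ip_address(nh)
        out_if = node.iface_for(nh)
        if out_if is None:
            raise LookupError(f"{node.name}: next hop {nh} is not on-link")
        if in_if is not None and in_if == out_if:
            hairpins.append(node.name)
        nxt = next((n for n in nodes.values() if n.owns(nh)), None)
        if nxt is None:
            return path + [f"exit via {nh}"], hairpins
        node, in_if = nxt, nxt.iface_for(out_if.ip)
        path.append(node.name)
    raise RuntimeError("routing loop")


def symmetric(nodes, a, a_ip, b, b_ip):
    """True when the reply path is the exact reverse of the forward path."""
    fwd, _ = trace(nodes, a, b_ip)
    rev, _ = trace(nodes, b, a_ip)
    return fwd == rev[::-1]


def build(specs):
    return {name: Router(name, ifs, routes) for name, ifs, routes in specs}


# Constructed addressing (assumption): the thread only gives the two LAN
# subnets. 10.100.0.0/30 is the transport net, 172.16.0.0/30 stands in for
# the VPN tunnel, and the documentation ranges are the WAN links.
FW2 = ("FW2", ["10.100.2.1/24", "172.16.0.2/30", "198.51.100.2/30"],
       [("0.0.0.0/0", "198.51.100.1"), ("10.100.1.0/24", "172.16.0.1")])
SRV2 = ("SRV2", ["10.100.2.50/24"], [("0.0.0.0/0", "10.100.2.1")])

# Layout A (the question): FW1B beside FW1A on the LAN, PCs default to FW1B,
# and FW1B carries a static route for 10.100.2.0/24 pointing at FW1A.
SIDE_BY_SIDE = build([
    ("PC", ["10.100.1.50/24"], [("0.0.0.0/0", "10.100.1.2")]),
    ("FW1B", ["10.100.1.2/24", "203.0.113.2/30"],
     [("0.0.0.0/0", "203.0.113.1"), ("10.100.2.0/24", "10.100.1.1")]),
    ("FW1A", ["10.100.1.1/24", "192.0.2.2/30", "172.16.0.1/30"],
     [("0.0.0.0/0", "192.0.2.1"), ("10.100.2.0/24", "172.16.0.2")]),
    FW2, SRV2,
])

# Layout B (the reply): FW1B inline, holding FW1A's old LAN address, and
# FW1A reaches the LAN only through the transport net.
INLINE = build([
    ("PC", ["10.100.1.50/24"], [("0.0.0.0/0", "10.100.1.1")]),
    ("FW1B", ["10.100.1.1/24", "10.100.0.2/30", "203.0.113.2/30"],
     [("0.0.0.0/0", "203.0.113.1"), ("10.100.2.0/24", "10.100.0.1")]),
    ("FW1A", ["10.100.0.1/30", "192.0.2.2/30", "172.16.0.1/30"],
     [("0.0.0.0/0", "192.0.2.1"), ("10.100.2.0/24", "172.16.0.2"),
      ("10.100.1.0/24", "10.100.0.2")]),
    FW2, SRV2,
])

if __name__ == "__main__":
    for label, net in (("side-by-side", SIDE_BY_SIDE), ("inline", INLINE)):
        print(label, "PC->SRV2:", trace(net, "PC", "10.100.2.50"))
        print(label, "SRV2->PC:", trace(net, "SRV2", "10.100.1.50"))
        print(label, "PC->internet:", trace(net, "PC", "192.0.2.77")[0])
        print(label, "symmetric:",
              symmetric(net, "PC", "10.100.1.50", "SRV2", "10.100.2.50"))
```

In the side-by-side layout the forward path is PC, FW1B, FW1A, FW2 but the reply comes back FW2, FW1A, PC, so FW1B sees only the outbound half of every connection and has to hairpin the outbound packets on its LAN interface; that is why a stateful firewall only passes traffic the PC started. In the inline layout both directions cross FW1B and FW1A in the same order, internet traffic still leaves FW1B via the cable link, and no hairpin or per-client route is needed.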