[ previous ] [ next ] [ threads ]
 From:  Thomas Preissler <thomas at preissler dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Static routes issue with two gateways.
 Date:  Sun, 24 Apr 2011 12:05:32 +0100

Quoting Adam Stasiak <palesius at gmail dot com>:

> I posted in the forum with image so here is link to that image.
> http://forum.m0n0.ch/index.php?action=dlattach;topic=4958.0;attach=693;image
> I simplified my question a bit on the email list compared to the  
> forum post, which is why the diagram shows 3 sites. The 3rd site can  
> safely be ignored for the purposes of my question I
> think.
> As to the whys and wherefores.
> We have 2 sites w/ a VPN link in between. one is  
> subnet, other is
> We recently added a second internet connection (cable) as a backup  
> on top of an existing T1 at site 1. (We're not doing any sort of  
> automated failover, just an emergency manual backup.)
> I had a spare monowall box (our backup FW) lying around, which I  
> hooked up to the new cable connection. So we now have 2 firewalls  
> there. One has VPN tunnels set up to our second site and goes out  
> through the T1. The second has no VPN and goes out through cable.
> I want to point the desktops at the firewall that goes out over the  
> cable, so the T1 bandwidth will be reserved for the servers. (Plus  
> the cable has much faster download for web browsing). But I need the  
> desktops to still be able to reach the secondary site over the VPN  
> connection. (And everything at the
> secondary site to be able to reach everything at the primary site  
> regardless of how it gets out to the general internet).
> As I said I can add static routes for the secondary subnet (to use the
> original firewall w/vpn) to the PCs and it works fine, but would  
> like to have something more
> global that doesn't require touching each device. (Plus I can't  
> necessarily set static routes on all of the devices as they don't  
> have that capability.)
> I have a solution for the PCs (anything that can receive static  
> routes over DHCP using the option 249 on a Win 2k3 DHCPserver). But  
> ideally I'd like to handle it all on the monowall boxes in order to  
> keep things transparent to the client devices. I'd like it to be as  
> simple as changing the default gateway to determine which connection  
> they use for general internet access, w/o impacting access to either  
> of the internal subnets.
> If I add the static route on the cable firewall (pointing to T1  
> firewall for, it works for the pc at the main Site,  
> but nothing at the secondary site can reach that pc unless it had  
> previously initiated contact (and had a route added by the ICMP  
> redirect).
> I've tried messing around with the advanced setting on m0n0 that  
> seemed relevant (disabled anti-spoofing and ignore FW rules for  
> packets that are going in and out on the same interface).  
> Incidentally the 2nd one (ignore fw rules) causes it to not even  
> work one way (i assume because it doesn't know to route it over the  
> vpn).

I see, that makes things a bit clearer.

If FW1B has 3 interfaces, then you could do the following and this  
should sort out your problem:

What about putting the FW1B inline of the connection? That means  
creating a transport network between FW1A LAN interface and FW1B  
interface #1. Hook up the cable modem to interface #2 on FW1B, and  
interface #3 is the internal gateway then, with the previous IP of  
FW1A internally.
The default gateway of FW1B is the Cable modem. There are static  
routes on there to point to FW1A to reach the VPN tunnel for all sites.

I think this should work. It would give you the benefit
1) dont have to reconfigure all internal machines
2) Non VPN traffic (internet down- and upstream) goes through cable
3) VPN goes through FW1A.

If FW1B does not have 3 interfaces, then you could achieve something  
similar with VLAN switches - m0n0wall is VLAN capable. I think so...