> Quoting Adam Stasiak <palesius at gmail dot com>:
> > I posted in the forum with image so here is link to that image.
> > http://forum.m0n0.ch/index.php?action=dlattach;topic=4958.0;attach=693;image
> > I simplified my question a bit on the email list compared to the
> > forum post, which is why the diagram shows 3 sites. The 3rd site can
> > safely be ignored for the purposes of my question I
> > think.
> > As to the whys and wherefores.
> > We have 2 sites w/ a VPN link in between. One is the 10.100.1.0/24
> > subnet, the other is 10.100.2.0/24.
> > We recently added a second internet connection (cable) as a backup
> > on top of an existing T1 at site 1. (We're not doing any sort of
> > automated failover, just an emergency manual backup.)
> > I had a spare monowall box (our backup FW) lying around, which I
> > hooked up to the new cable connection. So we now have 2 firewalls
> > there. One has VPN tunnels set up to our second site and goes out
> > through the T1. The second has no VPN and goes out through cable.
> > I want to point the desktops at the firewall that goes out over the
> > cable, so the T1 bandwidth will be reserved for the servers. (Plus
> > the cable has much faster download for web browsing). But I need the
> > desktops to still be able to reach the secondary site over the VPN
> > connection. (And everything at the
> > secondary site to be able to reach everything at the primary site
> > regardless of how it gets out to the general internet).
> > As I said, I can add static routes for the secondary subnet (to use the
> > original firewall w/ VPN) to the PCs and it works fine, but would
> > like to have something more
> > global that doesn't require touching each device. (Plus I can't
> > necessarily set static routes on all of the devices as they don't
> > have that capability.)
> > I have a solution for the PCs (anything that can receive static
> > routes over DHCP using option 249 on a Win 2k3 DHCP server). But
> > ideally I'd like to handle it all on the monowall boxes in order to
> > keep things transparent to the client devices. I'd like it to be as
> > simple as changing the default gateway to determine which connection
> > they use for general internet access, w/o impacting access to either
> > of the internal subnets.
> > If I add the static route on the cable firewall (pointing to T1
> > firewall for 10.100.2.0/24), it works for the pc at the main Site,
> > but nothing at the secondary site can reach that pc unless it had
> > previously initiated contact (and had a route added by the ICMP
> > redirect).
> > I've tried messing around with the advanced settings on m0n0 that
> > seemed relevant (disabled anti-spoofing and ignore FW rules for
> > packets that are going in and out on the same interface).
> > Incidentally the 2nd one (ignore FW rules) causes it to not even
> > work one way (I assume because it doesn't know to route it over the
> > VPN).
> I see, that makes things a bit clearer.
> If FW1B has 3 interfaces, then you could do the following and this
> should sort out your problem:
> What about putting the FW1B inline of the connection? That means
> creating a transport network between FW1A LAN interface and FW1B
> interface #1. Hook up the cable modem to interface #2 on FW1B, and
> interface #3 is the internal gateway then, with the previous IP of
> FW1A internally.
> The default gateway of FW1B is the Cable modem. There are static
> routes on there to point to FW1A to reach the VPN tunnel for all sites.
> I think this should work. It would give you these benefits:
> 1) Don't have to reconfigure all internal machines
> 2) Non VPN traffic (internet down- and upstream) goes through cable
> 3) VPN goes through FW1A.
> If FW1B does not have 3 interfaces, then you could achieve something
> similar with VLAN switches - m0n0wall is VLAN capable. I think so...
> I don't understand how this would act differently from the current setup.
Cable modem on FW1B Wan: Check
Cable modem default gateway on FW1B: Check
Static routes on FW1B for VPN tunnel: Check
The only difference is that rather than FW1B reaching FW1A over the LAN (from
10.100.10.2 to 10.100.10.1), I would be creating another IP for FW1B, also on
the LAN but on another interface (say 10.100.10.3). Would this really make
a difference in packets being routed properly from the remote sites to PCs
with FW1B as their gateway? Are there additional rules or routes that would
need to be put on FW1B or FW1A (or FW2 for that matter to make it behave
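As an added illustration (not code from this thread or from m0n0wall), here is a small routing model of the two layouts discussed above. It assumes pf-style stateful tracking on FW1B that only creates TCP state when it sees the SYN, uses illustrative host addresses, and omits ICMP redirects; it shows why a remote-site host cannot open a connection to a PC whose gateway is FW1B in the flat layout, while a PC-initiated connection and both directions in the inline layout succeed.

```python
import ipaddress
# Constructed model of the thread's two layouts, not m0n0wall code. "flat": FW1B
# beside FW1A on one LAN. "inline": FW1B between FW1A and the LAN, as suggested.
PC, REMOTE = "10.100.1.50", "10.100.2.50"           # illustrative addresses
HOSTS = {PC: "PC", REMOTE: "REMOTE"}                # host address -> node name

class Node:
    def __init__(self, name, routes, stateful=False):
        # routes: (prefix, next-hop name); next hop None = directly connected.
        # stateful models pf-style TCP tracking: state is created on SYN only.
        self.name, self.stateful, self.states = name, stateful, set()
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    def next_hop(self, dst):                        # longest-prefix match
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1]

def send(nodes, src, dst, flags):
    """Forward one packet hop by hop; return (delivered, path).
    ICMP redirects are not modelled: this is the first packet of a flow."""
    node, path = nodes[HOSTS[src]], []
    for _ in range(8):                              # hop limit guards loops
        path.append(node.name)
        if node.name == HOSTS[dst]:
            return True, path
        if node.stateful and node.name != HOSTS[src]:
            key = frozenset((src, dst))
            if flags == "SYN":
                node.states.add(key)                # new flow: state created
            elif key not in node.states:
                return False, path + ["DROP"]       # reply with no state
        nh = node.next_hop(dst)
        node = nodes[HOSTS[dst]] if nh is None else nodes[nh]
    return False, path + ["LOOP"]

def topology(inline):
    lan, vpn = "10.100.1.0/24", "10.100.2.0/24"
    return {n.name: n for n in [
        Node("PC", [("0.0.0.0/0", "FW1B"), (lan, None)]),
        Node("FW1B", [(lan, None), (vpn, "FW1A")], stateful=True),
        Node("FW1A", [(lan, "FW1B" if inline else None), (vpn, "FW2")]),
        Node("FW2", [(vpn, None), (lan, "FW1A")]),
        Node("REMOTE", [("0.0.0.0/0", "FW2"), (vpn, None)]),
    ]}

def handshake(inline, client, server):
    """(SYN reached server?, SYN-ACK reached client?) for one TCP handshake."""
    nodes = topology(inline)
    syn_ok, _ = send(nodes, client, server, "SYN")
    synack_ok, _ = send(nodes, server, client, "SYN-ACK")
    return syn_ok, synack_ok
```

In the flat layout the SYN from the remote site arrives at the PC via FW1A, but the PC's SYN-ACK goes to its default gateway FW1B, which has no state for that flow and drops it; inline, FW1B sees both directions.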