 From:  "Mitch \(WebCob\)" <mitch at webcob dot com>
 To:  "Christiaens Joachim" <jchristi at oce dot be>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] RE: Firewalling /filtering IPSec tunnels...
 Date:  Sat, 24 Apr 2004 13:02:47 -0700
> > > I'm wondering if I need to NAT the traffic before sending it, so
> > > that the remote end only sees the VPN endpoint it is aware of...
> > >
> > > Not sure how to glue it all together though...
> > >
> > > m/
> >
> > Just in case it's the absence of a picture that's keeping me
> > from finding an answer... ;-)
> >
> > PC A ---> MONO A ---> INTERNET ---> IPSEC ---> MONO C ---> PC C
> >                                                 ^
> > PC B ---> MONO B ---> INTERNET ---> IPSEC ------/
> >
> > So with this config, PC A can communicate with PC C after
> > establishing an IPSEC tunnel.
> > PC B can also see PC C after the same setup...
> >
> > What I need to do is allow PC A to see PC B THROUGH MONO C -
> > like I'm trying to route over IPSEC.
> >
> > Haven't had any luck yet...
> >
> > Ideas? Is it possible?
> >
> > Thanks again...
> Are you able to reach m0n0 A from m0n0 B (ping) and vice-versa?
> Did you try adding static routes to m0n0 A and B for PC A and PC B
> (like on m0n0 B: dest=PC A gw=m0n0 A and on m0n0 A: dest=PC B gw=m0n0 B)?
> Joachim

Thanks Joachim - but that's the whole point of the problem... A can't see B,
B can't see A. This is an ADSL over ATM limitation caused by the way ATM point
to point links are generated - they don't allow network broadcast, only
point to point, or in this case one modem to the router - TCP doesn't send
to the router (and even if it did I'd expect the router would probably
ignore the traffic cause it SHOULDN'T need to be routed - right?) because A
and B are on the same subnet (on the WAN side).

As I said at the beginning, this is an example, simplified... if it was JUST
A & B I could ask for IPs on different subnets, and be ok - BUT, it's A
through Z or more ;-) And the ISP doesn't have enough subnets to grant me
addresses on.

I had asked before if someone could tell me anything about some trick I've
heard of referred to as /32 subnetting, which supposedly makes all traffic
sent to the router, regardless of whether it is on the local WAN subnet or not,
but I never heard from anyone who had heard of that trick.
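The /32 trick asked about above comes down to how a host decides whether a destination is "on-link" (send to it directly) or "off-link" (send to the gateway). The following is an added illustration, not code from this thread or from m0n0wall: a minimal longest-prefix-match routing table that compares the two WAN configurations. All addresses are constructed (the 203.0.113.0/24 documentation range stands in for the ISP's WAN subnet; .1 is the assumed router, .10 and .20 are the assumed WAN addresses of MONO A and MONO B). With a /24 mask, A treats B as on-link and never hands the packet to the router; with a /32 mask, only A's own address is on-link, so everything, B included, goes via the gateway. The check at the end shows the catch a practitioner hits with /32: the gateway itself is no longer inside the connected prefix, so an explicit on-link host route to it is needed or the default route has no reachable next hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network         # destination prefix
    via: Optional[ipaddress.IPv4Address]  # next hop; None means on-link (deliver directly)


def build_routes(local_ip: str, prefix_len: int, gateway: str,
                 gateway_host_route: bool = True) -> List[Route]:
    """Routes a host derives from its WAN address/mask plus a default gateway.

    With a /24 the whole WAN subnet becomes a connected (on-link) route.
    With a /32 only the host's own address is connected; a /32 host route to
    the gateway is then required so the default route can be resolved.
    """
    iface = ipaddress.IPv4Interface(f"{local_ip}/{prefix_len}")
    gw = ipaddress.IPv4Address(gateway)
    routes = [Route(iface.network, None)]
    if gw not in iface.network and gateway_host_route:
        # Gateway lies outside the connected prefix: pin it on-link explicitly.
        routes.append(Route(ipaddress.IPv4Network(f"{gw}/32"), None))
    routes.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), gw))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match for dst."""
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if d in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(routes: List[Route], dst: str) -> str:
    """'direct' when dst is on-link, otherwise the gateway address used."""
    r = lookup(routes, dst)
    return "direct" if r.via is None else str(r.via)


def unreachable_gateways(routes: List[Route]) -> List[str]:
    """Gateways that are not themselves reachable on-link (a misconfiguration)."""
    bad = []
    for r in routes:
        if r.via is None:
            continue
        try:
            if lookup(routes, str(r.via)).via is not None:
                bad.append(str(r.via))
        except LookupError:
            bad.append(str(r.via))
    return bad


if __name__ == "__main__":
    # Constructed sample: MONO A = .10, MONO B = .20, ISP router = .1
    wan_gw, mono_a, mono_b = "203.0.113.1", "203.0.113.10", "203.0.113.20"
    r24 = build_routes(mono_a, 24, wan_gw)
    r32 = build_routes(mono_a, 32, wan_gw)
    r32_broken = build_routes(mono_a, 32, wan_gw, gateway_host_route=False)
    print("/24: A -> B goes", next_hop(r24, mono_b))          # direct (never reaches the router)
    print("/32: A -> B goes via", next_hop(r32, mono_b))      # 203.0.113.1
    print("/32 without gateway host route, unreachable:", unreachable_gateways(r32_broken))
```

The `/24` case reproduces the failure described in the message: the packet for B is handed to the ATM link directly and nothing forwards it. The `/32` case sends it to the router, which is what the trick is meant to achieve; whether the ISP's router will then forward between two PVCs on the same subnet is a question for the ISP, and this model does not answer it.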