Thanks for the reply. I was considering the non-symmetric routes as a
problem, but since TCP connections are identified by source, source port,
destination and destination port I didn't think that it would be a problem
as long as the other host received it's packets. As far as I know the whole
idea of the Internet is that the host doesn't care how the packets are
routed to their destination.
There seems to be some confusion about states since the m0n0wall are
dropping packets that are clearly allowed in my firewall rules and my guess
is that if these packets made it to their destination the destination would
A static route on all hosts on the LAN works fine, but the 172.16.0.0/16 was
just an example. We have over 30 subnets on that MPLS connection and over 40
workstations on the LAN. Managing static routes is something that I would
prefer to be without :)
Putting the router on a separate interface on the m0n0wall is something we
will do in the future, but right now we just need something that works as it is.
> Hi Michael,
> this problem is due to the non-symmetric route the packets are following
> (well, at leastI think it is). Not all protocols are so happy about that, or
> m0n0wall could get confused about states and start blocking packets
> (somebody please correct me if I'm wrong).
> In fact, all your hosts on the LAN network should have a static route to
> that 172.16.0.0/16 network, or you should put your router on a separate
> interface of the m0n0.
>>From: Michael Østergaard Pedersen [mailto:michael at bytopia dot dk]
>>Sent: zaterdag 15 mei 2004 13:27
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] Problem with static routes
>>I have a strange problem with m0n0wall and static routes. My
>> Default GW
>> LAN----192.168.1.254--.. ..-172.16.1.1
>>My LAN subnet is 192.168.1.0/24 and the .254 machine is a
>>router that can
>>reach the 172.16.0.0/16 network via some MPLS network.
>>I have added a static route to the LAN interface on the
>>m0n0wall to reach
>>the 172.16.0.0/16 network via 192.168.1.254.
>>When I try to reach 172.16.1.1 from my LAN using the m0n0wall
>>as a default
>>gateway strange things happen. If I ping 172.16.1.1 from LAN
>>I get a reply
>>and I can see that ICMP redirects are being sent to tell me that
>>192.168.1.254 is a more direct route to that host. This is
>>fine. If I try to
>>SSH to that host I am prompted for a password. If I enter the
>>correctly the connection hangs. When I check the logs on the
>>m0n0wall I see
>>22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 ->
>>172.16.1.1,22 PR tcp len
>>20 64 -A IN
>>22:29:23.349785 dc0 @0:68 b 192.168.1.201,40452 ->
>>172.16.1.1,22 PR tcp len
>>20 436 -AP IN
>>Does this mean that this traffic is being dropped by the m0n0wall? It
>>doesn't make sense to me since dc0 is my LAN interface and I
>>have a rule to
>>permit all traffic coming in on the LAN interface.
>>Also since I do get the password prompt from SSH some packets
>>do in fact get
>>through. Perhaps only the first one or two?
>>Any help is appreciated. I can post more info if you need it.