On Fri, 13 Aug 2004, Herron, David S wrote:
> I didn't want to over-complicate things by adding the whole network
> structure (at least in the first email), but here it goes.... I'll
> throw in some IP Ranges just so you get an idea of how things route...
> WiFi DMZ/LAN (10.0.3.0/24)
> DMZ2 Segment (10.0.2.0/24)
> | __________
> | | DMZ1 Segment (other use/24)
> Primary Firewall
> | |__________Internet
> Corporate LAN w/ VPN Concentrator (184.108.40.206/24)
> (note public IP's)
> Static entries on firewall allow for routing between networks. Primary
> Firewall has 4 interfaces (one trusted/corporate LAN, one Internet, two
> DMZ's (DMZ2 is used for the wireless network). So let's say that m0n0
> WAN interface is on 10.0.2.2. If I attach my client directly to that
> segment (at, say 10.0.2.3) the PPTP session creates perfectly. However,
> when it is on 10.0.3.<some DHCP address>, the authentication does not
> Because the networks are fully routable, when I get any sort of
> connection from the wireless network to my corporate LAN, I don't apply
> any NAT to those connections, and I see their actual IP's (10.0.3.<some
> DHCP address>). If those same clients go to connect to the Internet,
> they are NAT'ed at the Primary Firewall before traversing the Internet.
> Also note that all other kinds of connections work perfectly after the
> captive portal is satisfied. Either to the Internet or to open services
> on the Corporate LAN work great, and NAT only when necessary. Basically
> what I am saying is that the connection to the VPN Concentrator is not a
> NAT'ed connection.
By default, outbound connections through m0n0wall to its WAN are NATted.
It sounds like they don't need to be for your WiFi<->Corporate cases, so
what you need to do is configure "Advanced Outbound NAT" to avoid NATting
those connections, and also make sure your primary firewall knows that the
route to 10.0.3.0/24 is via the m0n0wall's 10.0.2.x address.
It sounds like you don't need NAT on the m0n0wall at all, as long as your
primary firewall does NAT for "real Internet" connections. In that case,
just enable "Advanced Outbound NAT" and leave the table empty. But if you
do need NAT to Internet at the m0n0wall level, then just add an outbound
NAT entry with "not corporate LAN" (e.g. !220.127.116.11/24) as the