On Wed, 1 Sep 2004, David Turner wrote:
> I have no static routes at the moment. What should I add a static route
> for and why? It's only SNMP that seems to be a problem. The web
> interface is accessible via the tunnel and ping works fine to the LAN
> interface from the other end of the tunnel.
Due to the way IPsec tunnels are kludged into the FreeBSD kernel, any
traffic *initiated* by m0n0wall to go through an IPsec tunnel gets the
wrong source IP (and typically doesn't go through the tunnel at all as a
result). Theoretically this *shouldn't* be an issue for the *server* side
of SNMP, but perhaps the server has a bug (well, deficiency, at least)
where it doesn't send the response out through a socket bound to the
You can fake it out by adding a bogus static route to the remote end of
the tunnel via the m0n0wall's LAN IP (assuming that's within the near-end
tunnel range). A good test is to see whether you can ping something at
the remote end of the tunnel (e.g. the SNMP remote) *from* the m0n0wall.
There's an annoying but mostly harmless side-effect to this - every LAN
packet to the tunnel elicits a no-change ICMP Redirect.