I just installed the m0n0wall beta and I was initially confused by a problem which I have now solved, but I would like further elucidation if possible.
My config is a WAN and a LAN port on a Soekris, and a Netscreen VPN on the LAN. When I had Linux on my Soekris, it would route traffic over the VPN using ICMP redirects. If a host on the LAN sent traffic to the Soekris bound from 192.168.0.10 to 10.0.0.10, then the Soekris would send an ICMP redirect to 192.168.0.10 telling it to use the VPN, and everything worked fine.
With m0n0wall on the Soekris, this doesn't work. m0n0wall actually forwards the traffic through the VPN. If a connection was initiated from my LAN, this works fine, because all the TCP state information is sane. However, connections initiated from the other side of the VPN don't work. The first packet goes directly from the VPN to the host on the LAN, but the reply goes through m0n0wall, which didn't see the first packet and therefore doesn't have the TCP state information it needs. So m0n0wall discards the reply.
The solution was to add the static routes on every host on the LAN. This was somewhat annoying, as there are about a dozen such routes.
Is there a way I can make m0n0wall issue ICMP redirects when a static route is via a host on the LAN subnet?
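The asymmetric-routing failure the post describes, modelled as an added example (this is illustration code written for this page, not m0n0wall or Linux source). The addresses 192.168.0.10 and 10.0.0.10 come from the post; the LAN subnet 192.168.0.0/24, the remote subnet 10.0.0.0/8 and the VPN gateway address 192.168.0.2 are assumptions. `redirect_target` shows the rule a router applies when it issues an ICMP redirect (next hop on the same subnet the packet arrived from), and `StatefulFirewall` shows why a stateful filter that never saw the opening SYN drops the reply.

```python
"""Toy model of the asymmetric-routing problem described in the post.

Constructed illustration, not m0n0wall (or Linux) code. The addresses
192.168.0.10 (LAN host) and 10.0.0.10 (host across the VPN) come from the
post; the VPN gateway address 192.168.0.2, the LAN subnet 192.168.0.0/24 and
the remote subnet 10.0.0.0/8 are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.0.0/24")
VPN_NET = ipaddress.ip_network("10.0.0.0/8")
VPN_GW = "192.168.0.2"   # assumed LAN-side address of the Netscreen


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# --- The Linux behaviour the post describes: ICMP redirect -------------------
def redirect_target(pkt_dst, in_iface_net, routes):
    """Return the next hop the sender should be redirected to, or None.

    A router sends an ICMP redirect when a packet arrives on an interface and
    the matching route points at a next hop on that same subnet, i.e. the
    sender could have reached the next hop directly. `routes` maps a network
    to a next-hop address."""
    dst = ipaddress.ip_address(pkt_dst)
    for net, nexthop in routes.items():
        if dst in net and ipaddress.ip_address(nexthop) in in_iface_net:
            return nexthop
    return None


# --- The m0n0wall behaviour: forward through a stateful filter ---------------
class StatefulFirewall:
    """Passes a TCP flow only if the firewall saw its opening SYN."""

    def __init__(self):
        self.states = set()
        self.dropped = []

    @staticmethod
    def _key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)  # same key for both directions

    def forward(self, pkt):
        key = self._key(pkt)
        if pkt.syn and not pkt.ack:
            self.states.add(key)   # connection opened through us: record it
            return True
        if key in self.states:
            return True            # reply belongs to a flow we know about
        self.dropped.append(pkt)   # no state for this flow: discard
        return False


def lan_initiated(fw):
    """LAN host opens the connection; both directions cross the firewall."""
    syn = Packet("192.168.0.10", "10.0.0.10", 40000, 22, syn=True)
    synack = Packet("10.0.0.10", "192.168.0.10", 22, 40000, syn=True, ack=True)
    return fw.forward(syn), fw.forward(synack)


def vpn_initiated(fw, lan_host_has_static_route):
    """Remote host opens the connection. Its SYN arrives straight from the VPN
    gateway on the LAN, so the firewall never sees it. The LAN host's reply
    goes to its default gateway (the firewall) unless it has a static route
    for 10.0.0.0/8 via the VPN gateway."""
    synack = Packet("192.168.0.10", "10.0.0.10", 22, 50000, syn=True, ack=True)
    if lan_host_has_static_route:
        return "reply sent directly to VPN gateway"
    return "reply forwarded" if fw.forward(synack) else "reply dropped by firewall"


if __name__ == "__main__":
    print("redirect for 10.0.0.10 ->", redirect_target("10.0.0.10", LAN_NET, {VPN_NET: VPN_GW}))
    print("LAN-initiated:", lan_initiated(StatefulFirewall()))
    print("VPN-initiated, no static route:", vpn_initiated(StatefulFirewall(), False))
    print("VPN-initiated, static route:", vpn_initiated(StatefulFirewall(), True))
```

The two halves correspond to the two behaviours in the post: with redirects, the LAN host learns the direct path and the firewall stays out of both directions; without them, the firewall sits on only one leg of the connection and has no state for the SYN-ACK it is asked to forward, which is exactly what the per-host static routes work around.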