Topic: Multiple subnets  (Read 3203 times)
« on: March 10, 2008, 11:33:44 »
Grenage *
Posts: 5

Good morning there!

I'm having a few problems, and I was wondering if anyone could tell me where I'm going wrong, or at least point me in the direction.  Our current setup is as follows:

Building one:
192.168.100.0/24 - Data Network
192.168.101.0/24 - VoIP Network
M0n0wall - 192.168.100.11

Building two:
10.0.0.0/24 - Data Network
10.0.1.0/24 - VoIP Network
M0n0wall - 10.0.0.180/24

What I would like to do is connect both of the VoIP networks and Data networks via VPN connections on the m0n0wall.  I initially attempted to do this by changing the IP addresses of the m0n0walls to a /16 subnet, then doing the same thing to the VPN configuration.  The VPN link doesn't establish, but it does if I configure one VPN link over /24 on the Data subnet.

Thinking about it, since a subnet gateway needs to have an IP address within the client's range, would it ever work, or do I need to set up two m0n0walls at each end, one for each VPN connection?  One VPN for the VoIP and one for the Data.

Sorry if I haven't been very clear!

Russell.
« Reply #1 on: March 10, 2008, 20:42:54 »
fredg
Guest

It might be easier to get an answer if you identified your m0n0walls' interface labels in addition to the IP addresses on them.
« Reply #2 on: March 11, 2008, 07:10:30 »
ChainSaw
Guest

Create an IPSec tunnel between your m0n0walls. On the 192.168 end, set the remote network to 10.0.0.0/23. On the 10.0 end, set the remote network to 192.168.100/23.

Also, my typical IPSec config:

Interface:  WAN
Local Subnet: LAN Subnet
Remote Subnet: xxxxxxxx/x

--- Phase 1 ---
Negotiation Mode:  Aggressive
My Identifier:  My IP Address
Encryption Algorithm:  AES
Hash Algorithm:  SHA1
DH Key Group:  2
Lifetime:  172800
Pre-Shared Key:  xxxxxxxx

--- Phase 2 ---
Protocol:  ESP
Encryption Algorithm:  Rijndael (AES)
Hash Algorithm:  SHA1
PFS Key Group:  2
Lifetime:  86400


CS...
« Last Edit: March 11, 2008, 10:10:43 by ChainSaw »
« Reply #3 on: March 11, 2008, 10:24:48 »
Grenage *
Posts: 5

Hi there, thank you for the replies!

Fred:
I'm not quite sure what you mean (sorry if I'm being dim here), what do you mean by labels for the interfaces?

Chainsaw:
Thank you for that information, I've modified the ipsec tunnel settings; it seems to have established!  I know the next question isn't really m0n0wall related, but since you seem to have experience....

How would one normally route the two subnets across the VPN tunnel, since you can only have one LAN adapter in each smoothwall, and only one IP address for it?  Since a router for a subnet must have an IP in the range of the machines it's routing for, doesn't that mean it will only be able to route for one of the subnets on each end?
« Reply #4 on: March 11, 2008, 19:34:22 »
ChainSaw
Guest

Your m0n0walls should take care of routing everything between your subnets without adding any static routes.

CS...
« Reply #5 on: March 11, 2008, 20:09:29 »
Grenage *
Posts: 5

Ah I see, thank you kindly for your help.

Take care.
« Reply #6 on: March 11, 2008, 21:06:35 »
ChainSaw
Guest

I should have added: "as long as your m0n0wall is the client's default gateway".  That way any IP request outside of your local subnet is sent to your m0n0wall, and if the IP requested is in the range of the tunnel and the tunnel is up or can be brought up, the packet will know to use the tunnel as the route.

CS...
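
The arithmetic behind the /23 remote networks in Reply #2 and the forwarding decision described in Reply #6, worked through as an added example; it is not part of the original thread and is not m0n0wall code. The site names, the function names, and the assumption that each end also uses its own covering prefix as the local network are choices made for this sketch.

```python
import ipaddress

# Subnets quoted in the thread; the site names are labels made up for this example.
SITES = {
    "building_one": ["192.168.100.0/24", "192.168.101.0/24"],
    "building_two": ["10.0.0.0/24", "10.0.1.0/24"],
}

def covering_prefix(cidrs):
    """Smallest single network containing every subnet in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit and retry
    return cover

def unused_addresses(cover, cidrs):
    """Addresses a selector admits that belong to none of the real subnets."""
    cover = ipaddress.ip_network(cover)
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return cover.num_addresses - sum(n.num_addresses for n in nets)

def selectors(local_site):
    """(local, remote) selector pair for the firewall at local_site.

    Assumption: both ends use the covering prefix as local and remote network.
    """
    (remote_site,) = [s for s in SITES if s != local_site]
    local = covering_prefix(SITES[local_site])
    remote = covering_prefix(SITES[remote_site])
    if local.overlaps(remote):
        raise ValueError(f"{local} and {remote} overlap; traffic would be ambiguous")
    return local, remote

def next_hop(local_site, src, dst):
    """Simplified forwarding decision on the firewall: 'local', 'tunnel' or 'wan'."""
    local, remote = selectors(local_site)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in local:
        return "local"
    if src in local and dst in remote:
        return "tunnel"
    return "wan"

if __name__ == "__main__":
    for site in SITES:
        print(site, *selectors(site))
```

A /23 covers each site's two /24s exactly, whereas a /16 selector would also admit tens of thousands of addresses that exist at neither building.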
« Reply #7 on: March 11, 2008, 22:08:17 »
Grenage *
Posts: 5

Gotcha, since I can't add additional LAN addresses or LAN cards to the m0n0wall, connections from subnets other than the one the m0n0wall's lancard was on wouldn't get routed, would they?
« Reply #8 on: March 11, 2008, 22:32:22 »
ChainSaw
Guest

I know it works from local LAN to remote LAN and OPT1 but I haven't tried it from local OPT1 to remote anything.  I would guess that would work because of the above, but give it a try and let me know how it goes.

CS...
« Reply #9 on: March 11, 2008, 23:17:58 »
Grenage *
Posts: 5

I shall let you know then! Thanks for the assistance matey, it's helped clear a lot up.
 