Topic: Monowall VPN behind existing Nat Router  (Read 3269 times)
« on: July 03, 2008, 16:46:39 »
awoolford *
Posts: 3

I have looked everywhere, but cannot find any guidance on this.

The question comes in 3 parts.

There is only 1 IP address on the internet.

Internet -> ADSL Router / NAT / DHCP (allocates 192.xxxx addresses)
                  * PC-1 192.168.1.xx
                  * PC-2 192.168.1.xx
                  * IP Printer 192.168.1.xx
                  * etc
                  * Monowall / NAT / DHCP -> (2nd subnet allocates 10.xxxx addresses)
                                                               * PC-A 10.1.1.xx
                                                               * PC-B 10.1.1.xx
                                                               * etc

Part 1:  Will this work??  The object of the exercise is so that the 2nd subnet of computers (behind Monowall), cannot be "seen" by the first subnet of computers, yet they can all share the same internet connection.

However, the 2nd subnet of computers will need to (at least) see IP printer on the first subnet,  (this is a stand-alone device with its own IP address).

(I think from what I've read that this should be possible using the basic firewall rules - but I would appreciate some confirmation that running a "Nat behind a Nat" is allowed by monowall).

Part 2:  The second part of this question is how would you then configure the ADSL router and monowall so that an external client can establish a VPN link to the 2nd subnet of computers?  (No external VPN route is needed to the first subnet - although it doesn't matter if that happens as a consequence).

Part 3:  Wireless!  To complicate things slightly further, I would like to add a wireless interface to use the captive portal ability of monowall so that "guests" can connect to the internet.  However, these guests should have NO access to any of the other computers on the network, although it would be handy if they could print to the IP printer.

    Part 3a:  Not essential... but is it possible to use monowall to log wireless guest users' internet activity or block certain websites?

Any guidance would be greatly appreciated.


« Last Edit: July 03, 2008, 17:09:25 by awoolford »
« Reply #1 on: July 07, 2008, 15:59:07 »
markb ****
Posts: 331

This should all be fairly easy.  You just need to be careful with the rules.
My first comment would be that you don't need to use NAT on the monowall.  If there are no rules to allow the traffic, then it won't get passed.  My feeling is that if NAT is not needed, then don't use it or it will add complication down the line.

Enable Advanced NAT to remove all default NAT rules.

Part 1
LAN rules on Mono.
Allow  LAN to DSL router
Allow LAN to IP Printer

Part 2
Either DMZ to Mono from the DSL router or Pass PPTP port and GRE to Mono WAN interface.
Rule on WAN to allow PPTP and GRE to WAN interface

Part 3
Allow OPT1 to DSL router
Allow OPT1 to IP Printer
Block OPT1 to Any

Part 3a
Not with mono. Look into a Squid box, or alternate content control.

Hope this points you in the right direction.
 
« Reply #2 on: July 07, 2008, 17:15:19 »
awoolford *
Posts: 3

Many thanks for this Mark,

Do you mind me just asking, if I don't use NAT on the monowall, then how would the PCs behind the monowall LAN and Wireless interfaces obtain an IP address?  I'm assuming the ADSL router won't be able to allocate IPs via DHCP because the monowall will be in the way?

Secondly, if the range of IP addresses behind monowall is the same as the range on the WAN side of Monowall, then how would monowall know which interface to route to?

Thanks again and Kind regards.
« Reply #3 on: July 08, 2008, 16:00:06 »
markb ****
Posts: 331

Use the monowall as your DHCP server.  NAT doesn't get involved.  NAT is simply a mechanism that lets several devices share a single external IP address.  As both your segments are on private ranges, the number of IP addresses is not an issue.  The only thing that you will have to do that I forgot is that you will need a static route on the DSL router pointing to the Mono WAN IP address for the 10.1.1.0/24 segment.  This is because when you don't use NAT the router (Mono) will pass the source IP address through.

Also,
Looking again, the rules on part 3 were wrong.  They should be:

Part 3
Allow OPT1 Network to DSL router (Needed to get to internet)
Allow OPT1 Network to IP Printer  (For Printing)
Block OPT1 Network to 192.168.1.0/24  (1st Subnet) (Blocks access to everything not already mentioned on Seg 1)
Allow OPT1 Network to Any NOT LAN (Allow to internet and not to LAN can be done with 2 separate rules if desired)
Block OPT1 Network to Any (Block everything rule for good practice)
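The rule sets in Reply #1 (Part 1 LAN rules, Part 2 WAN rules) and the corrected Part 3 OPT1 set in Reply #3 are easy to get wrong by ordering alone, because m0n0wall evaluates an interface's rules top-down and the first match wins, with anything unmatched dropped. The following is an added example, not code from the thread or from m0n0wall: a small first-match evaluator that encodes those rule sets as written and runs constructed guest, LAN and WAN flows through them. All concrete addresses (router 192.168.1.1, printer 192.168.1.20, m0n0wall WAN 192.168.1.2, guest segment 10.1.2.0/24) are assumptions for illustration; the thread only gives the prefixes. "Any NOT LAN" is written as the two separate rules the reply says are equivalent.

```python
"""Added example: first-match evaluation of the m0n0wall rule sets from this thread.

Addressing below is constructed for illustration; the thread only gives prefixes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing (assumptions, not from the thread).
SEG1 = ip_network("192.168.1.0/24")         # first subnet, behind the ADSL router
DSL_ROUTER = ip_network("192.168.1.1/32")   # ADSL router LAN address
IP_PRINTER = ip_network("192.168.1.20/32")  # stand-alone printer on SEG1
MONO_WAN = ip_network("192.168.1.2/32")     # m0n0wall WAN address, also on SEG1
LAN = ip_network("10.1.1.0/24")             # behind m0n0wall LAN
OPT1 = ip_network("10.1.2.0/24")            # wireless guest segment (assumed prefix)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    note: str
    proto: str = "any"           # "any", "tcp", "udp", "gre"
    dport: Optional[int] = None  # None = any destination port


def evaluate(rules, src, dst, proto="tcp", dport=80):
    """Return (action, note) of the first rule matching the flow.

    Rules are checked top-down; the first match decides. A flow that matches
    no rule on the interface falls through to the implicit default deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    return "block", "implicit default deny"


# Part 1, LAN interface (Reply #1): just the two allows.
LAN_RULES = [
    Rule("pass", LAN, DSL_ROUTER, "LAN to DSL router"),
    Rule("pass", LAN, IP_PRINTER, "LAN to IP printer"),
]

# Part 2, WAN interface (Reply #1): PPTP control channel and GRE to the WAN IP.
WAN_RULES = [
    Rule("pass", ANY, MONO_WAN, "PPTP control", proto="tcp", dport=1723),
    Rule("pass", ANY, MONO_WAN, "PPTP tunnel", proto="gre"),
]

# Part 3, OPT1 interface, corrected set (Reply #3). "Any NOT LAN" is
# expressed as a block-to-LAN rule followed by a pass-to-Any rule.
OPT1_RULES = [
    Rule("pass", OPT1, DSL_ROUTER, "OPT1 to DSL router"),
    Rule("pass", OPT1, IP_PRINTER, "OPT1 to IP printer"),
    Rule("block", OPT1, SEG1, "OPT1 to rest of first subnet"),
    Rule("block", OPT1, LAN, "OPT1 to m0n0wall LAN"),
    Rule("pass", OPT1, ANY, "OPT1 to internet"),
    Rule("block", OPT1, ANY, "catch-all"),
]


def misordered_opt1():
    """Same OPT1 rules with the subnet block moved above the printer allow.

    Under first-match the broader block now shadows the printer allow, so
    guest printing silently stops working.
    """
    r = list(OPT1_RULES)
    r[1], r[2] = r[2], r[1]
    return r


def audit(rules, flows):
    """Evaluate (label, src, dst, proto, dport) tuples; return {label: action}."""
    return {label: evaluate(rules, s, d, p, dp)[0] for label, s, d, p, dp in flows}


GUEST = "10.1.2.50"  # constructed guest client on OPT1
GUEST_FLOWS = [
    ("guest->router", GUEST, "192.168.1.1", "udp", 53),
    ("guest->printer", GUEST, "192.168.1.20", "tcp", 9100),
    ("guest->pc1", GUEST, "192.168.1.30", "tcp", 445),
    ("guest->lan-pc", GUEST, "10.1.1.10", "tcp", 445),
    ("guest->internet", GUEST, "203.0.113.10", "tcp", 443),
]
LAN_FLOWS = [
    ("lan->router", "10.1.1.10", "192.168.1.1", "udp", 53),
    ("lan->internet", "10.1.1.10", "203.0.113.10", "tcp", 443),
]
WAN_FLOWS = [
    ("vpn-control", "203.0.113.10", "192.168.1.2", "tcp", 1723),
    ("vpn-gre", "203.0.113.10", "192.168.1.2", "gre", None),
    ("webgui-from-outside", "203.0.113.10", "192.168.1.2", "tcp", 80),
]

if __name__ == "__main__":
    print("OPT1           ", audit(OPT1_RULES, GUEST_FLOWS))
    print("OPT1 misordered", audit(misordered_opt1(), GUEST_FLOWS))
    print("LAN            ", audit(LAN_RULES, LAN_FLOWS))
    print("WAN            ", audit(WAN_RULES, WAN_FLOWS))
```

Running it shows guest traffic reaching the router and the printer while the rest of 192.168.1.0/24 and the m0n0wall LAN are blocked and internet hosts pass; the misordered set blocks the printer flow, which is the ordering check worth repeating after every rule edit. Evaluated literally, the Part 1 LAN set passes only packets addressed to the router and the printer themselves; a packet addressed to an internet host matches neither rule and lands on the default deny, which is exactly the gap the corrected OPT1 set closes with its pass-to-Any rule placed after the blocks. On WAN, only TCP/1723 and GRE to the m0n0wall address match, so anything else arriving from outside (the webGUI port in the sample) is dropped.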
« Reply #4 on: July 08, 2008, 16:59:07 »
awoolford *
Posts: 3

Many thanks again Mark.

That's really good information!

Kind Regards
 