Topic: Forwarding internet traffic through VPN-tunnel  (Read 5668 times)
« on: March 02, 2011, 07:33:31 »
kor *
Posts: 5

Greetings! =)

Another problem where I am stuck:

Setup:
A simple network: internet --> cable modem --> M0n0wall (with interfaces LAN, WLAN, DMZ and WAN)

What I want:
Building up a VPN tunnel with a mobile client setup to the M0n0wall and leading all internet traffic through this tunnel.

What I think should do the trick:
* Setting up my network card with no gateway, DNS=[M0n0-DMZ-interface]
* One single nslookup of my dyndns address and an appropriate entry in c:\windows\system32\drivers\etc\hosts
* Setting one single route to the WAN interface of my M0n0wall via the gateway: "route add [M0n0-WAN-IP] [GW-IP]"
* Building up the tunnel, assigning an IP from the M0n0wall DMZ network to the virtual interface
* Setting the DMZ interface of the M0n0wall as the default gateway: "route add 0.0.0.0 mask 0.0.0.0 [M0n0-DMZ-IP]"

What works:
* VPN-tunnel works
* I can ping M0n0-DMZ-IP
* I can ping M0n0-LAN-IP (with the correct entry of a firewall-rule)
* M0n0-DMZ-IP answers, when I do nslookup www.google.de, so DNS through the tunnel already works

What's missing:
I can't tracert or even ping an internet address, e.g. ping www.google.de does not work.

What I tried:
For testing purposes I completely opened the firewall for the interfaces "IPSec VPN" and "DMZ". It doesn't change anything. I'm not sure which interface needs the rules. "IPSec VPN" should be opened, since this is the interface my external client connects to. But since I have to set the M0n0wall DMZ IP as the default gateway, I also have to assign a DMZ IP to the virtual network card of the external client. Therefore I opened the firewall for both IPSec VPN and DMZ:
IF: DMZ, Proto: any, Source: DMZ net, Port: any, Destination: any, Port: any
IF: IPSec VPN, Proto: any, Source: any, Port: any, Destination: any, Port: any

Maybe I should play around with outbound NAT? That's a point where I am really not experienced... So any suggestions would be appreciated. Many thanks in advance. :-)
« Reply #1 on: March 04, 2011, 13:19:32 »
kor *
Posts: 5

OK, I got a bit further, but not much.

Now I can ping all M0n0wall interfaces, LAN clients, even WAN addresses like google and such. But I can't open any website. Traffic seems to be blocked. Playing around with the MTU doesn't change anything. In every firewall rule I accepted fragmented packets, as well as in the advanced settings (IPSec section) and in the VPN client settings. I had to choose a different network for the VPN and activate outbound NAT.

I attached screenshots of the firewall rules, outbound NAT (was necessary to ping google) and the firewall log. The firewall log showed me the only hint I could see.
status.php says
Code:
Mar  4 12:35:39 frie ipmon[137]: 12:35:38.898108 sis0 @0:33 b 192.168.10.100,80 -> 10.10.10.111,1094 PR tcp len 20 1500 -AP IN

The ipfstat -nio section says for rule no. 33:
Code:
@33 block in log quick proto tcp from any to any

That's the point I don't get, since my firewall rules should allow this traffic...

Any ideas anyone?


* firewall_logs.JPG (28.2 KB, 588x180)

* firewall_lan.JPG (11.56 KB, 587x150)

* firewall_ipsec.JPG (27.97 KB, 584x352)

* outboundnat.JPG (47.54 KB, 606x452)
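The ipmon log line and the ipfstat rule quoted in the post above, parsed and correlated programmatically. This is an added example and not code from the post or from m0n0wall: it takes the status.php line and the "@33" rule text exactly as posted, adds one constructed pass line and pass rule for contrast, and reports which numbered rule dropped each blocked packet. The looks_like_server_reply heuristic (well-known source port, high destination port) is an assumption of the example; it only points out that the dropped packet is the far end's reply rather than the client's request, and says nothing about why rule 33 matched.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ipmon(8) line as m0n0wall's status.php shows it: syslog prefix, then
# ipmon's own fields.  "@group:rule" ties the entry to the numbered listing
# from "ipfstat -nio"; the action is a single letter ("b" block, "p" pass);
# IN/OUT is the direction on the named interface.  Ports are optional so
# that ICMP lines (no ",port") still parse.
_IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ptime>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?: (?P<flags>.*?))? (?P<dir>IN|OUT)$"
)

# One line of "ipfstat -nio" output: "@<number> <rule text>".
_IPFSTAT_RE = re.compile(r"^@(?P<rule>\d+)\s+(?P<text>.+?)\s*$")


@dataclass
class IpmonRecord:
    stamp: str
    iface: str
    group: int
    rule: int
    action: str            # ipmon single-letter code: "b" = block, "p" = pass
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str             # TCP flags as ipmon prints them, e.g. "-AP"; "" if none
    direction: str         # "IN" or "OUT"


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Parse one ipmon log line; return None for anything else."""
    m = _IPMON_RE.match(line.strip())
    if not m:
        return None
    port = lambda s: int(s) if s is not None else None
    return IpmonRecord(
        stamp=m.group("stamp"), iface=m.group("iface"),
        group=int(m.group("group")), rule=int(m.group("rule")),
        action=m.group("action"),
        src=m.group("src"), sport=port(m.group("sport")),
        dst=m.group("dst"), dport=port(m.group("dport")),
        proto=m.group("proto"), flags=m.group("flags") or "",
        direction=m.group("dir"),
    )


def parse_ipfstat(text: str) -> Dict[int, str]:
    """Map rule number -> rule text from "ipfstat -nio" output."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = _IPFSTAT_RE.match(line.strip())
        if m:
            rules[int(m.group("rule"))] = m.group("text")
    return rules


def looks_like_server_reply(rec: IpmonRecord) -> bool:
    """Heuristic (assumption of this example): a well-known source port and a
    high destination port usually mark the server's reply to a client, i.e.
    return traffic of a flow that was initiated from the other side."""
    return (rec.sport is not None and rec.dport is not None
            and rec.sport < 1024 and rec.dport >= 1024)


def explain_blocks(log_lines: List[str], ipfstat_text: str) -> List[dict]:
    """For every blocked packet, look up the rule that dropped it."""
    rules = parse_ipfstat(ipfstat_text)
    findings = []
    for line in log_lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec.action != "b":
            continue
        findings.append({
            "packet": f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
                      f"{rec.proto} {rec.flags} {rec.direction} on {rec.iface}",
            "rule": rec.rule,
            "rule_text": rules.get(rec.rule, "<rule not in ipfstat output>"),
            "server_reply": looks_like_server_reply(rec),
        })
    return findings


# Copied from the post: the status.php line and the ipfstat rule it names.
POST_LOG_LINE = ("Mar  4 12:35:39 frie ipmon[137]: 12:35:38.898108 sis0 @0:33 b "
                 "192.168.10.100,80 -> 10.10.10.111,1094 PR tcp len 20 1500 -AP IN")
POST_IPFSTAT = "@33 block in log quick proto tcp from any to any"

# Constructed for this example (not from the post): one passed packet and a
# rule number for it, so the correlation has a non-blocked line to skip.
CONSTRUCTED_PASS_LINE = ("Mar  4 12:35:38 frie ipmon[137]: 12:35:38.100000 sis0 @0:12 p "
                         "10.10.10.111,1094 -> 192.168.10.100,80 PR tcp len 20 48 -S OUT")
CONSTRUCTED_IPFSTAT = "@12 pass out quick proto tcp from any to any keep state"

SAMPLE_LOG_LINES = [CONSTRUCTED_PASS_LINE, POST_LOG_LINE]
SAMPLE_IPFSTAT = "\n".join([CONSTRUCTED_IPFSTAT, POST_IPFSTAT])

if __name__ == "__main__":
    for f in explain_blocks(SAMPLE_LOG_LINES, SAMPLE_IPFSTAT):
        tag = " (looks like the server's reply)" if f["server_reply"] else ""
        print(f"blocked {f['packet']} by @{f['rule']}: {f['rule_text']}{tag}")
```

Run it against the full status.php export and a fresh "ipfstat -nio" capture taken at the same time; rule numbers are renumbered whenever the ruleset is reloaded, so a listing saved before a rule change will not line up with later log entries.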
« Reply #2 on: December 19, 2011, 09:38:43 »
melbmoon *
Posts: 5

Hi Kor,

It looks similar to my scenario, where I want to access the server in Site A from the WAN IP address of Site B.

Have you sorted that out? Would you please give me some advice?

Many Thanks,
Thai


* mono.jpg (52.46 KB, 740x385)