I'm having some issues with static routes that are beyond my abilities (w/networking or google) to resolve.
I did a basic diagram in the attached PNG file.
Basically I have three sites (1, 2, & 3):
Site 1 is 10.100.1.0/24
Site 2 is 10.100.2.0/24
Site 3 is 10.100.3.0/24
Each one has a monowall firewall, with various methods of internet connectivity:
FW1 10.100.1.1
FW2 10.100.2.1
FW3 10.100.3.1
There are IPSec VPN links between each firewall that are working just fine. All PCs in this example are running Windows XP.
I've added in a second internet connection at one site (#1), with yet another monowall box (FW1B). I have two PCs at site 1, one (PC1A) using the original firewall (1A) as default gateway, and the other (PC1B) using the new firewall (1B).
I haven't added any IPSec VPN links to firewall 1B.
Now if I have a third PC (PC2) at one of the other sites, I can ping PC1A fine, but can't ping PC1B. This is as expected. If I add static routes like:
10.100.2.0/24 -> 10.100.1.1
10.100.3.0/24 -> 10.100.1.1
directly to PC1B (so that it routes traffic for the other sites to 10.100.1.1 and thence over the VPN), I can ping just fine from PC2.
Here is where I am stumped though. I would like to avoid having to touch all PCs at Site 1. So I added the same two static routes to FW1B itself directly. That allows me to ping from PC1B to PC2. However, I cannot ping from PC2 to PC1B unless I have first pinged in the other direction. This appears to set up a temporary route like (10.100.2.10/32 -> 10.100.1.1) on the PC. Is there a way to allow the PC at the other site to initiate the connection, or am I SOL? I would imagine that I could solve this by segregating the PCs at Site 1 into two different subnets based on their default gateway. But that would be a major headache I would like to avoid.
Alternately (and this would be a far more complex solution), I have 2 additional interfaces available on FW1A, so I could hook both internet connections up to the same box. But, last I checked, monowall doesn't support multiple WAN interfaces, so I would have to move over to pfSense.
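The "temporary route" the post observes (10.100.2.10/32 -> 10.100.1.1 appearing on PC1B only after PC1B pings first) is the standard ICMP redirect behaviour: FW1B receives the packet from PC1B on its LAN and forwards it to 10.100.1.1 on that same LAN, so it tells the sender to use 10.100.1.1 directly, and Windows XP installs that as a /32 host route. The longest-prefix-match simulator below, an added example written for this question and not code from the post or from m0n0wall, traces both directions of the ping through the three-site layout to show where the redirect fires and why the reply path differs from the request path. Addresses for PC1B (10.100.1.20) and the LAN side of FW1B (10.100.1.2) are constructed, since the post does not give them; site 3 is omitted because the traced pings only involve sites 1 and 2.

```python
"""Route-table simulator for the post's layout: which gateway each hop picks,
where an ICMP redirect fires, and why the reply path differs from the request path.
Constructed addresses (not from the post): PC1B = 10.100.1.20, FW1B LAN = 10.100.1.2."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    ip: str
    routes: list  # (prefix, next_hop); next_hop None = on-link, "vpn" = IPsec tunnel

    def lookup(self, dst):
        """Longest-prefix match: a /32 host route beats the /24 and the default route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best

    def on_link(self, a, b):
        """True if both addresses fall inside one of this node's directly connected prefixes."""
        return any(nh is None
                   and ipaddress.ip_address(a) in ipaddress.ip_network(p)
                   and ipaddress.ip_address(b) in ipaddress.ip_network(p)
                   for p, nh in self.routes)


# IPsec tunnels from the post: (firewall, prefix reachable through it) -> peer firewall
TUNNELS = {("FW1A", "10.100.2.0/24"): "FW2", ("FW2", "10.100.1.0/24"): "FW1A"}


def build_topology():
    nodes = [
        Node("PC1B", "10.100.1.20", [("10.100.1.0/24", None), ("0.0.0.0/0", "10.100.1.2")]),
        # FW1B has no VPN; the post's two static routes send the other sites to FW1A
        Node("FW1B", "10.100.1.2", [("10.100.1.0/24", None),
                                    ("10.100.2.0/24", "10.100.1.1"),
                                    ("10.100.3.0/24", "10.100.1.1")]),
        Node("FW1A", "10.100.1.1", [("10.100.1.0/24", None), ("10.100.2.0/24", "vpn")]),
        Node("FW2", "10.100.2.1", [("10.100.2.0/24", None), ("10.100.1.0/24", "vpn")]),
        Node("PC2", "10.100.2.10", [("10.100.2.0/24", None), ("0.0.0.0/0", "10.100.2.1")]),
    ]
    return {n.name: n for n in nodes}


def trace(nodes, src, dst, max_hops=10):
    """Return (path, redirects). A redirect is recorded when a router forwards a packet
    back out onto the subnet it arrived from, which is when routers send ICMP redirect."""
    by_ip = {n.ip: n for n in nodes.values()}
    node, prev_ip, path, redirects = nodes[src], None, [src], []
    for _ in range(max_hops):
        if node.ip == dst:
            return path, redirects
        net, nh = node.lookup(dst)
        if nh is None:                      # destination is on-link: deliver directly
            nxt = by_ip[dst]
        elif nh == "vpn":                   # hand the packet to the tunnel peer
            nxt = nodes[TUNNELS[(node.name, str(net))]]
        else:
            nxt = by_ip[nh]
            if prev_ip is not None and node.on_link(prev_ip, nh):
                redirects.append((node.name, src, dst, nh))
        prev_ip = node.ip
        path.append(nxt.name)
        node = nxt
    raise RuntimeError("hop limit exceeded")


def apply_redirects(nodes, redirects):
    """Windows XP honours ICMP redirects by installing a /32 host route on the sender."""
    for _router, host, dst, gw in redirects:
        nodes[host].routes.append((f"{dst}/32", gw))


if __name__ == "__main__":
    nodes = build_topology()
    fwd, redirects = trace(nodes, "PC1B", "10.100.2.10")
    print("PC1B -> PC2 before redirect:", " > ".join(fwd), "| redirects:", redirects)
    print("PC2 -> PC1B:", " > ".join(trace(nodes, "PC2", "10.100.1.20")[0]))
    apply_redirects(nodes, redirects)
    print("PC1B -> PC2 after redirect: ", " > ".join(trace(nodes, "PC1B", "10.100.2.10")[0]))
    print("PC1B route table:", nodes["PC1B"].routes)
```

Run stand-alone, the trace shows PC1B's first ping taking PC1B > FW1B > FW1A > FW2 > PC2 with FW1B emitting a redirect, after which the /32 host route makes later packets go PC1B > FW1A > FW2 > PC2. In the other direction, PC2's packet enters site 1 through FW1A and is delivered straight to PC1B, but PC1B's reply (without the host route) leaves through FW1B, so the request and reply traverse different firewalls. That asymmetry is the thing to check in FW1B's state table when diagnosing the failed PC2-initiated ping; it also illustrates why host-hardening baselines commonly disable acceptance of ICMP redirects, since a redirect silently rewrites the sender's routing for that destination.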