News: This forum is now permanently frozen.
linktree m0n0wall Forum  >  m0n0wall Support (English)  >  General Questions
linktree Topic: Multiple Internet Gateways Question
Pages: [1]
Topic: Multiple Internet Gateways Question  (Read 1552 times)
« on: April 22, 2011, 19:08:44 »
palesius *
Posts: 1
I'm having some issues with static routes that are beyond my abilities (w/networking or google) to resolve.

I did a basic diagram in the attached PNG file.

Basically I have three sites (1,2, & 3).
Site 1 is 10.100.1.0/24
Site 2 is 10.100.2.0/24
Site 3 is 10.100.3.0/24

Each one has a monowall firewall, with various methods of internet connectivity.
FW1 10.100.1.1
FW2 10.100.2.1
FW3 10.100.3.1

There are IPSec VPN links between each firewall that are working just fine.
All PCs in this example are running Windows XP.

I've added in a second internet connection at one site (#1), with yet another monowall box (FW1B).
If I have two PCs at site 1, one (PC1A) using the original firewall (1A) as default gateway, and the other (PC1B) using the new firewall (1B).

I haven't added any IPSec VPN links to firewall 1B.

Now if I have a third PC (PC2) at one of the other sites, I can ping PC1A fine, but can't ping PC1B. This is as expected. If I add static routes like:
10.100.2.0/24 -> 10.100.1.1
10.100.3.0/24 -> 10.100.1.1
directly to PC1B (so that it routes traffic for the other sites to 10.100.1.1 and thence over the VPN), I can ping just fine from PC2.

Here is where I am stumped though. I would like to avoid having to touch all PCs at Site1. So I added the same two static routes to the FW1B itself directly. That allows me to ping from PC1B to PC2. However I cannot ping from PC2 to PC1B unless I have first pinged in the other direction. This appears to set up a temporary route like (10.100.2.10/32 -> 10.100.1.1) on the PC. Is there a way to allow the PC at the other site to initiate the connection or am I SOL?
I would imagine that I could solve this by segregating the PCs at Site1 into two different subnets based on their default gateway. But that would be a major headache I would like to avoid.

Alternately (and this would be a far more complex solution). I have 2 additional interfaces available of FW1A, so I could hook both internet connections up to the same box. But, last I checked monowall doesn't support multiple WAN interfaces, so I would have to move over to pfsense.

* networka.png (9.65 KB, 800x600 - viewed 341 times.)
« Last Edit: April 22, 2011, 19:12:38 by palesius »
« Reply #1 on: May 08, 2011, 03:02:42 »
notladstyle **
Posts: 53
The problem is because the incoming ping originates from an external network - when pc2 received the request is is attempting to use router 1B to respond and since 1B knows nothing of the VPN tunnels it sends the packet over the internet.

If your network diagram is accurate I would imagine a static route on 1B directing outgoign traffic back to 1A would solve the problem however it would be cleaner to simply move pc2 to a new subnet so that it is properly routed.
 
Pages: [1]
 
 
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines