8.2. Prerequisites

Before getting started, you need to take care of the following.

  1. Your m0n0wall must be set up and working properly for your network environment.

  2. Both locations must be using non-overlapping LAN IP subnets.

    That is, if both sites are using 192.168.1.0/24 on the LAN, no site-to-site VPN will work. This is not a limitation of m0n0wall; it is basic IP routing. When any host on either of your networks tries to communicate with 192.168.1.0/24, it will consider that host to be on its local LAN, and the packets will never reach m0n0wall to be passed over the VPN connection. Similarly, if one site is using, for example, 192.168.0.0/16 and the other is using 192.168.1.0/24, these subnets also overlap (the /16 contains the /24) and a site-to-site VPN will not work.

    Keep in mind that the more networks you link together, the more important this basic fact becomes. Do not use unnecessarily large subnet masks. If you set up your LAN as 10.0.0.0/8 but only have 100 hosts on it, you are unnecessarily limiting your ability to add VPN networks anywhere in the 10.x.x.x space.

  3. If m0n0wall is not the default gateway on the LAN where it is installed, you must add static routes to whatever system is the default gateway, pointing the remote VPN subnet to the LAN IP of m0n0wall.

  4. You will need to either control, or be in contact with the person who controls, the other VPN concentrator. If it is another m0n0wall system, share this document with the other administrator. If it isn't, have them consult the documentation that came with the IPsec device they are using.

  5. Host and application level security become more important when connecting multiple networks; how much more depends on how much you trust the other network. At the time of this writing, traffic arriving over the VPN tunnel is not subject to firewall rules, so you will not be able to limit which hosts can be accessed by users across the VPN connection. If a worm gets into the network you are connected to via VPN, it could easily spread to your network. If a system on the remote network is compromised by an attacker, he could easily hop over the VPN to attack your systems without any firewall protection.

  6. Pay attention to what you are doing! If you have a VPN to your office and a VPN to your friend's home network, your friend can now hop from your network over to your company's network. Or, if your friend gets infected with a worm, it could infect your machines and continue to propagate over the VPN connection to your office. Most companies would probably fire you if your friend was caught on their network. Your best bet: if you have a site-to-site VPN into your network at work, do not connect to friends' networks, or use one network and firewall for accessing work and a separate one for accessing your friend's network.
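As an added example (not part of the m0n0wall documentation), the two subnet checks from prerequisite 2 written in Python: it reports every pair of sites whose LAN prefixes overlap, including the case where a wide prefix such as 192.168.0.0/16 contains a narrower one, and it flags prefixes that are far wider than the host count justifies. The site names, prefixes, host counts and the four bits of growth headroom are constructed assumptions for the demonstration.

```python
import ipaddress
from itertools import combinations

# Constructed example inventory: site name -> LAN prefix, and site -> host count.
SITES = {
    "home": "192.168.1.0/24",
    "office": "192.168.0.0/16",   # contains "home", so routing to it breaks
    "friend": "10.0.0.0/8",       # far too wide for the hosts actually present
    "branch": "172.16.5.0/24",
}
HOSTS = {"home": 12, "office": 300, "friend": 100, "branch": 40}


def lan_overlaps(sites):
    """Return sorted (site_a, site_b) pairs whose LAN prefixes overlap.

    Any overlap is fatal for a site-to-site tunnel: a host inside the wider
    prefix treats the other site's addresses as local and never hands the
    packets to the VPN gateway. ip_network() raises ValueError if a prefix
    has host bits set, which is itself a configuration error worth seeing.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def smallest_prefix(hosts):
    """Longest IPv4 prefix length that still fits `hosts` usable addresses
    plus the network and broadcast addresses (100 hosts -> /25)."""
    needed = hosts + 2
    return 32 - (needed - 1).bit_length()


def oversized_lans(sites, host_counts, headroom_bits=4):
    """Return {site: (current_prefixlen, tightest_prefixlen)} for sites whose
    prefix is more than `headroom_bits` wider than their host count needs.
    The default allows 16x growth before a prefix is reported (assumption)."""
    report = {}
    for name, cidr in sites.items():
        current = ipaddress.ip_network(cidr).prefixlen
        tightest = smallest_prefix(host_counts[name])
        if current < tightest - headroom_bits:
            report[name] = (current, tightest)
    return report


if __name__ == "__main__":
    print("overlapping sites:", lan_overlaps(SITES))
    print("oversized LANs:", oversized_lans(SITES, HOSTS))
```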

OK, now that we have the basics covered, let's get started on the firewall settings.