I have a working configuration, but a question is bugging me.
The question centers around having multiple subnets on a single
interface.
LAN: 10.10.10.1/24
OpenVPN Server LAN IP: 10.10.10.250
OpenVPN Server virtual subnet: 10.11.10.0/24
LAN Static Route: (NET) 10.11.10.0/24 (GW) 10.10.10.250
With the Advanced option "Bypass firewall rules for traffic on the
same interface" is checked, everything works as expected.
But, if I uncheck "Bypass firewall rules...", and start a UDP or TCP
session from the 10.11.10.0 net to the 10.10.10.0 net, the forward
path works, but the return path is blocked in m0n0wall. Even with
LAN Firewall Rules:
"Pass" any LAN-subnet to any/any
"Pass" any OpenVPN-subnet to any/any
The return (destination 10.11.10.XX) is always blocked in m0n0wall
(per firewall logging).
I am quite satisfied keeping "Bypass firewall rules..." checked, but
I want to understand why m0n0wall is dropping LAN subnet1 to LAN
subnet2 traffic in the firewall.
I've seen this same exact question posed multiple times elsewhere but never any sort of response. Hoping you guys can help.
Thanks in advance.
Where "Bypass firewall rules..." fixes things of that nature, it's almost always because you have asymmetric routing. If the firewall only sees half of the connection it can't properly track state and ends up dropping traffic, hence the reason for that option (which passes that traffic without trying to keep state).
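To make the asymmetric-routing explanation concrete, here is a small simulation of a stateful packet filter. It is an added example and not code from this thread or from m0n0wall; it models the poster's topology (OpenVPN server at 10.10.10.250 on the LAN, static route for 10.11.10.0/24 via that host, two "pass to any" LAN rules) with constructed addresses and ports, and it simplifies the real filter to one behaviour: a pass rule with state tracking only creates state on a flow-opening packet (a bare TCP SYN), so a SYN/ACK that arrives with no matching state is dropped. The `keep_state=False` rule stands in for the "Bypass firewall rules for traffic on the same interface" option.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    keep_state: bool = True   # False models "Bypass firewall rules ... same interface"


class StatefulFirewall:
    """Toy stateful packet filter (simplification, not m0n0wall's filter):
    a pass rule creates a state entry on the first packet of a flow, and
    later packets in either direction pass only if a matching state exists."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # 5-tuples of flows, keyed from the initiating side

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_flow(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _first_match(self, p):
        for r in self.rules:
            if (ip_address(p.src) in ip_network(r.src_net)
                    and ip_address(p.dst) in ip_network(r.dst_net)):
                return r
        return None

    def filter(self, p):
        # Packets belonging to an already tracked flow pass in both directions.
        if self._flow(p) in self.states or self._reverse_flow(p) in self.states:
            return "pass (existing state)"
        rule = self._first_match(p)
        if rule is None:
            return "block (no matching rule)"
        if not rule.keep_state:
            return "pass (stateless)"
        # Only a flow-opening packet may create state: a bare TCP SYN.
        # A SYN/ACK with no state is the signature of asymmetric routing:
        # the firewall never saw the SYN that opened the connection.
        if p.proto == "tcp" and p.flags != "S":
            return "block (no state for non-SYN)"
        self.states.add(self._flow(p))
        return "pass (state created)"


LAN_NET = "10.10.10.0/24"
VPN_NET = "10.11.10.0/24"
ANY = "0.0.0.0/0"
# Same intent as the two LAN rules in the question: pass LAN-subnet to any,
# pass OpenVPN-subnet to any.
LAN_RULES = [Rule(LAN_NET, ANY), Rule(VPN_NET, ANY)]

# Constructed sample flow: VPN client 10.11.10.5 opens SSH to LAN host 10.10.10.20.
SYN = Packet("10.11.10.5", "10.10.10.20", "tcp", 40000, 22, "S")
SYN_ACK = Packet("10.10.10.20", "10.11.10.5", "tcp", 22, 40000, "SA")


def symmetric_path():
    """Firewall sees both halves: the SYN creates state, the SYN/ACK matches it."""
    fw = StatefulFirewall(LAN_RULES)
    return [fw.filter(SYN), fw.filter(SYN_ACK)]


def asymmetric_path():
    """The forward half goes OpenVPN server -> LAN host directly on the LAN
    segment, so the firewall only sees the reply that the LAN host sends to
    its default gateway (the firewall) for routing back to 10.10.10.250."""
    fw = StatefulFirewall(LAN_RULES)
    return fw.filter(SYN_ACK)


def asymmetric_path_with_bypass():
    """Same asymmetric path, but same-interface traffic is passed without state."""
    bypass_rules = [Rule(r.src_net, r.dst_net, keep_state=False) for r in LAN_RULES]
    fw = StatefulFirewall(bypass_rules)
    return fw.filter(SYN_ACK)


if __name__ == "__main__":
    print("symmetric:         ", symmetric_path())
    print("asymmetric:        ", asymmetric_path())
    print("asymmetric + bypass:", asymmetric_path_with_bypass())
```

The point of the three scenarios: the rules are identical in all of them, and the block in `asymmetric_path()` comes purely from the firewall never having seen the SYN. The fix that keeps state tracking would be to stop the forward path from skipping the firewall (for instance, by having the OpenVPN server reach the LAN through the firewall, or by putting it on its own interface); the bypass option instead trades state tracking for symmetric-path independence on that one interface.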