15.15. Why can't I query SNMP over VPN?

With an out-of-the-box configuration, you cannot query SNMP on the LAN interface of a remote m0n0wall over a VPN connection. Fred Wright explained why in a post to the mailing list on September 12, 2004.

Due to the way IPsec tunnels are kludged into the FreeBSD kernel, any
traffic *initiated* by m0n0wall to go through an IPsec tunnel gets the
wrong source IP (and typically doesn't go through the tunnel at all as a
result).  Theoretically this *shouldn't* be an issue for the *server* side
of SNMP, but perhaps the server has a bug (well, deficiency, at least)
where it doesn't send the response out through a socket bound to the
request packet.

You can fake it out by adding a bogus static route to the remote end of
the tunnel via the m0n0wall's LAN IP (assuming that's within the near-end
tunnel range).  A good test is to see whether you can ping something at
the remote end of the tunnel (e.g. the SNMP remote) *from* the m0n0wall.

There's an annoying but mostly harmless side-effect to this - every LAN
packet to the tunnel elicits a no-change ICMP Redirect.

To add this static route, click "Static Routes" in the webGUI, then click the + to add a route. In the Interface box, choose LAN. For the destination network, enter the subnet at the remote end of the VPN. For the gateway, enter the LAN IP address of your local m0n0wall.
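The workaround only applies when the m0n0wall's LAN IP falls inside the near-end tunnel range, as the quoted post assumes. The following is an added example, not part of the m0n0wall documentation or code: a small Python check that validates that assumption and returns the three values to enter on the Static Routes page. The function name and the sample addresses are constructed for illustration.

```python
import ipaddress


def plan_snmp_workaround_route(lan_ip, local_tunnel_net, remote_tunnel_net):
    """Return the static-route fields for the workaround, or raise ValueError.

    lan_ip            -- LAN IP address of the local m0n0wall
    local_tunnel_net  -- near-end (local) subnet of the IPsec tunnel
    remote_tunnel_net -- far-end (remote) subnet of the IPsec tunnel
    """
    lan = ipaddress.ip_address(lan_ip)
    # strict=True rejects subnets written with host bits set (e.g. 192.168.1.1/24)
    local = ipaddress.ip_network(local_tunnel_net, strict=True)
    remote = ipaddress.ip_network(remote_tunnel_net, strict=True)

    # Precondition from the quoted post: the LAN IP must be within the
    # near-end tunnel range, otherwise the bogus route does not help.
    if lan not in local:
        raise ValueError(f"LAN IP {lan} is outside the near-end tunnel range {local}")

    # A remote subnet that overlaps the local one would route local LAN
    # traffic back at the firewall itself.
    if local.overlaps(remote):
        raise ValueError(f"tunnel subnets overlap: {local} and {remote}")

    # Field names mirror the webGUI boxes described in the text above.
    return {
        "interface": "LAN",
        "destination_network": str(remote),
        "gateway": str(lan),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    route = plan_snmp_workaround_route("192.168.1.1", "192.168.1.0/24", "192.168.2.0/24")
    for field, value in route.items():
        print(f"{field}: {value}")
```

After adding the route, the test the quoted post suggests still applies: ping something at the remote end of the tunnel from the m0n0wall itself.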