From: Lane <lane@joeandlane.com>
To: freebsd-questions@freebsd.org
Date: Fri, 15 Dec 2006 16:42:35 -0600
Message-Id: <200612151642.35712.lane@joeandlane.com>
Subject: Route spaghetti

Hello,

I have a routing problem ... I think.

I have an established OpenVPN hosted on FreeBSD 6.1 using tun0 configured for 10.11.13.x. The OpenVPN configuration currently uses the "client-to-client" directive so that vpn Windows clients could access a separate central proprietary (Windows) database (also on the vpn).

Response time and security have prompted me to investigate the use of qemu, hosted on FreeBSD, to house the proprietary database.

I configured the qemu Windows image on my development machine and configured it to use tap0 10.11.12.150->10.11.12.151. The Windows side of the interface is 10.11.12.151 and FreeBSD keeps 10.11.12.150. I have used netmask 255.255.255.0 and 255.255.255.252 with no discernible change in behaviour (which I'm getting to).

Everything worked correctly in development - I could establish a Terminal Services session with the Windows client and do whatever I needed to do, including access the internet from the qemu-hosted session.

However, when I pushed the image out to the vpn server, I found something odd: when logged into the remote qemu-hosted Windows session via Terminal Services, I can ping any interface on the vpn host (10.11.12.150, 10.11.13.1, and defaultrouter). I can also ping any client connected to the vpn tun device (10.11.13.X). However, I cannot route from the Windows session to the public internet.

Typically there is a tight firewall in place on the vpn host, but I have disabled the firewall rules and still been unable to access the public internet from within the qemu-hosted session, while I *am* able to access the internet from a shell on the vpn host.

Is this necessarily a job for natd? Or is there some simpler way to get 10.11.12.150 to forward 10.11.13.x packets to tun0 and all others to the defaultrouter on the host machine? I'm looking at "ipfw add forward ..." but it does not look promising.

Thanks for your time. I know I can be long-winded.

lane
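The natd question the post raises, as an added example that is not part of the original message: the tap network 10.11.12.0/24 is private, so the upstream defaultrouter has no return route to the guest and outbound guest traffic must be address-translated on the host's public interface. The script below generates the rc.conf settings and ipfw ruleset for that; the external interface name "em0" is an assumption (placeholder for the host's real public NIC), and the kernel is assumed to have divert socket support (options IPDIVERT), which natd needs.

```shell
#!/bin/sh
# Added example: natd + ipfw so a qemu guest on tap0 (10.11.12.0/24) reaches
# the Internet through the FreeBSD host, while tap <-> tun0 traffic stays
# routed without translation. EXT_IF is an assumed placeholder name.

EXT_IF="${EXT_IF:-em0}"        # assumption: host's public-facing interface
TAP_NET="10.11.12.0/24"        # qemu tap0 network from the post
VPN_NET="10.11.13.0/24"        # OpenVPN tun0 network from the post

# rc.conf settings: enable IP forwarding between interfaces and start natd
# bound to the external interface ("-dynamic" follows address changes).
rcconf_lines() {
    printf '%s\n' \
        'gateway_enable="YES"' \
        'firewall_enable="YES"' \
        'firewall_type="/etc/ipfw.rules"' \
        'natd_enable="YES"' \
        "natd_interface=\"$1\"" \
        'natd_flags="-dynamic"'
}

# ipfw rules in /etc/ipfw.rules format (each line is passed to ipfw).
# Rule 100/110: tap <-> vpn traffic is plain routing, no NAT involved.
# Rule 200: the divert rule must come before any allow rule, and "via EXT_IF"
#   restricts it to packets crossing the public interface. Outbound guest
#   packets get the host's public source address; replies are mapped back
#   to the guest before being forwarded to tap0.
# Rule 300: stands in for the poster's existing (tight) ruleset.
ipfw_lines() {
    ext="$1"; tap="$2"; vpn="$3"
    printf '%s\n' \
        "add 100 allow ip from $tap to $vpn" \
        "add 110 allow ip from $vpn to $tap" \
        "add 200 divert natd ip from any to any via $ext" \
        "add 300 allow ip from any to any"
}

# Check on the running host: without forwarding, natd alone does nothing.
forwarding_enabled() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

echo "# /etc/rc.conf additions"
rcconf_lines "$EXT_IF"
echo "# /etc/ipfw.rules"
ipfw_lines "$EXT_IF" "$TAP_NET" "$VPN_NET"
```

With both files in place, `sysctl net.inet.ip.forwarding` should report 1 after reboot (or `/etc/rc.d/routing restart`), and `ipfw list` should show the divert rule ahead of the allows.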