On 09/28/11 03:13, Wesley M. wrote:
> Hi, 
> 
> I have at work: 
> TS Server : 10.100.1.100, its gateway is 10.100.1.254 (router for private
> network)

bzzt.  Bad.
(I'm guessing that's a windows terminal server)

> Firewall : 10.100.1.250 (OpenBSD 4.9, ADSL : sis0, Lan (10.100.1.0/24)
> :sis2 
> 
> On the firewall, I can ping 10.100.1.100 and telnet 10.100.1.100 3389 ->
> OK

right. no gateway involved.

> When I am at home, I connect to the firewall using "thegreenbow"; the VPN is ok, I
> can ping 10.100.1.250 and use ssh on the firewall, but I can't ping
> 10.100.1.100 and can't use rdp on this address. 
> 
> my pf rules: 
> ...
> set skip on {lo,enc0} 
> pass out on sis2 inet proto tcp from $remote to 10.100.1.100 port 3389 
> pass out inet proto icmp all icmp-type echoreq
> ...

because your packets come from your machine, through your firewall, to
the "TS Server", but they are still "off-network" packets. When it
responds to an off-network address, it routes them to the gateway
machine...which is 10.100.1.254, not the firewall.

Fixes: 1) fix the default gateway on the TS Server machine, add a custom
route for whatever that "private network" thingie is.
2) instead of your VPN, use an SSH tunnel to your firewall, then
redirect 3389 to the TS Server.  This way, your remote desktop session
is between the gateway and the firewall, which are both on the same subnet.

Nick.
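To make the asymmetric-return-path argument above concrete, here is an added example (not from the thread) that models the two routing tables with longest-prefix matching and shows where the TS server's reply to a VPN client goes before and after fix 1. The VPN client address 192.0.2.10 and the 10.200.0.0/16 "private network" prefix are constructed assumptions; the other addresses are the ones from the thread.

```python
import ipaddress

# Addresses from the thread; VPN_CLIENT is a constructed value (RFC 5737 range).
VPN_CLIENT = "192.0.2.10"
TS_SERVER = "10.100.1.100"
FIREWALL = "10.100.1.250"
PRIVATE_ROUTER = "10.100.1.254"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.

    A gateway of None means the prefix is directly connected, so the next hop
    is the destination itself. Returns the next-hop address as a string.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] or str(dst)


# Firewall: the VPN terminates on enc0, sis2 is directly on the LAN.
FIREWALL_ROUTES = [("10.100.1.0/24", None)]

# TS server as described in the thread: default gateway is 10.100.1.254.
TS_ROUTES_BROKEN = [("10.100.1.0/24", None), ("0.0.0.0/0", PRIVATE_ROUTER)]

# Fix 1: default gateway becomes the firewall, plus a specific route for the
# private network behind 10.100.1.254 (10.200.0.0/16 is an assumed prefix).
TS_ROUTES_FIXED = [("10.100.1.0/24", None), ("0.0.0.0/0", FIREWALL),
                   ("10.200.0.0/16", PRIVATE_ROUTER)]


def reply_next_hop(ts_routes):
    """Where the TS server sends its reply to the off-network VPN client."""
    return next_hop(ts_routes, VPN_CLIENT)


def return_path_symmetric(ts_routes):
    """True when the reply returns through the firewall that forwarded the
    request, i.e. the host that holds the pf state for the connection."""
    forward_hop = next_hop(FIREWALL_ROUTES, TS_SERVER)  # direct out sis2
    return forward_hop == TS_SERVER and reply_next_hop(ts_routes) == FIREWALL


if __name__ == "__main__":
    print("broken reply goes to", reply_next_hop(TS_ROUTES_BROKEN))
    print("fixed reply goes to", reply_next_hop(TS_ROUTES_FIXED))
```

With the original table the reply leaves via 10.100.1.254, which never saw the request and has no route back into the VPN, so the pf state on the firewall never sees the return traffic.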
