On 2011-09-28, Nick Holland <[email protected]> wrote:
> On 09/28/11 03:13, Wesley M. wrote:
>> Hi,
>>
>> I have at work:
>> TS Server : 10.100.1.100 his gateway is 10.100.1.254 (router for private
>> network)
>
> bzzt. Bad.
> (I'm guessing that's a windows terminal server)
>
>> Firewall : 10.100.1.250 (OpenBSD 4.9, ADSL : sis0, Lan (10.100.1.0/24)
>> :sis2
>>
>> On the firewall, I can ping 10.100.1.100 and telnet 10.100.1.100 3389 ->
>> OK
>
> right. no gateway involved.
>
>> When I am at home, I connect to firewall using "thegreenbow" vpn is ok, I
>> can ping 10.100.1.250, use ssh on the firewall, but I can't ping
>> 10.100.1.100 and can't use rdp on this address.
>>
>> my pf rules:
>> ...
>> set skip on {lo,enc0}
>> pass out on sis2 inet proto tcp from $remote to 10.100.1.100 port 3389
>> pass out inet proto icmp all icmp-type echoreq
>> ...
>
> because your packets come from your machine, through your firewall, to
> the "TS Server", but they are still "off-network" packets. When it
> responds to an off-network address, it routes them to the gateway
> machine...which is 10.100.1.254, not the firewall.
>
> Fixes: 1) fix the default gateway on the TS Server machine, add a custom
> route for whatever that "private network" thingie is.
> 2) instead of your VPN, use an SSH tunnel to your firewall, then
> redirect 3389 to the TS Server. This way, your remote desktop session
> is between the gateway and the firewall, which are both on the same subnet.

or 3) NAT the VPN traffic.
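What option 3 looks like in pf.conf, as an added example that is not part of the thread: the VPN client's packets are source-NATed to the firewall's own sis2 address as they leave the LAN interface, so the TS server's replies are addressed to the firewall and never consult its (wrong) default gateway. It assumes the thread's interface names, that `$remote` is the VPN client's address (the original rule uses the macro but never defines it; the value below is a placeholder), and the `nat-to` syntax introduced in OpenBSD 4.7, which 4.9 uses.

```pf
# Added example for "option 3", not from the original thread.
# Assumed macros; the remote address is a placeholder for the VPN client.
lan_if = "sis2"
ts     = "10.100.1.100"
remote = "192.0.2.10"

set skip on { lo enc0 }

# Match on the VPN client's real source address, then rewrite it to the
# LAN interface's own address. State is created on the way out, so the
# replies from the TS server are matched and un-NATed back to $remote
# before they re-enter the tunnel.
pass out on $lan_if inet proto tcp from $remote to $ts port 3389 nat-to ($lan_if)
pass out on $lan_if inet proto icmp from $remote to $ts icmp-type echoreq nat-to ($lan_if)
```

Check with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` after a connection to confirm a state whose source has been translated to the sis2 address. The trade-off is visible in the TS server's own logs: every RDP login arriving this way is recorded as coming from the firewall, not from the individual VPN client, so attribution moves to the VPN and pf state logs. Option 1 (a correct route on the TS server) keeps the client address intact end to end and is the better fix where the server's routing can be changed.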

