Alex & others, My network is illustrated here now. http://carnot.pathology.ubc.ca/Network.jpg
Forwarding is always on.

dalton:~# cat /proc/sys/net/ipv4/ip_forward
1

as> ... routing tables commands have a look at man ip

OK; I've read route.man and ip.man.

as> for a machine at local lan a (say 192.168.0.100) ...
as> ip r a 192.168.2.0/24 via 192.168.1.2

Even without such a command this is the routing table on Dalton.

dalton:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
joule.petershou *               255.255.255.255 UH        0 0          0 tun0
142.103.107.128 *               255.255.255.128 U         0 0          0 eth0
172.24.1.0      *               255.255.255.0   U         0 0          0 eth3
default         142.103.107.254 0.0.0.0         UG        0 0          0 eth0

According to the first line, Dalton knows that the route to joule.petershouse.invalid is through the tun0 interface. To the best of my knowledge, "joule.petershouse.invalid" appears only in /etc/hosts on joule. I'll guess that openvpn sends it from Joule to Dalton. So Cantor should be able to get a POP3 connection to joule.petershouse.invalid? It gets only "no connection".

as> you will still need to look at your firewall

I guess there are two possibilities. Either (1) routing to the "invalid" domain is not allowed or (2) the firewall on Dalton or on Joule is blocking the connection.

Dalton has this policy.

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      vpn   ACCEPT

Joule has this rule.

#ACTION      SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK
#                                 PORT  PORT(S)  DEST      LIMIT  GROUP
POP3/ACCEPT  net     $FW

Which rules out case (2) above. So only (1) left?

Someone please shoot down one of my ideas or give another hint.

Thanks, ... Peter E.

--
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/
Desktops.OpenDoc http://members.shaw.ca/peasthope/