Dear all, I would like to ask if someone could point me to a solution for a problem that has been fooling me for some days. This is my situation:

--- NET 192.168.1.0/24 ---/MULTIPLE HOST
        |
 _______|___________
| LAN 192.168.1.1   |
| --- VPN GW ----   |
| WAN 192.168.100.7 |
|___________________|
        |
        |
        |
 ___________________________________
| ETH1 192.168.100.2                |
| --- SERVER ---                    |
| ETH0 10.0.0.1 + TAP0 192.168.2.38 |
|___________________________________|
        |
        |
 ____________
| *10.0.0.2* |
| --- PC --- |
|____________|

On the SERVER side I have a port forwarding on tcp 80 to 10.0.0.2, so from eth1 I can reach PC on 192.168.100.2:80 and this is working fine.

As a new upgrade to my server I added a VPN connection from SERVER to NET 192.168.1.0 behind VPN GW. This is also working fine, and hosts on the 192.168.1.0 net can reach SERVER on 192.168.2.38 and vice versa.

The problem is that port forwarding is not working on the VPN, so if I try to reach PC from 192.168.1.x to 192.168.2.38:80 it fails.

The VPN client used on SERVER is ShrewSoft; it brings up the tap0 interface when the VPN is established. Anyway, tcpdump shows packets flowing only on eth1 (type ESP).

This is my iptables, really stripped down:

# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*mangle
:PREROUTING ACCEPT [2107490:2462265619]
:INPUT ACCEPT [2006646:2354121292]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234102:150431085]
:POSTROUTING ACCEPT [1334795:258565885]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*nat
:PREROUTING ACCEPT [8148:633084]
:POSTROUTING ACCEPT [798:50506]
:OUTPUT ACCEPT [759:47902]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*filter
:INPUT ACCEPT [2006634:2354120173]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234099:150430833]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012

Any help will be very much appreciated.

Thank you