On 2006/01/19 10:32, Steven S wrote:
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN. VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw. I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well. Unfortunately that is not happening. Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).
Immediate thoughts: firewall rules, net.inet.ip.forwarding setting.

> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

I suspect you will need to allow the packets through in order to get the redirects sent. Are you allowing the outbound from 10.10 to 10.4 to pass in another rule that you didn't include? If not, that's likely to be the problem. If you're not sure, make sure blocked packets are logged, then monitor pflog0.
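To make the suggestion above concrete, here is an added pf.conf fragment (illustration written for this thread, not the poster's actual ruleset) showing the two rules quoted from `pfctl -s rules` next to the return-direction pair that the reply says is probably missing, with a logging default block so that anything not matched shows up on pflog0. The interface name `fxp2` and the two /16 networks are taken from the thread; the `lan_if` and `vpn_net`/`lan_net` macro names are assumptions chosen for readability.

```pf
# --- macros (names are assumed; addresses come from the thread) ---
lan_if  = "fxp2"
lan_net = "10.10.0.0/16"
vpn_net = "10.4.0.0/16"

# Log everything that is not explicitly passed. Logged packets appear on
# pflog0, so a forwarded packet that never got an ICMP redirect can be
# spotted with:   tcpdump -n -e -ttt -i pflog0
block log all

# Rules equivalent to the two the poster quoted: LAN -> VPN traffic may
# enter on fxp2, and VPN -> LAN traffic may leave on fxp2.
pass in  quick on $lan_if inet from $lan_net to $vpn_net
pass out quick on $lan_if inet from $vpn_net to $lan_net

# The pair the reply suspects is missing. A reply from a LAN server to a
# VPN host arrives on fxp2 and must be forwarded back OUT on fxp2 toward
# the PIX; without a matching "pass out" it is blocked, and a blocked
# packet is never forwarded, so no ICMP redirect is generated for it.
pass in  quick on $lan_if inet from $vpn_net to $lan_net
pass out quick on $lan_if inet from $lan_net to $vpn_net
```

After loading a ruleset like this with `pfctl -f /etc/pf.conf`, the check is simply to repeat the VPN-to-server test while watching `tcpdump -n -e -ttt -i pflog0`: if the server's reply to the 10.4.0.0/16 host is listed there, a rule is still blocking it; if nothing is logged and the redirect still does not appear, the remaining candidate from the reply's first line is `sysctl net.inet.ip.forwarding`, which must be 1 for the box to forward (and therefore redirect) at all.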