On Fri, Mar 09, 2007 at 01:31:38PM -0800, Bryan Irvine wrote:
> I'm running poptop on my home firewall, but I can't see any of the
> machines on that network (though I can see individual machines on a
> friend's network that are connected via isakmpd). Running tcpdump I
> can see the packets going into those machines but they don't make it
> back.
>
> I'm assuming I'm going to need an arp proxy to properly connect to
> machines on my network.
>
> Anyone doing a similar thing that can recommend a good next step or
> package to install?
I don't really understand the problem, I am afraid. What I understand is:

1. You have configured poptop, which is a (bad) implementation of a VPN, on your home network firewall machine
2. Some remote client has connected to this firewall machine, without any obvious error
3. Said remote client can interact with the firewall without problems.
4. When said firewall tries to interact with any host other than the firewall on your network:
   a. The data is actually sent over the poptop tunnel
   b. This data is received by the firewall
   c. This data is then sent out by the firewall to whatever host it was originally destined to
      i. This is not blocked by pf or whatever else - it's actually sent over the proper network interface
   d. This data is received by the target host on your network
   e. No reply from the target host is seen on the network

If my understanding is correct, you'll first want to verify that the network behaviour is actually as described (tcpdump is helpful here). Then, take a good look at the packet sent to the target host: is it obviously incorrect in some way? (Perhaps the original sender's IP address is still on it, and hence it gets filtered?) If this is correct, verify that no firewall or similar mechanism prevents the target host from receiving the data.

If this is not the case, perform the same analysis in reverse - if the data is actually received, what prevents the host from sending a reply (if the original IP is still present, routing tables may need to be configured; otherwise, consider all sorts of firewall rules). Reviewing the firewall logs on the target host and tcpdump'ing anything you can see would be obvious first steps.

If nothing helps, post a more precise description of the problem and the situation you are in.

Joachim
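The reply above amounts to a checklist: capture on the firewall's LAN interface, see which packets go to the target host and never get a reply, and then look at the source address on those packets to decide whether the problem is ARP (tunnel address inside the LAN subnet, nobody answering the LAN host's ARP requests) or routing (tunnel address outside the subnet, target host has no route back). The script below is an added example, not something from the thread or from poptop; it parses a small constructed block of `tcpdump -n` style output (the addresses 192.168.0.0/24, 192.168.0.200 and 192.168.0.10 are hypothetical) and classifies each unanswered flow the way the reply suggests.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` lines, standing in for a capture taken on
# the firewall's LAN interface. Hypothetical layout: LAN is 192.168.0.0/24, the
# firewall's own LAN address is 192.168.0.1, the PPTP client was handed
# 192.168.0.200, and the target host is 192.168.0.10. The host answers the
# firewall, but only ARPs (unanswered) for the tunnel client's address.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.0.200 > 192.168.0.10: ICMP echo request, id 7, seq 1, length 64
12:00:01.000350 ARP, Request who-has 192.168.0.200 tell 192.168.0.10, length 28
12:00:02.000002 IP 192.168.0.200 > 192.168.0.10: ICMP echo request, id 7, seq 2, length 64
12:00:02.000400 ARP, Request who-has 192.168.0.200 tell 192.168.0.10, length 28
12:00:03.000005 IP 192.168.0.200.51000 > 192.168.0.10.22: Flags [S], seq 1, win 65535, length 0
12:00:03.000500 ARP, Request who-has 192.168.0.200 tell 192.168.0.10, length 28
12:00:04.000001 IP 192.168.0.1 > 192.168.0.10: ICMP echo request, id 9, seq 1, length 64
12:00:04.000120 IP 192.168.0.10 > 192.168.0.1: ICMP echo reply, id 9, seq 1, length 64
"""

# "IP src[.port] > dst[.port]:" as printed by tcpdump -n
IP_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
ARP_REQ = re.compile(r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at")


def parse_capture(text):
    """Return (flows, arp_requests, arp_answered).

    flows        : {(src, dst): packet count}
    arp_requests : {address asked for: set of hosts asking}
    arp_answered : set of addresses for which an ARP reply was seen
    """
    flows = defaultdict(int)
    arp_requests = defaultdict(set)
    arp_answered = set()
    for line in text.splitlines():
        m = IP_LINE.search(line)
        if m:
            flows[(m.group(1), m.group(2))] += 1
            continue
        m = ARP_REQ.search(line)
        if m:
            arp_requests[m.group(1)].add(m.group(2))
            continue
        m = ARP_REPLY.search(line)
        if m:
            arp_answered.add(m.group(1))
    return flows, arp_requests, arp_answered


def unanswered_flows(flows):
    """(src, dst) pairs with traffic src->dst but no packet dst->src at all."""
    return sorted((s, d) for (s, d) in flows if (d, s) not in flows)


def diagnose(text, lan_net):
    """Classify each unanswered flow by what the source address tells us.

    arp-unanswered      : tunnel address lies in the LAN subnet and the target
                          host ARPs for it without reply (proxy ARP territory)
    in-subnet-no-reply  : in-subnet address, ARP fine or not seen; look at
                          host firewall / pf rather than addressing
    off-subnet-no-reply : original (off-subnet) address still on the packet;
                          target host needs a route back via the firewall
    """
    lan = ipaddress.ip_network(lan_net)
    flows, arp_requests, arp_answered = parse_capture(text)
    findings = {}
    for src, dst in unanswered_flows(flows):
        if ipaddress.ip_address(src) in lan:
            if src in arp_requests and src not in arp_answered:
                findings[(src, dst)] = "arp-unanswered"
            else:
                findings[(src, dst)] = "in-subnet-no-reply"
        else:
            findings[(src, dst)] = "off-subnet-no-reply"
    return findings


if __name__ == "__main__":
    for (src, dst), verdict in diagnose(SAMPLE_CAPTURE, "192.168.0.0/24").items():
        print(f"{src} -> {dst}: {verdict}")
```

Feed it real output with something like `tcpdump -n -i <lan interface> host <target> | python3 script.py` adapted to read stdin, and pass the LAN prefix that actually applies; the verdict only tells you where to look next (ARP, routing, or filtering), which is exactly the branching the reply describes.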