Hi, folks:
Here's a good one for you.
I have an IPsec tunnel running between two OpenBSD boxes. One is still
running 3.8 (yes, it needs to be updated) and the other is running 4.1.
There is a functioning tunnel running between the two devices.
Hosts on one end can "see" hosts on the other, and vice versa -- EXCEPT
we just put an HP Jetdirect print server on the OpenBSD 4.1 side. This
device is pingable and accessible from hosts on the same network, but
totally unpingable and inaccessible from hosts on the remote network.
To recap:
Print server is at site A.
Hosts at site A (on the same subnet) can ping and access print server.
Hosts at site B (on a different subnet) *cannot* ping or access this
print server.
And yet, hosts at site B *can* see every other device at site A (and
vice versa), and all those devices can see the print server.
Note that we're not doing any filtering on the encryption interface (the
line is "pass quick on enc0"); nevertheless, I'm wondering if I need
some special flags somewhere.
Other things I've tried:
- moving the Jetdirect to a different port on the same physical switch
- a variety of static and dynamic IPs in the subnet
I also forwarded the external port 9100 to this print server and tried
to access it from a public host, but this didn't work either.
This leads me to suspect a peculiar interaction between OpenBSD 4.1 and
this particular print server. Of course, it might well be the fault of
HP's IP stack, but I've already talked to them at great length and got
pretty much nowhere: "We don't support JetDirect over WAN connections."
We ended up putting the printer outside on a public IP address as an
ugly, undesirable workaround, and, WAN connection or not, that is
currently working. I'd really like to get this one back on the private
network. I don't need hackers sending mountains of porn to this printer,
even if it *is* in a truck stop.
Any ideas or salient suggestions?
-Stephen-