On Tue, Nov 15, 2005 at 06:53:19PM -0500, Adam Rosi-Kessel wrote:

> > > So, setting aside the question of why I wasn't seeing that before, shouldn't
> > > I be able to see the incoming packets as they are routed to the internal
> > > client machine, even if they are tracked connections? When I watch the
> > > inward-facing interface with tcpdump, I don't see any of these packets
> > > getting routed to that machine, although I do see the outbound packets.
> >
> > I don't clearly understand you here. It is always best to run tcpdump on
> > both interfaces so that one can compare what packets are routed properly
> > and how they were mangled/NAT-ed by the firewall. If some packets are
> > missing from either side then that's a clear sign that those packets were
> > dropped by either a matching rule/policy or by the system itself.
> >
> > Did the logging produce anything?

I should probably also mention that the NAT box has two external IP
addresses, both on eth0 (eth0 and eth0:1), although I don't think this
should affect anything, maybe there's something I don't know. All outbound
traffic from the LAN is SNAT'ed to the eth0:1 external IP address, and the
VPN traffic I'm seeing is coming back into that same IP address.

--
Adam Rosi-Kessel
http://adam.rosi-kessel.org
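The quoted advice above (capture on both interfaces and look for packets present on one side but missing on the other) can be turned into a small comparison script. The following is an added example, not code from anyone in the thread: it parses a few constructed lines of tcpdump text output from the outer interface (eth0) and the inward-facing interface (assumed to be eth1), rewrites the internal addresses to the SNAT address so that flows can be matched across the NAT, and reports flows whose packet counts differ. The addresses (`192.168.1.0/24` LAN, `198.51.100.6` as the eth0:1 SNAT address, `203.0.113.50` as the VPN peer) are placeholders, and the example assumes the SNAT keeps the source port unchanged.

```python
import re
from collections import Counter

# Constructed placeholders (not from the original message):
# the LAN prefix behind the NAT box and the eth0:1 alias used as SNAT source.
INTERNAL_NET = "192.168.1."
SNAT_ADDR = "198.51.100.6"

# Matches the head of a tcpdump text line: "HH:MM:SS.usec IP a.b.c.d.port > w.x.y.z.port: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample captures: the outbound VPN packet is seen on both sides,
# but the reply from the peer is only seen on eth0 (never forwarded to eth1).
ETH1_LINES = [
    "18:53:01.000001 IP 192.168.1.10.40000 > 203.0.113.50.1194: UDP, length 100",
]
ETH0_LINES = [
    "18:53:01.000050 IP 198.51.100.6.40000 > 203.0.113.50.1194: UDP, length 100",
    "18:53:01.100000 IP 203.0.113.50.1194 > 198.51.100.6.40000: UDP, length 120",
]


def parse(line):
    """Return (src, sport, dst, dport) for a tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def normalize(flow):
    """Rewrite LAN addresses to the SNAT address so eth0 and eth1 flows share a key.
    Assumes the SNAT preserves the source port (a simplification)."""
    src, sport, dst, dport = flow
    if src.startswith(INTERNAL_NET):
        src = SNAT_ADDR
    if dst.startswith(INTERNAL_NET):
        dst = SNAT_ADDR
    return (src, sport, dst, dport)


def count_flows(lines):
    """Count packets per normalized flow in one interface's capture."""
    counts = Counter()
    for line in lines:
        flow = parse(line)
        if flow is not None:
            counts[normalize(flow)] += 1
    return counts


def compare_captures(outer_lines, inner_lines):
    """Return {flow: (packets on outer iface, packets on inner iface)} for every
    flow whose counts differ; a reply to the SNAT address with zero inner packets
    is exactly the symptom described in the thread."""
    outer, inner = count_flows(outer_lines), count_flows(inner_lines)
    report = {}
    for key in set(outer) | set(inner):
        if outer[key] != inner[key]:
            report[key] = (outer[key], inner[key])
    return report


def describe(report):
    """Human-readable lines for the mismatches found by compare_captures()."""
    out = []
    for (src, sport, dst, dport), (n_outer, n_inner) in sorted(report.items()):
        direction = "inbound" if dst == SNAT_ADDR else "outbound"
        out.append(f"{direction} {src}:{sport} -> {dst}:{dport}: "
                   f"{n_outer} pkt(s) on eth0, {n_inner} on eth1")
    return out


if __name__ == "__main__":
    for line in describe(compare_captures(ETH0_LINES, ETH1_LINES)):
        print(line)
```

Run it against real captures by feeding the lines of `tcpdump -ni eth0` and `tcpdump -ni eth1` into `compare_captures()`; a flow reported with packets on eth0 and none on eth1 is the one to look for in the firewall's LOG rules.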