# Forwarding failure



## orenbenkiki (May 29, 2010)

My FreeBsd box does not forward packets from the LAN (xl0) through OpenVpn (tun0).
Here's my setup (local address is 192.168.0.7):


```
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      965   tun0
xxx.xxx.xxx.xxx    192.168.0.1        UGHS        1      654    xl0
127.0.0.1          link#5             UH          0        6    lo0
192.168.0.0/24     link#4             U           3     1903    xl0
192.168.0.7        link#4             UHS         0        0    lo0
192.168.2.0/24     192.168.2.2        UGS         0        0   tun0
192.168.2.1        link#7             UHS         0        0    lo0
192.168.2.2        link#7             UH          0      157   tun0
```

Where xxx.xxx.xxx.xxx is the public static IP address of my OpenVpn server, somewhere out there on the Internet.

In my /etc/rc.conf I have:

```
openvpn_enable="YES"
gateway_enable="YES"
```

My OpenVpn setup is simple:


```
# cat /usr/local/etc/openvpn/openvpn.conf
dev tun
remote xxx.xxx.xxx.xxx
ifconfig 192.168.2.1 192.168.2.2
up /usr/local/etc/openvpn/up
secret /usr/local/etc/openvpn/static.key
port 1194
verb 3
```

What I'm trying to do is to have my FreeBsd box live on my LAN, which has a router for accessing the Internet (192.168.0.1). However, the FreeBsd box does not use this router to access the Internet, it uses the OpenVpn connection instead (via the 192.168.2.x tunnel). On the other side of this tunnel I have a Linux VPS which has a static Internet IP (xxx.xxx.xxx.xxx above). It performs NAT operations (using iptables).

If I try to access the Internet from the FreeBsd box as configured above, all is well. I can ping the other side of the tunnel, google.com, etc. and the packets do flow through the OpenVpn tunnel as expected.

However, if in any other machine on my LAN I set up the FreeBsd box as the default gateway (that is, if on another machine I change the default route from 192.168.0.1 to 192.168.0.7), it doesn't work. A traceroute shows that the packets never reach the 192.168.2.x tunnel. It is as if the FreeBsd box does not forward the packets from the xl0 NIC to the tun0 OpenVpn tunnel.

That is, on the FreeBsd, I can:


```
ping 192.168.2.1
ping 192.168.2.2
ping xxx.xxx.xxx.xxx
ping google.com
```
And they all work.

On a machine with a default route leading to 192.168.0.7, I can:


```
ping 192.168.0.7 - works
ping 192.168.2.1 - works
ping xxx.xxx.xxx.xxx - works (obviously not via the vpn tunnel)
```
But I can not:


```
ping 192.168.2.2 - 100% packet loss
ping 8.8.8.8 - "From 192.168.0.7 ... Destination Host Unreachable"
```
Normally the 1st advice I see in HOWTOs and so on is gateway_enable="YES" but I do have that set up. Also, I _can_ ping 192.168.2.1 (the near side of the vpn tunnel) from outside the FreeBsd box - but not 192.168.2.2 (the far side of the vpn tunnel). Interestingly, when I ping 192.168.2.2 I see packets sent on the FreeBsd OpenVpn (with verb 9). But when I ping 8.8.8.8, I don't see such packets sent.

I'm pretty much stumped at this point. Any ideas will be appreciated...

Thanks,

    Oren Ben-Kiki


----------



## DutchDaemon (May 29, 2010)

Please format your posts.


----------



## orenbenkiki (May 29, 2010)

Thanks. I was thrown off by the rich editor showing the post in fixed-width font. Should have caught it in the preview. My bad.

Anyway, still stumped. I'm on the verge on switching to a Linux server so I'll be able to use pppd and iptables and all that :-(


----------



## orenbenkiki (May 29, 2010)

Never mind, got it. The problem wasn't on the FreeBSD side, it was in the VPS side on the other hand.


----------

