Hi,

I searched the internet for a solution to this problem, but I can't get it to work. This is my situation:

- fixed IP on one interface of a Thomson router/modem
- all traffic on the modem is forwarded to an internal server at the IP address 192.168.254.2
- the server is an openSUSE 10.2 server with SuSEfirewall2 enabled
- the server has an IP on a second interface, 192.168.1.100, which is the internal network
- in the network there is also an MS server with VPN enabled (RAS)

INTERNET <-> MODEM <-> OPENSUSE 10.2 LINUX <-> WINDOWS VPN SERVER
fixed IP <-> fixed IP / 192.168.254.1 <-> 192.168.254.2 / 192.168.1.100 <-> 192.168.1.1

All I want is to forward all VPN traffic from external clients to the MS VPN server. This is what I already checked:

- when I'm connected to the network it is possible to create a VPN connection, so I know the VPN is working.
- I forwarded port 1723 over TCP and port 500 to the IP of the VPN server.
- I also altered the /etc/sysconfig/SuSEfirewall2 script so that GRE (protocol 47) is forwarded.

Now when I try to connect from outside, my Windows client gets stuck at "Busy checking username and password" and ends in an error 721 after a while.
Also when I try to connect I can read this info from the /var/log/firewall logfile:

Jan 21 20:07:36 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=29457 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15089 PROTO=TCP SPT=1723 DPT=2370 WINDOW=16384 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=196 TOS=0x00 PREC=0x00 TTL=119 ID=29458 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16560 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=196 TOS=0x00 PREC=0x00 TTL=127 ID=15090 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65379 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=208 TOS=0x00 PREC=0x00 TTL=119 ID=29459 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16404 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=15091 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65211 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:36 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=119 ID=29460 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16372 RES=0x00 ACK PSH URGP=0
Jan 21 20:07:37 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=15092 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65187 RES=0x00 ACK URGP=0
Jan 21 20:08:11 balrog kernel: SFW2-INint-ACC-ALL IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:3c:43:4f:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=238 TOS=0x00 PREC=0x00 TTL=128 ID=15235 PROTO=UDP SPT=138 DPT=138 LEN=218
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=119 ID=29577 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16372 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=188 TOS=0x00 PREC=0x00 TTL=127 ID=15247 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65171 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=119 ID=29578 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16224 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=15248 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65155 RES=0x00 ACK PSH URGP=0
Jan 21 20:08:13 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=29580 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16208 RES=0x00 ACK FIN URGP=0
Jan 21 20:08:13 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=15249 DF PROTO=TCP SPT=1723 DPT=2370 WINDOW=65155 RES=0x00 ACK FIN URGP=0
Jan 21 20:08:14 balrog kernel: SFW2--ACC-MASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=29581 DF PROTO=TCP SPT=2370 DPT=1723 WINDOW=16208 RES=0x00 ACK URGP=0

But also this:

Jan 21 19:55:47 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=25402 DF PROTO=TCP SPT=2325 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jan 21 19:55:47 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25406 PROTO=47
Jan 21 19:55:49 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25409 PROTO=47
Jan 21 19:55:52 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25413 PROTO=47
Jan 21 19:55:56 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25418 PROTO=47
Jan 21 19:56:00 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25422 PROTO=47
Jan 21 19:56:08 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=119 ID=25434 PROTO=47

In my config file I have the following:

# ALLOW HTTPS, ISAKMP AND PPTP TRAFFIC TO SBS
FW_FORWARD_MASQ="0/0,192.168.1.1,tcp,443,443,192.168.254.2 0/0,192.168.1.1,tcp,1723,1723,192.168.254.2 0/0,192.168.1.1,udp,500,500,192.168.254.2"
FW_SERVICES_EXT_IP="gre"
FW_SERVICES_INT_IP="gre"
FW_SERVICES_DMZ_IP="gre"

because there is info that says:

# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)

I also tried to add the following rules in /etc/sysconfig/scripts/SuSEfirewall2-custom:

iptables -A PREROUTING -t nat -p gre -d 192.168.254.2 -j DNAT --to-destination 192.168.1.1
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d 192.168.254.2 -j DNAT --to-destination 192.168.1.1:1723

also without success... I must be doing something wrong. Can anybody help me?

Thanks,
Arthur

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
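An added example, not from Arthur's post, that reads SuSEfirewall2 log lines of the kind quoted above and summarises, per SFW2 tag and IP protocol, what the FORWARD chain accepted or dropped. On the sample below (constructed from the post's own excerpt) TCP to port 1723 appears under an FWDext-ACC tag while protocol 47 (GRE) appears only under FWDext-DROP-DEFLT, which is the distinction to check when a PPTP client stalls at authentication: the control channel is forwarded but the GRE data channel is not.

```shell
#!/bin/sh
# Added example (not part of the original post): group SuSEfirewall2 log
# lines by SFW2 tag and IP protocol so that a dropped protocol stands out.
# Reads lines on stdin; works with the kernel's "PROTO=TCP" / "PROTO=47" style.

# Constructed sample, cut down from the post's /var/log/firewall excerpt.
SAMPLE_LOG='Jan 21 19:55:47 balrog kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=2325 DPT=1723 SYN URGP=0
Jan 21 19:55:47 balrog kernel: SFW2-FWDint-ACC-MASQ IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=213.219.146.220 LEN=48 PROTO=TCP SPT=1723 DPT=2325 ACK SYN URGP=0
Jan 21 19:55:47 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 PROTO=47
Jan 21 19:55:49 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 PROTO=47
Jan 21 19:55:52 balrog kernel: SFW2-FWDext-DROP-DEFLT IN=eth0 OUT=eth1 SRC=213.219.146.220 DST=192.168.1.1 LEN=57 PROTO=47'

# sfw2_summary: stdin -> lines "TAG PROTO COUNT", sorted by tag.
sfw2_summary() {
    awk '{
        tag = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SFW2-/)       tag = $i
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (tag != "" && proto != "") count[tag " " proto]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# sfw2_dropped_protos: stdin -> protocols dropped by a FORWARD (FWDext/FWDint) rule.
sfw2_dropped_protos() {
    sfw2_summary | awk '$1 ~ /^SFW2-FWD[a-z]*-DROP-/ { print $2 }' | sort -u
}

# sfw2_proto_name: map a PROTO= value to a name (small table, /etc/protocols
# is the authoritative source on a real box).
sfw2_proto_name() {
    case "$1" in
        47) echo gre ;;
        50) echo esp ;;
        51) echo ah ;;
        TCP|UDP|ICMP) echo "$1" ;;
        *) echo "proto-$1" ;;
    esac
}

# Stand-alone run: print the summary, then name every dropped protocol.
printf '%s\n' "$SAMPLE_LOG" | sfw2_summary
for p in $(printf '%s\n' "$SAMPLE_LOG" | sfw2_dropped_protos); do
    echo "dropped in FORWARD: $p ($(sfw2_proto_name "$p"))"
done
```

On a live system replace the sample with `grep SFW2- /var/log/firewall | sfw2_summary`.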