# Connecting via ssh to a machine on a VPN

## don quixada

Hi, I'm trying to connect to my PC from the outside using ssh. I can connect to it normally when the PC is not on VPN but I'm a bit over my head in configuring the PC to port-forward and such. Basically I'm not sure where to start. 

I have configured OpenVPN according to this guide:

http://wiki.gentoo.org/wiki/VPN_Services

I also have shorewall running for my firewall.

Do I need to configure OpenVPN or Shorewall to get this to work? Thanks!

dq

----------

## szatox

Do you mind showing ifconfig -a and iptables-save?

And route -n

----------

## don quixada

OK, here it is (while not connected to the VPN since I am remotely ssh'd in now). I had to mess around with my firewall in order to get it to play nicely with the VPN...

```
# ifconfig -a

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.2.151  netmask 255.255.255.0  broadcast 192.168.2.255

        inet6 fe80::62a4:4cff:fe64:1a90  prefixlen 64  scopeid 0x20<link>

        ether 60:a4:4c:64:1a:90  txqueuelen 1000  (Ethernet)

        RX packets 29082634  bytes 35249514072 (32.8 GiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 19788860  bytes 4582166724 (4.2 GiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0nnnnn

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 3933  bytes 377230 (368.3 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 3933  bytes 377230 (368.3 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480

        sit  txqueuelen 0  (IPv6-in-IPv4)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

```
# iptables-save

# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015

*nat

:PREROUTING ACCEPT [3492:1552714]

:INPUT ACCEPT [163:8498]

:OUTPUT ACCEPT [61594:5891022]

:POSTROUTING ACCEPT [61754:5897422]

:tun0_masq - [0:0]

-A POSTROUTING -o tun0 -j tun0_masq

-A tun0_masq -s 192.168.2.0/24 -j MASQUERADE

COMMIT

# Completed on Thu Jan 29 13:14:47 2015

# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015

*raw

:PREROUTING ACCEPT [7168295:9226094783]

:OUTPUT ACCEPT [4253510:838519763]

COMMIT

# Completed on Thu Jan 29 13:14:47 2015

# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015

*mangle

:PREROUTING ACCEPT [7168295:9226094783]

:INPUT ACCEPT [7168295:9226094783]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [4253510:838519763]

:POSTROUTING ACCEPT [4280865:846810749]

:tcfor - [0:0]

:tcin - [0:0]

:tcout - [0:0]

:tcpost - [0:0]

:tcpre - [0:0]

-A PREROUTING -j tcpre

-A INPUT -j tcin

-A FORWARD -j MARK --set-xmark 0x0/0xff

-A FORWARD -j tcfor

-A OUTPUT -j tcout

-A POSTROUTING -j tcpost

COMMIT

# Completed on Thu Jan 29 13:14:47 2015

# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

:Broadcast - [0:0]

:Reject - [0:0]

:dynamic - [0:0]

:fw2net - [0:0]

:fw2vpn - [0:0]

:logdrop - [0:0]

:logreject - [0:0]

:net2fw - [0:0]

:net2vpn - [0:0]

:net_frwd - [0:0]

:reject - [0:0]

:sfilter - [0:0]

:shorewall - [0:0]

:vpn2fw - [0:0]

:vpn2net - [0:0]

:vpn_frwd - [0:0]

-A INPUT -i enp3s0 -j net2fw

-A INPUT -i tun0 -j vpn2fw

-A INPUT -i lo -j ACCEPT

-A INPUT -j Reject

-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6

-A INPUT -g reject

-A FORWARD -i enp3s0 -j net_frwd

-A FORWARD -i tun0 -j vpn_frwd

-A FORWARD -j Reject

-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6

-A FORWARD -g reject

-A OUTPUT -o enp3s0 -j fw2net

-A OUTPUT -o tun0 -j fw2vpn

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -j ACCEPT

-A Broadcast -d 127.255.255.255/32 -j DROP

-A Broadcast -d 192.168.2.255/32 -j DROP

-A Broadcast -d 255.255.255.255/32 -j DROP

-A Broadcast -d 224.0.0.0/4 -j DROP

-A Reject

-A Reject -j Broadcast

-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT

-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A Reject -m conntrack --ctstate INVALID -j DROP

-A Reject -p udp -m multiport --dports 135,445 -j reject

-A Reject -p udp -m udp --dport 137:139 -j reject

-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject

-A Reject -p tcp -m multiport --dports 135,139,445 -j reject

-A Reject -p udp -m udp --dport 1900 -j DROP

-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A Reject -p udp -m udp --sport 53 -j DROP

-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A fw2net -j ACCEPT

-A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A fw2vpn -j ACCEPT

-A logdrop -j DROP

-A logreject -j reject

-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 1050 -j ACCEPT

-A net2fw -p udp -m udp --dport 137 -j DROP

-A net2fw -p udp -m udp --dport 138 -j DROP

-A net2fw -j Reject

-A net2fw -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6

-A net2fw -g reject

-A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A net2vpn -j Reject

-A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:REJECT:" --log-level 6

-A net2vpn -g reject

-A net_frwd -o enp3s0 -g sfilter

-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A net_frwd -o tun0 -j net2vpn

-A reject -d 127.255.255.255/32 -j DROP

-A reject -d 192.168.2.255/32 -j DROP

-A reject -d 255.255.255.255/32 -j DROP

-A reject -s 224.0.0.0/4 -j DROP

-A reject -p igmp -j DROP

-A reject -p tcp -j REJECT --reject-with tcp-reset

-A reject -p udp -j REJECT --reject-with icmp-port-unreachable

-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable

-A reject -j REJECT --reject-with icmp-host-prohibited

-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6

-A sfilter -j DROP

-A vpn2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A vpn2fw -j Reject

-A vpn2fw -j LOG --log-prefix "Shorewall:vpn2fw:REJECT:" --log-level 6

-A vpn2fw -g reject

-A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A vpn2net -j Reject

-A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6

-A vpn2net -g reject

-A vpn_frwd -o tun0 -g sfilter

-A vpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A vpn_frwd -o enp3s0 -j vpn2net

COMMIT

# Completed on Thu Jan 29 13:14:47 2015
```

```
# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo

192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
```

Last edited by don quixada on Fri Jan 30, 2015 3:41 pm; edited 1 time in total

----------

## don quixada

If it helps, here is the info while connected to the VPN:

```
# ifconfig -a

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.2.151  netmask 255.255.255.0  broadcast 192.168.2.255

        inet6 fe80::62a4:4cff:fe64:1a90  prefixlen 64  scopeid 0x20<link>

        ether 60:a4:4c:64:1a:90  txqueuelen 1000  (Ethernet)

        RX packets 29385881  bytes 35499237766 (33.0 GiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 20073989  bytes 4680792501 (4.3 GiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 3963  bytes 380805 (371.8 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 3963  bytes 380805 (371.8 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480

        sit  txqueuelen 0  (IPv6-in-IPv4)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 10.107.1.10  netmask 255.255.255.255  destination 10.107.1.9

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 3760  bytes 4219242 (4.0 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 3430  bytes 399991 (390.6 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

```
# iptables-save

# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015

*nat

:PREROUTING ACCEPT [5013:2257706]

:INPUT ACCEPT [240:12502]

:OUTPUT ACCEPT [72693:6921313]

:POSTROUTING ACCEPT [72853:6927713]

:tun0_masq - [0:0]

-A POSTROUTING -o tun0 -j tun0_masq

-A tun0_masq -s 192.168.2.0/24 -j MASQUERADE

COMMIT

# Completed on Fri Jan 30 07:57:18 2015

# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015

*raw

:PREROUTING ACCEPT [7485765:9481050061]

:OUTPUT ACCEPT [4541164:933547418]

COMMIT

# Completed on Fri Jan 30 07:57:18 2015

# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015

*mangle

:PREROUTING ACCEPT [7485765:9481050061]

:INPUT ACCEPT [7485765:9481050061]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [4541164:933547418]

:POSTROUTING ACCEPT [4580715:945548980]

:tcfor - [0:0]

:tcin - [0:0]

:tcout - [0:0]

:tcpost - [0:0]

:tcpre - [0:0]

-A PREROUTING -j tcpre

-A INPUT -j tcin

-A FORWARD -j MARK --set-xmark 0x0/0xff

-A FORWARD -j tcfor

-A OUTPUT -j tcout

-A POSTROUTING -j tcpost

COMMIT

# Completed on Fri Jan 30 07:57:18 2015

# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

:Broadcast - [0:0]

:Reject - [0:0]

:dynamic - [0:0]

:fw2net - [0:0]

:fw2vpn - [0:0]

:logdrop - [0:0]

:logreject - [0:0]

:net2fw - [0:0]

:net2vpn - [0:0]

:net_frwd - [0:0]

:reject - [0:0]

:sfilter - [0:0]

:shorewall - [0:0]

:vpn2fw - [0:0]

:vpn2net - [0:0]

:vpn_frwd - [0:0]

-A INPUT -i enp3s0 -j net2fw

-A INPUT -i tun0 -j vpn2fw

-A INPUT -i lo -j ACCEPT

-A INPUT -j Reject

-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6

-A INPUT -g reject

-A FORWARD -i enp3s0 -j net_frwd

-A FORWARD -i tun0 -j vpn_frwd

-A FORWARD -j Reject

-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6

-A FORWARD -g reject

-A OUTPUT -o enp3s0 -j fw2net

-A OUTPUT -o tun0 -j fw2vpn

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -j ACCEPT

-A Broadcast -d 127.255.255.255/32 -j DROP

-A Broadcast -d 192.168.2.255/32 -j DROP

-A Broadcast -d 255.255.255.255/32 -j DROP

-A Broadcast -d 224.0.0.0/4 -j DROP

-A Reject

-A Reject -j Broadcast

-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT

-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A Reject -m conntrack --ctstate INVALID -j DROP

-A Reject -p udp -m multiport --dports 135,445 -j reject

-A Reject -p udp -m udp --dport 137:139 -j reject

-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject

-A Reject -p tcp -m multiport --dports 135,139,445 -j reject

-A Reject -p udp -m udp --dport 1900 -j DROP

-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A Reject -p udp -m udp --sport 53 -j DROP

-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A fw2net -j ACCEPT

-A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A fw2vpn -j ACCEPT

-A logdrop -j DROP

-A logreject -j reject

-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT

-A net2fw -p tcp -m tcp --dport 1050 -j ACCEPT

-A net2fw -p udp -m udp --dport 137 -j DROP

-A net2fw -p udp -m udp --dport 138 -j DROP

-A net2fw -j Reject

-A net2fw -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6

-A net2fw -g reject

-A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A net2vpn -j Reject

-A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:REJECT:" --log-level 6

-A net2vpn -g reject

-A net_frwd -o enp3s0 -g sfilter

-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A net_frwd -o tun0 -j net2vpn

-A reject -d 127.255.255.255/32 -j DROP

-A reject -d 192.168.2.255/32 -j DROP

-A reject -d 255.255.255.255/32 -j DROP

-A reject -s 224.0.0.0/4 -j DROP

-A reject -p igmp -j DROP

-A reject -p tcp -j REJECT --reject-with tcp-reset

-A reject -p udp -j REJECT --reject-with icmp-port-unreachable

-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable

-A reject -j REJECT --reject-with icmp-host-prohibited

-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6

-A sfilter -j DROP

-A vpn2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A vpn2fw -j Reject

-A vpn2fw -j LOG --log-prefix "Shorewall:vpn2fw:REJECT:" --log-level 6

-A vpn2fw -g reject

-A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A vpn2net -j Reject

-A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6

-A vpn2net -g reject

-A vpn_frwd -o tun0 -g sfilter

-A vpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic

-A vpn_frwd -o enp3s0 -j vpn2net

COMMIT

# Completed on Fri Jan 30 07:57:18 2015
```

Of course that last outside IP address changes all the time...

```
# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         10.165.1.5      128.0.0.0       UG    0      0        0 tun0

0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0

10.165.1.1      10.165.1.5      255.255.255.255 UGH   0      0        0 tun0

10.165.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

50.23.115.95    192.168.2.1     255.255.255.255 UGH   0      0        0 enp3s0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo

128.0.0.0       10.165.1.5      128.0.0.0       UG    0      0        0 tun0

192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
```

----------

## szatox

Of course it's connected setup that matters. It is the part you have some problems with  :Wink: 

Well, it's pretty complex, so let's do that step by step.

This is wrong, you can only use one default gateway at any time.

 *Quote:*   

> 0.0.0.0         10.165.1.5      128.0.0.0       UG    0      0        0 tun0
> 
> 0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0 

 

You either use enp3s0 as default gw and think about vpn as your LAN, or you use tun0 as default gw and don't think about enp3s0 at all: like use it only for a single host you use as the other endpoint for your tunel.

The firewall rules look weird to me. I don't understand what do you want to achieve. What setup do you want? Where should ssh be available?

----------

## don quixada

I'm not surprised that you find the firewall rules to be weird, they are a result of many iterations of trying to get things to work over the years. Normally I connect to my PC remotely using SSH. So the OpenSSH server is on my (Gentoo) PC and I connect to it from outside. The server is set-up and running and I can connect no problem. Also, I have a cron job similar to dyndns that updates a domain name that points to my ip address if the ip address changes. However, recently I subscribed to an anonymizing VPN service and I want to do the same thing while the PC connected to the VPN (which won't always be the case). 

So just to rephrase, the new situation is this:

1. Home PC (Gentoo) running a firewall (shorewall setup) connected to an anonymizing VPN provider

2. Laptop outside of network connecting to the home PC via SSH (putty)

Apparently it is possible to connect through the VPN by port-forwarding but I'm not sure how to set it up. The VPN provider offers an ip-forwarding script but it is specific to Ubuntu so it doesn't work for Gentoo. I've been trying to configure manually but have had no luck due to my lack of knowledge in this area. I found this thread which contains an adapted script that may be useful but I haven't tried it yet:

https://www.privateinternetaccess.com/forum/discussion/3359/port-forwarding-without-application-pia-script-advanced-users/p2

I hope that all makes sense. Is what I'm trying to do even possible? The VPN provider offers little help in this area since it is a rather advanced situation. I don't always plan to be connected to the VPN on my home PC but sometimes it will be and I want to be able to connect to it.

Thanks for your help so far...

dq

----------

## szatox

Ok, so what you want is setup like this:

Your PC ==VPN_over_ethernet==> anonimizer =====> internet

for this setup you want tun0 to be your default gateway

You also want to have enp3s0 to have a route to host providing you with VPN

Finaly, you need some route between your laptop and pc.  That script you linked doesn't look very ubuntu speciffic. What does it print? Perhaps some information you need to connect from the internet to your PC through that tunnel?

Bypassing VPN would require your PC to know the public IP of your laptop in advance, as you would have to set another direct route: the very same way you hae to set direct route to VPN provider, one that bypases tunel so you can send traffic it generates from stuff you send via tunnel

----------

## don quixada

Hmm, the laptop ip would be variable. Could I use the dyndns-type service to point to the VPN ip-address? Or if I knew this address beforehand. I could be wrong, but I think that if I can port forward to this VPN address then I can see it from the outside...

dq

----------

## szatox

Don't you think using dyndns defeats the purpose of anonymizing VPN?

You can easily bypass VPN with routing table if you know the IP. Within LAN it's easy, as you can simply create a route to a subnet. Over WAN it's getting more tricky as the IP is no longer predictable.

One idea is to use steppng-stone machine with fixed IP and NAT. This way incoming connections can be translated to a predefined IP.

As you seem to know your WAN adress, another idea is to send UDP packed from your laptop to PC WAN address instead of VPN one to let it know what side route should it create. Of course you'd have to handle such a packet and process it with some daemon on your PC. Probably not the cleanest solution, but a simple shell script involving netcat can make it work.

----------

## don quixada

Sorry I've been away on business. I may have figured-out my problem. But I need a second opinion. I have a cron job running on my PC and checking my ip every hour or so. When my PC is anonymized it is returning a different external ip; however, the local ip is still the same for my machine and the router is the device that actually has the external ip (with the respective ports being opened etc.) and the router is not being anonymized. So I think the cron is updating the ip address when it shouldn't. I have yet to test this theory but I will and get back to you...

dq

----------

