Title: efw 2.4 - Strange behavior OpenVPN
Post by: bautzen on Saturday 12 June 2010, 11:18:01 pm

Hi to all, I'm new here and my English is not so good, however I will try to explain my situation because I'm sure that I have made something wrong somewhere.
SCENARIO:

    Internal clients (DHCP) ----- [SBS 2003 Premium with ISA 2004] ----------- [EFW 2.4 full updated] ------------ [Zyxel ADSL] ----------------- Internet

    10.1.0.0/16 <-----------------> NIC1 10.1.0.6
    default GW:   10.1.0.6              |
    default DNS:  10.1.0.6 (ISA 2004 SP2)
    default WINS: 10.1.0.6              |
                                        -> NIC2 172.16.0.200 --------> ORANGE: 172.16.0.254
                                                                           |
                                                                       RED: 192.168.0.253 ----(GW)-----> 192.168.0.254
                                                                           |                                 |--- Dynamic ISP IP: 123.123.123.123
    <-----------------------------------------------------------------> GREEN: 10.3.0.254/16
                                                                              10.1.0.254/16 (Alias IP)

Now I would like to permit remote clients to connect to the internal LAN (10.1.0.0/16) through the EFW OpenVPN Server. So I have set up the EFW to assign a dynamic pool IP from 10.3.0.100 to 10.3.0.200. I use OpenVPN client GUI 2.0.9 from openvpn.se.

STRANGE BEHAVIOR:
- Remote VPN client connects correctly and receives a dynamic IP: 10.3.0.100, 10.3.0.101, 10.3.0.102 etc. etc. etc.
- Remote PC can access the internal LAN: ping works and other services too. Obviously internal LAN PCs receive a static route from DHCP (option 249) like this: route ADD 10.3.0.0 MASK 255.255.0.0 10.1.0.254
- THE PING FROM INTERNAL LAN TO REMOTE VPN CLIENT doesn't work at all. When the remote client is connected with 10.3.0.102 (for example), from an internal LAN PC (example: 10.1.0.115) I can ping the remote PC (10.3.0.102) only if I write ping 10.3.0.100!
I post my configuration:

OPENVPN SERVER:

    ; daemon configuration
    daemon
    mode server
    tls-server
    proto tcp
    port 1827
    multihome
    user openvpn
    group openvpn
    cd /var/openvpn
    client-config-dir clients
    script-security 2 system

    ; tunnel configuration
    dev tap0
    server-bridge 10.3.0.254 255.255.0.0 10.3.0.100 10.3.0.200
    push "route-gateway 10.3.0.254"
    push "route 10.1.0.0 255.255.0.0"
    passtos
    comp-lzo
    management 127.0.0.1 5555
    keepalive 8 30
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    persist-local-ip
    persist-remote-ip

    ; logging and status
    writepid /var/run/openvpn/openvpn.pid
    ifconfig-pool-persist openvpn.leases
    status /var/log/openvpn/openvpn-status.log
    verb 1
    client-connect "/usr/local/bin/dir.d-exec /etc/openvpn/client-connect.d/"
    client-disconnect "/usr/local/bin/dir.d-exec /etc/openvpn/client-disconnect.d/"

    ; certificates and authentication
    dh /var/efw/openvpn/dh1024.pem
    pkcs12 /var/efw/openvpn/pkcs12.p12
    client-cert-not-required
    auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
    username-as-common-name
    client-to-client

OPENVPN CLIENT CONFIG:

    client
    dev tap
    proto tcp
    ;proto udp
    remote XXXXXX.dyndns.org 1827
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca firewall.pem
    auth-user-pass
    comp-lzo
    verb 3

Title: Re: efw 2.4 - Strange behavior OpenVPN
Post by: bautzen on Saturday 12 June 2010, 11:56:35 pm

I have created a "source NAT" too, as follows:
    [SOURCE] ALL (OpenVPN Clients)  [DESTINATION] GREEN  [SERVICE] Any  [NAT IN] Auto

But it doesn't resolve my issue.

From the remote PC (10.3.0.150) I can:
- ping the internal LAN 10.1.0.0/16
- ping SBS 2003 (10.1.0.6)
- VNC to SBS 2003 (10.1.0.6) and other servers with a static route to 10.3.0.0 added manually

I can't:
- VNC to an internal PC with an IP received from the DHCP server

From the internal LAN (10.1.0.0/16):
- If I ping the remote VPN PC at 10.3.0.150 I receive: Reply from 10.1.0.254: Destination host unreachable.
- If I ping the same remote VPN PC at 10.3.0.100 (instead of 10.3.0.150) the ping works fine and I can reach the remote PC with VNC, for example.
- Same situation if I ping the remote PC from the SBS server. The difference is that the remote PC can VNC to the SBS correctly even if the SBS is not able to ping the remote host. Instead the remote PC is not able to VNC to any internal PC with an IP assigned from DHCP.

I post ipconfig /ALL of the SBS 2003:

    Host Name . . . . . . . . . . . . : server01
    Primary DNS Suffix  . . . . . . . : xxxx.local
    Node Type . . . . . . . . . . . . : Unknow
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : xxxx.local

    Ethernet adapter LAN-SBS:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : VMWare accelerated AMD PCNet adapterr
    Physical Address. . . . . . . . . : 00-17-A4-8F-AF-3E
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.1.0.6
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 127.0.0.1
    Primary WINS Server . . . . . . . : 10.1.0.6

    Ethernet adapter LAN-DMZ:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : VMWare accelerated AMD PCNet adapterr
    Physical Address. . . . . . . . . : 00-17-A4-8F-AF-4E
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 172.16.0.200
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 172.16.0.254
    DNS Servers . . . . . . . . . . . : 172.16.0.254
    Primary WINS Server . . . . . . . : 10.1.0.6
    NetBIOS over TCPIP  . . . . . . . : disabled

Title: Re: efw 2.4 - Strange behavior OpenVPN
Post by: bautzen on Sunday 13 June 2010, 12:10:02 am

ROUTING TABLE OF SBS:
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     172.16.0.254    172.16.0.200      10
             10.1.0.0      255.255.0.0         10.1.0.6        10.1.0.6      10
             10.1.0.6  255.255.255.255        127.0.0.1       127.0.0.1      10
           10.1.0.109  255.255.255.255        127.0.0.1       127.0.0.1      50
             10.3.0.0      255.255.0.0       10.1.0.254        10.1.0.6       1
       10.255.255.255  255.255.255.255         10.1.0.6        10.1.0.6      10
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
           172.16.0.0    255.255.255.0     172.16.0.200    172.16.0.200      10
         172.16.0.200  255.255.255.255        127.0.0.1       127.0.0.1      10
       172.16.255.255  255.255.255.255     172.16.0.200    172.16.0.200      10
            224.0.0.0        240.0.0.0         10.1.0.6        10.1.0.6      10
            224.0.0.0        240.0.0.0     172.16.0.200    172.16.0.200      10
      255.255.255.255  255.255.255.255         10.1.0.6        10.1.0.6       1
      255.255.255.255  255.255.255.255     172.16.0.200    172.16.0.200       1
    Default Gateway:      172.16.0.254
    ===========================================================================
    Persistent Routes:
      None

Title: Re: efw 2.4 - Strange behavior OpenVPN
Post by: bautzen on Sunday 13 June 2010, 12:13:41 am

Where is my mistake?
Is it something related to ISA 2004? (I have only added the subnet 10.3.0.0/16 to the internal network.) Maybe I have to add 10.3.0.0 netmask 255.255.255.0 instead of 255.255.0.0?

Thank you all for the attention.
Sincere regards,
Patrick
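An added sanity check for the server-bridge setup posted in this thread (example code, not from the poster, Endian or OpenVPN). It parses the relevant directives, verifies the pool and bridge gateway are consistent with each other, and tests which LAN-side route prefixes (the DHCP option 249 route, or the ISA internal-network entry the last post asks about, /16 versus /24) cover every address in the client pool.

```python
"""Added sanity check for an OpenVPN server-bridge pool (not from the thread,
Endian or OpenVPN).  It parses the posted directives, checks that the pool and
bridge gateway are consistent, and answers the /16 vs /24 question by testing
which LAN-side route prefixes cover the whole client pool."""
import ipaddress
import re

# The relevant lines of the server config posted in the thread, re-typed inline.
SERVER_CONF = """
dev tap0
server-bridge 10.3.0.254 255.255.0.0 10.3.0.100 10.3.0.200
push "route-gateway 10.3.0.254"
push "route 10.1.0.0 255.255.0.0"
client-to-client
"""

def parse_server_bridge(conf):
    """Return (gateway, bridge network, pool start, pool end) from server-bridge."""
    m = re.search(r"^server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no server-bridge directive found")
    gw, mask, start, end = m.groups()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    return (ipaddress.ip_address(gw), net,
            ipaddress.ip_address(start), ipaddress.ip_address(end))

def pushed_routes(conf):
    """Networks handed to clients via push "route <net> <mask>" directives."""
    return [ipaddress.ip_network(f"{n}/{m}", strict=False)
            for n, m in re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M)]

def bridge_consistency(conf):
    """What OpenVPN itself expects: pool inside the bridge subnet, ordered, and
    the bridge gateway never handed out as a client address."""
    gw, net, start, end = parse_server_bridge(conf)
    return {
        "pool_in_subnet": start in net and end in net,
        "pool_ordered": start <= end,
        "gateway_outside_pool": not (start <= gw <= end),
        "pool_size": int(end) - int(start) + 1,
    }

def lan_routes_covering_pool(conf, candidate_prefixes):
    """For each prefix the LAN side might route to the VPN (DHCP option 249
    route, ISA internal-network entry), True if it covers the whole pool."""
    _, _, start, end = parse_server_bridge(conf)
    return {p: (start in ipaddress.ip_network(p) and end in ipaddress.ip_network(p))
            for p in candidate_prefixes}
```

Both 10.3.0.0/16 and 10.3.0.0/24 cover the 10.3.0.100-10.3.0.200 pool, so a route or ISA network entry with either mask reaches every client address; the check only confirms coverage, it does not by itself explain why one pool address answers and the others do not.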