Hi all,

I have managed to get my bridging setup working, but I'm unsure I did everything ok, so I would like someone to double-check what I did. Thanks in advance.

Problem:

* I have an upstream network connection to my ISP via VPN: I have a dedicated router that gives me a non-routable address in the 192.168.120.xxx subnet and that will route in the "non-routable" range 192.168.yyy.xxx.
* I need to open a VPN (OpenVPN) with a well-defined server (192.168.12.74) and I will get my fixed public address (80.79.62.xxx).
* I have a front-end machine (ubuntu) that hosts two virtualized clients to act as firewall and "public host" on a DMZ.
* The firewall is IPCop.
* The host is another ubuntu (server) installation.
* All networking is handled via bridging.

Solution:

/etc/network/interfaces:
==============
auto lo
iface lo inet loopback

# LAN -------------------------------
# br0 = home LAN (eth0) bridged to the GREEN side of IPCop (tap0)
auto eth0 tap0 br0

iface eth0 inet manual

iface tap0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface br0 inet static
    address 192.168.0.5
    netmask 255.255.255.0
    #gateway 192.168.0.254
    bridge_ports eth0 tap0
    bridge_maxwait 0
#-----------------------------------

# WAN ------------------------------
# eth2 = host's own address on the ISP net, used only to bring up the VPN
# br2  = VPN tap (tap4) bridged to the RED side of IPCop (tap2), no host address
auto eth2 tap2 tap4 br2

# physical interface to Ydea net
iface eth2 inet static
    address 192.168.120.5
    netmask 255.255.255.0

iface tap2 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface tap4 inet manual
    up /root/Ydea/tap-up.sh
    down /root/Ydea/tap-down.sh
    tunctl_user mauro

iface br2 inet manual
    # address 192.168.120.5
    # netmask 255.255.255.0
    bridge_ports tap4 tap2
    bridge_maxwait 0
#-----------------------------------

# DMZ ------------------------------
# br1 = ORANGE side of IPCop bridged to the virtual server's interface
auto tap1 tap3 br1

iface tap1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface tap3 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    down ifconfig $IFACE down
    tunctl_user mauro

iface br1 inet static
    address 192.168.77.5
    netmask 255.255.255.0
    bridge_ports tap1 tap3
    bridge_maxwait 0
#-----------------------------------
==============

The idea is:

* to have a direct connection (using eth2) to my ISP and use that ONLY to set up the VPN tunnel (tap4) connected with the RED interface of IPCop (tap2).
* to have a direct bridge between the ORANGE if of IPCop (tap2) and the virtual if of my "server" (tap4).
* to have the other "real" ethernet (eth0) on the host, connected to my internal home net, bridged to the virtual GREEN if of IPCop (tap0).

This *does* work, but I would like to be sure that:

* the host will only respond to its own internal address (192.168.0.5) and not to other addresses.
* no one can access the ISP net (192.168.120.xxx); this is currently not true: the host can access it. I need it in order to set up the VPN. Is there any way to close this door after the VPN is up?
* Sometimes some "internal" PC (in the GREEN net 192.168.0.xxx) gets a DHCP address in the range 192.168.120.xxx, probably getting it from the DHCP server in the ISP's router and not from IPCop. Invariably a "sudo dhclient" cures the issue. What's happening there?
* What are the security issues of such a setup?

Can someone enlighten me?

TiA
Mauro
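Since the post asks for a double-check of the bridging configuration, here is an added example (my own script, not code from the post, from IPCop or from ifupdown) that parses an /etc/network/interfaces file, maps each bridge to its ports, lists every interface on which the host owns an IPv4 address, and flags the structural mistakes that usually break bridged setups: a port enslaved to two bridges, a port that carries its own address, a port that is bridged but never defined or never brought up. INTERFACES is a trimmed copy of the config above (up/down hooks and tunctl_user lines dropped, they do not affect membership); BROKEN is a constructed variant that triggers the checks. On the posted config the audit finds no structural problem, and host_addresses() shows the host owning an address on br0, eth2 and br1, so it answers ARP and IP on all three segments, which bears on the first question in the post.

```python
"""Audit an ifupdown /etc/network/interfaces file for bridge sanity.

Added example (not from the post): parses the stanza format, maps bridges to
their ports and reports common bridging mistakes.
"""
from collections import defaultdict

# Trimmed copy of the interfaces file in the post above.
INTERFACES = """\
auto lo
iface lo inet loopback
auto eth0 tap0 br0
iface eth0 inet manual
iface tap0 inet manual
iface br0 inet static
    address 192.168.0.5
    netmask 255.255.255.0
    #gateway 192.168.0.254
    bridge_ports eth0 tap0
auto eth2 tap2 tap4 br2
iface eth2 inet static
    address 192.168.120.5
    netmask 255.255.255.0
iface tap2 inet manual
iface tap4 inet manual
iface br2 inet manual
    bridge_ports tap4 tap2
auto tap1 tap3 br1
iface tap1 inet manual
iface tap3 inet manual
iface br1 inet static
    address 192.168.77.5
    netmask 255.255.255.0
    bridge_ports tap1 tap3
"""

# Constructed broken variant: a port carrying its own address (eth2) and a
# port that is bridged but never defined or auto-started (tap2).
BROKEN = """\
auto eth2 br2
iface eth2 inet static
    address 192.168.120.5
    netmask 255.255.255.0
iface br2 inet manual
    bridge_ports eth2 tap2
"""


def parse_interfaces(text):
    """Return (auto_names, ifaces); ifaces maps name -> {method, options}.

    options maps an option keyword (address, bridge_ports, ...) to the
    arguments of the first line that set it. Comments are stripped first, so
    a commented-out '#gateway ...' line is ignored, as ifupdown ignores it.
    """
    auto, ifaces, current = [], {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "auto":
            auto.extend(words[1:])
            current = None
        elif words[0] == "iface":          # iface <name> <family> <method>
            current = {"method": words[3], "options": {}}
            ifaces[words[1]] = current
        elif current is not None:
            current["options"].setdefault(words[0], words[1:])
    return auto, ifaces


def bridge_ports(ifaces):
    """Map each bridge to the interfaces enslaved to it."""
    return {n: c["options"]["bridge_ports"]
            for n, c in ifaces.items() if "bridge_ports" in c["options"]}


def host_addresses(ifaces):
    """Map each interface that owns an IPv4 address to that address; the host
    answers ARP and IP on every one of these segments."""
    return {n: c["options"]["address"][0]
            for n, c in ifaces.items() if "address" in c["options"]}


def audit(text):
    """Return human-readable findings; an empty list means nothing found."""
    auto, ifaces = parse_interfaces(text)
    findings, owners = [], defaultdict(list)
    for br, ports in bridge_ports(ifaces).items():
        for port in ports:
            owners[port].append(br)
    for port, brs in owners.items():
        if len(brs) > 1:
            findings.append(f"{port} is enslaved to several bridges: {brs}")
        if port not in ifaces:
            findings.append(f"{port} is a port of {brs[0]} but has no iface stanza")
        elif ifaces[port]["method"] != "manual":
            findings.append(f"{port} is a port of {brs[0]} but is 'inet "
                            f"{ifaces[port]['method']}'; ports should be manual")
        if port not in auto:
            findings.append(f"{port} is a port of {brs[0]} but not in an 'auto' line")
    for name in auto:
        if name not in ifaces:
            findings.append(f"{name} is in an 'auto' line but has no iface stanza")
    return findings


if __name__ == "__main__":
    _, cfg = parse_interfaces(INTERFACES)
    print("bridges:", bridge_ports(cfg))
    print("host answers on:", host_addresses(cfg))
    print("findings:", audit(INTERFACES) or "none")
```

To check a live box, read the real file instead of the embedded copy (`audit(open("/etc/network/interfaces").read())`); the parser only handles the plain `auto`/`iface` stanza syntax used in the post, not `source` or `mapping` directives.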