OK, on the Shorewall website there's a guide on how to set up a VPN "BRIDGE." One of the benefits of a bridge over a routed IP tunnel is that with a bridge you can have broadcast packets go over the link. Although I now have Shorewall working with OpenVPN, this doesn't seem to be happening. Looking over the setup for an actual bridge connection on openvpn.sourceforge.net, it looks like they use a device called br0 for bridging; Shorewall's config doesn't. So my question is this: is the Shorewall setup an actual bridge, or does it just route traffic? Any clues on how I can get broadcast packets from clients to traverse the link?
Hi Dave,

On Wed, 3 Sep 2003, Dave B wrote:
> OK, on the shorewall website there's a guide on how to setup a VPN
> "BRIDGE."

That's not the kind of bridge you want. You want an Ethernet bridge. The Shorewall document describes a "routed" tunnel. Use the OpenVPN docs at http://openvpn.sf.net to learn how to set up an Ethernet bridge. The Ethernet Bridging Mini-HOWTO on the OpenVPN web site is pretty good. If you have a Windows machine in the mix, there's a separate document for that (see the link at the top of the Ethernet Bridging Mini-HOWTO).

Jason
Hi Dave,

Please don't reply off the mailing list.

On Thu, 4 Sep 2003, Dave B wrote:
> Yes, i know about the bridging howto on the website. I've already been
> there and done that. But i couldn't get it to work.. I figured there was
> something i had to configure with shorewall to get it to work right with the
> bridging. I tried a bunch of stuff but could never get it to go. Would you
> have any clues to how to set shorewall up for openvpn.sf.net's bridging
> example?

I think that the only Shorewall change I made for Ethernet bridging was to change my 'loc' zone interface to be 'br0' instead of 'eth1' as it was previously. This change is done in the 'interfaces' file, of course. That's it. Of course you need to make other changes for OpenVPN, but they don't have anything to do with Ethernet bridging.

Jason
Slightly off topic: back when I was in school, more than 20 years ago, people used to advise me never to allow a broadcast between geographically separated LANs, because of performance problems, collisions, and so on. Has this recommendation changed?

TIA,
Eduardo

(Replying to Jason Maas <maasj@dm.org>, 04/09/2003 16:49, "RE: [Shorewall-users] Broadcasts with OpenVPN".)
Hi Eduardo,

On Thu, 4 Sep 2003, Eduardo Ferreira wrote:
> Back when I was in school, more than 20 years ago, people used to advise
> me never to allow a broadcast between geographically separated lans,
> because of performance problems, collisions, so so. Has this
> recomendation changed?

Probably not. I'm not an expert on such things. Stupid MS Windows does a lot of its networking via broadcast packets though. I would recommend never using Windows because of performance problems! =)

Jason
Hi Dave,

On Thu, 4 Sep 2003, Dave B wrote:
> Where am i suppose to reply to?

The Shorewall Users mailing list. It's what you first emailed for help. The email address for it is 'shorewall-users@lists.shorewall.net'. Notice that I've copied the list (again) to get the discussion back onto it.

Jason
So Jason, what you're saying is that you had OpenVPN working with br0, tap0, and eth1 bridged, and all you did to Shorewall is change the eth1 interface to br0? (I would probably want to change the eth0 to eth1 masq line in "masq" to say eth0 to br0 too.) But is there anything else you did? Did you have to have a vpn zone? Or policy?
Hi Dave,

On Thu, 4 Sep 2003, Dave B wrote:
> So Jason, what you're saying is that you had the openvpn working with br0,
> tap0, and eth1 bridged. And all you did to shorewall is change the eth1
> interface to br0?

Actually, I already had some "routed" OpenVPN tunnels set up and working between Linux gateways. Then I've worked on adding support to our OpenVPN config for Windows OpenVPN gateways. I decided to use Ethernet bridging to help Windows Networking find its way around a little better.

> (i would probably want to change eth0 to eth1 masq in
> "masq" to say eth0 to br0 too)

Yes, you're absolutely right. I should have checked my config before replying! I also changed the 'routestopped' file to allow connections from the br0 interface when the firewall is stopped.

> But here there anything else you did? did
> you have to have a vpn zone? or policy?

Yes, you need to do all that, following the OpenVPN and Shorewall documentation. What I meant earlier is that as far as Shorewall is concerned the only thing that's different in the "routed" vs. "Ethernet bridged" OpenVPN scenarios is the 'loc' interface name in your 'interfaces' and 'masq' (and possibly 'routestopped') files.

If you are having problems figuring out the OpenVPN configuration, you should post to the OpenVPN mailing lists. If you are having problems figuring out the Shorewall changes needed to allow OpenVPN to work, study the Shorewall documentation about OpenVPN. If you still can't get it to work, follow the instructions on these pages: http://shorewall.net/troubleshoot.htm and http://shorewall.net/support.htm

-Jason
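Added worked example, not code from this thread, from Shorewall or from OpenVPN: a script that performs the bridge-start sequence in the style of the OpenVPN Ethernet Bridging Mini-HOWTO (tap0 and eth1 enslaved to br0, the LAN address moved onto br0) and then makes the three Shorewall edits Jason lists (loc interface, masq line and routestopped entry switched from eth1 to br0), followed by a check that no stale eth1 reference is left. The interface names, addresses and the sample Shorewall files are assumptions constructed for the example; brctl is assumed to come from bridge-utils, and RUN=echo gives a dry run so nothing needs root.

```shell
#!/bin/sh
# Added example, not code from this thread, from Shorewall or from OpenVPN.
# Assumptions: bridge-utils (brctl) and OpenVPN's --mktun are available,
# and the Shorewall config directory uses the flat 1.x/2.x-style
# "interfaces", "masq" and "routestopped" files.  Interface names and
# addresses are made up for the example.  Set RUN=echo for a dry run.
set -eu

# Bridge-start sequence in the style of the OpenVPN Ethernet Bridging
# Mini-HOWTO: create the tap, enslave the LAN NIC and the tap to the
# bridge, and move the LAN IP address from the NIC onto the bridge.
bridge_start() {
    br=$1; lan=$2; tap=$3; addr=$4; mask=$5; bcast=$6
    ${RUN:-} openvpn --mktun --dev "$tap"
    ${RUN:-} brctl addbr "$br"
    ${RUN:-} brctl addif "$br" "$lan"
    ${RUN:-} brctl addif "$br" "$tap"
    # Bridge ports carry no address of their own; only the bridge does.
    ${RUN:-} ifconfig "$tap" 0.0.0.0 promisc up
    ${RUN:-} ifconfig "$lan" 0.0.0.0 promisc up
    ${RUN:-} ifconfig "$br" "$addr" netmask "$mask" broadcast "$bcast"
}

# Constructed sample of the pre-bridge Shorewall files: loc is eth1,
# traffic from eth1 is masqueraded out eth0, and eth1 stays reachable
# while the firewall is stopped.
write_sample_config() {
    dir=$1
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\nnet\teth0\tdetect\nloc\teth1\tdetect\n' > "$dir/interfaces"
    printf '#INTERFACE\tSUBNET\neth0\teth1\n' > "$dir/masq"
    printf '#INTERFACE\tHOST(S)\neth1\t-\n' > "$dir/routestopped"
}

# The only Shorewall change Jason reports: the loc interface becomes br0
# in interfaces, masq and routestopped.  Only whole fields equal to $old
# are replaced; comment lines are left untouched.
shorewall_switch_to_bridge() {
    dir=$1; old=$2; new=$3
    for f in interfaces masq routestopped; do
        [ -f "$dir/$f" ] || continue
        awk -v old="$old" -v new="$new" '
            /^[[:space:]]*#/ { print; next }
            { for (i = 1; i <= NF; i++) if ($i == old) $i = new; print }
        ' "$dir/$f" > "$dir/$f.tmp" && mv "$dir/$f.tmp" "$dir/$f"
    done
}

# Post-change check: report any non-comment field that still names the
# old interface.  Returns 0 when nothing stale is left, 1 otherwise.
stale_refs() {
    dir=$1; iface=$2; rc=0
    for f in interfaces masq routestopped; do
        [ -f "$dir/$f" ] || continue
        if awk -v want="$iface" '
            /^[[:space:]]*#/ { next }
            { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
            END { exit found ? 0 : 1 }
        ' "$dir/$f"; then
            echo "stale reference to $iface in $dir/$f"; rc=1
        fi
    done
    return $rc
}

# Dry-run walkthrough on a temporary copy of the sample config.
demo() {
    d=$(mktemp -d)
    write_sample_config "$d"
    shorewall_switch_to_bridge "$d" eth1 br0
    for f in interfaces masq routestopped; do echo "== $f"; cat "$d/$f"; done
    stale_refs "$d" eth1
    (RUN=echo; bridge_start br0 eth1 tap0 192.168.1.1 255.255.255.0 192.168.1.255)
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh bridge-shorewall.sh demo` to see the rewritten files and the commands that would be issued. Two things to keep in mind once loc is br0: OpenVPN tap clients are then in the same Shorewall zone as the LAN, so the broadcasts Dave wants do cross the link, but so does every other layer-2 frame, and no Shorewall policy separates VPN clients from LAN hosts. And if the kernel has bridge netfilter enabled, frames forwarded between the two bridge ports can be presented to iptables with br0 as both the in and out interface, in which case the loc entry in 'interfaces' needs Shorewall's routeback option; check the documentation for the Shorewall version in use.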