Hey all,

I'm trying to set up a roadwarrior connection to my internal network. So I've set up openvpn to create a tap0 connection and also have bridged eth1 (leads to my internal computers 192.168.2.10-30) and tap0, which is the VPN connection. On my shorewall setup I have br0 mapped to zone loc and eth0 to be my internet, and I have masquerading on my br0 to get my internal computers internet access.

So once I start up my openvpn/bridge/shorewall setup, here is what works. I can ping from my openvpn server to my vpn client and I can ping from my vpn client to my openvpn server. This took quite some time to get working.

Now the problem is that if I try to ping one of my internal computers (the ones normally behind eth1 but currently behind br0), I get this:

Pinging 192.168.2.30 with 32 bytes of data:

Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.

Now the reason I am posting here is because I know that somehow shorewall is blocking this connection. The reason I know this is because if I issue a shorewall clear command the ping starts working instantly. So obviously something is blocking it. I've tried everything I can think of in the policy file.
I've included it below.

/etc/shorewall/policy:
loc     net     ACCEPT
net     all     DROP
fw      fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
loc     fw      ACCEPT
vpn     loc     ACCEPT
loc     vpn     ACCEPT
locnic  loc     ACCEPT
locnic  vpn     ACCEPT
loc     locnic  ACCEPT
vpn     locnic  ACCEPT
all     all     REJECT

/etc/shorewall/interfaces:
net     eth0    detect  dhcp,routefilter,norfc1918
loc     br0     detect
vpn     tap0
locnic  eth1

/etc/shorewall/zones:
net     Net         Internet
loc     Local       Local networks
vpn     VPN
locnic  LocalNic    Local Nic

/etc/shorewall/tunnels:
openvpn:1194    net     0.0.0.0/0

/etc/shorewall/rules:
ACCEPT  net     fw      udp     1194

If it helps, another oddity I've noticed is that even though I can ping my openvpn server on 192.168.2.1, I cannot access my samba share \\192.168.2.1 until I again shorewall clear.

If someone could please help me out I'd appreciate it. I've spent hours on this and I'm so close.

Thanks

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
A shorewall status would have been nice, but at any rate...

Once you bridge an interface, you can't refer to it as tapX or ethX; it's brX, unless you're using that in the hosts file.
http://www.shorewall.net/bridge.html

> I'm trying to set up a roadwarrior connection to my internal network. So
> I've set up openvpn to create a tap0 connection and also have bridged
> eth1 (leads to my internal computers 192.168.2.10-30) and tap0,
> which is the VPN connection. On my shorewall setup I have br0 mapped to
> zone loc and eth0 to be my internet, and I have masquerading on my br0 to
> get my internal computers internet access. So once I start up my
> openvpn/bridge/shorewall setup, here is what works. I can ping from my
> openvpn server to my vpn client and I can ping from my vpn client to
> my openvpn server. This took quite some time to get working. Now the
> problem is that if I try to ping one of my internal computers (the ones
> normally behind eth1 but currently behind br0), I get this:
>
> Pinging 192.168.2.30 with 32 bytes of data:
>
> Reply from 192.168.2.1: Destination host unreachable.
> Reply from 192.168.2.1: Destination host unreachable.
> Reply from 192.168.2.1: Destination host unreachable.
> Reply from 192.168.2.1: Destination host unreachable.
>
> Now the reason I am posting here is because I know that somehow
> shorewall is blocking this connection. The reason I know this is
> because if I issue a shorewall clear command the ping starts working
> instantly. So obviously something is blocking it. I've tried
> everything I can think of in the policy file.
> I've included it below.
>
> /etc/shorewall/policy:
> loc     net     ACCEPT
> net     all     DROP
> fw      fw      ACCEPT
> fw      net     ACCEPT
> fw      loc     ACCEPT
> loc     fw      ACCEPT
> vpn     loc     ACCEPT
> loc     vpn     ACCEPT
> locnic  loc     ACCEPT
> locnic  vpn     ACCEPT
> loc     locnic  ACCEPT
> vpn     locnic  ACCEPT
> all     all     REJECT

Try: (reasons below)

loc     loc     ACCEPT
loc     fw      ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
net     all     DROP
all     all     REJECT

> /etc/shorewall/interfaces
> net     eth0    detect  dhcp,routefilter,norfc1918
> loc     br0     detect

These are not needed here, part of br0.

> vpn     tap0
> locnic  eth1

/etc/shorewall/interfaces
net     eth0    detect  dhcp,routefilter,norfc1918
loc     br0     detect  routeback

Note the routeback.

> /etc/shorewall/zones:
> net     Net         Internet
> loc     Local       Local networks
> vpn     VPN
> locnic  LocalNic    Local Nic

Don't need vpn, locnic; they're part of loc because of br0. You could, but that needs the hosts file. In interfaces:

net     eth0    detect  dhcp,routefilter,norfc1918
-       br0     detect  routeback

and then in hosts:

loc     br0:eth1
vpn     br0:tap0

You'd need to modify the policies for this zone.

> /etc/shorewall/tunnels:
> openvpn:1194    net     0.0.0.0/0
>
> /etc/shorewall/rules
> ACCEPT  net     fw      udp     1194
>
> If it helps, another oddity I've noticed is that even though I can ping
> my openvpn server on 192.168.2.1, I cannot access my samba share
> \\192.168.2.1 until I again shorewall clear.

http://www.shorewall.net/samba.html

> If someone could please help me out I'd appreciate it. I've spent
> hours on this and I'm so close. Thanks

Should get you closer now.

Jerry
J P wrote:
> Hey all,
>
> I'm trying to set up a roadwarrior connection to my internal network. So
> I've set up openvpn to create a tap0 connection and also have bridged
> eth1 (leads to my internal computers 192.168.2.10-30) and tap0,
> which is the VPN connection. On my shorewall setup I have br0 mapped to
> zone loc and eth0 to be my internet, and I have masquerading on my br0 to

If you are using Fedora make sure you have the latest kernel... and FYI: the kernel is broken using bridge+IPSEC. Wish you luck...
Jerry Vonau or shorewall-users,

Hey man, thanks, that routeback did the trick in the interfaces file. However, in the interfaces file you said to use

- br0 detect routeback

If I use this "-" it gives me this error message. However, if I leave the "-" as "loc" it works fine.

Error: The routeback option may not be specified on a multi-zone interface

There is one small problem, which I can live with if I have to. With your changes I can access my internal computer via 192.168.2.30 and even by \\biggles, and I can access my windows shares. However, I still cannot access my samba share on my openvpn server \\192.168.2.1 even though I can ping the openvpn server. I'm guessing I am still missing something, as if I shorewall clear the \\192.168.2.1.

A second question. My internal network is usually 192.168.2.1, and to get this vpn working the way it is I had my openvpn use 192.168.2.40-50 as the assignable ips for the connecting computers. However, it would be good if I could use a different ip range for my connecting computers, say 192.168.3.X, as this would allow me to maintain connectivity with my work network. I tried setting the openvpn to 192.168.3.1 and using the:

push 192.168.2.0 255.255.255.0

However, when I bring up my openvpn server my br0 has 192.168.3.1 as it should. I cannot connect to my internal network because no interface on my network is 192.168.2.1 to distribute the communications to my internal computers. Is it possible to assign two ips to br0 so that this would work?

Thanks

On 8/5/05, Cristian Rodriguez <judas_iscariote@shorewall.net> wrote:
> If you are using Fedora make sure you have the latest kernel... and
> FYI: the kernel is broken using bridge+IPSEC. Wish you luck...
> Hey man, thanks, that routeback did the trick in the interfaces file.
> However, in the interfaces file you said to use
> - br0 detect routeback
> If I use this "-" it gives me this error message. However, if I leave
> the "-" as "loc" it works fine.
> Error: The routeback option may not be specified on a multi-zone interface

Oops, that should have been removed when you use the hosts file, with "-" in interfaces.

> There is one small problem, which I can live with if I have to. With
> your changes I can access my internal computer via 192.168.2.30 and
> even by \\biggles, and I can access my windows shares. However, I still
> cannot access my samba share on my openvpn server \\192.168.2.1 even
> though I can ping the openvpn server. I'm guessing I am still missing
> something, as if I shorewall clear the \\192.168.2.1.

Polishing off the crystal ball, I'd guess you're missing a rule for samba. Post the config files, OK?

> A second question. My internal network is usually 192.168.2.1, and to
> get this vpn working the way it is I had my openvpn use
> 192.168.2.40-50 as the assignable ips for the connecting computers.
> However, it would be good if I could use a different ip range for my
> connecting computers, say 192.168.3.X, as this would allow me to
> maintain connectivity with my work network. I tried setting the
> openvpn to 192.168.3.1 and using the:

The reason you use a tap device in the bridge is to pass the broadcasts. If you change the subnet, you change the broadcast address. If you want to do routing, use a tun device and no bridge.

> push 192.168.2.0 255.255.255.0
>
> However, when I bring up my openvpn server my br0 has 192.168.3.1
> as it should. I cannot connect to my internal network because no
> interface on my network is 192.168.2.1 to distribute the
> communications to my internal computers. Is it possible to assign two
> ips to br0 so that this would work?

Yes, but that is more complex than needed.

Jerry
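Jerry's two layouts from his first reply, with the correction from this reply that routeback belongs on the hosts entries rather than on a "-" multi-zone interfaces line, written out as complete files. This is an added example, not config posted in the thread; the zone names, the 192.168.2.x addresses, the loc/vpn policies and the udp 1194 tunnel entry come from the thread, while the Shorewall 2.x column layout, the log levels and the zone comments are assumptions.

```text
# ---- Variant 1: one zone on the bridge (eth1 and tap0 both in loc) ----
# 'fw' is the firewall itself (FW=fw in shorewall.conf), so it is not listed in zones.

# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Bridged LAN (eth1) plus OpenVPN tap0 clients

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
# routeback lets a frame that arrived on br0 (from eth1) leave on br0 again
# (to tap0) instead of being treated as a spoofed reply and dropped.
loc     br0         detect      routeback

# /etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
loc      loc   ACCEPT            # eth1 <-> tap0 traffic is loc -> loc here
loc      fw    ACCEPT
loc      net   ACCEPT
fw       net   ACCEPT
fw       loc   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# ---- Variant 2: separate loc and vpn zones on the same bridge ----

# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Wired LAN behind eth1
vpn     VPN       OpenVPN road warriors on tap0

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
# "-" means the zone is decided per port in /etc/shorewall/hosts. routeback
# must NOT appear on this line: Shorewall rejects it on a multi-zone interface.
-       br0         detect

# /etc/shorewall/hosts
#ZONE   HOST(S)     OPTIONS
loc     br0:eth1    routeback
vpn     br0:tap0    routeback

# /etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
loc      loc   ACCEPT
loc      vpn   ACCEPT            # the two bridge ports are now different zones,
vpn      loc   ACCEPT            # so both directions need an explicit policy
loc      fw    ACCEPT
vpn      fw    ACCEPT
fw       loc   ACCEPT
fw       vpn   ACCEPT
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# ---- Common to both variants ----

# /etc/shorewall/tunnels  (opens udp 1194 to the firewall from the net zone)
#TYPE          ZONE    GATEWAY
openvpn:1194   net     0.0.0.0/0
```

After editing, `shorewall check` validates the files before `shorewall restart` applies them; the thread's own test (connectivity returns after `shorewall clear`) remains the quickest way to tell a Shorewall block from a bridge problem.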
Jerry,

Here is my rules list. However, I can access my windows shares on 192.168.2.30 just fine; I can use either \\192.168.2.30 or \\biggles. If I can access that share, not sure why I would be blocked from the other shares.

/etc/shorewall/rules:
ACCEPT  net     fw                  tcp     22
DNAT    net     loc:192.168.2.26    tcp     8080
ACCEPT  net     fw                  udp     1194
DNAT    net     loc:192.168.2.22    tcp     80
ACCEPT  net     fw                  tcp     60000:65535
ACCEPT  net     fw                  tcp     21
ACCEPT  net     fw                  tcp     20
ACCEPT  net     fw                  tcp     1024
ACCEPT  net     fw                  udp     1024
ACCEPT  net     fw                  tcp     9176
ACCEPT  net     fw                  udp     9176
ACCEPT  net     fw                  tcp     514
ACCEPT  net     fw                  udp     514
DNAT    net     loc:192.168.2.30    tcp     1022
DNAT    net     loc:192.168.2.30    udp     1022
DNAT    net     loc:192.168.2.30    tcp     3784
DNAT    net     loc:192.168.2.30    udp     3784

Also, I don't believe I have any rules applied for samba shares, mostly because in my policy file I have:

loc     fw      ACCEPT
fw      loc     ACCEPT
loc     loc     ACCEPT  <-- from your prior post

Thanks again.

John

>> The reason you use a tap device in the bridge is to pass the broadcasts.
>> If you change the subnet, you change the broadcast address.
>> If you want to do routing, use a tun device and no bridge.

I'm not sure if that will work. Here is my ideal "dream": I want to hook up a home openvpn server to my brother's openvpn server, so that we have a shared network, so to speak. We can communicate across both networks with \\biggles, \\192.168.2.30 etc. I also want to have the ability to attach my laptop to my home openvpn server, and since it's attached to the home openvpn server it would be able to communicate across to my brother's.

My understanding of the reason you bridge a connection and use TAP is because you cannot do broadcasts or communicate outside of the actual openvpn server you're connected to. So I assumed you had to use the tap/bridge combination to do this. While I could have everyone change their ip addresses to the 192.168.2.xx range, I would have preferred being able to bridge different subnets, since I thought that was the purpose of bridging, so you could attach 192.168.2.0 and 192.168.3.0 so they cross-communicate. If I'm wrong please feel free to tell me. So if I am correct I should be able to do multiple subnets if I can specify a second IP on the br0. Which leads to my next question about what you said.

>> Yes, but that is more complex than needed.

Are you saying there is an easier way to accomplish what I want? It sounds as if you are saying that I can attach a 2nd ip (i.e. 192.168.2.1 and 192.168.3.1) to the br0. If there is a simpler way I'm all ears; otherwise just let me know that it is possible to attach another ip address to br0, and if you know any helpful websites I'd appreciate it.

Thanks.
> Here is my rules list. However, I can access my windows shares on
> 192.168.2.30 just fine; I can use either \\192.168.2.30 or \\biggles.
> If I can access that share, not sure why I would be blocked from the
> other shares.

Let's see a shorewall status, and the config files together, please.

<snip>

>> The reason you use a tap device in the bridge is to pass the broadcasts.
>> If you change the subnet, you change the broadcast address.
>> If you want to do routing, use a tun device and no bridge.

> I'm not sure if that will work. Here is my ideal "dream": I want to
> hook up a home openvpn server to my brother's openvpn server, so that
> we have a shared network, so to speak. We can communicate across both
> networks with \\biggles, \\192.168.2.30 etc. I also want to have the
> ability to attach my laptop to my home openvpn server, and since it's
> attached to the home openvpn server it would be able to communicate
> across to my brother's.

You can do that with wins/samba and routing.

> My understanding of the reason you bridge a connection and use TAP is
> because you cannot do broadcasts or communicate outside of the actual
> openvpn server you're connected to.

Not sure what you mean here. Passing the whole frame up the tunnel with the tap0 interface, just for samba, is a bit of a waste of bandwidth IMHO. Doing that for games, that is a different story. ;-)

> So I assumed you had to use the tap/bridge combination to do this. While I
> could have everyone change their ip addresses to the 192.168.2.xx range,
> I would have preferred being able to bridge different subnets, since I
> thought that was the purpose of bridging, so you could attach
> 192.168.2.0 and 192.168.3.0 so they cross-communicate. If I'm wrong
> please feel free to tell me. So if I am correct I should be able to do
> multiple subnets if I can specify a second IP on the br0. Which leads
> to my next question about what you said.

You're getting into a complex routing environment.

>> Yes, but that is more complex than needed.

> Are you saying there is an easier way to accomplish what I want? It
> sounds as if you are saying that I can attach a 2nd ip (i.e. 192.168.2.1
> and 192.168.3.1) to the br0. If there is a simpler way I'm all ears;
> otherwise just let me know that it is possible to attach another ip
> address to br0, and if you know any helpful websites I'd appreciate it.
>
> Thanks.

Need to see the layout of both sides of the common openvpn lans, and this is starting to become OT for this list. Adding the second ip address to the bridge is just a matter of aliasing a second one, just like an eth device.

Jerry
Jerry,

Ok, nvm the more complex stuff; I can play with that, you've given me some ideas. Attached is the shorewall status; it's quite large. Here is the problem I am in: although both my external and internal computers can ping 192.168.2.1 (openvpn server), it appears to be totally invisible to them, and the openvpn server, although it can ping the external / internal computers, cannot, say, access the windows shares.

I realize that windows shares sounds like a waste, but I am just using that to test. I am setting this up for games. It's just easier to test with this. It's as if I've turned my openvpn server box into nothing but a ping device. No server activities work through it unless it comes via the internet through eth0.

Hope you can help.

John
Jerry,

I've just realized another problem with this shorewall configuration. I haven't been home, and so it only just hit me when I remote desktopped into my home computer, a Windows XP machine: I've got no internet access on my internal network. This appears to mean that my internal network br0(eth1,tap0) is being blocked from accessing the internet through eth0. This may not be a shorewall problem, as if I do shorewall clear the problem still persists. But I thought I'd mention it. Wonder what would happen if I bridged br0(eth1,tap0,eth0)... prolly something horrible :P

Thanks
> Jerry,
>
> I've just realized another problem with this shorewall configuration.
> I haven't been home, and so it only just hit me when I remote desktopped
> into my home computer, a Windows XP machine: I've got no internet access
> on my internal network. This appears to mean that my internal network
> br0(eth1,tap0) is being blocked from accessing the internet through
> eth0. This may not be a shorewall problem, as if I do shorewall clear
> the problem still persists. But I thought I'd mention it. Wonder what
> would happen if I bridged br0(eth1,tap0,eth0)... prolly something
> horrible :P
>
> Thanks

63 11266 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0

This would be less painful if you just post your config files, and read the links I gave you earlier; go back and read them.

Jerry