Sorry just for the sake of correctness:

em0 and em1 are the devices on firewall 2, not en0 and en1...
that's a typo.

Jonathan Whiteman wrote:
Thank you both for your responses.  I have made this diagram
clearer because I sort of *am* using the same subnet on both
sides of the bridge... or at least that was my intent, but
obviously the address ranges have to be separate on both sides
of the bridge even though the netmasks need to be the same.

Perhaps with this further clarification one of you might be
able to explain to me what exactly I've done wrong here:


           |------PUBLIC INTERNET ------|
           |                            |
     ------|-----                -------|-----
     |    en0   |                |     dc0   |
     |          |                |           |
     |firewall 2|                |firewall 1 |
     |          |                |           |
     |{en1 tun0}------------------{tun1 sis0}|
     ----|-------                ---------|---
         |                                |
ip:       192.168.254.1           192.168.250.1
subnet:   255.255.248.0           255.255.248.0
network:  192.168.248.0           192.168.248.0
broadcast:192.168.255.255         192.168.255.255

So, sis0 (192.168.250.1) is the primary gateway (and dns server
actually) for all clients behind both firewalls.  The subnet
mask given to all clients as well as the physical devices sis0
on firewall 1 and en1 on firewall 2 is the same as well:
255.255.248.0.

Tun1 on firewall 1 (the openvpn server) does not
have any ip address however I *have* configured the
openvpn server to hand out 192.168.254.1 ONLY to the client
on firewall 2, so en1 and tun0 on firewall 2 both are
configured with the same ip address and subnet mask...
it seemed like I needed this for the actual bridge of en1 and
tun0 to behave but I won't claim that means I did it correctly
in the first place.

Thanks again in advance for everyone's time,
~jon
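As an added example (not code from the thread or from either firewall's configuration), the address plan drawn in the diagram above can be checked with Python's ipaddress module: it derives network and broadcast for each interface from the address and netmask, confirms that the LAN interfaces on both firewalls fall in the same /21, and flags a host that carries the same address on two interfaces, as the diagram shows for en1 and tun0 on firewall 2. The interface table is constructed from the diagram, using the names as drawn (the follow-up corrects en0/en1 to em0/em1); interfaces whose addresses the thread does not give are left out.

```python
import ipaddress
from collections import defaultdict

# Interface table constructed from the diagram in the thread:
# (host, interface, address, netmask). Only interfaces with an
# address stated in the thread are listed.
INTERFACES = [
    ("firewall 2", "en1",  "192.168.254.1", "255.255.248.0"),
    ("firewall 2", "tun0", "192.168.254.1", "255.255.248.0"),
    ("firewall 1", "sis0", "192.168.250.1", "255.255.248.0"),
]


def describe(address, netmask):
    """Return (network in CIDR form, broadcast address) for an address/netmask pair."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    return str(net), str(net.broadcast_address)


def same_network(interfaces):
    """True when every interface in the table sits in one and the same IP network."""
    nets = {ipaddress.ip_interface(f"{a}/{m}").network for _, _, a, m in interfaces}
    return len(nets) == 1


def duplicate_addresses(interfaces):
    """Map host -> {address: [interface names]} for every address that is
    configured on more than one interface of the same host."""
    by_host = defaultdict(lambda: defaultdict(list))
    for host, name, address, _mask in interfaces:
        by_host[host][address].append(name)
    return {
        host: {addr: names for addr, names in addrs.items() if len(names) > 1}
        for host, addrs in by_host.items()
        if any(len(names) > 1 for names in addrs.values())
    }


def report(interfaces=INTERFACES):
    """Build a human-readable summary of the plan; returned as a list of lines."""
    lines = []
    for host, name, address, mask in interfaces:
        net, bcast = describe(address, mask)
        lines.append(f"{host} {name}: {address}/{mask} network={net} broadcast={bcast}")
    lines.append(
        "all listed interfaces share one network: " + ("yes" if same_network(interfaces) else "no")
    )
    for host, dups in duplicate_addresses(interfaces).items():
        for addr, names in dups.items():
            lines.append(f"{host}: address {addr} is configured on {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the block reproduces the network (192.168.248.0/21) and broadcast (192.168.255.255) values given under the diagram for both sides and reports that firewall 2 has 192.168.254.1 on both en1 and tun0; the table can be extended with further (host, interface, address, netmask) rows to check a different plan.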
