On Wed, Feb 07, 2007 at 02:46:57PM -0800, Jonathan Whiteman wrote:
> Thank you both for your responses.  I have made this diagram
> clearer because I sort of *am* using the same subnet on both
> sides of the bridge... or at least that was my intent, but
> obviously the address ranges have to be separate on both sides
> of the bridge even though the netmasks need to be the same.

There mustn't be duplicate addresses, of course, but the client
machines on both sides need to use the same subnet mask and have
addresses in the same subnet.

> Tun1 on firewall 1 (the openvpn server) does not
> have any ip address however I *have* configured the
> openvpn server to hand out 192.168.254.1 ONLY to the client
> on firewall 2, so en1 and tun0 on firewall 2 both are
> configured with the same ip address and subnet mask...
> it seemed like I needed this for the actual bridge of en1 and
> tun0 to behave but I won't claim that means I did it correctly
> in the first place.

Bridging should work without any addresses specified at all.
Try changing the hostname.if config to "up" instead of an IP address
unless you need an IP address to manage the machine. Having the same IP
on two interfaces bridged together might work but isn't very logical.
In any case, since it is bridging, the addresses shouldn't matter...

You might also want to change the setup so that the clients behind
firewall 2 use firewall 2's address as the default gateway, so you don't
connect to the rest of the world through the VPN (unless that is what
you want for some reason). Even then only en1 should be configured with
an IP address and the tun should just be left "link0 up". I doubt the
bridge functionality depends on the addresses, it must be something
else.

You might want to try broadcast pinging in one network, preferably
from a machine that is not the firewall and using tcpdump to see
where the packets disappear (adding "log" to the default block
rule helps).
