[Firehol-support] Bridged OpenVPN

Daniel L. Miller dmiller at amfes.com
Tue May 16 05:19:38 BST 2006


I just figured out something that's been driving me NUTS - thought I'd 
share it just in case somebody else has been struggling with this.  
Intermittently, I found that my firewall permissions would quit working 
- and about the only way I could get the back was to reboot my firewall 
server.  Obviously, this is totally unacceptable.

While I was checking everything else I could think of, I noticed 
something.  Because I'm using OpenVPN with a bridged interface, I have 
two LAN routable interfaces on my firewall.  For purposes of illustration:

foxy:/etc/iproute2# ip route
<snip>
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.9
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
<snip>

I thought to myself, "Self, you might remember that the routing table is 
processed in order.  So if the bridged interface appears first . . . 
routing Internet requests to internal hosts might get routed via the 
bridged interface.  Do you HAVE any bridge interface definitions in you 
firehol.conf file?"

I answered myself, "No.  I didn't know I needed that . . . ."

So, changing the related router definition to:
router x2lan inface "${EXT_X_IF}" outface "${LAN_IF} ${BR_IF}"

And pre-defining my variables of course - seems to have solved my 
problem.  I'm assuming that my problems have come from re-starting the 
OpenVPN server, which would change the routing table.  This should end 
that particular problem.

Moral of the story:  if you have more than one interface connected to 
the same network - make sure they're all accounted for in your firewall 
definitions.
--
Daniel




More information about the Firehol-support mailing list