[Firehol-support] Bridged OpenVPN

Goetz Bock bock at blacknet.de
Tue May 16 06:13:03 BST 2006 

On Mon, May 15 '06 at 21:19, Daniel L. Miller wrote:
> While I was checking everything else I could think of, I noticed 
> something.  Because I'm using OpenVPN with a bridged interface, I have 
> two LAN routable interfaces on my firewall.  For purposes of illustration:
> 
> foxy:/etc/iproute2# ip route
> <snip>
> 192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.9
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
> <snip>
> 
> I thought to myself, "Self, you might remember that the routing table is 
> processed in order.  So if the bridged interface appears first . . . 
> routing Internet requests to internal hosts might get routed via the 
> bridged interface.  Do you HAVE any bridge interface definitions in you 
> firehol.conf file?"
Stupid question: why do you have two interfaces on your "lan".

I'm running a simmilar configuration, but for me the OpenVPN uses tap0
and my lan eth0, both are part of br0 and only br0 appears in the
routing table.

root at box:~# ip route
...
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.3 
...
route at box~# ip addr
...
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:c0:a8:ff:03 brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue qlen 100
    link/ether ca:fa:08:6c:c9:0f brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether ca:fa:08:6c:c9:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global br0
route at box: brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.cafa086cc90f       yes             eth0
                                                        tap0
                                                        
I use br0 in my firehol rules, and keep in mind you need a router from
br0 to br0.
--  
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /       (c) 2006 Creative Commons, Attribution-ShareAlike 2.0 de
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]

More information about the Firehol-support mailing list