Daniel L. Miller dmiller at amfes.com
Tue May 16 08:24:41 BST 2006

Goetz Bock wrote:
> On Mon, May 15 '06 at 21:19, Daniel L. Miller wrote:
>> While I was checking everything else I could think of, I noticed 
>> something.  Because I'm using OpenVPN with a bridged interface, I have 
>> two LAN routable interfaces on my firewall.  For purposes of illustration:
>> foxy:/etc/iproute2# ip route
>> <snip>
>> dev br0  proto kernel  scope link  src
>> dev eth0  proto kernel  scope link  src
>> <snip>
>> I thought to myself, "Self, you might remember that the routing table is 
>> processed in order.  So if the bridged interface appears first . . . 
>> routing Internet requests to internal hosts might get routed via the 
>> bridged interface.  Do you HAVE any bridge interface definitions in your 
>> firehol.conf file?"
> Stupid question: why do you have two interfaces on your "lan".
> I'm running a similar configuration, but for me the OpenVPN uses tap0
> and my lan eth0, both are part of br0 and only br0 appears in the
> routing table.
> root at box:~# ip route
> ...
> dev br0  proto kernel  scope link  src 
> ...
> route at box~# ip addr
> ...
> 2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether fe:fd:c0:a8:ff:03 brd ff:ff:ff:ff:ff:ff
> 3: tap0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue qlen 100
>     link/ether ca:fa:08:6c:c9:0f brd ff:ff:ff:ff:ff:ff
> 4: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
>     link/ether ca:fa:08:6c:c9:0f brd ff:ff:ff:ff:ff:ff
>     inet brd scope global br0
> route at box: brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.cafa086cc90f       yes             eth0
>                                                         tap0
> I use br0 in my firehol rules, and keep in mind you need a router from
> br0 to br0.
To your "stupid" question - I give this wise and well thought-out 
answer:  I'm chicken.

VPN stuff gave me such a headache - especially when trying to 
re-configure my office server via my home connection - that I gave 
myself a weasel way out.  My firewall actually has three NICs in it - 
one connected to my Internet T-1 and two connected to my LAN.  With this 
method, I can screw around with one interface and still preserve the 
other if something goes haywire with the VPN setup.
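The condition Daniel noticed, the same LAN subnet showing up as a connected route on two devices (br0 and eth0), is easy to spot mechanically. The following shell check is an added example, not code from the thread or from FireHOL or OpenVPN; the route lines and the RFC 5737 documentation addresses in SAMPLE_ROUTES are constructed here, since the archive stripped the real prefixes. On a live box the same function runs over the output of `ip route`.

```shell
#!/bin/sh
# Constructed sample of `ip route` output (RFC 5737 documentation ranges,
# not addresses from the original mail). Two "proto kernel scope link"
# entries for one subnet on two different devices is the situation the
# thread describes: the kernel picks one, and the firewall's interface
# rules must cover both.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth1
192.0.2.0/24 dev br0  proto kernel  scope link  src 192.0.2.1
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.1
203.0.113.0/30 dev eth1  proto kernel  scope link  src 203.0.113.2'

# Read `ip route` text on stdin and print every connected (scope link)
# prefix that is reachable via more than one device, followed by the
# device names. Prints nothing when each subnet sits on exactly one device,
# which is what Goetz's all-in-br0 layout gives you.
dup_connected_routes() {
    awk '
        /scope link/ {
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            devs[$1] = (devs[$1] == "" ? dev : devs[$1] " " dev)
            n[$1]++
        }
        END { for (p in n) if (n[p] > 1) print p, devs[p] }
    '
}

# Wrapper that runs the check over the embedded sample.
# On a real firewall:  ip route | dup_connected_routes
check_sample() {
    printf '%s\n' "$SAMPLE_ROUTES" | dup_connected_routes
}

check_sample
```

An empty result after moving eth0 into the bridge (so only br0 carries the LAN address) confirms that the routing table no longer has an ordering-dependent choice to make, and that a single br0 interface definition in firehol.conf covers all LAN traffic.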
