# deeper understanding bridges

## nivw

hi all,

In order to connect my own lan and a remote one, I run openvpn between the lans' gateways.

So my lan gateway is the openvpn server. The remote lan gateway is running an openvpn client.

As I wanted to use avahi between the two lans, I use openvpn in layer 2, so I get a tap0 device on both ends.

On my lan gateway I setup a bridge br0:

 *Quote:*   

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.000d6151yyyy       yes             eth1
                                                        wlan2
...
```

Now on the remote lan gateway I also setup a bridge, br0:

 *Quote:*   

```
bridge name     bridge id               STP enabled     interfaces
br0             8000.0002b317xxxx       yes             eth1
                                                        tap0
...
```

I see the remote MAC announcements in the openvpn log, so the server "knows" about the remote hosts.

But, I can't ping the remote gateway (192.168.14.2) from my gateway (192.168.14.70).

why?

----------

## nivw

according to this, I am configuring it right:

http://www.shorewall.net/OPENVPN.html#id36132361

----------

## RNHavens

EDIT: removed stupid questions...

This seems more informative.

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

----------

## nivw

Ya, I already read it. But in this setup I am not using the server's dhcp.

I give the remote server an IP address in the same subnet, as I wrote.

But I can't ping it.

If I take tap0 out of the bridge on the server side, give it this IP address 192.168.14.10/255.255.255.240

and change the bridge to 192.168.14.70/255.255.255.240,

I then can ping the client gateway, 192.168.14.2.

New thought:

After boot, tap0 is not a part of the server's bridge.

I issue:

 *Quote:*   

```
# brctl addif br0 tap0
```

and I only see this line in the /var/log/messages:

 *Quote:*   

```
device tap0 entered promiscuous mode
```

How come it doesn't advance to show forwarding mode?

----------

## AngelKnight

Start with the basics.  On the bridge on the "local" side (192.168.14.70/24), do you or do you not see an ARP entry for 192.168.14.70? ("/sbin/ip neigh show")  If not, find out why packets don't seem to pass the OpenVPN tunnel in L2 mode.

Start simple; take 802.1 bridging out, set up two TAPs (192.168.14.70/32 on the local and 192.168.14.2/32 on the remote), then add direct-connected routes to the companion IP on each side and see whether or not ARP adjacencies form.

----------

## nivw

I am using the default /etc/init.d/openvpn file.

and here is `grep tap0 /etc/conf.d/net`:

 *Quote:*   

```
tuntap_tap0="tap"
config_tap0=( "null" )
...
```

After I boot, the client manages to connect to the server. I need to do these three things to get it all working:

1. ifconfig tap0 0.0.0.0

2. brctl addif br0 tap0

3. wait until I see that tap0 enters forwarding state in /var/log/messages

How do I avoid this, using /etc/conf.d/net?
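The three manual steps above as one script, added here as an example and not taken from the thread. It assumes iproute2 and brctl are installed, root privileges, and the Linux bridge sysfs layout `/sys/class/net/<bridge>/brif/<port>/state`; bridge and port names default to br0 and tap0 but can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the thread): automates the three manual steps
# above. Assumes iproute2 and brctl, root privileges, and Linux bridge
# sysfs at /sys/class/net/<bridge>/brif/<port>/state.
BR="${BR:-br0}"
PORT="${PORT:-tap0}"
SYSFS="${SYSFS:-/sys/class/net}"   # overridable so the checks run offline

# Symbolic STP state of port $2 on bridge $1. The kernel encodes it as
# 0 disabled, 1 listening, 2 learning, 3 forwarding, 4 blocking;
# "absent" means the port is not enslaved to that bridge.
port_state() {
    f="$SYSFS/$1/brif/$2/state"
    [ -r "$f" ] || { echo absent; return 1; }
    case "$(cat "$f")" in
        0) echo disabled ;;   1) echo listening ;;
        2) echo learning ;;   3) echo forwarding ;;
        4) echo blocking ;;   *) echo unknown ;;
    esac
}

# Poll once per second until port $2 of bridge $1 is forwarding or
# $3 seconds have elapsed. Returns 0 when forwarding, 1 on timeout.
wait_forwarding() {
    i=0
    while [ "$i" -lt "$3" ]; do
        [ "$(port_state "$1" "$2")" = forwarding ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Steps 1 and 2: a bridge member carries no address of its own, so flush
# the address (the "ifconfig tap0 0.0.0.0" of the post) before adding it.
enslave() {
    ip addr flush dev "$PORT"
    ip link set "$PORT" up
    brctl addif "$BR" "$PORT"
}

# Step 3: with STP on, the port sits in listening and learning for one
# forward delay each (15 s by default), so the timeout is well over 30 s.
if [ "${1:-}" = run ]; then
    enslave
    wait_forwarding "$BR" "$PORT" 45 || {
        echo "$PORT on $BR still $(port_state "$BR" "$PORT")" >&2; exit 1; }
    echo "$PORT is forwarding on $BR"
fi
```

Run it as `sh bridge-tap.sh run`; without the `run` argument it only defines the functions, so `port_state br0 tap0` can be used on its own to check why a port has not reached forwarding.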

----------

## erik258

If you can see remote layer 2 traffic, your bridge and VPN are working.

Your problem probably lies on layer 3; are your servers configured to allow forwarding?

Below you can see that my computer had ip_forwarding disabled. If I were a routing VPN endpoint, I would be refusing to forward local traffic through the VPN.

I turn on IP forwarding (as root) and then show the results with my `cat` testcase.

```
dan@leroy ~ $ cat /proc/sys/net/ipv4/ip_forward 
0
leroy ~ # echo 1 > /proc/sys/net/ipv4/ip_forward 
dan@leroy ~ $ cat /proc/sys/net/ipv4/ip_forward 
1
```

----------

