# Bridging tap with em1



## hac3ru (Jun 24, 2015)

Hello,

I've installed an OpenVPN server with a TAP interface, so I can bridge it with the physical network. I can connect to the VPN, and if I assign an IP address to the tap interface I can ping it through the VPN, but I can't really bridge it. I mean, I can ping the IP on the bridge interface through the VPN, but that's where it stops. From the other end, the network that I'm trying to get to, I can't even ping the bridge interface.

Here's `ifconfig`

```
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
  ether 00:50:56:ac:22:dd
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active

tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=80000<LINKSTATE>
  ether 00:bd:7a:03:00:00
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect
  status: active
  Opened by PID 612

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 02:95:97:96:cc:00
  inet 172.23.0.16 netmask 0xfffff000 broadcast 172.23.15.255
  nd6 options=9<PERFORMNUD,IFDISABLED>
  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
  maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
  member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 4 priority 128 path cost 2000000
  member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 2 priority 128 path cost 20000
```

Here is a ping from 172.23.0.1 to 172.23.1.216 (the IP at the other end of the VPN connection), as seen by `tcpdump` on the OpenVPN machine.

```
08:38:07.919256 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:07.919883 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
08:38:08.925555 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:08.926207 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
08:38:09.956645 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:09.957512 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
08:38:10.961915 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:10.962562 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
08:38:11.965183 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:11.965848 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
```
Still, on 172.23.0.1 I get this:

```
11:38:07.592573 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:38:08.598917 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:38:09.629812 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:38:10.635227 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:38:11.638515 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
```
This means that the traffic doesn't leave the OpenVPN machine.

P.S. These are virtual machines, hosted on an ESXi 5.1 host (maybe it matters).
Does anyone have any ideas?


----------



## SirDice (Jun 24, 2015)

They're different types of network that cannot be bridged. You can only bridge two ethernet (or similar) interfaces. A bridge is a layer 2 connection, a VPN usually doesn't have layer 2 (unless you use L2TP).

You will have to use traditional routing to connect the two networks.


----------



## hac3ru (Jun 24, 2015)

SirDice said:


> They're different types of network that cannot be bridged. You can only bridge two ethernet (or similar) interfaces. A bridge is a layer 2 connection, a VPN usually doesn't have layer 2 (unless you use L2TP).
> 
> You will have to use traditional routing to connect the two networks.


Actually, you can bridge a TAP with an ethernet interface. That's the whole point of using TAP, simulating a layer 2 link... 
Anyway, it seems that the problem was the virtualization. The VLAN in the VDS was set to "Reject Forged Transmissions". Once I allowed the forged transmissions to pass through, it was all well... sort of. I'm getting duplicates for some reason. Does anyone have any ideas why that might be?


----------



## kpa (Jun 24, 2015)

I vaguely remember that you need to give one of the member interfaces an IP address and then things start to work; I never found any explanation for why this happens.


----------



## hac3ru (Jun 24, 2015)

kpa said:


> I vaguely remember that you need to give one of the member interfaces an IP address and things start to work, I never found any explanation why this happens.


Yes, you are right. For some reason one of the physical interfaces MUST have an IP address. It doesn't even have to be an IP from the same network. It just needs an IP.
Still, as I said, that's solved, but some servers in the network that I'm trying to reach are sending me a duplicate response and some aren't. I have no idea why this is happening. Do you have any clue, or any ideas about what I should check?


----------
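Both symptoms in this thread show up in ARP captures: in the first post, replies are visible on the OpenVPN machine but never reach 172.23.0.1 (the bridge forwards the VPN client's reply out em1 with the client's source MAC, which the VDS port group's "Reject Forged Transmissions" setting drops), and in the last post some hosts answer twice. The following is an added example, not code from the thread or from OpenVPN: a small Python parser for tcpdump's ARP lines that compares a capture taken on the OpenVPN box with one taken on the far host, reports whether replies vanish between the two points, counts replies per request to flag duplicates, and lists which MACs are answering for the target IP. The function names (`parse_capture`, `replies_per_request`, `diagnose`) are this example's own; the first two sample captures reuse the lines posted above, and the third, with the doubled reply, is constructed to exercise the duplicate check.

```python
import re

# Constructed sample captures. SERVER_SIDE and CLIENT_SIDE reuse lines from
# the thread; CLIENT_DUPLICATE is invented to show a doubled ARP reply.
SERVER_SIDE = """\
08:38:07.919256 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:07.919883 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
08:38:08.925555 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 46
08:38:08.926207 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 28
"""

CLIENT_SIDE = """\
11:38:07.592573 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:38:08.598917 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
"""

CLIENT_DUPLICATE = """\
11:40:01.100000 ARP, Request who-has 172.23.1.216 tell 172.23.0.1, length 28
11:40:01.100600 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 46
11:40:01.100900 ARP, Reply 172.23.1.216 is-at 12:6d:4b:b0:00:2a, length 46
"""

# tcpdump's default ARP line format: "<ts> ARP, Request who-has A tell B, length N"
# or "<ts> ARP, Reply A is-at MAC, length N".
ARP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, "
    r"(?:Request who-has (?P<req_ip>[\d.]+) tell (?P<asker>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})), length (?P<len>\d+)$"
)


def parse_capture(text):
    """Turn tcpdump ARP output into a list of request/reply events, in order."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # non-ARP or unparseable line: ignore it
        h, mi, s = m["ts"].split(":")
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if m["req_ip"]:
            events.append({"t": t, "kind": "request", "ip": m["req_ip"], "asker": m["asker"]})
        else:
            events.append({"t": t, "kind": "reply", "ip": m["rep_ip"], "mac": m["mac"]})
    return events


def replies_per_request(events, ip):
    """For each request for `ip`, count the replies that arrive before the next request."""
    counts = []
    for ev in events:
        if ev["ip"] != ip:
            continue
        if ev["kind"] == "request":
            counts.append(0)
        elif counts:  # a reply with no preceding request is not attributed to anything
            counts[-1] += 1
    return counts


def diagnose(server_text, client_text, target_ip):
    """Compare the capture on the bridging host with the one on the far host."""
    srv = parse_capture(server_text)
    cli = parse_capture(client_text)
    srv_counts = replies_per_request(srv, target_ip)
    cli_counts = replies_per_request(cli, target_ip)
    macs = {e["mac"] for e in srv + cli if e["kind"] == "reply" and e["ip"] == target_ip}
    return {
        "server_requests": len(srv_counts),
        "server_replies": sum(srv_counts),
        "client_requests": len(cli_counts),
        "client_replies": sum(cli_counts),
        # Replies exist on the bridge host but none reach the client: the frames are
        # dropped on egress (here, by the vSwitch rejecting the forged source MAC).
        "replies_lost_between_server_and_client": sum(srv_counts) > 0 and sum(cli_counts) == 0,
        # More than one reply per request: the "duplicates" from the last post.
        "duplicate_replies_on_server": sum(1 for c in srv_counts if c > 1),
        "duplicate_replies_on_client": sum(1 for c in cli_counts if c > 1),
        # Two different MACs answering for one IP would mean an address conflict
        # rather than a duplicated frame; one MAC twice means the frame was copied.
        "answering_macs": sorted(macs),
        "conflicting_macs": len(macs) > 1,
    }


if __name__ == "__main__":
    print(diagnose(SERVER_SIDE, CLIENT_SIDE, "172.23.1.216"))
    print(diagnose(SERVER_SIDE, CLIENT_DUPLICATE, "172.23.1.216"))
```

To use it on real data, run `tcpdump -n -i bridge0 arp` on the OpenVPN machine and `tcpdump -n arp` on the far host at the same time, and feed each file's contents to `diagnose` with the IP you are pinging. If `answering_macs` contains a single MAC but `duplicate_replies_on_client` is non-zero, the same frame is reaching the host twice; if it contains two MACs, two machines claim the address.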

