Hallo list, I'm using openvpn and SuSEfirewall. Oenvpn is running fine, but my routing won't work. My local network (eth0) is 192.168.1.0/24 My tunnel net (tun1) is 192.168.2.0/24 So I'm trying to route the both nets, but I get for every protocol from the SuSEfirewall: SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3 Any Ideas, what is wrong? My SuSEfirewall config: My SuSEfirewall: FW_QUICKMODE="no" FW_DEV_EXT="ppp0" FW_DEV_INT="eth0 tun1" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="0/0" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="8890:8893 http https ssh" FW_SERVICES_EXT_UDP="isakmp" FW_SERVICES_EXT_IP="" FW_SERVICES_EXT_RPC="" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_DMZ_RPC="" FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="esp" FW_SERVICES_INT_RPC="" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24" FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="yes" FW_FORWARD="" FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_KERNEL_SECURITY="yes" FW_ANTISPOOF="no" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="int" FW_IGNORE_FW_BROADCAST="no" FW_ALLOW_CLASS_ROUTING="no" FW_CUSTOMRULES="" FW_REJECT="no" FW_HTB_TUNE_DEV="ppp0,125" FW_IPv6="" FW_IPv6_REJECT_OUTGOING="yes" FW_IPSEC_TRUST="int" FW_IPSEC_MARK="" FW_LOG="" My SuSEfirewall-custom: fw_custom_before_masq() { iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT true } Best regards, Hans