Peter Allgeyer wrote:

> BTW: Is an "Ethernet tunnel" a useful scenario on a gateway?

That's really a good question... I would have no use for it, but I suppose it's reasonable for someone to want to route NetBIOS/BEUI or IPX, although I can't imagine how well that would fare. It's definitely possible to have trusts between Windows domains on two IP blocks, but I guess that NetBIOS over TCP would take care of that... I guess that that's the kind of thing that should be a hidden option; most people have no need for it, but some may. Also, it may be useful for VLANs.

> Still the experienced admins want to have as many
> features as possible to configure through the GUI.

I agree, and I don't think that they shouldn't... My point is that the VPN should interact with different systems in different ways depending on how it's set up... I think that it's easier on everyone if there are certain distinct modes of operation, based on how the systems interact with each other. Perhaps there should be hidden *_adv.php for experts, rather than forcing them to edit the config file and reboot the firewall... and perhaps if they use it, they should be precluded from editing a given connection the normal way. That way, they can choose what system does what, and know that they're taking a risk of breaking something if they're not careful. It would have one of those red 'This page is not supported...' pages.

Another note: if OpenVPN depends on the DHCP server or something else, that configuration should be tied to OpenVPN, so when one thing changes, so does the other... This goes back to my prior complaint about NAT rules not being tied to their firewall rules. If you kill a VPN server, its DHCP and bridging rules should die also, etc.

Sorry if that wasn't entirely coherent, I haven't really slept lately.