I can honestly see your issue being anywhere in layers 2-7 of the OSI model. Layer 1 seems fine. I think before you can assume that it's iptables that is the cause of the issue, you need to take it step by step through each layer.

Layer 1 - Physical, you have ruled out because of what you've said.

Layer 2 - Data Link Layer (which has 2 sub-layers, Logical Link Control and MAC) could be the issue, but I doubt it in this case, unless you are using MAC filtering or something of that nature. Bridges do work at this layer though, as do layer 2 switches.

Layer 3 - Network - lots to chew on here. Switches and routers operate here. Do you have a managed switch involved?

Layer 4 - Transport - maybe. It could be a protocol issue, but you need to work through the lower layers first.

Layer 5 - Session - since you are using VPN, that creates a session (just like applications create sessions too. Could it be something like the session isn't being fully established? Again.. more information is needed.)

Layer 6 - Presentation.

Layer 7 - Application.

As for what you wrote....

So eth0 is LAN-side and ppp0 is WAN side, but the vpn clients can connect but can't ping the server or any other pc on my lan and the server or my lan pcs can't ping the clients."

Are you connecting your VPN clients from outside your LAN or testing this from within it? Is the server in a DMZ? Is the server in a DMZ that is completely isolated from the LAN or not? Did you subnet something somewhere?

Again... more information is needed. We need to rule some things out, gather more data to properly assess the situation.

"The bridge is setup correctly and the setup of the openvpn server looks right and the clients got an ip from my lan and a route to it so routing looks fine"

These are assumptions. From what you've described thus far, I doubt that things are setup correctly in these areas or on this network or it would all work. Do not rule anything out based on assumptions. When you said the client PCs on the LAN get an IP, I am reading that as you are using DHCP vs. static IPs on your LAN, correct?

"problem must be the iptables firewall."

Do not assume that. Work through the OSI layers first and be methodical, not jumping around from here to there guessing what it may or may not be. Rule things out after researching and testing first. then move onto the next layer.

"The requirements for the firewall are : my Lan can do anything except receiving or posting windows shares, netbios etc over the internet or vpn the vpn clients can do anything except receiving or posting windows shares, netbios etc over the vpn and they can not access the internet over the vpn."

So you have blocked port 445 and opened port 1723, correct? How are you enforcing these rules of what people can and cannot do? Solely via iptables or do you have other methods of control involved? Other permissions set elsewhere may be part of, or the cause of your issue.

More information is required.

Starting at Layer 2, please research, test, confirm that it's working and then post your results here.

the vpn clients connect from wan side, my dhcp server is configured to provide 192.168.1.2 - 192.168.1.127 to the pcs on my lan and the openvpn internal dhcp gives the clients an ip from 192.168.1.129 - 192.168.1.254, so no collision of those dhcp servers. The only static ip i have is 192.168.1.1 (the server/router/gateway). There is no DMZ, managed routers or switches or what so ever. The vpn session is fully established says the clients log. As you can see in the firewall script i am blocking ports 137-139, 445 (windows shares/netbios stuff) on nearly every interface and opening port 1195 for vpn on ppp0 so that the vpn clients could connect over the internet.

something worked out now, the vpn clients can ping each other and the server but no pc on my lan, the server and the pcs on my lan CAN NOT ping the vpn clients. i changed the firewall a litle :

The iptables command. Shorter and sure.

ipt="/sbin/iptables"

The network interface.

ifWan=ppp0 ifVpnB=br0 ifVpn=tap+

VPN_PORT=1195

FIREWALL STOP

...

FIREWALL START/RELOAD/RESTART

echo "Building firewall..."

Modules

modprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_MASQUERADE modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat modprobe iptable_filter

Flush current rules.

$ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -t nat -F PREROUTING $ipt -t nat -F POSTROUTING $ipt -t nat -F OUTPUT $ipt -F $ipt -X

Set default policies

$ipt --policy INPUT DROP $ipt --policy OUTPUT ACCEPT $ipt --policy FORWARD DROP $ipt -t nat --policy PREROUTING ACCEPT $ipt -t nat --policy POSTROUTING ACCEPT

SYN flood protection

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

LOOPBACK

echo "Setting LOOPBACK rules" $ipt -A INPUT -i lo -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT

WAN

echo "Setting WAN rules" $ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -i $ifWan -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpn -j ACCEPT

VPN

echo "Setting VPN rules" $ipt -A INPUT -i $ifVpn -j ACCEPT

$ipt -A OUTPUT -o $ifVpn -j ACCEPT

$ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

BRIDGE

echo "Setting BRIDGE rules" $ipt -A INPUT -i $ifVpnB -j ACCEPT

$ipt -A OUTPUT -o $ifVpnB -j ACCEPT

$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

Portforwarding

...

Masquerading

$ipt -t nat -A POSTROUTING -j MASQUERADE echo "Done!"

Firstly, why are you using Bridged mode if you are blocking NetBIOS communication between clients and network? This is the main reason to use bridged mode in my opinion. If you don't need to access Windows shares over the VPN then I would suggest routed mode which will simplify the configuration.

Having said that, far be it from me to tell you what to do so, have you checked that the network interface adaptor used as part of your bridged interface has sucessfully enabled promiscuous mode? This is a requirement for bridged networking, and a common reason why traffic is not passed from the LAN to the VPN clients.

Regards, Lozman.