    Please see attached image of setup:

    I want to bridge Site A and Site B in a way that a PC at Site A can ping, share, etc. with any PC on Site B as if plugged in there. (PC A2 and PC A3 aren't in use yet – testing only with PC A1)

    VPN is setup and functions perfectly.

    I created a Bridge00 on each site: VPN-Interface + local-Lan-Interface

    I assigned one IP of the private Network in use to each bridge (,

    LAN interface on PC A1 (Windows 7) is set to automatic and that works fine: PC A1 gets an IP assigned by DHCP-B (from the other site).

    And now here’s the problem:

    PC A1 can ping only and

    ZS-A can ping only ZS-B (but not PC A1)
    ZS-A can arp only PC A1 and ZS-B

    ZS-B can arp and ping ZS-A
    ZS-B can arp, but not ping PC A1

    Any hints or ideas anyone how I get that bridge fully functional?

    Could routing be the problem? At Site B all PCs (except for ZS-B) use GW-B as default GW – as assigned by DHCP-B. ZS-A only has the dynamically assigned GW-A.

    Thank you all very much in advance!


    Looks fine to me.
    You generally cannot ping PC A1, maybe due to a firewall rule on Windows.
    Routing has nothing to do here, as all of your network is in the same broadcast domain. You just assign the default gateway for internet reachability and you assign the closest ZS.
    The way I see it your bridge is functioning properly.


    Hi ppalias,

    Thanks for your reply.

    Firewalls etc. crossed my mind too, but that shouldn’t prevent ZS-A successfully arping PC Bn?

    You just assign the default gateway for internet reachability and you assign the closest ZS.

    What exactly do you mean. Can you talk me through the steps as you would have done it?

    The way I see it your bridge is functioning properly.

    That's the weird thing. The actual bridge is up and running. Just the two sites behind it seem to not fully “see” each other.

    I don’t need any forwarding or other fw rules on the zs, do I?

    Thank you so very much!!!


    ARP is usually not affected by firewalls, at least the common and most used. If you block ARP you are risking to lose connectivity, so blocking it is not that easy.

    Regarding the other one with the gateway, I meant that PC Ax and ZS Site A should use GW A as default gateway and the others GW B. However this doesn’t provide failover in case GW A or B goes down.

    ZS should be fine without messing with the firewall or any other setting on the BRIDGE interface.


    That’s what I thought. Thanks for confirming.

    But it still doesn’t work… Too strange.

    I’ll try to do more testing with linux boxes only 😉

    I’ll keep you posted!


    Problem found and solved.

    ZS at Site B failed to bring up interfaces in promisc mode since it was in fact virtualised. I wasn’t aware of that…

    Activating promisc mode on the respective port group solved all above mentioned issues.

    Thank you very much again for your help!
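    As an added check for the failure mode described above (not code from the thread or from Zeroshell): the script below reads the same sysfs flags the kernel exposes and lists the member ports of a bridge that lack IFF_PROMISC. The kernel normally sets PROMISC on a port when it is enslaved to a bridge, so a port without it will not receive frames addressed to hosts on the far side of the bridge. Interface names (BRIDGE00, ETH00, VPN00) and the test tree are assumptions; note that inside a VM the guest flag can be set while the hypervisor still drops foreign-MAC frames, which is why the port group policy must be checked on the host as well.

```shell
#!/bin/sh
# Added example: list bridge member ports whose IFF_PROMISC flag is not set.
# SYSFS_NET is overridable so the functions can be run against a constructed
# sysfs tree instead of the live /sys/class/net.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
IFF_PROMISC=256          # 0x100 in <linux/if.h>

# is_promisc <hex-flags>: return 0 when IFF_PROMISC is set in the given value,
# 1 otherwise. The argument is the content of /sys/class/net/<iface>/flags.
is_promisc() {
    flags=$(( $1 ))      # shell arithmetic accepts the 0x-prefixed sysfs value
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# bridge_ports_without_promisc <bridge>: print every member port of <bridge>
# that is not promiscuous. Returns 0 if all ports are promiscuous, 1 if at
# least one is not, 2 if the bridge does not exist.
bridge_ports_without_promisc() {
    bridge="$1"
    brif="$SYSFS_NET/$bridge/brif"
    [ -d "$brif" ] || { echo "no such bridge: $bridge" >&2; return 2; }
    bad=0
    for port in "$brif"/*; do
        [ -e "$port" ] || continue          # bridge has no ports; glob did not expand
        name=$(basename "$port")
        flags=$(cat "$SYSFS_NET/$name/flags")
        if ! is_promisc "$flags"; then
            echo "$name"
            bad=1
        fi
    done
    return $bad
}

# Live usage on the bridging host (hypothetical bridge name from the thread):
#   bridge_ports_without_promisc BRIDGE00
```

A port reported here on a virtualised ZS is the guest-side symptom; the fix, as in the thread, is on the hypervisor's port group policy.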


    Damn those virtual machines…


    really interesting. thanks


    I have a similar configuration, however I defined GW A as the default gateway in site B.

    My idea is that all traffic in site B destined to the internet will flow through the VPN and exit to the internet via GW A.

    With this configuration PCs on site B can open only some internet websites. If I do a speedtest ( I can only measure download speed; the upload speed test fails all the time.

    Is this a firewall problem?

