I apologize that this is long. But I think the details may have a clue to what is going on.

I've been fighting a TomatoUSB OpenVPN issue for just over a week now. I've spent many, many hours poring over the details. I built up two E2000 routers using the 1.28 beta code: tomato-E2000-1.28.9054MIPSR2-beta-vpn3.6.bin

I followed the directions here: http://www.wasagacomputers.com/home/2010/8/10/tutorial-site-to-site-vpn-using-tomato-firmware-and-openvpn.html

In the lab, the two VPN configurations acted just fine. The lab being just over a switch in my internal network. Each had a 192.168.x.x internal address range and was able to completely function. I thought that was it. Tomato has always been excellent quality, no issues ever.

So, I bring the systems into router production for a couple of small offices. They replaced the sole gateway for each network. Router A (VPN server) in the local town comes online and works fine in its non-VPN features. Later that day, the second router (VPN client) arrives at Office B in another city, comes online, connects to Router A, and all is well. The VPN connects and everything can ping everything. Yay, instant victory!

The night comes, and I add a test/lab TomatoVPN to the mix from a third location. It works just fine. All three networks are having a ping fest, pinging away. No settings changed (other than adding the third network to the "Allow Client<->Client" list). I play with the pings/access and eventually disconnect the lab. I'm as happy as an admin can be.

Come morning, Router A and Router B stop allowing pings to the devices behind themselves. For example: Router A can ping Router B (internally) but can ping none of the hosts behind Router B. And likewise in the other direction. But each router can ping the hosts behind itself. For example: Router A can ping all the clients on Network A, and Router B can ping all the hosts on Network B.

I've seen this problem described time and time again on the forums. But none of the solutions have applied. I've toggled NAT on and off, toggled which networks are in the "Allow Client<->Client" lists, and so many others.

So, I get a third E2000 router, rebuild its configuration identical to the server setup on Router A, bring it into the office, and put it online in place of the original Router A. Suddenly, all sorts of weirdness starts happening. Now, SOME hosts on each network can be pinged by the remote side. But not all of them. And unfortunately, not the most important one to this office.

For example: now 192.168.1.1 (Router B) can ping 192.168.200.84 (LAN printer), 192.168.200.140 (wireless laptop), 192.168.200.180 (network drive), 192.168.200.197 (wireless iPhone), and a few others. But it can't ping the primary server 192.168.200.7 and several other clients. Yet all of these systems can be pinged by the local Router A, so I know they have ICMP enabled. And the same happens in the opposite direction: Router A can ping a few of the hosts on Network B, but not all of them. Again, some of the unpingable hosts are pingable on the local network, so I know their ICMP is not disabled.

I'm pulling what little hair I have out over this. Any help is greatly appreciated.

VPN Server config pages: Page One, Page Two, Page Three, Page Four

VPN Client config pages: Page One, Page Two, Page Three, Page Four

The only difference from my lab configuration is that the external interface is getting its IP from PPPoE rather than just a DHCP pull. But I don't see how that would impact a specific section of the network from routing.

Thanks for any help.