SuSE - 2 network interfaces - NAT?

Dear everybody!

Given: a SuSE server (11.1) with 2 network cards.
I managed to get this far: from outside, through the server's external network card (with no public IP, for example: 80.60.40.20), I can connect to OpenVPN and ping the internal network card (192.168.1.254).
The external OpenVPN client's IP address will be 10.0.0.4, hooray! We can ping the server's internal network card.
On the server, /etc/sysctl.conf was extended with the following:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
#net.ipv6.conf.all.forwarding = 1
fs.inotify.max_user_watches = 65536
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1

The internal interface (192.168.1.254) is a DHCP server; it assigns IPs (192.168.1.1-250).
There are 5 clients on the internal network.
The error is: we cannot ping the internal clients (e.g. 192.168.1.135) from the connected external OpenVPN client.
The internal clients can get out to the Internet, so masquerading and port forwarding work; they were set up in YaST under [YaST -> Firewall -> Masquerading].
For example, requests arriving on the internal network card for port 80 are forwarded to the same port on the external network card.
(There is squid, so, as an exception, port 80 goes to 3128, but that is not important in this case, because this concerns outgoing connections.)
http://takrisz.fw.hu/1/ovpn/alcazas.jpg
The Debian folks said that NAT is needed.
Can this be set somewhere in YaST, so that writing iptables lines can be avoided?
Objective: as an OpenVPN client connected from outside via the 80.60.40.20 network card, to see the computers on the internal network, for example to be able to ping the machine 192.168.1.135.

In the /etc/sysconfig/SuSEFirewall2 file I specified that the following script (iptables) runs when the firewall starts:

/etc/sysconfig/scripts/SuSEFirewall2-custom: how do I write iptables rules into it?

Thank you very much in advance for your help!