Hello, I've been using tinc v1.0 for the last few weeks in router mode, to great success. It's EXACTLY what I was looking for in a VPN at the time: most of the security of IPSEC with none of the interoperability issues.

However, a few days ago, I got a VOIP phone that doesn't use IP without paying several thousand extra dollars on top of what we've already spent on the phone system. Checking sniff dumps of the phone <-> phone protocol, I found that the phones appear to use MAC addresses as their only identifier. Therefore, no routing. Therefore, router mode won't work. Therefore, I tried out switch mode.

I checked the documentation on http://tinc.nl.linux.org/examples/bridging and from that example, it appears to be a Linux system using 802.1d bridging. However, I don't see any place in the documentation that tells you how to set that up under Linux (or any other OS for that matter); there appears to be just that one page that gives any information about the switch setup. If I ignored a document, could you please point it out to me? Otherwise, I have a few questions:

1) Is the bridge device necessary? It was my understanding that the tap device was able to "see" frames like a pcap device, so I'd THINK it would be possible to perform the actions of a switch without the bridge device, that is, grab & forward ARP requests & replies between networks, use that information to build a MAC table & use the MAC table to determine when to transmit traffic over the VPN.

2) If the bridge device IS necessary, is an extra interface with no IP address assigned to it necessary? By extra I mean do you need more than one interface on both bridge endpoints, and do both the interface This appears to be the case in the bridging example.

3) Of course this whole project relies on whether or not tinc's switch mode can even do what I require. I assume it can properly pass packets from one network to another with their MAC addresses intact (like a switch) :) Hopefully I haven't been wasting my time :)

Here's the information on the two current networks: two networks, both with hosts set up to run tinc, which are configured as Linux 2.4.21 (universal tun/tap), with tinc v1.0.

"Total" network: 10.3.0.0/16
Network A: 10.3.1.0/24, interface I want to run tinc on (eth0) 10.3.1.1 netmask 255.255.0.0 broadcast 10.3.255.255
Network B: 10.3.2.0/24, interface I want to run tinc on (eth0) 10.3.2.1 netmask 255.255.0.0 broadcast 10.3.255.255

I use TCPonly mode because my firewall at one location is NOT iptables, and therefore does not have a way to set the NAT'd source port.

From what the bridging doc says, it would seem like I should set eth0 on both tinc boxes to 0.0.0.0 and set the bridge running on each to the 10.3.x.1 IPs. Would I also set the tinc-created tun/tap virtual interface to 0.0.0.0 as well? Any hints, pointers to more in-depth resources (if the bridging document isn't the most representative of all of the available options)?

Brian

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
On Sun, Aug 24, 2003 at 03:40:07PM -0700, Brian Costello wrote:

> I checked the documentation on http://tinc.nl.linux.org/examples/bridging and from that example, it appears to be a Linux system using 802.1d bridging. However, I don't see any place in the documentation that tells you how to set that up under Linux (or any other OS for that matter); there appears to be just that one page that gives any information about the switch setup. If I ignored a document, could you please point it out to me? Otherwise, I have a few questions:

There are no ignored documents.

> 1) Is the bridge device necessary? It was my understanding that the tap device was able to "see" frames like a pcap device, so I'd THINK it would be possible to perform the actions of a switch without the bridge device, that is, grab & forward ARP requests & replies between networks, use that information to build a MAC table & use the MAC table to determine when to transmit traffic over the VPN.

The tap device doesn't work like a pcap device. It doesn't capture packets from other network devices; it is a network device in itself. You can think of it as an extra Ethernet card in your computer, except that there is no UTP cable sticking out, but tinc will handle all the packets it sends/receives. You don't have to use a bridge device, but then only traffic originating from the computers running tinc will go via the VPN. If you have a real Ethernet card in your computer and you want the LAN attached to it to be able to access the VPN, then you have to use the bridge to make a "connection" between the real Ethernet interface and the virtual Ethernet interface.

> 2) If the bridge device IS necessary, is an extra interface with no IP address assigned to it necessary? By extra I mean do you need more than one interface on both bridge endpoints, and do both the interface This appears to be the case in the bridging example.

If you need to bridge, you always have two or more interfaces, all of which should have their IP addresses removed. Only the bridge interface will have an IP address.

> 3) Of course this whole project relies on whether or not tinc's switch mode can even do what I require. I assume it can properly pass packets from one network to another with their MAC addresses intact (like a switch) :)

Yes :)

> Here's the information on the two current networks:

[...]

Looks ok.

> From what the bridging doc says, it would seem like I should set eth0 on both tinc boxes to 0.0.0.0 and set the bridge running on each to the 10.3.x.1 IPs. Would I also set the tinc-created tun/tap virtual interface to 0.0.0.0 as well?

Yes.

> Any hints, pointers to more in-depth resources (if the bridging document isn't the most representative of all of the available options)?

If it doesn't work the first time, just try out different things to get a feeling for it.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
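The setup Guus confirms for site A (eth0 and tinc's tap at 0.0.0.0, only the bridge holding 10.3.1.1/16), written as the tinc-up script tinc invokes after creating its tap interface. This is an added example, not from the thread or the tinc project; the bridge name br0, the tinc.conf sketched in the comments, and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# tinc-up for the site-A box (added example; assumed layout, not tinc's own).
# Assumed /etc/tinc/vpn/tinc.conf on this box:
#   Name = siteA
#   Mode = switch      # forward whole Ethernet frames, MAC addresses intact
#   TCPOnly = yes      # the non-iptables NAT cannot pin a UDP source port
#   ConnectTo = siteB
# tinc runs this script with $INTERFACE set to the tap device it created.
# Site B uses the same script with BR_ADDR=10.3.2.1.

BRIDGE=${BRIDGE:-br0}
LAN_IF=${LAN_IF:-eth0}
BR_ADDR=${BR_ADDR:-10.3.1.1}
BR_MASK=${BR_MASK:-255.255.0.0}
BR_BCAST=${BR_BCAST:-10.3.255.255}

# run: execute a command, or only print it when DRY_RUN is set, so the plan
# can be reviewed before it is applied to a box reached over eth0 itself.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_up: put the real NIC and tinc's tap into one 802.1d bridge, strip
# both members of any IP address, and give the site address to the bridge.
# An ssh session that came in over eth0's old address drops until br0 is up,
# so this belongs in tinc-up (one uninterrupted run), not typed by hand.
bridge_up() {
    tap=$1
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$LAN_IF"
    run brctl addif "$BRIDGE" "$tap"
    run ifconfig "$LAN_IF" 0.0.0.0 up
    run ifconfig "$tap" 0.0.0.0 up
    run ifconfig "$BRIDGE" "$BR_ADDR" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

# Only act when tinc invoked us (it exports INTERFACE); sourcing the file
# for inspection does nothing.
if [ -n "$INTERFACE" ]; then
    bridge_up "$INTERFACE"
fi
```

Run it once with DRY_RUN=1 INTERFACE=vpn0 to print the six commands before letting tinc apply them.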