I am running tinc v. 1.1pre (truly, as I read somewhere, "one of the internet's best kept secrets") on some consumer home routers flashed with Tomato firmware. I have a whole network of these, but for the purposes of this question I will focus on just three.

Router A (subnet 192.168.5.0/24) is connected via a standard tinc "router" mode network with Router B (subnet 192.168.15.0/24).

Router B, in addition to its connection with Router A in "router" mode, is also connected to Router C via a "switch" mode tinc network. Router C's IP address is 192.168.15.101. The switch mode network is using a separate device in tap mode and is configured manually on a different port from the "router" mode network.

Routers A & B can mutually ping each other, and I also have iptables forwarding rules so that any devices connected to them can ping each other across the tinc mesh as well.

Routers B & C can mutually ping each other, and all broadcast traffic from each side of the bridge passes over (i.e. one can see Windows network shares on devices connected to Router C from devices connected to Router B).

The problem is that Router A and Router C cannot see each other (nor can any of their connected hosts see the other's connected hosts). I would have expected that, since the switch-mode network is functioning at layer 2, Router C would be visible to Router A (or any hosts connected to Router A) on the router-mode network just like all the hosts that are directly connected to Router B. What am I missing?
Etienne Dechamps
2015-Jun-04 22:52 UTC
bridging tinc router mode network and switch mode network
Are you sure B is correctly configured to forward packets at the layer 3 level between the interface of the "router" tinc and the interface of the "switch" tinc? (iptables, etc.)

On router B, are you sure the node file for B on the "router" tinc is configured to announce the entire 192.168.15.0/24 subnet (i.e. Subnet = 192.168.15.0/24)? Otherwise B won't get the packets destined for C on the "router mode" tinc network.

If you run tcpdump (or any other sniffer) on B's "router" tinc interface while you're doing your tests, what do you see? Same question for the interface of the "switch" tinc. It should make it easier to see where the packets are getting lost.

On 4 June 2015 at 20:53, pjv <pjv at pjv.me> wrote:
> On Jun 4, 2015, at 5:52 PM, Etienne Dechamps <etienne at edechamps.fr> wrote:
>
> Are you sure B is correctly configured to forward packets at the layer 3 level between the interface of the "router" tinc and the interface of the "switch" tinc? (iptables, etc.)

No, I am not sure about this, and I think this is what I don't understand properly (and where I am missing something in my config). For me conceptually, I expect the link with Router C (switch) to be the same thing as if I plugged Router C into a LAN port on Router B with an ethernet cable. Can you tell me what kind of iptables rules I would need to forward packets back and forth between these two interfaces?

> On router B, are you sure the node file for B on the "router" tinc is configured to announce the entire 192.168.15.0/24 subnet (i.e. Subnet = 192.168.15.0/24)? Otherwise B won't get the packets destined for C on the "router mode" tinc network.

Yes, I am pretty sure about this. I have that Subnet line in the router-mode tinc config, and I can reach every device that is directly connected to B from devices that are directly connected to A.

> If you run tcpdump (or any other sniffer) on B's "router" tinc interface while you're doing your tests, what do you see? Same question for the interface of the "switch" tinc. It should make it easier to see where the packets are getting lost.

Here's some tcpdump output. Never used it before, so I don't know if I am looking at the right thing? I set up tcpdump in two sessions to simultaneously look at the router-mode interface and the switch-mode interface for packets destined for the LAN-side IP address of C. Then I pinged that IP address from a host on A.
Here is the output:

    tcpdump -n -i router-mode host 192.168.15.101
    06:05:54.444595 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
    06:05:55.448664 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
    06:05:56.456557 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 7, length 64

    tcpdump -n -i switch-mode host 192.168.15.101
    06:05:54.444753 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
    06:05:55.448801 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
    06:05:56.456694 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 7, length 64
    06:05:59.424665 ARP, Request who-has 192.168.15.101 tell 192.168.15.1, length 28
    06:05:59.426907 ARP, Reply 192.168.15.101 is-at xx:xx:xx:xx:xx:xx, length 28
    06:06:01.704496 ARP, Request who-has 192.168.15.101 tell 192.168.15.116, length 46
    06:06:02.393069 ARP, Request who-has 192.168.15.101 tell 192.168.15.211, length 46

(I xx'd out the MAC address, which was proper in the output.) Are those ARP requests significant? The host that was pinging (my laptop) got no reply, though if I instead ping hosts directly connected to B, it works fine.

> On 4 June 2015 at 20:53, pjv <pjv at pjv.me> wrote:
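The thread's diagnostic step (capture on both of B's tinc interfaces and see where the echo packets stop) can be mechanised. The script below is an added example, not code from the thread or from tinc: it correlates the two tcpdump -n captures by ICMP id/seq, checks whether C answered ARP on the switch side, and states which hop to look at next. The sample captures are constructed in the same format as the output above (the MAC address is made up).

```python
import re
from collections import defaultdict

# Constructed sample captures in the same format as tcpdump -n output on
# router B's two tinc interfaces (MAC address below is made up).
ROUTER_MODE = """\
06:05:54.444595 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
06:05:55.448664 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
"""
SWITCH_MODE = """\
06:05:54.444753 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
06:05:55.448801 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
06:05:59.424665 ARP, Request who-has 192.168.15.101 tell 192.168.15.1, length 28
06:05:59.426907 ARP, Reply 192.168.15.101 is-at 02:00:00:00:00:01, length 28
"""

ICMP_RE = re.compile(r"^\S+ IP ([\d.]+) > ([\d.]+): ICMP echo (request|reply), id (\d+), seq (\d+)")
ARP_REPLY_RE = re.compile(r"^\S+ ARP, Reply ([\d.]+) is-at ")

def parse(capture):
    """Map (icmp id, seq) -> set of kinds seen ('request'/'reply') in this
    capture, plus the set of IPs that answered an ARP request on it."""
    echoes, arp_answered = defaultdict(set), set()
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            echoes[(int(m[4]), int(m[5]))].add(m[3])
        m = ARP_REPLY_RE.match(line)
        if m:
            arp_answered.add(m[1])
    return echoes, arp_answered

def diagnose(router_cap, switch_cap, target):
    """Correlate one ping's packets across B's router-mode and switch-mode
    tinc interfaces and return a short verdict on where they stop."""
    r_echo, _ = parse(router_cap)
    s_echo, s_arp = parse(switch_cap)
    keys = set(r_echo) | set(s_echo)
    if not keys:
        return "no echo packets seen on either interface"
    req_r = all("request" in r_echo.get(k, ()) for k in keys)
    req_s = all("request" in s_echo.get(k, ()) for k in keys)
    rep_s = any("reply" in s_echo.get(k, ()) for k in keys)
    rep_r = any("reply" in r_echo.get(k, ()) for k in keys)
    if req_r and not req_s:
        return "requests stop at B: check ip_forward, the FORWARD chain and B's Subnet announcement"
    if req_s and not rep_s:
        arp = "C answers ARP" if target in s_arp else "no ARP reply from C"
        return f"requests reach the switch segment ({arp}) but no reply comes back: check C's return route to the source subnet"
    if rep_s and not rep_r:
        return "replies reach B on the switch interface but are not forwarded back: check the FORWARD chain for the return direction"
    return "echo request and reply seen on both interfaces: the path is complete"
```

Run it on real captures by reading each tcpdump session's output into a string and passing both to diagnose() with C's LAN address.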