Armin Schindler
2015-Nov-15 13:28 UTC
Packet loss when using multiple subnet#weight entries
Hello,

I have two servers (A and B) in separate locations. Both are connected together via two tinc switches to provide two subnets on both servers. This works pretty good. I can start my VMs on any server connected to one of those bridges without changing any routes.
The subnets hosted on both servers (each in a bridge) are 172.16.10.0/24 (mainly on A) and 172.16.11.0/24 (mainly on B)

Now I want to connect to those servers from a third location (C) via tinc router. The idea was to connect to both and have a failover route if one connection fails.
So I added on A:

    Subnet = 172.16.10.0/24#10
    Subnet = 172.16.11.0/24#20

And on B:

    Subnet = 172.16.11.0/24#10
    Subnet = 172.16.10.0/24#20

Basically it seems to route all correct. But I got packet loss when both tinc routers on A and B are running.
If I shutdown the tinc router on B, it works.

From C I try to ping B and got about 20% packet loss. A tcpdump shows that tinc packets are going to B and back. I can see the port 655 packet arriving at C, but the decrypted ping-reply does not appear.

What is happening to that packet? Is the tinc on C dropping it? Do I miss a rule or something.

Two servers run tinc 1.0.24, the other 1.0.26.

Thanks.
Armin
Armin Schindler
2015-Nov-18 07:25 UTC
Packet loss when using multiple subnet#weight entries
On 11/15/2015 02:28 PM, Armin Schindler wrote:
> Hello,
>
> I have two servers (A and B) in separate locations. Both are connected
> together via two tinc switches to provide two subnets on both servers.
> This works pretty good. I can start my VMs on any server connected
> to one of those bridges without changing any routes.
> The subnets hosted on both servers (each in a bridge) are
> 172.16.10.0/24 (mainly on A) and 172.16.11.0/24 (mainly on B)
>
> Now I want to connect to those servers from a third location (C) via
> tinc router. The idea was to connect to both and have a failover route
> if one connection fails.
> So I added on A:
> Subnet = 172.16.10.0/24#10
> Subnet = 172.16.11.0/24#20
> And on B:
> Subnet = 172.16.11.0/24#10
> Subnet = 172.16.10.0/24#20
>
> Basically it seems to route all correct. But I got packet loss when
> both tinc routers on A and B are running.
> If I shutdown the tinc router on B, it works.
>
> From C I try to ping B and got about 20% packet loss. A tcpdump shows
> that tinc packets are going to B and back. I can see the port 655 packet
> arriving at C, but the decrypted ping-reply does not appear.
>
> What is happening to that packet? Is the tinc on C dropping it? Do I
> miss a rule or something.
>
> Two servers run tinc 1.0.24, the other 1.0.26.

Please ignore this report about packet loss. After a lot of tests I found out that the packets got lost somewhere between C and A. Strange that it happened only with exactly that setup. Anyway, tinc is obviously not the cause.

But I have a question regarding "Subnet=" possibilities. When I have more than one Server acting as host for VMs and need to have automatic routing to all VMs on these servers, can I use tinc to create this routing automatically?

My idea is to have a script which is started when a VM is started/stopped which will add/remove a Subnet=x.x.x.x/32 entry for this VM's IP address in the local hosts file of that node and send a HUP signal to tincd.
Will tinc announce this new routing destination to all other nodes immediately?

Thank you!
Armin
On Wed, Nov 18, 2015 at 08:25:28AM +0100, Armin Schindler wrote:
> But I have a question regarding "Subnet=" possibilities. When I have more than
> one Server acting as host for VMs and need to have automatic routing to
> all VMs on these servers, can I use tinc to create this routing automatically?
>
> My idea is to have a script which is started when a VM is started/stopped
> which will add/remove a Subnet=x.x.x.x/32 entry for this VM's IP address in
> the local hosts file of that node and send a HUP signal to tincd.
> Will tinc announce this new routing destination to all other nodes immediately?

Yes, that will work. It might be a bit easier if you use the tinc 1.1 prerelease, or at least use the "tinc" command from 1.1, so you can add and remove subnets simply by running:

    tinc -n <netname> add Subnet x.x.x.x/32

If you are running a 1.1preX tincd, it will automatically get notified, if you are running a 1.0.x tincd, you have to do "tincd -n <netname> -kHUP" to have it update its Subnets.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
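The procedure discussed in this thread for a 1.0.x tincd (add or remove a `Subnet = x.x.x.x/32` line in the node's own host file, then send HUP), as an added example that is not part of the original messages or tinc's own code. The `/etc/tinc/<netname>/hosts/<nodename>` default, the function names and the `RELOAD` switch are assumptions; the address is validated so hook input cannot add other directives to the host file.

```shell
#!/bin/sh
# Added example (not from the thread): VM start/stop hook for a 1.0.x tincd.
# Assumed: config root /etc/tinc, the function names, the RELOAD switch.
TINC_CONF="${TINC_CONF:-/etc/tinc}"
RELOAD="${RELOAD:-1}"   # 0 = edit the host file only, do not signal tincd

# Accept only a dotted-quad IPv4 address, so hook input (for example a value
# taken from VM metadata) can never add other directives to the host file.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: vm_subnet add|del <netname> <nodename> <vm-ip>
vm_subnet() {
    action=$1 net=$2 node=$3 ip=$4
    case $action in add|del) ;; *) return 2 ;; esac
    case $net in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    case $node in ''|*[!A-Za-z0-9_]*) return 2 ;; esac
    valid_ipv4 "$ip" || return 2
    file="$TINC_CONF/$net/hosts/$node"
    [ -f "$file" ] || return 3
    line="Subnet = $ip/32"
    tmp=$(mktemp) || return 3
    # Remove any existing copy (fixed-string, whole-line match), then append
    # it again for "add": running the hook twice leaves exactly one entry.
    grep -vxF "$line" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 3; }
    if [ "$action" = add ]; then printf '%s\n' "$line" >> "$tmp"; fi
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 3
    # tinc 1.0.x re-reads its Subnets on HUP (command as given in the reply).
    if [ "$RELOAD" = 1 ]; then tincd -n "$net" -kHUP; fi
}

if [ $# -gt 0 ]; then vm_subnet "$@"; fi
```

Call it as `vm_subnet add <netname> <nodename> 172.16.10.5` from the VM start hook and with `del` from the stop hook. Only lines written in exactly the `Subnet = x.x.x.x/32` form are matched for removal.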