I can’t seem to find info about a layer 2 tinc tap interface bridge with a local physical NIC.

I have successfully created a two-node configuration with tinc acting as a switch. My problem is that Ethernet packets only flow between the two nodes and not to hosts on the bridged NIC.

Example:
Server 1 - eth0 bridged with the tinc tap device; the bridge then gets an IP via the DHCP server on the physical NIC subnet.
Server 2 - local virtual VM tap device bridged with the tinc tap device.

Server 2 can’t discover DHCP on Server 1’s physical network; however, Server 2 sees Server 1 directly. (Bridge sort of working: I can manually set an IP on the VM tap device on Server 2 and ping Server 1’s IP.) However, I can’t ping any devices on Server 1’s network, as if layer 2 packets for them are discarded. I still see these packets in tinc debug. It is probably not tinc’s fault, but some tweaking needs to be done to the bridge. Still, maybe some examples for such a use case would be good for the tinc VPN project.

Below is my config:

Server 1 /etc/network/interfaces
-----------------------------------------------------
root at debianserver:~# cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# Local physical nic - bridge to br0
auto eth0
iface eth0 inet manual

# Bridge for physical nic and tinc (on tinc-up will add tinc tap device here)
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_fd 0

Server 1 /etc/tinc/netname/tinc.conf
-----------------------------------------------------
root at debianserver:~# cat /etc/tinc/netname/tinc.conf
Name = debianserver
AddressFamily = ipv4
Mode = switch
ConnectTo = hetznerpve
Compression = 0
PMTU = 1492
PMTUDiscovery = yes

Server 1 /etc/tinc/netname/tinc-up
-----------------------------------------------------
#!/bin/sh
brctl addif br0 $INTERFACE
ip link set dev $INTERFACE up

Server 1 /etc/tinc/netname/tinc-down
-----------------------------------------------------
#!/bin/sh
ip link set dev $INTERFACE down
brctl delif br0 $INTERFACE

Server 2 /etc/network/interfaces
-----------------------------------------------------
root at pve:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp2s0 inet manual

# Public network IP (enp2s0 interface bridge)
auto vmbr0
iface vmbr0 inet static
    address 88.198.xx.xxx
    netmask 255.255.255.224
    gateway 88.198.xx.xxx
    bridge_ports enp2s0
    bridge_stp off
    bridge_fd 0

# Bridge for VM private network
# (on VM startup will add VM tap device here and on tinc-up will add tinc tap device here)
auto vmbr2
iface vmbr2 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

Server 2 /etc/tinc/netname/tinc.conf
-----------------------------------------------------
root at pve:~# cat /etc/tinc/netname/tinc.conf
Name = hetznerpve
AddressFamily = ipv4
Mode = switch
ConnectTo = debianserver
Compression = 0
PMTU = 1492
PMTUDiscovery = yes

Server 2 /etc/tinc/netname/tinc-up
-----------------------------------------------------
#!/bin/sh
brctl addif vmbr2 $INTERFACE
ip link set dev $INTERFACE up

Server 2 /etc/tinc/netname/tinc-down
-----------------------------------------------------
#!/bin/sh
ip link set dev $INTERFACE down
brctl delif vmbr2 $INTERFACE
Hello Alexander,

On Sat, 18 Aug 2018 13:36:39 +0300, Alexander Donets <alex at dreamisdead.tk> wrote:

> I can’t seem to find info about layer 2 tinc tap interface bridge with local physical nic.

Just wild guessing: maybe you need to add explicit firewall rules for allowing the flow of traffic over the bridge?
Or maybe disable filtering over the bridge via sysctl?
    net.bridge.bridge-nf-call-iptables=0
    net.bridge.bridge-nf-call-ip6tables=0
(see "grep . /proc/sys/net/bridge/bridge-nf-call-*")

Cheers,
Lars
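Lars’ sysctl hint and the tinc-up scripts from the first message, combined in an added example that is not from the thread: a tinc-up for Mode = switch that wires $INTERFACE into the bridge with iproute2 instead of brctl and warns when any bridge-nf-call-* hook is still enabled, since then every bridged frame is also run through iptables. The bridge name br0 and the sample grep output are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own tinc-up. Assumes bridge "br0" (override
# with BRIDGE=...) and that tincd exports INTERFACE, as it does for tinc-up.
set -eu

BRIDGE="${BRIDGE:-br0}"

# Parse lines as printed by "grep . /proc/sys/net/bridge/bridge-nf-call-*",
# e.g. "/proc/sys/net/bridge/bridge-nf-call-iptables:1", read from stdin.
# Prints the names of hooks whose value is 1, space separated, or "none".
enabled_bridge_hooks() {
    hooks=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}; name=${name##*/}   # strip ":value" and the /proc path
        value=${line##*:}
        [ "$value" = "1" ] && hooks="${hooks:+$hooks }$name"
    done
    printf '%s\n' "${hooks:-none}"
}

# Attach the tinc tap device to the bridge, bring it up, and report whether
# bridge netfilter hooks are active on this host (the thread's suspect).
tinc_up() {
    iface="${INTERFACE:?tincd sets INTERFACE}"
    ip link set dev "$iface" master "$BRIDGE"
    ip link set dev "$iface" up
    if [ -d /proc/sys/net/bridge ]; then
        hooks=$(grep . /proc/sys/net/bridge/bridge-nf-call-* 2>/dev/null | enabled_bridge_hooks)
        if [ "$hooks" != "none" ]; then
            echo "warning: bridge netfilter hooks active ($hooks); bridged frames traverse iptables" >&2
        fi
    fi
}

# Constructed sample output (not captured from either server in the thread) so the
# parser can be exercised on a machine without a bridge.
SAMPLE_SYSCTL='/proc/sys/net/bridge/bridge-nf-call-arptables:0
/proc/sys/net/bridge/bridge-nf-call-ip6tables:1
/proc/sys/net/bridge/bridge-nf-call-iptables:1'

demo_check() { printf '%s\n' "$SAMPLE_SYSCTL" | enabled_bridge_hooks; }

# Under tincd do the real work; run by hand, just show the parser on the sample.
if [ -n "${INTERFACE:-}" ]; then tinc_up; else demo_check; fi
```

On the sample, demo_check reports "bridge-nf-call-ip6tables bridge-nf-call-iptables", which is the state Lars suggests turning off.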
Thanks, I looked into it, but both hosts have it disabled.

Server 1 (Debian) is actually a VM running on Hyper-V on a Windows host; the host NIC is then bridged with the VM and the VM then bridges it to tinc <- here I think some problem happened.
Server 2 (Debian) is actually a host running Debian (Proxmox), and has a private virtual NIC bridged with tinc for the VMs there.

I figured out that this is a very overcomplicated setup, and to simplify things I moved tinc on Server 1 from the VM to the Hyper-V host, since tinc supports Windows, then I bridged the tinc tap device and the host NIC directly. Voilà! Problem solved. I see packets on both hosts’ bridged LANs.

Speed is decent; I’m not expecting wonders here since it’s a layer 2 VPN network. I’m using old stable tinc though, from the Debian repositories with RSA keys; maybe there are some speed improvements to get on 1.1.

So yeah, the problem was with the bridge and not tinc’s fault; actually I don’t think one can configure tinc wrong. Tinc is very easy to set up! Thanks everyone involved for making such great VPN software!

> 18 Aug 2018, 19:15, Lars Kruse <lists at sumpfralle.de>:
>
> Hello Alexander,
>
> On Sat, 18 Aug 2018 13:36:39 +0300, Alexander Donets <alex at dreamisdead.tk> wrote:
>
>> I can’t seem to find info about layer 2 tinc tap interface bridge with local physical nic.
>
> just wild guessing: maybe you need to add explicit firewall rules for allowing
> the flow of traffic over the bridge?
> Or maybe disable filtering over the bridge via sysctl?
> net.bridge.bridge-nf-call-iptables=0
> net.bridge.bridge-nf-call-ip6tables=0
> (see "grep . /proc/sys/net/bridge/bridge-nf-call-*")
>
> Cheers,
> Lars