I have two internal networks, 192.168.9.0/24 and 192.168.0.0/24, each connected to the internet and each connected as a VPN via tinc (device vpn). The gateways are 192.168.9.1 and 192.168.0.1. Attached to the 192.168.9.0/24 network is another network, 172.16.1.0/24, via a gateway 192.168.0.1 <==> 172.16.1.1.

On the 192.168.0.1 gateway I have routes (route -n) like this:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    x.x.x.152       0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    172.16.1.0      192.168.9.1     255.255.255.0   UG    0      0        0 vpn
    192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 vpn
    0.0.0.0         x.x.x.158       0.0.0.0         UG    0      0        0 eth0

And on 192.168.9.1, route -n looks like this:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    y.y.y.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
    192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 vpn
    0.0.0.0         y.y.y.1         0.0.0.0         UG    0      0        0 eth0

The gateway for 172.16.1.0/24 has a route for 192.168.0.0/16 that points to the 192.168.9.1 machine.

I can ping hosts on 172.16.1.0/24 from 192.168.9.1. I can ping hosts on 192.168.9.0/24 from 172.16.1.0/24. This tells me that my routes between these two networks are correct.

I can ping hosts on 192.168.0.0/24 from 192.168.9.0/24. I can ping hosts on 192.168.9.0/24 from 192.168.0.0/24. This tells me that the tinc VPN is working between these two networks.

The problem I am having is that on any host in 172.16.1.0/24, if I attempt to ping a host on 192.168.0.0/24, the packets get dropped somewhere. Traceroute shows:

    $ tracert 192.168.15.201
    Tracing route to 192.168.0.10 over a maximum of 30 hops

      1    <10 ms    <10 ms    <10 ms  172.16.1.1
      2     *         *         *      Request timed out.

This shows that the route to 192.168.0.0/24 is going to the right location on the local network; it just isn't going across the tinc VPN. I get similar behavior pinging hosts on 172.16.1.0/24 from 192.168.0.0/24.

Does tinc support gateway routing to other networks across its interfaces? Otherwise it works great and I enjoy using it.

Clark

-- 
TINC development list, tinc-devel@nl.linux.org
Archive: http://mail.nl.linux.org/tinc-devel/
On Fri, Oct 10, 2003 at 08:41:24AM -0500, Clark Rawlins wrote:

> Does tinc support gateway routing to other networks across its interfaces?

In router mode (the default), no. But on the other hand, you don't need gateway routes when running tinc in router mode, and normally gateway routes do work but the gateway address is ignored (either by the kernel or by tinc).

If you explicitly want traffic from 172.16.1.0/24 to go to 192.168.0.0/24 via the tinc daemon on 192.168.9.1, you should add "IndirectData = yes" to the host config file of the tinc daemon of 172.168.1.0/24, otherwise tinc will send traffic from 172.168.1.0/24's tinc daemon directly to 192.168.0.0/24's daemon, without sending it first to 192.168.9.1.

> The problem I am having is that on any host in 172.16.1.0/24 if I
> attempt to ping a host on 192.168.0.0/24 the packets get dropped somewhere.
> Traceroute shows.

You can get more information from tinc using the -d and -D options.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
I'll try that, but to clear up an apparent misunderstanding: the 192.168.9.1 machine is multi-homed with 172.16.1.1, so they are the same machine.

I added IndirectData = yes and I still get the same results.

What I had hoped would happen is that traffic from 192.168.0.0/24 headed for 172.16.1.0/24 would be routed via the vpn device to the gateway specified for 172.16.1.0/24, which is 192.168.9.1; from there the traffic would be routed to the eth2 interface, which is the local subnet on the multi-homed host 192.168.9.1 - 172.16.1.1, and from there to its final destination. This doesn't seem to happen for some reason.

You said that the gateway route gets ignored by either the kernel or by the tinc daemon? My understanding (which may be flawed) was that for a gateway route the kernel receives a packet, examines its destination, and then compares it to the entries in the routing table. For each entry in the routing table it bitwise ANDs the destination address with the subnet mask for the routing entry, and then, if the result is equal to the network in the routing entry, it is sent to the interface and, in the case of a gateway route, to the host specified as the gateway. Then, in the case of Ethernet, the kernel would look up the hardware address for the gateway router in the ARP table and, if not found, ARP on the destination interface for the gateway address. Once it has the hardware address for the gateway address, it sends the packet to the gateway address as an Ethernet unicast message.

I don't know how this compares to what tinc does; perhaps you could enlighten me?

Clark

> -----Original Message-----
> From: Guus Sliepen [mailto:guus@sliepen.eu.org]
> Sent: Friday, October 10, 2003 9:13 AM
> To: tinc-devel@nl.linux.org
> Cc: Clark Rawlins
> Subject: Re: tinc and routing
>
> On Fri, Oct 10, 2003 at 08:41:24AM -0500, Clark Rawlins wrote:
>
> > Does tinc support gateway routing to other networks across
> > its interfaces?
>
> In router mode (the default), no. But on the other hand, you don't need
> gateway routes when running tinc in router mode, and normally gateway
> routes do work but the gateway address is ignored (either by the kernel
> or by tinc).
>
> If you explicitly want traffic from 172.16.1.0/24 to go to
> 192.168.0.0/24 via the tinc daemon on 192.168.9.1, you should add
> "IndirectData = yes" to the host config file of the tinc daemon of
> 172.168.1.0/24, otherwise tinc will send traffic from 172.168.1.0/24's
> tinc daemon directly to 192.168.0.0/24's daemon, without sending it
> first to 192.168.9.1.
>
> > The problem I am having is that on any host in 172.16.1.0/24 if I
> > attempt to ping a host on 192.168.0.0/24 the packets get
> > dropped somewhere.
> > Traceroute shows.
>
> You can get more information from tinc using the -d and -D options.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus@sliepen.eu.org>
After talking to Guus offline, the answer is to let tinc know it needs to handle packets for additional networks. In the host file (on each machine in the VPN), adding an additional Subnet line

    Subnet = 172.16.1.0/24

lets tinc know to route packets for that network to that host.

Clark

> -----Original Message-----
> From: Guus Sliepen [mailto:guus@sliepen.eu.org]
> Sent: Friday, October 10, 2003 10:37 AM
> To: tinc-devel@nl.linux.org
> Cc: Clark Rawlins
> Subject: Re: tinc and routing
>
> On Fri, Oct 10, 2003 at 09:46:31AM -0500, Clark Rawlins wrote:
>
> > I'll try that but to clear up an apparent misunderstanding:
> > The 192.168.9.1 machine is multi-homed with 172.16.1.1 so they
> > are the same machine.
>
> Ah okay, that explains why IndirectData doesn't have any effect :)
>
> > What I had hoped would happen is that traffic from 192.168.0.0/24
> > headed for 172.16.1.0/24 would be routed via the vpn device to the
> > gateway specified for 172.16.1.0/24 which is 192.168.9.1 from there
> > the traffic would be routed to the eth2 interface which is the local
> > subnet on the multi-homed host 192.168.9.1 - 172.16.1.1 and
> > from there to its final destination.
>
> Hm. Could you send me your tinc-up scripts and the configuration files
> in the hosts/ directory?
>
> > This doesn't seem to happen for some reason.
> > You said that the gateway router gets ignored by either the
> > kernel or by the tinc daemon? My understanding (which may be flawed)
> > was that for
> [...]
> > Once it has the hardware address for the gateway address it
> > sends the packet to the gateway address as an ethernet unicast message.
>
> Correct.
>
> > I don't know how this compares to what tinc does perhaps
> > you could enlighten me?
>
> Why the kernel would ignore the gateway address:
>
> If you use tinc 1.0 or later and the universal tun/tap device from the
> Linux kernel, tinc will use that device in tun mode, which means it is
> not an Ethernet interface, but a pure IP interface. In that case, there
> are no Ethernet addresses involved, and the gateway address is not used
> at all by the kernel.
>
> Why tinc would "ignore" the gateway address:
>
> Well, in router mode, tinc can only route IPv4 and IPv6 packets. ARP is
> not an IPv4 protocol, it is something Ethernet specific. It does not
> forward broadcast ARP requests to all other tinc daemons in the VPN.
> However, tinc has built-in proxy-arp that will fake replies for ARP
> requests it receives on the virtual network device. If you specify a
> gateway address for the route, then the kernel will send ARP requests
> for that gateway address. If you omit it, then the kernel will send ARP
> requests for the destination address of the packets you send. Tinc
> responds to both requests, the kernel is happy because it now knows an
> Ethernet address, sends it to the virtual network device, and tinc will
> route the packets to the correct destination tincd (without looking at
> the Ethernet address, just at the IP addresses in the packets).
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus@sliepen.eu.org>
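The fix Clark arrived at, written out as an added example rather than configuration taken from the thread: the host file of the multi-homed 192.168.9.1 / 172.16.1.1 node announces both of the networks behind it, and that same file is copied into the hosts/ directory of every node in the VPN. The node names gw9 and gw0, the public addresses y.y.y.N and x.y.x.N, and the minimal tinc.conf are assumptions for the sake of the example; the Subnet lines are the ones the thread describes.

```ini
# /etc/tinc/vpn/tinc.conf on the 192.168.9.1 machine (assumed node name gw9).
# Router mode is the default, so no Mode line is needed.
Name = gw9
ConnectTo = gw0
Device = /dev/net/tun

# /etc/tinc/vpn/hosts/gw9
# This file is the one tinc uses to decide which packets belong to gw9,
# so it must be present, and identical, in hosts/ on every node of the VPN.
# Public address is an assumption; the thread does not give it.
Address = y.y.y.N
# The LAN directly behind this node.
Subnet = 192.168.9.0/24
# The extra network behind eth2 (172.16.1.1 is this same machine).
# Without this line tinc has no owner for 172.16.1.0/24 and drops the packets,
# however the kernel routing table on the other side is written.
Subnet = 172.16.1.0/24

# /etc/tinc/vpn/hosts/gw0 (the 192.168.0.1 machine, assumed node name gw0)
Address = x.x.x.N
Subnet = 192.168.0.0/24
```

Two things worth checking after the change. First, the kernel on the 192.168.0.1 side still needs a route for 172.16.1.0/24 over the vpn interface; as Guus explains, with the tun device the gateway field is ignored, so a plain device route in tinc-up (for example `ip route add 172.16.1.0/24 dev $INTERFACE`, where INTERFACE is the variable tinc hands to tinc-up) is enough, and the 192.168.0.0/16 route Clark already has does not cover 172.16.1.0/24. Second, every Subnet line is a routing claim the rest of the VPN acts on: a stale copy of hosts/gw9 on one node means that node keeps dropping 172.16.1.0/24 traffic, and announcing a broader Subnet than a node actually owns pulls other nodes' traffic toward it, so keep the host files in sync and as narrow as the real topology. If packets still disappear, the -d and -D options Guus mentions show on which daemon tinc fails to find a Subnet for the destination.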