Hello! I've set up tinc almost successfully, but there is one problem remaining with a routing issue.

Short description of the situation:

    Workstation A (192.168.1.3)
            |
            |
    Tinc Host "50K" (192.168.1.1)
            |
            |
    <Unknown Firewall>
            +
            +
            +
    <Masq Firewall (Linux)> and Tinc Host "oeoe" (192.168.2.1)
            |
            |
    Workstation B (192.168.2.3)

- Tinc Host "50K" initiates the connection through the unknown firewall
- All the hosts have the TCPOnly = yes configuration value
- Connection is successful, the Masq firewall / Tinc Host "oeoe" can connect (ping) to Tinc Host "50K" as well as to Workstation A.
- Workstation A can connect (ping) to Masq firewall / Tinc Host "oeoe" as well as to Workstation B. And Tinc Host "50K" is able to connect to Workstation B.
- The problem: Workstation B cannot connect to Tinc Host "50K" nor to Workstation A. It could be that the Workstation B packets are not correctly routed, however: when I run both tinc daemons in debug mode, I see packets logged, so the packets are arriving via the virtual network. Because Workstation A can connect to Workstation B, routing should be ok, right? Has this something to do with the unknown firewall? And if so, why are the packets then arriving on the other subnet (logged in tincd debug mode)?

I've also tried to disable masquerading on the masquerading firewall "oeoe" without success. And I've checked /proc/sys/net/ipv4/ip_forward. I'm out of ideas, so if any of you guys have a suggestion what could be wrong?
===============
Routing table of Host "50K":

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.0.0     *               255.255.0.0     U     0      0        0 fourdigits
    default         10.0.0.254      0.0.0.0         UG    0      0        0 eth0

Routing table of Host "OEOE":

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
    192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
    82.161.58.0     *               255.255.254.0   U     0      0        0 eth0
    192.168.0.0     *               255.255.0.0     U     0      0        0 fourdigits
    default         bbned-10k-07.ro 0.0.0.0         UG    0      0        0 eth0

Host "50K" tinc-up:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0

Host "Oeoe" tinc-up:

    ifconfig $INTERFACE 192.168.2.1 netmask 255.255.0.0

===============

--
Martijn Jacobs
Four Digits, internet solutions
e-mail: martijn@fourdigits.nl | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117
On Wed, Oct 05, 2005 at 06:27:07PM +0200, Martijn Jacobs wrote:

> Connection is successful, the Masq firewall / Tinc Host "oeoe" can
> connect (ping) to Tinc Host "50K" as well as to Workstation A.
> -
> Workstation A can connect (ping) to Masq firewall / Tinc Host "oeoe" as
> well as to Workstation B. And Tinc Host "50K" is able to connect to
> Workstation B
> -
> The problem: Workstation B cannot connect to Tinc Host "50K" nor to
> Workstation A. It could be that the Workstation B packets are not
> correctly routed, however: when I run both tinc daemons in debug mode,
> I see packets logged, so the packets are arriving via the virtual
> network. Because Workstation A can connect to Workstation B, routing
> should be ok, right? Has this something to do with the unknown firewall?
> And if so, why are the packets then arriving on the other subnet (logged
> in tincd debug mode)?

I suspect it is a firewall issue on host 50K. Can you send the output of "iptables -L -v -x -n" and "iptables -t nat -L -v -x -n"?

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
Hello Guus.

> I suspect it is a firewall issue on host 50K. Can you send the output
> of "iptables -L -v -x -n" and "iptables -t nat -L -v -x -n"?

These are the outputs for both hosts:

50K:

    50k:/home/martijn# iptables -L -v -x -n
    Chain INPUT (policy ACCEPT 55004 packets, 7867251 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 16770 packets, 4354458 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    50k:/home/martijn# iptables -t nat -L -v -x -n
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination

Oeoe (but I tried without):

    oeoe:/home/martijn# iptables -L -v -x -n
    Chain INPUT (policy ACCEPT 64179 packets, 12143420 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 1 packets, 84 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8890 state NEW,ESTABLISHED
           0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.2.0/24
           0          0 ACCEPT     all  --  eth1   eth0    192.168.2.0/24       0.0.0.0/0
      231248  146076045 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      217283   91435384 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 66851 packets, 35604720 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    oeoe:/home/martijn# iptables -t nat -L -v -x -n
    Chain PREROUTING (policy ACCEPT 40246232 packets, 2368999301 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0          0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8890 to:10.0.0.18:3389

    Chain POSTROUTING (policy ACCEPT 3078454 packets, 232733571 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        7870     384652 MASQUERADE tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp masq ports: 655
           0          0 MASQUERADE all  --  *      eth0    10.0.0.2             0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.4             0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.11            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.12            0.0.0.0/0
        2604     158803 MASQUERADE all  --  *      eth0    10.0.0.13            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.18            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.30            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.28            0.0.0.0/0
        1303      84265 MASQUERADE all  --  *      eth0    10.0.0.14            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.15            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.16            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.35            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.38            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.39            0.0.0.0/0
           0          0 MASQUERADE all  --  *      eth0    10.0.0.20            0.0.0.0/0
          43       7456 MASQUERADE all  --  *      eth0    10.0.0.21            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 1977499 packets, 151302593 bytes)
        pkts      bytes target     prot opt in     out     source               destination

--
Martijn Jacobs
Four Digits, internet solutions
e-mail: martijn@fourdigits.nl | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117
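When reading listings like the ones above, the questions a reviewer asks are "what is the chain policy", "are there any rules at all", and "which rule, if any, is the first to match a packet between this pair of interfaces". The script below is an added example, not code from the thread or from tinc: it parses the text format of "iptables -L -v -x -n" (built-in chains with a policy line, user-defined chains with a reference count, the header row, then one rule per line with any extension matches in a trailing column) and walks a chain by interface pair and protocol. The embedded sample input is reconstructed from the 50K and oeoe filter-table listings posted above. Address selectors and extension matches (the "extra" column) are not evaluated, so a rule that carries them is treated as matching; the verdict is therefore an upper bound on what the chain would accept, which is exactly what you want when deciding whether the firewall can be ruled out.

```python
import re
from typing import Dict, List, Optional, Tuple

# Chain headers: built-in chains carry a policy, user-defined chains a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")

# Sample input, reconstructed from the filter-table listings posted in the thread
# (host 50K, then host oeoe) and embedded here so the script runs offline.
LISTING_50K = """\
50k:/home/martijn# iptables -L -v -x -n
Chain INPUT (policy ACCEPT 55004 packets, 7867251 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 16770 packets, 4354458 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""

LISTING_OEOE = """\
oeoe:/home/martijn# iptables -L -v -x -n
Chain INPUT (policy ACCEPT 64179 packets, 12143420 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1 packets, 84 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8890 state NEW,ESTABLISHED
       0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.2.0/24
       0          0 ACCEPT     all  --  eth1   eth0    192.168.2.0/24       0.0.0.0/0
  231248  146076045 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  217283   91435384 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 66851 packets, 35604720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


def parse_iptables(listing: str) -> Dict[str, dict]:
    """Return {chain name: {"policy": str|None, "rules": [rule dicts]}}."""
    chains: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in listing.splitlines():
        line = raw.strip()
        # Skip blank lines, pasted shell prompts and the column header row.
        if not line or "# iptables" in line or line.startswith("pkts"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            current = {"policy": None, "rules": []}  # user chains have no policy
            chains[m.group(1)] = current
            continue
        if current is None:
            raise ValueError(f"rule line before any chain header: {raw!r}")
        # Nine fixed columns; everything after them is the extension-match text.
        fields = line.split(None, 9)
        if len(fields) < 9:
            raise ValueError(f"unparsable rule line: {raw!r}")
        pkts, nbytes, target, prot, _opt, inif, outif, src, dst = fields[:9]
        current["rules"].append({
            "pkts": int(pkts), "bytes": int(nbytes), "target": target,
            "prot": prot, "in": inif, "out": outif, "source": src,
            "destination": dst, "extra": fields[9] if len(fields) > 9 else "",
        })
    return chains


def candidate_rules(chain: dict, in_if: str, out_if: str, proto: str) -> List[dict]:
    """Rules whose interface and protocol selectors admit a packet from in_if to
    out_if.  Addresses and the 'extra' column are not checked, so this is a
    superset of the rules that would really match."""
    return [r for r in chain["rules"]
            if r["in"] in ("*", in_if)
            and r["out"] in ("*", out_if)
            and r["prot"] in ("all", proto)]


def verdict(chains: Dict[str, dict], chain_name: str, in_if: str, out_if: str,
            proto: str) -> Tuple[Optional[str], Optional[dict]]:
    """First-match result for the packet, or the chain policy when nothing matches."""
    chain = chains[chain_name]
    cands = candidate_rules(chain, in_if, out_if, proto)
    if cands:
        return cands[0]["target"], cands[0]
    return chain["policy"], None


if __name__ == "__main__":
    for name, listing in (("50K", LISTING_50K), ("oeoe", LISTING_OEOE)):
        chains = parse_iptables(listing)
        fwd = chains["FORWARD"]
        print(f"{name}: FORWARD policy {fwd['policy']}, {len(fwd['rules'])} rules")
        # "fourdigits" is the tinc interface name from the routing tables in the thread.
        for pair in (("fourdigits", "eth1"), ("eth1", "fourdigits"), ("fourdigits", "eth0")):
            print("  ", pair, "->", verdict(chains, "FORWARD", *pair, "icmp")[0])
```

On the 50K listing every chain has policy ACCEPT and no rules, so for any interface pair the verdict is the policy; on oeoe an ICMP packet from the tunnel interface towards eth1 matches none of the five FORWARD rules and likewise falls through to the ACCEPT policy, while the reverse direction is accepted by the last rule ("eth1" to any interface). Both listings support the conclusion the thread eventually reaches, that the problem is routing rather than filtering.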
Hello Eric, Guus.

> It could be your linux masq firewall, does A have a route for it?
> Because B's packets will look like they are coming from that.
>
> Eric

I've managed to make connections both ways now. I had to explicitly make a route to the 192.168.1.x (or 192.168.x.x) network from workstation B. Some magic occurred on workstation A where there was already a route available. There is probably a way when this is not needed (making explicit routes), like for 2 masq firewalls who are the gateway already, but it works and that's the important part.

Thank you both for your time! I'm a happy VPN'er now :)

--
Martijn Jacobs
Four Digits, internet solutions
e-mail: martijn@fourdigits.nl | web: http://www.fourdigits.nl
tel: +31 (0)26 44 22 700 | fax: +31 (0)84 22 06 117
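The fix in the last message comes down to longest-prefix route selection: a host sends a packet to whichever entry in its table has the most specific network containing the destination, and if nothing but the default route covers 192.168.1.x the packet goes to the default gateway rather than to the tinc host. The script below is an added example, not code from the thread or from tinc. It parses "route"/"netstat -r" style tables (Destination, Gateway, Genmask, ..., Iface) and looks up the next hop for an address. The tables for hosts 50K and oeoe are the ones posted earlier in the thread; the two Workstation B tables are constructed, since the thread never shows them: the default gateway 192.168.2.254 is a placeholder, and the added route via 192.168.2.1 (the tinc address of oeoe) is my reading of "a route to the 192.168.1.x network", which the mail does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None for a directly connected route ("*" in route output)
    iface: str


# Routing tables as posted in the thread for the two tinc hosts.
ROUTES_50K = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 fourdigits
default         10.0.0.254      0.0.0.0         UG    0      0        0 eth0
"""

ROUTES_OEOE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
82.161.58.0     *               255.255.254.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 fourdigits
default         bbned-10k-07.ro 0.0.0.0         UG    0      0        0 eth0
"""

# Constructed tables for Workstation B (not in the thread).  The default gateway
# 192.168.2.254 is a placeholder; the added route via 192.168.2.1 is an assumption.
ROUTES_B_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
"""
ROUTES_B_AFTER = ROUTES_B_BEFORE + \
    "192.168.1.0     192.168.2.1     255.255.255.0   UG    0      0        0 eth0\n"


def parse_routes(table: str) -> List[Route]:
    """Parse the text table; 'default' becomes 0.0.0.0/0, '*' means on-link."""
    routes: List[Route] = []
    for line in table.strip().splitlines():
        f = line.split()
        if not f or f[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, None if gw in ("*", "0.0.0.0") else gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the containing network with the largest prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, Optional[str], int]]:
    """(interface, gateway or None, prefix length) for dst, or None if unroutable."""
    r = lookup(routes, dst)
    return None if r is None else (r.iface, r.gateway, r.network.prefixlen)


if __name__ == "__main__":
    for name, table in (("50K", ROUTES_50K), ("oeoe", ROUTES_OEOE),
                        ("B before", ROUTES_B_BEFORE), ("B after", ROUTES_B_AFTER)):
        routes = parse_routes(table)
        print(f"{name:9s} -> 192.168.1.3 via {next_hop(routes, '192.168.1.3')}")
```

Run as is, it shows the asymmetry from the thread: on oeoe and 50K the /16 on the tinc interface is the most specific match for the far side's addresses, so both tinc hosts forward into the tunnel, while Workstation B without the extra entry hands 192.168.1.3 to its default gateway (prefix length 0) and only after the /24 is added does the next hop become 192.168.2.1. Note that 50K reaches its own LAN through the /24 on eth0 even though the /16 on fourdigits also contains it, which is the longest-prefix rule at work.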