tinc - Feb 2010 - Can I pass 802.1q (VLAN tagged) through a VPN Tinc in HUB/Switch mode?.

Hello to everybody,

Sorry if my english isn?t very good.

I need pass 802.1q through a VPN between two offices.

I have mounted a WRT54GL, with OpenWRT firmware, conected to a switch trunk
port in both offices.

In the switch of the first office I have created five tagged VLANs and I
need pass these VLAN to the second offices where it has created it too.

Can I do this with Tinc in HUB/Switch mode?

I?m not configured nothing yet.

Made somebody this with WRT54GL?

Can you help me with the configuration with WRT54GL?

I will follow this guide "http://www.tinc-vpn.org/examples/bridging/".


Very thanks and regards,

Ramses

On Thu, Feb 04, 2010 at 08:10:04PM +0100, Ramses II wrote:
> I need pass 802.1q through a VPN between two offices.
> 
> I have mounted a WRT54GL, with OpenWRT firmware, conected to a switch trunk
> port in both offices.
> 
> In the switch of the first office I have created five tagged VLANs and I
> need pass these VLAN to the second offices where it has created it too.
> 
> Can I do this with Tinc in HUB/Switch mode?
Yes.
> Can you help me with the configuration with WRT54GL?
It doesn't seem WRT54GL specific to me.
> I will follow this guide
"http://www.tinc-vpn.org/examples/bridging/".
I think it should just work if you set up bridging like in that example. If
not, let us know.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20100204/bba1d315/attachment.pgp>

Hi everybody again, I go on with the same problem.

I'll tell you again. I have the next configuration:

VLAN1(U)--|   Switch                                  Switch   |-- VLAN1(U)
VLAN5(T)--|-- Trunk -- TincS-01 ---VPN--- TincS-02 -- Trunk  --|-- VLAN5(T)
VLAN10(T)-|   Port                                    Port     |-- VLAN10(T)

(U) = Untagged
(T) = Tagged

I do Ping between the PCs in VLAN1 but I can?t do Ping between the PCs in
VLAN5 or VLAN10, that both are tagged.

In both Tinc Servers, the VLAN5 has asociated to sub-interface eth0.5 and
the VLAN10 to the eth0.10.

Each server is connected to the other by the sub-interface eth0.1 (Internet
interface).

Both servers have installed Openwrt firmware.

I have this config in both servers:

--------------
root at RT-VPN-01:/# cat /etc/tinc/tinc.conf Name = Central (in the other
Server - SedeA) Device = /dev/net/tun Mode = switch ConnectTo = SedeA (in
the other Server - Central)
--------------
--------------
root at RT-VPN-01:/# cat /etc/tinc/tinc-up
#!/bin/sh

ifconfig $INTERFACE 0.0.0.0
brctl addif br-lan $INTERFACE
ifconfig $INTERFACE up
---------------

In the bridge I have:

--------------
root at RT-VPN-01:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.00259c63fbdf       no              eth0.0
                                                        tap0
--------------

So, can you tell me what can i do to pass the VLAN5 and VLAN10 through the
Tinc tunel?

I know I'm close but can not find the solution.


Regards,

Ramses

> -----Mensaje original-----
> De: Guus Sliepen [mailto:guus at tinc-vpn.org]
> Enviado el: mi?rcoles, 24 de febrero de 2010 14:58
> Para: Ramses II
> CC: jagm at multico.es
> Asunto: Re: Can I pass 802.1q (VLAN tagged) through a VPN Tinc in
> HUB/Switch mode?.
> 
> On Wed, Feb 24, 2010 at 01:01:33PM +0100, Ramses II wrote:
> 
> > Don't you know the Linksys WRT54GL router?
> >
> > This is the internal architecture:
> >
> > http://garycourt.com/wp-
> content/images/WRT54_sw2_internal_architecture.png
> 
> Yes, I know about this architecture, which is used in many routers by the
> way.
> I do not know the details of every router though :)
> 
> > It only have a fisical interface eth0 and two subinterfaces eth0.0
(LAN)
> and
> > eth0.1 (WAN).
> >
> > I can do this with it?
> 
> I see. Yes, in that case you should probably bridge with eth0.0. Anyway,
> tinc
> handles untagged and tagged packets in exactly the same way, because in
> Switch
> mode it will only look at the source and destination MAC address, not at
> the
> rest of the packet. But maybe you should run tcpdump on eth0.0 on both
> sides to
> check what happens when PCs in VLAN5 for example try to ping each other.
> If no
> side sees any ping traffic on eth0.0, then the switch doesn't forward
> VLAN5
> tagged packets to the router. If one sides sees ping traffic, but there is
> nothing on the other side, then perhaps something is wrong with tinc. If
> you
> see packets on both sides, but there are only ping requests, no responses,
> then, assuming PCs on both sides use the same subnet in VLAN5, I would
> guess it
> is still a problem with the switches.
> 
> If the problem still persists, perhaps you could run tcpdump on both
> eth0.0 and
> tap0, capturing the full link-layer headers, and send me the results so I
> can
> have a look at what's happening in your setup?
> 
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ramses II schrieb:
> Michael, do you try tell me that each vlan should be in a separate bridge
> and then create a tinc vpn associating each tinc vpn interface with one
> bridge?
No, the console output I posted should have indicated that
bridge br0 is bridging eth2 and tinc, that means it carries ALL vlans.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkupKBEACgkQja4h02Y9mlcxrwCcDYIrpcUac5+B40Acx9WbhGWW
h20AnRB8NXKfuctjr2SZYmh/dZF9cpke
=pKCo
-----END PGP SIGNATURE-----

Hi again,

I have changed both routers by two servers with CentOS linux and two
physical interfaces (eth0 and eth1).

I have connected both servers by the eth1 interface.

I have created a bridge and I have added the tap0 and the eth0 interface.

Each eth0 interface was connect to a trunk port (802.1q) of a switch.

I have connected a PC to a untagged port (VLAN5) of one of the switches.

I can see the Mac Address of this PC in the trunk port of the other switch
but is asociated to the VLAN1 (Default).

I have captured the traffic of the eth0 interface of the server that is
connected to the trunk interface of the same switch tha is connected the PC
and not show me the VLAN ID:

-----------------------------------------------------------------------
[root@ /]# tcpdump -ne -i eth0 | grep ICMP
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:55:57.984204 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 4, length 64
12:55:58.983872 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 5, length 64
12:55:59.983579 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 6, length 64
12:56:00.983273 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 7, length 64
12:56:01.982993 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 8, length 64
12:56:02.982721 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 9, length 64
12:56:03.982380 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 16148,
seq 10, length 64
12:56:18.506129 00:17:c5:12:f6:80 > 00:15:e9:86:2a:d9, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.67: ICMP echo request, id 32789,
seq 1, length 64
12:56:18.657118 00:17:c5:12:f6:80 > 00:19:66:3a:06:a3, ethertype IPv4
(0x0800), length 98: 10.158.3.60 > 10.158.5.50: ICMP echo request, id 43029,
seq 1, length 64
224 packets captured
224 packets received by filter
0 packets dropped by kernel

[root@ /]#
-----------------------------------------------------------------------

Can anybody help me with this?


Best regards,

Ramses

On Thu, Feb 04, 2010 at 08:10:04PM +0100, Ramses II wrote:
> I need pass 802.1q through a VPN between two offices.
I do not know exactly what this does, but there is a new "macvtap"
driver in
Linux 2.6.34 that exposes a macvlan as a tap device, which might be useful for
those who want to selectively tunnel VLANs over their VPN:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=20d29d7a916a47bf533b5709437fe735b6b5b79e

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20100517/772ebed0/attachment.pgp>