Hi everyone,

I have a few questions/problems with tinc which I need to address ASAP, so I'll make it brief.

I have 33 sites, connected with each other using WAN. In each site there are two Linux firewalls + 3-4 more servers. I preferred to have a full mesh within my network, but unfortunately it was not possible: when I wanted every site to be connected to every other, as the number of hosts increased there were some unexplainable abnormalities, so I decided to connect every site to 3-4 other firewalls. So with this approach the whole network is unified, of course not directly.

So right now my unsolved problems are as follows:

1. SIP/IAX doesn't work over the tinc network, but on the tinc edge it works. Imagine the following situation:

   SIP/IAX Server A --network A----> Firewall A ---tinc---> Firewall B ---Network B--> SIP/IAX Server B

   This approach doesn't work!! But if I put the SIP/IAX server on firewall B and use the tinc internal IP address, the trunk works..

2. I want to use 2 firewalls in each site as failover tinc routers, so what I've basically done is that I've put two tinc nodes in every site and configured them with the same Subnet in the tinc hosts files, but the problem arises with the fact that the other nodes in each site only have one of the servers as default gateway, and if the request comes from the other it's unanswered. I wanted to fix this problem with iptables mangle,

   iptables -A PREROUTING -t mangle -i tci -j MARK --set-mark 1

   but strangely enough iptables didn't mark it (why?). So I thought of another solution, which is that I'd use keepalived with tinc, like copy the same private key on two servers and bring one up; if the server goes down, keepalived would bring tinc down and bring the other server's tinc up. Is it possible?

3. I have concerns about not having a full mesh. The problem was that when the number of concurrent connections went above 12, the network wasn't as good as before. Am I doing something wrong? Is it possible to fix it another way?

4. Should I connect the two firewalls in each province together (if I don't use keepalived, of course), like add a ConnectTo from server A1 to A2????

5. I have concerns about the tinc routing table; can someone point me to the right documentation??

6. In a mesh, is there any utility which would make it easy to identify which hosts are directly connected to (hosts from ConnectTo)?
1. Sounds like routing is broken. Does ping work from Server A to Server B traversing the same route?

2. I'm pretty sure in iptables you need to define the table first, then the chain. You're defining the chain first.. so the table may be assumed as something other than mangle.. and there you go.

3. No idea. Can you describe what you mean by "the network wasn't as good as before"? How did you know it wasn't as good? What were you measuring, or what were the symptoms of the problem?

4. No, you do not want 2 nodes in the same physical location connecting to each other. That will not provide you with any redundancy.

Your fail-over idea is feasible. Some creative scripting could accomplish this through crontab, with the backup server pinging the primary every X seconds, bringing up the WAN interface and executing tincd when the ping fails X number of times, and shutting down the WAN interface and tincd once the ping is successful again. The WAN interface and Tinc configurations would be identical on both boxes. This would mean you have a switch between your WAN gateway and these 2 Tinc boxes. Or there are solutions like linux-ha.org. If you can spare 3 WAN IP addresses per site, you could stand up Tinc on pfSense firewalls and let pfSense handle failover for you via CARP.

But I would ask myself if I really need redundancy on Tinc like this. This design is an upside-down pyramid. You're still going to have a single switch between the gateway and the Tinc boxes; that's a single point of failure. You're still going to have a single gateway, another single point of failure. Building redundancy on top of single points of failure is not a good approach. If you really want high availability it needs to start with a WAN solution with multiple WAN circuits utilizing protocols like BGP.

5. Sorry, I don't know anything about the Tinc routing table.

6. Sorry, I don't know.
On Wed, Feb 15, 2012 at 3:59 AM, Siavash Sameni <siavash.sameni at gmail.com> wrote:

> Hi everyone ,
> i have a few questions/problems with tinc , which i need to address ASAP ,
> so i'll make it brief .
> i have 33 sites , connected with each other using wan ,
> in each site , there are two linux firewalls + 3-4 more servers , i
> preferred to have a full mesh within my network ,
> but unfortunately it was not possible , when i wanted every site to be
> connected to every other , as the number of hosts increased there was some
> unexplainable abnormalities , so i decided to connect every site to 3-4
> other firewalls . so with this approach the whole network is unified , of
> course not directly .
> so right now my unsolved problems are as follows :
>
> 1. SIP/IAX doesn't work over the tinc network , but on tinc edge it works
> , imagine the following situation:
> SIP/IAX Server A --network A----> Firewall A ---tinc---> Firewall B
> ---Network B--> SIP/IAX Server B
> this approach doesn't work !!
> but if i put SIP/IAX server on the firewall B , and use the tinc internal
> ip address , the trunk works ..
>
> 2. i want to use 2 firewalls in each site , as failover tinc routers , so
> what i've basically done is that i've put two tinc nodes in every site ,
> and configured them with the same Subnet in tinc hosts , but the problem
> arises with the fact that , the other nodes in each site , only have one of
> the servers as default gateway and if the request comes from the other it's
> unanswered , i wanted to fix this problem with iptables mangle ,
> iptables -A PREROUTING -t mangle -i tci -j MARK --set-mark 1 , but
> strange enough iptables didn't mark it (why?)
> so i thought of another solution which is that i'd use keepalived with
> tinc , like copy the same private key on two servers , bring one up , if
> the server goes down , keepalive would bring tinc down , and bring the
> other server's tinc up , is it possible ?
>
> 3. i have concerns about not having a full mesh , the problem was that ,
> when the number of concurrent connection went above 12 , the network wasn't
> as good as before , am i doing something wrong ? is it possible to fix it
> another how ?
>
> 4. should i connect the two firewalls in each province together , if i
> don't use keepalived of course , like add a connect to from server A1 to A2
> ????
>
> 5. i have concerns about tinc routing table , can someone point me to the
> right documentation ??
>
> 6. in a mesh , is there any utility which would make it easy to identify
> which hosts are directly connected to (hosts from connectto)
On Wed, Feb 15, 2012 at 12:29:55PM +0330, Siavash Sameni wrote:

> i have a few questions/problems with tinc , which i need to address ASAP ,
> so i'll make it brief .
> i have 33 sites , connected with each other using wan ,
> in each site , there are two linux firewalls + 3-4 more servers , i
> preferred to have a full mesh within my network ,
> but unfortunately it was not possible , when i wanted every site to be
> connected to every other , as the number of hosts increased there was some
> unexplainable abnormalities , so i decided to connect every site to 3-4
> other firewalls . so with this approach the whole network is unified , of
> course not directly .
> so right now my unsolved problems are as follows :
>
> 1. SIP/IAX doesn't work over the tinc network , but on tinc edge it works ,
> imagine the following situation:

This sounds indeed like a routing problem, or perhaps a firewall problem. Could you send us the output of "ifconfig -a", "route -n", "iptables -vxnL" and "iptables -t nat -vxnL"? The contents of the host config files would also be useful (you can omit the public keys).

> 2. i want to use 2 firewalls in each site , as failover tinc routers , so
> what i've basically done is that i've put two tinc nodes in every site ,
> and configured them with the same Subnet in tinc hosts , but the problem
> arises with the fact that , the other nodes in each site , only have one of
> the servers as default gateway and if the request comes from the other it's
> unanswered , i wanted to fix this problem with iptables mangle ,
> iptables -A PREROUTING -t mangle -i tci -j MARK --set-mark 1 , but
> strange enough iptables didn't mark it (why?)

I have no idea without the information from above. Having two firewalls running simultaneously might be challenging. You could also have one active firewall, and a backup firewall that is an identical clone, and use heartbeat to have the backup firewall take over the primary one's functionality (including MAC address), see http://www.linux-ha.org/.

By the way, although Donald was a bit skeptical, writing "-t mangle" after "-A PREROUTING" works as intended.

> so i thought of another solution which is that i'd use keepalived with tinc
> , like copy the same private key on two servers , bring one up , if the
> server goes down , keepalive would bring tinc down , and bring the other
> server's tinc up , is it possible ?

Yes, although again it might be better to do this for the whole firewall machine instead of just the tinc daemon.

> 3. i have concerns about not having a full mesh , the problem was that ,
> when the number of concurrent connection went above 12 , the network wasn't
> as good as before , am i doing something wrong ? is it possible to fix it
> another how ?

Unless you have a very small upstream bandwidth, there should be no problem with having lots of concurrent ConnectTo's. But tinc will build a full mesh even if you have only a few ConnectTo's in tinc.conf.

> 4. should i connect the two firewalls in each province together , if i
> don't use keepalived of course , like add a connect to from server A1 to A2
> ????

It depends on your situation, especially on what is most likely to fail. Do you have one connection to the Internet, or does each firewall have its own independent connection?

> 5. i have concerns about tinc routing table , can someone point me to the
> right documentation ??

All the documentation is here: http://tinc-vpn.org/docs/. But what exactly is your concern?

> 6. in a mesh , is there any utility which would make it easy to identify
> which hosts are directly connected to (hosts from connectto)

In tinc 1.0.x, this is not very easy, but you can send a signal that will dump a list of all the nodes it knows about to the syslog:

  tincd -n <netname> -kUSR2

Then you will see something like this in the syslog:

  Feb 17 12:50:11 server tinc.netname[12345]: Nodes:
  Feb 17 12:50:11 server tinc.netname[12345]: foo at 192.0.43.10 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop bar via foo pmtu 1410 (min 1410 max 1410)

To see whether you are directly connected, look at the name right after "via". In this case, traffic to node foo goes "via foo", which means it is sent directly to this node. If it would say "via baz", that means there is no direct connection, and traffic will instead be sent to node baz, which will in turn forward it towards foo.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
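To automate the check Guus describes (an added example, not part of this thread or of tinc itself), the following Python reads the node-dump lines that tinc 1.0.x writes to syslog after "tincd -n <netname> -kUSR2" and splits the known nodes into directly connected and relayed ones by the "via" field; the syslog excerpt below is constructed for illustration, not real daemon output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One node line of the tinc 1.0.x "-kUSR2" dump as it appears in syslog; the fields
# between "port" and "nexthop" (cipher, digest, status, ...) are skipped.
NODE_RE = re.compile(
    r"tinc\.\S+\[\d+\]: (?P<name>\S+) at (?P<addr>\S+) port (?P<port>\d+) .*?"
    r"nexthop (?P<nexthop>\S+) via (?P<via>\S+) pmtu (?P<pmtu>\d+)"
)

@dataclass
class NodeEntry:
    name: str
    addr: str
    port: int
    nexthop: str
    via: str
    pmtu: int

    @property
    def direct(self) -> bool:
        # As Guus says: packets go straight to the node only when "via" names the node itself.
        return self.via == self.name

def parse_node_dump(lines: List[str]) -> Dict[str, NodeEntry]:
    """Extract node entries from a slice of syslog, ignoring unrelated lines."""
    nodes: Dict[str, NodeEntry] = {}
    for line in lines:
        m = NODE_RE.search(line)
        if m:
            nodes[m["name"]] = NodeEntry(m["name"], m["addr"], int(m["port"]),
                                         m["nexthop"], m["via"], int(m["pmtu"]))
    return nodes

def direct_neighbours(nodes: Dict[str, NodeEntry]) -> List[str]:
    """Nodes this daemon exchanges packets with directly (the live edges of the mesh)."""
    return sorted(n.name for n in nodes.values() if n.direct)

def relayed_nodes(nodes: Dict[str, NodeEntry]) -> Dict[str, str]:
    """Nodes reached indirectly, mapped to the node that forwards traffic for them."""
    return {n.name: n.via for n in nodes.values() if not n.direct}

# Constructed syslog excerpt in the format quoted above (not real daemon output).
SAMPLE_SYSLOG = """\
Feb 17 12:50:11 server tinc.netname[12345]: Nodes:
Feb 17 12:50:11 server tinc.netname[12345]: foo at 192.0.43.10 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop foo via foo pmtu 1410 (min 1410 max 1410)
Feb 17 12:50:11 server tinc.netname[12345]: bar at 192.0.43.11 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop bar via bar pmtu 1410 (min 1410 max 1410)
Feb 17 12:50:11 server tinc.netname[12345]: baz at 192.0.43.12 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 001a nexthop bar via bar pmtu 1380 (min 1380 max 1410)
Feb 17 12:50:12 server sshd[4321]: Accepted publickey for admin from 192.0.43.2
""".splitlines()
```

Run it on the real lines from your syslog after sending the signal: direct_neighbours() lists the nodes you actually have a direct path to, and relayed_nodes() shows which neighbour is forwarding for the rest.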