Daniel J. Grinkevich
2015-Sep-07 16:43 UTC
Asymmetric routing and firewalls dropping UDP packets
We are running tinc (v. 1.0.26) in switch mode with bmx6 (another mesh protocol) running on top of the tap0 interface on about 25 devices. The asymmetric routing of UDP packets is causing my firewall (and, I presume, others) to drop some of the packets, since there are no outbound SYN packets originating from the device running tinc. Is there any way to mitigate this issue besides enabling tcponly (and not putting the tinc device in the DMZ)? tcponly would defeat the purpose of a mesh network.

Thanks,
Dan

--
GPG Key: 0x160B24D1C08FB4E4 <https://pgp.mit.edu/pks/lookup?op=get&search=0x160B24D1C08FB4E4>
On Mon, Sep 07, 2015 at 12:43:24PM -0400, Daniel J. Grinkevich wrote:

> We are running tinc (v. 1.0.26) in switch mode with bmx6 (another mesh
> protocol) running on top of the tap0 interface on about 25 devices. The
> asymmetric routing of UDP packets is causing my firewall and I presume
> others to drop some of the packets, since there are no outbound SYN packets
> originating from the device running tinc. Is there any way to mitigate
> this issue besides enabling tcponly (and not putting the tinc device in the
> dmz)? tcponly would defeat the purpose of a mesh network.

There is nothing tinc can do here. Either make sure you don't do asymmetric routing, or change your firewall rules to not do stateful filtering of TCP connections.

Why do you have asymmetric routing?

--
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
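Added example, not from the thread and not tinc or bmx6 code: a small Python model of the stateful firewall behaviour the question describes and of the fix the reply points at (a rule that accepts tinc's UDP traffic without consulting connection state). The model records outbound UDP 4-tuples in a conntrack table and admits an inbound UDP packet only if it reverses a tracked flow; a peer whose forward path never crossed this firewall therefore gets dropped, exactly as with asymmetric routing. It goes one step beyond the thread by also ageing out idle entries, since a UDP mesh that is quiet for longer than the conntrack timeout hits the same drop even with symmetric paths. Assumptions not stated in the thread: tinc listens on its default port 655, the UDP conntrack timeout is 30 s (Linux's default nf_conntrack_udp_timeout), and the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Model of a stateful firewall in front of a tinc node (added example, not tinc code).

Inbound UDP is accepted only as the reply to a tracked outbound flow, unless a
stateless rule accepts the destination port. Real netfilter matches on more
state than this 4-tuple table, but the drop/accept decision for the cases
below is the same.
"""
from dataclasses import dataclass

TINC_PORT = 655      # tinc's default listen port (assumption, not stated in the thread)
UDP_TIMEOUT = 30.0   # seconds; Linux default nf_conntrack_udp_timeout (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, stateless_udp_ports=(), udp_timeout=UDP_TIMEOUT):
        # conntrack table: forward 4-tuple -> time the flow was last seen
        self._flows = {}
        self._stateless = frozenset(stateless_udp_ports)
        self._timeout = udp_timeout

    def _expire(self, now):
        # Drop entries that have been idle longer than the UDP timeout.
        for key, seen in list(self._flows.items()):
            if now - seen > self._timeout:
                del self._flows[key]

    def outbound(self, pkt, now):
        """Inside -> outside: always allowed; creates or refreshes a conntrack entry."""
        self._expire(now)
        self._flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "ACCEPT"

    def inbound(self, pkt, now):
        """Outside -> inside: stateless exception first, then conntrack match."""
        self._expire(now)
        if pkt.dport in self._stateless:
            # What a rule such as `nft add rule inet filter input udp dport 655 accept`
            # (or `iptables -I INPUT -p udp --dport 655 -j ACCEPT`) does: no state lookup.
            return "ACCEPT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self._flows:
            self._flows[reverse] = now  # a matching reply refreshes the entry
            return "ACCEPT"
        return "DROP"


# Constructed addresses (RFC 5737 documentation ranges).
NODE = "192.0.2.10"       # tinc node behind this firewall
PEER_B = "198.51.100.2"   # peer reached symmetrically through this firewall
PEER_C = "203.0.113.3"    # peer whose forward path bypasses this firewall


def run_scenarios(stateless_udp_ports=()):
    """Return the firewall's verdict for the three cases discussed above."""
    fw = StatefulFirewall(stateless_udp_ports)
    verdicts = {}

    # 1. Symmetric path: the node sends to B through this firewall, B replies.
    fw.outbound(Packet(NODE, TINC_PORT, PEER_B, TINC_PORT), now=0.0)
    verdicts["reply_from_B"] = fw.inbound(
        Packet(PEER_B, TINC_PORT, NODE, TINC_PORT), now=1.0)

    # 2. Asymmetric path: the node's packets to C left via another route, so this
    #    firewall never created an entry and C's packets look unsolicited.
    verdicts["packet_from_C"] = fw.inbound(
        Packet(PEER_C, TINC_PORT, NODE, TINC_PORT), now=2.0)

    # 3. Symmetric but idle: B stays silent past the UDP timeout, then sends again.
    verdicts["late_reply_from_B"] = fw.inbound(
        Packet(PEER_B, TINC_PORT, NODE, TINC_PORT), now=1.0 + UDP_TIMEOUT + 1.0)
    return verdicts


if __name__ == "__main__":
    print("stateful only:       ", run_scenarios())
    print("plus udp/655 accept: ", run_scenarios(stateless_udp_ports=(TINC_PORT,)))
```

With only stateful tracking, case 1 is accepted and cases 2 and 3 are dropped; adding the stateless accept for the tinc port lets all three through. The stateless rule has to come before the `ct state` rules in a real ruleset, and it widens exposure to exactly one UDP port, which tinc already authenticates and encrypts; restricting the rule to the known peer addresses narrows it further.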