Bright Zhao
2017-Jul-26 01:51 UTC
How to block a tinc node from advertising its neighbor/edge/subnet info to another node?
Hi, Tinc experts

There’s a requirement where A connects to B and B connects to C; B knows all the subnets from A and C, but A wouldn’t need to know anything about C, and C wouldn’t need to know anything about A. Can any tinc configuration make this happen?

You can think of B not as an interconnect/forwarding node; instead, it only connects to A and C separately.

I can think of running two tinc networks, which are two processes. Other than this, is there any other easier way to make it one network, where B doesn’t advertise the info from one side to the other side?
Raul Dias
2017-Jul-26 02:26 UTC
How to block a tinc node from advertising its neighbor/edge/subnet info to another node?
On 7/25/17 10:51 PM, Bright Zhao wrote:
> I can think of running two tinc networks, which are two processes. Other than this, is there any other easier way to make it one network, where B doesn’t advertise the info from one side to the other side?

Yep, create a different network (/etc/tinc/network2) and make it listen (if listening) on a different port.

A <---------------> B <-----------> C
10.1.2.X/24 | 10.1.2.X/24
            | 10.2.2.X/24 | 10.2.2.X/24

So each tinc daemon with a /16 is fine.
No way for A <--> C, unless A and C know about each other and add routes using B as gateway.

So B explicitly needs to firewall this situation if necessary.

-rsd
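Raul's suggestion in configuration form, as an added example that is not from the thread or from the tinc project: a POSIX shell script that lays out the two-netname directories for B (and what A and C would hold on their side), so that the daemon facing A has no host file for C and the daemon facing C has no host file for A. The netnames network1/network2, the node names A/B/C, the ports 655/656, the interface names tinc1/tinc2, the public address b.example.net and the individual VPN addresses are assumptions; the 10.1.2.0/24 and 10.2.2.0/24 ranges follow the diagram above. By default it writes into a scratch directory, so it can be dry-run without root.

```shell
#!/bin/sh
# Added example (not from the thread or the tinc project): the two-netname
# layout.  B runs two independent tinc daemons, one per netname, each
# listening on its own port, so the daemon facing A holds no host file for C
# and the daemon facing C holds no host file for A.  Netnames, node names,
# ports, interface names, B's public address and the VPN addresses are
# constructed for the example.
set -eu

# Scratch root for a dry run.  On a real machine call the matching setup_*
# function with /etc/tinc instead (e.g. "setup_b /etc/tinc" on B).
ROOT="${TINC_ROOT:-$(mktemp -d)}"

# write_main ROOT NETNAME NAME IFACE [CONNECT_TO]  ->  ROOT/NETNAME/tinc.conf
write_main() {
    root=$1 net=$2 name=$3 iface=$4 connect_to=${5:-}
    mkdir -p "$root/$net/hosts"
    {
        printf 'Name = %s\n' "$name"
        printf 'Interface = %s\n' "$iface"
        if [ -n "$connect_to" ]; then printf 'ConnectTo = %s\n' "$connect_to"; fi
    } > "$root/$net/tinc.conf"
}

# write_host ROOT NETNAME NODE SUBNET [PORT] [ADDRESS]  ->  ROOT/NETNAME/hosts/NODE
# Port is a host variable in tinc: a daemon listens on the Port in its own
# host file, and peers read a copy of that file to learn where to connect.
write_host() {
    root=$1 net=$2 node=$3 subnet=$4 port=${5:-} address=${6:-}
    mkdir -p "$root/$net/hosts"
    {
        if [ -n "$address" ]; then printf 'Address = %s\n' "$address"; fi
        if [ -n "$port" ]; then printf 'Port = %s\n' "$port"; fi
        printf 'Subnet = %s\n' "$subnet"
        printf '# public key: appended by "tincd -n %s -K" on %s\n' "$net" "$node"
    } > "$root/$net/hosts/$node"
}

# write_tinc_up ROOT NETNAME ADDR MASK: tinc exports $INTERFACE to tinc-up.
write_tinc_up() {
    root=$1 net=$2 addr=$3 mask=$4
    mkdir -p "$root/$net"
    printf '#!/bin/sh\nifconfig "$INTERFACE" %s netmask %s\n' "$addr" "$mask" \
        > "$root/$net/tinc-up"
    chmod +x "$root/$net/tinc-up"
}

# B: network1 faces A on port 655, network2 faces C on port 656.
setup_b() {
    write_main    "$1" network1 B tinc1
    write_host    "$1" network1 B 10.1.2.1/32 655 b.example.net
    write_host    "$1" network1 A 10.1.2.10/32
    write_tinc_up "$1" network1 10.1.2.1 255.255.255.0

    write_main    "$1" network2 B tinc2
    write_host    "$1" network2 B 10.2.2.1/32 656 b.example.net
    write_host    "$1" network2 C 10.2.2.10/32
    write_tinc_up "$1" network2 10.2.2.1 255.255.255.0
}

# A's side: only network1, with hosts/B copied from B's network1 directory.
setup_a() {
    write_main    "$1" network1 A tinc1 B
    write_host    "$1" network1 A 10.1.2.10/32
    write_host    "$1" network1 B 10.1.2.1/32 655 b.example.net
    write_tinc_up "$1" network1 10.1.2.10 255.255.255.0
}

# C's side: only network2; its copy of hosts/B carries Port = 656.
setup_c() {
    write_main    "$1" network2 C tinc2 B
    write_host    "$1" network2 C 10.2.2.10/32
    write_host    "$1" network2 B 10.2.2.1/32 656 b.example.net
    write_tinc_up "$1" network2 10.2.2.10 255.255.255.0
}

# listen_port ROOT NETNAME NODE: the Port a daemon binds, from its own host file.
listen_port() {
    sed -n 's/^Port *= *//p' "$1/$2/hosts/$3"
}

# knows_node ROOT NETNAME NODE: succeeds if that daemon has a host file for NODE.
knows_node() {
    [ -f "$1/$2/hosts/$3" ]
}

# Lay out all three machines under ROOT/<machine> for inspection.
setup_b "$ROOT/B"
setup_a "$ROOT/A"
setup_c "$ROOT/C"
find "$ROOT" -type f | sort
```

After the files are in place, `tincd -n network1 -K` and `tincd -n network2 -K` on B generate one key pair per netname and append the public key to the matching hosts/B, which is then copied to A (network1) and C (network2). Nothing in the network1 directory ever names C, and nothing in network2 names A, so neither daemon has anything to advertise about the other side. Raul's caveat still applies: this does not stop B's kernel from forwarding between tinc1 and tinc2 if A and C add routes via B, so firewall B if that matters.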
Bright Zhao
2017-Jul-26 02:43 UTC
How to block a tinc node from advertising its neighbor/edge/subnet info to another node?
Hi, Raul

Thank you. In addition, there’s another piece of information I didn’t mention earlier: B has the default route to the Internet, and B will advertise this default route to both A and C, so that A and C can go to the Internet through B, but A and C wouldn’t have each other’s route accordingly. You can think of A and C as sharing the same Internet gateway, but they wouldn’t know each other.

Assume A and C wouldn't add routes to each other using B as gateway, so no additional firewall configuration on B is required, right?

> On 26 Jul 2017, at 10:26 AM, Raul Dias <raul at dias.com.br> wrote:
>
> On 7/25/17 10:51 PM, Bright Zhao wrote:
>> I can think of running two tinc networks, which are two processes. Other than this, is there any other easier way to make it one network, where B doesn’t advertise the info from one side to the other side?
> Yep, create a different network ( /etc/tinc/network2 ) and make it
> listen (if listening) on a different port.
>
> A <---------------> B <-----------> C
> 10.1.2.X/24 | 10.1.2.X/24
>             | 10.2.2.X/24 | 10.2.2.X/24
>
> So each tinc daemon with a /16 is fine.
> No way for A <--> C, unless A and C know about each other and add
> routes using B as gateway.
>
> So B explicitly needs to firewall this situation if necessary.
>
> -rsd