Bright Zhao
2017-Aug-19 00:09 UTC
How to set tinc not to forward Subnet learned from other nodes?
Hi,

The reason behind this is that we have some use cases where we wouldn’t like some nodes to become transit nodes, but there are some other nodes in the topology that act as transit nodes.

So if a tinc node forwards the subnet updates it learns from one side to the other side, then it is possible for it to become a transit node if one side only has a route that goes through it.

I would call that node a “spoke-only” node, which has dual/triple connections to multiple “hub” nodes. A “hub” definitely needs to forward traffic for the “spoke”, but a “spoke” shouldn’t forward subnets learned from one “hub” to another.

Any idea how to achieve this in one tinc “network”?
Guus Sliepen
2017-Aug-23 06:12 UTC
How to set tinc not to forward Subnet learned from other nodes?
On Sat, Aug 19, 2017 at 08:09:52AM +0800, Bright Zhao wrote:

> Reason behind that is we have some use cases wouldn’t like to make some nodes to become the transit node, but there’re some other nodes in the topology act as the transit nodes.
>
> So if the tinc node forward subnet update it learning from one side to the other side, then it possible to become transit node if one side only have route to go through it.
>
> That node I would call it “spoke-only” node, which dual/triple connection go to multiple “hub” node, “hub” definitely need to forward traffic for the “spoke”, but “spoke” shouldn’t forward subnets learning from one “hub” to another.
>
> Any idea to achieve this in one tinc “network”?

You can use the TunnelServer option on the hub to prevent it from forwarding Subnet updates from spokes.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Bright Zhao
2017-Aug-23 07:58 UTC
How to set tinc not to forward Subnet learned from other nodes?
Great, that's exactly what I have been looking for. Will give it a try.

-- 
Sent from iPhone
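
A sketch of the TunnelServer setup suggested in the reply above, added here as an illustration and not taken from the thread or the tinc project. The netname `vpn`, the node names `hub1`, `hub2` and `spoke1`, and the subnet are constructed placeholders. Per the tinc manual, TunnelServer also restricts connections to nodes with a local host file and implicitly sets StrictSubnets, which is why the spoke's Subnet has to be present on the hub.

```ini
# --- on hub1: /etc/tinc/vpn/tinc.conf ---
Name = hub1
# Do not forward information (including Subnet updates) between other
# tinc daemons, and accept only nodes that have a host file in hosts/.
# Setting this also implicitly enables StrictSubnets.
TunnelServer = yes

# --- on hub1: /etc/tinc/vpn/hosts/spoke1 ---
# With StrictSubnets in effect, hub1 uses only the Subnet lines found in
# its local host files, so every spoke's Subnet must be listed here.
# Subnets announced over the wire that are not in a local file are ignored.
Subnet = 10.0.1.0/24
# (spoke1's public key follows in the real file; omitted in this sketch)

# --- on spoke1: /etc/tinc/vpn/tinc.conf ---
Name = spoke1
# The spoke keeps its dual connections to the hubs.
ConnectTo = hub1
ConnectTo = hub2
```

Because the hub now trusts only what is in its own `hosts/` directory, adding a spoke or changing a spoke's Subnet requires updating the host file on each hub by hand.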