help with routing and multiple subnets

Guus Sliepen guus at tinc-vpn.org
Mon Apr 5 00:33:26 CEST 2010


On Sun, Apr 04, 2010 at 12:49:01PM -0700, Patrick E. Bennett, Jr. wrote:

> >It seems either masquerading is not done for packets going to the VPN, or some
> >firewall rule is blocking them. The routes seem fine.
> I'm using Arno's iptables firewall script; perhaps it does something
> behind the scenes that needs to be tweaked out.  As I mentioned, I
> tried setting it to masq 10.57.137.0 and to not masq it and neither
> allowed the Lab clients to access the central vpn hosts.  Hopefully
> the iptables output will shed some light on this.
> 
> Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
>     pkts      bytes target     prot opt in     out     source               destination         
>       22     1372 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
>      186    13658 NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
>        0        0 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol ipsec 
>       24     1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24    
>        0        0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24      
>      162    11912 POST_NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

It is set to only masquerade traffic that goes out via the ppp+ interface. You
should add a rule to also masquerade traffic from 192.168.254.0/24 going to the
c4svpn interface.

I have no idea how Arno's iptables script works.

> >If you want the central VPN to connect to Lab clients, you should add "Subnet =
> >192.168.254.0/24" to the host config file of the Lab server, otherwise tinc
> >doesn't know which node to send those packets to. But, since you want
> >masquerading, you shouldn't try this at all.
> You can add "Subnet = 192.168.254.0/24" to the tinc hosts file of
> the Lab server even though the VPN is running over the 10.57.0.0
> subnet!?!?  Would this be instead of using 10.57.137.0/24 or in
> addition to it??  Either way, I didn't think that was possible!

You can have multiple Subnet lines in one host config file.

> If the Lab VPN remains dual homed, 192.168.254.0/24 for all non-tinc
> traffic and 10.57.0.0 for all tinc traffic, for my purposes it does
> not matter whether 10.57.137.0/24 is masq'd or not (I think, any
> way).

If you want to do it without masquerading, then add the extra Subnet, and
ensure the servers running tinc have correct routes to each other. The filter
table generated by Arno's script looks very complicated, but I don't think it
will block any of that traffic.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
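Both points in the reply above (the MASQUERADE rules only cover traffic leaving via ppp+, and a host config file may carry more than one Subnet line) can be checked mechanically. The script below is an added example written for this page; it is not code from the post, from tinc, or from Arno's firewall script. It reads the output of `iptables -t nat -L POSTROUTING -v -n`, reports whether a MASQUERADE rule covers a given source network on a given outgoing interface (honouring the trailing `+` prefix wildcard iptables uses), prints the rule to add when none does, and writes a tinc host file with both Subnet lines. The listing embedded in it is the one quoted above, the interface name c4svpn is the one named in the reply, and the host file name `lab` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or of tinc.  Checks a nat
# POSTROUTING listing for MASQUERADE coverage and prints the missing rule.

# Constructed sample: the POSTROUTING chain as quoted in the thread
# (`iptables -t nat -L POSTROUTING -v -n`), trailing match text included.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      22     1372 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
     186    13658 NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol ipsec
      24     1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24
       0        0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24
     162    11912 POST_NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# iface_matches PATTERN NAME: iptables interface semantics, where '*' is
# "any interface" and a trailing '+' makes the pattern a prefix match.
iface_matches() {
    pat=$1; name=$2
    case "$pat" in
        '*') return 0 ;;
        *+)  case "$name" in "${pat%+}"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$name" ] ;;
    esac
}

# has_masq_rule LISTING OUT_IFACE SRC_NET: succeeds if some MASQUERADE
# rule in LISTING applies to packets from SRC_NET leaving via OUT_IFACE.
# Column order is that of `iptables -L -v -n`: pkts bytes target prot
# opt in out source destination [match text...].
has_masq_rule() {
    printf '%s\n' "$1" | {
        while read -r pkts bytes target prot opt in_if out_if source dest rest; do
            [ "$target" = MASQUERADE ] || continue
            [ "$source" = "$3" ] || [ "$source" = 0.0.0.0/0 ] || continue
            if iface_matches "$out_if" "$2"; then exit 0; fi
        done
        exit 1
    }
}

# masq_rule_cmd OUT_IFACE SRC_NET: the rule to add, in the same shape as
# the existing ppp+ rules (local-to-local traffic excluded with '! -d').
masq_rule_cmd() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s ! -d %s -j MASQUERADE\n' "$1" "$2" "$2"
}

# write_lab_host_file DIR: the no-NAT alternative from the reply; the Lab
# server's tinc host file lists both subnets.  DIR would be the hosts/
# directory of the tinc net; the host name "lab" is an assumption.
write_lab_host_file() {
    cat >"$1/lab" <<'EOF'
Subnet = 10.57.137.0/24
Subnet = 192.168.254.0/24
EOF
}

main() {
    for iface in ppp0 c4svpn; do
        if has_masq_rule "$SAMPLE_POSTROUTING" "$iface" 192.168.254.0/24; then
            echo "$iface: 192.168.254.0/24 is masqueraded"
        else
            echo "$iface: no MASQUERADE rule covers 192.168.254.0/24; add:"
            masq_rule_cmd "$iface" 192.168.254.0/24
        fi
    done
}
main "$@"
```

Against the quoted listing this reports ppp0 as covered and c4svpn as not, which is the diagnosis in the reply. On a live box, substitute the real `iptables -t nat -L POSTROUTING -v -n` output for the sample. If Arno's script rewrites the tables when it restarts, a rule appended by hand will not survive and has to go into the script's own configuration instead; and with the no-NAT variant, the extra Subnet line only helps if the tinc servers also have routes to each other's networks, as the reply says.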

