Windows subnets
Andrew Savinykh
andrews at brutsoft.com
Thu Oct 7 03:04:13 CEST 2010
Donald, thank you for this.
Do i read you right that to be able to receive broadcasts across LANs I
have to use the address space that I already have and make sure that
this space is the same for both LANs?
What I'm trying to do is to define a *completely new subnet* that will
act as the common LAN foR both LAN A and LAN B.
To re-iterate:
I have one router that is 10.1.1.1 and gives out DHCP 10.1.1.* and the
other router 192.168.0.1 that gives out DHCP 192.168.0.*.
I would like to leave these address spaces alone and define a new on
10.30.1.* that computer from both networks can participate in
effectively forming a new virtual LAN.
Is this possible with tinc? I know this possible with other software,
I'm just having hard time figuring out if this is something I can
configure tinc to do.
Andrew
On 7/10/2010 1:13 p.m., Donald Pearson wrote:
> Sorry you're right. I was looking at the IP address schema where all
> nodes would use the 10.30.0.0/24 <http://10.30.0.0/24> network.
>
> There's no need to install tap adapters on the other devices. You
> have basically 2 realistic options if you want the LAN function
>
> You can specify multiple IP addresses for a single interface, even in
> Windows. You'll find this under the TCP/IP properties of the network
> adapter. And clicking on the Advanced button on the page where you
> can set a static IP or designate DHCP.
>
> A 2nd option would be to re-ip one of your locations so that they all
> use the same subnet natively.
>
> Bridging the tap adapter allows your network frames received by your
> physical interface to reach the TAP adapter and therefore traverse the
> VPN. This enables later 2 connectivity, the same way a real switch
> does. Virtual Ethernet over the Internet is how I like to describe
> it. This is how I have my VPN configured personally.
>
> Without the bridge, a frame that is received at the physical interface
> has the frame stripped off and the packet inspected. Now we're
> talking layer 3. If the packet is destined for a network on the other
> side of the VPN, your Tinc node frames the packet back up with a new
> frame, and sends it over the VPN. This act of stripping the frame,
> reading the packet for the network destination, and applying a new
> frame to get it there is what Routing is. Without the bridge in
> place, your Tinc node is literally routing between the physical
> interface and the tap interface. With the bridge, you're creating a
> layer 2 pathway so the frames can shoot across directly. Of course
> this means both sides need to be on the same subnet which you
> obviously already know.
>
> Be warned that this configuration comes with it's drawbacks. DHCP
> will traverse your VPN. I had location A computers getting addresses
> from location B which makes for some really inefficient internet traffic.
>
> Regards,
> Donald
> On Wed, Oct 6, 2010 at 7:57 PM, Andrew Savinykh <andrews at brutsoft.com
> <mailto:andrews at brutsoft.com>> wrote:
>
> Donald, thank you for the explanation.
>
> I understand the part about the switch mode and absence of subnet
> in tinc.config.
> However, could you please explain what bridging the tap adapter
> will achieve and what kind of ip address will be used on tinc
> nodes and in the rest of the network.
>
> In my example one household has local network addresses of
> 192.168.1.* and the other has 10.1.1.*
> If we don't install tap interfaces on other PC's this means that
> the other PCs won't have another ip address.
> I understand that bridging is going to solve this somehow, but I
> still don't see how broadcast from 10.1.1.7 can reach 192.168.1.5
> in the other LAN.
>
> In short I don't understand how bridging to adapters work. I'll
> try to google this topic to get a better understanding, meanwhile,
> could you please explain
> how this applies to our tinc configuration case.
>
> Also can you briefly describe what we achieve by setting
> PMTUDiscovery = Yes. I read the description in manual but it
> didn't tell me much.
>
> Thank you again for all your help,
> Andrew
>
>
>
>
> On 7/10/2010 11:40 a.m., Donald Pearson wrote:
>> Oh okay. Yes you can make it appear as a single LAN. Your Tinc
>> nodes will behave as bridges instead of routers (or gateways as
>> you put it).
>>
>> Your tinc nodes will have the same subnet mask and default router
>> as all your other devices at that location.
>>
>> You will need to run the add-tap script only on the tinc nodes on
>> each side.
>>
>> You will then need to bridge the tap adapter to the local area
>> connection on the tinc nodes on each side.
>>
>> This will create a bridge network object under your network
>> connections. This bridge will have the IP configuration you
>> illustrated.
>>
>> You have the right idea in segregating the IP distribution while
>> still using the 255.255.255.0 subnet mask.
>>
>> One both nodes are up and connected, and the interfaces have been
>> bridged on the Tinc nodes for each location, you will have a
>> virtual LAN between the two locations.
>>
>> Your Tinc configuration will be Switch mode. This means no
>> Subnet configurations are required in your tinc.conf
>>
>> Your tinc.conf will be something like
>>
>> Name = NodeA
>> ConnectTo = NodeB
>> Interface = <something>
>> Mode = switch
>> PrivateKeyFile = <path to the rsa_key.priv>
>>
>> Host files will be something like
>> For the host file named "NodeA"
>>
>> Address = <host.dyndns.org <http://host.dyndns.org>>
>> PMTUDiscovery = Yes
>>
>> --Begin RSA etc. etc.--
>>
>>
>> On Wed, Oct 6, 2010 at 6:17 PM, Andrew Savinykh
>> <andrews at brutsoft.com <mailto:andrews at brutsoft.com>> wrote:
>>
>> Donald,
>>
>> thank you, while I still have some questions, your answer is
>> definitely a step in the right direction.
>> In the other reply I was asked what I'm trying to achieve.
>> Let's consider the following scenario (which is quite similar
>> to the one that described in the tinc manual).
>>
>> Let's assume we have two households, each has 3-5 computers
>> in it. Both house holds have similar network configuration:
>> They are connected to internet with an ADSL line and a router.
>> The computers in the local network access internet via the
>> router.
>> The router is configured so that one of the computers have
>> port 665 forwarded to be accessible outside.
>> The external IP is changed rarely and there is dynamic DNS
>> service (external) in use to accommodate for the change of IP
>> when it happens.
>>
>> One household has local network addresses of 192.168.1.* and
>> the other has 10.1.1.*
>> I'm installing tinc on one computer in each household.
>>
>> The goal is to let all computers in both house holds to see
>> each other by ip address. Also it is desired that for
>> computer games purposes
>> all computers appear to be on the same LAN (for broadcasts).
>> But this is not mandatory. (it appears that it's not possible
>> without installing tinc on every PC
>> as every tinc daemon serves a subnet and two tinc daemons
>> can't serve a part of subnet each)
>>
>> All computers run different flavours of Windows, most being
>> Windows 7.
>>
>> I have two ideas how to set this up, although I'm not sure if
>> any of these two works:
>>
>> IDEA1.
>> =====
>> Household A
>> Gateway IP: 10.30.0.1
>> Gateway Mask: 255.255.255.0
>> Gateway Default Gateway: ????
>>
>> Other PCs IP: 10.30.0.2,3,4 etc
>> Other PCs Mask: 255.255.255.0
>> Other PCs Deafult Gateway: 10.30.0.1
>>
>> Tinc Subnet: 10.30.0.0/25 <http://10.30.0.0/25>
>>
>> Household B
>> Gateway IP: 10.30.0.129
>> Gateway Mask: 255.255.255.0
>> Gateway Default Gateway: ????
>>
>> Other PCs IP: 10.30.0.130,131,132 etc
>> Other PCs Mask: 255.255.255.0
>> Other PCs Default Gateway: 10.30.0.129
>>
>> Tinc Subnet: 10.30.0.128/25 <http://10.30.0.128/25>
>>
>>
>> IDEA2.
>> =====
>> Household A
>> Gatway IP: 10.30.0.1
>> Gateway Mask: 255.255.255.0
>> Gateway Default Gateway: ????
>>
>> Other PCs IP: 10.30.0.2-255 etc
>> Other PCs Mask: 255.255.255.0
>> Other PCs Default Gateway: 10.30.0.1
>>
>> Tinc Subnet: 10.30.0.0/24 <http://10.30.0.0/24>
>>
>> Household B
>> Gateway IP: 10.30.1.1
>> Gateway Mask: 255.255.255.0
>> Gateway Default Gateway: ????
>>
>> Other PCs IP: 10.30.1.2-255 etc
>> Other PCs Mask: 255.255.255.0
>> Other PCs Default Gateway: 10.30.0.129
>>
>> Tinc Subnet: 10.30.1.0/24 <http://10.30.1.0/24>
>>
>>
>> So IDEA 1 probably won't work at all. Will it? And with IDEA
>> 2 the pc's won't appear on the same LAN and their broadcasts
>> won't reach each other.
>> As far as I understand I need to install TAP interface on
>> each of the participating windows PCs, correct?
>> What is specified in default gateway of the gateways?
>>
>>
>>
>> Thank you in advance,
>> Andrew
>>
>> On 7/10/2010 4:36 a.m., Donald Pearson wrote:
>>> The PCs that you want to participate need to have a route
>>> for the VPN subnet pointing to their local VPN gateway,
>>> which would be the local device with Tinc installed on it.
>>>
>>> Theoretical configuration example.
>>>
>>> VPN subnet is 10.10.10.0/24 <http://10.10.10.0/24>
>>>
>>> At a location, one computer 192.168.1.254/24
>>> <http://192.168.1.254/24> connects to the VPN and serves as
>>> the VPN gateway. This gateway needs to be configured for
>>> TCP/IP forwarding.
>>>
>>> http://support.microsoft.com/kb/315236 - windows
>>> http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ -
>>> linux
>>>
>>> Other computers local to the gateway need a route to the VPN
>>> network added so they know how to get there.
>>>
>>> In windows. route -p add 10.10.10.0 mask 255.255.255.0
>>> 192.168.1.254
>>> This will add the persistent route that remains after reboot.
>>>
>>> Does that answer your question?
>>>
>>> On Wed, Oct 6, 2010 at 6:41 AM, Andrew Savinykh
>>> <andrews at brutsoft.com <mailto:andrews at brutsoft.com>> wrote:
>>>
>>> Thank you for your reply. As far as I can see there is
>>> no point specifying subnet that consists of more than
>>> one PC in tinc config if you are going to install tinc
>>> on every PC in the subnet anyway. Correct me if I'm wrong.
>>> Now, assuming I'm right, there will be PCs in the subnet
>>> that don't have tinc installed on them. How to configure
>>> these PCs so they are a part of the subnet and
>>> participate in routing?
>>>
>>> Cheers,
>>> Andrew
>>>
>>>
>>> On 6/10/2010 10:13 p.m., Cédric Lemarchand wrote:
>>>> Hi,
>>>>
>>>> I am not sure to understand what you mean with
>>>> "joining" a subnet.
>>>>
>>>> But if your "local computer" need to reach the "remote
>>>> subnet" served by tinc, you can set the local IP of the
>>>> local tinc server as the default gateway, or add a
>>>> route to the remote subnet via the local tinc IP. Of
>>>> course, computer located on the remote subnet need the
>>>> same thing.
>>>>
>>>> Cédric
>>>>
>>>> Le 06/10/10 09:37, Andrew Savinykh a écrit :
>>>>> Hello all,
>>>>>
>>>>> I understand that each tinc daemon corresponds to one
>>>>> or more subnets that it "owns" a subnet can be a
>>>>> single ip or more.
>>>>> Could you please tell me what do I need to do to join
>>>>> a computer in local network (windows) to a subnet
>>>>> served by tinc?
>>>>>
>>>>> Thank you in advance,
>>>>> Andrew
>>>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org <mailto:tinc at tinc-vpn.org>
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20101007/5f6a5952/attachment-0001.htm>
More information about the tinc
mailing list