switch mode, how to give a public IP behind a NAT

Cédric Lemarchand cedric.lemarchand at ixblue.com
Thu Mar 22 15:01:26 CET 2012


On 22/03/12 12:29, Guus Sliepen wrote:
>> Video (V1) <==> Node 1 (N1) <=GATE / NAT=> WWW <=GATE / PUB=> Node 2 (N2)
>>
>> V1 has a fixed public IP in the range of N2, and the IP of GATE as
>> default gateway.
> Hm, but if you want any host on the internet to be able to reach V1, the
> default gateway for V1 should be N2, not GATE.
This is the goal yes.

"N2" and "GATE PUB" are on the same public range, GATE is the default
gateway for this public subnet. As I am trying to extend the Ethernet segment
of this subnet, V1 should have this default gateway too, right?
>
>> N1 has eth0 on the LAN, br0 is a bridge of eth1 (where I want to plug
>> the video device) and the tinc interface.
>> N2 has its public IP on br0, which is a bridge of eth0 and the tinc
>> interface.
> [...]
>> When I try to ping GATE from V1, I can see the ARP request crossing the VPN
>> (on both br0 interfaces), packet capture on GATE shows the ARP reply, but
>> this ARP reply never comes back on the bridge br0 of N2. (N2 is using
>> GATE as default gateway too)
> I think that is normal. The ARP request is a broadcast packet, so you should
> see that on all the interfaces. But the ARP reply is a unicast packet, so it is
> only sent to V1. The bridge on N1 should therefore not forward it to the VPN
> interface, so N2 will never see this ARP reply.
OK, but the thing I don't understand is: even if the ARP reply is
unicast, it should cross the VPN to go back to the machine that requested
it? (I use packet capture in promiscuous mode on the bridge, so I
should see it)
>
> But you seem to be implying that you cannot ping GATE from V1. It would help if
> you could show us the routing tables on V1, N1 and N2, and which IP addresses
> V1 and GATE have.
As I said, V1 is on the same Ethernet segment / same subnet provided by
the VPN, so if I am right, routing cannot be a part of the problem; the
only needed routes are local and default gateway.


-- 
Cédric Lemarchand
System & Network Engineer
iXBlue
52, avenue de l'Europe
78160 Marly le Roi
France
Tel. +33 1 30 08 88 88
Mob. +33 6 37 23 40 93
Fax +33 1 30 08 88 00
www.ixblue.com <http://www.ixblue.com>
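
As an added illustration (not part of the original message and not tinc's own code), the sketch below models the two br0 bridges from the thread as ideal learning bridges and traces which ports the broadcast ARP request and the unicast ARP reply leave from. It assumes the tinc switch-mode link behaves as a plain layer-2 wire, and the MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed MAC addresses; the thread gives none.
V1_MAC, GATE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"

# (bridge, port) -> (neighbour, neighbour's port). Assumption: the tinc
# switch-mode link behaves as a plain layer-2 wire between the two br0 bridges.
LINKS = {
    ("N1", "eth1"): ("V1", None),
    ("N1", "tinc"): ("N2", "tinc"),
    ("N2", "tinc"): ("N1", "tinc"),
    ("N2", "eth0"): ("GATE", None),
}


class Bridge:
    """Ideal learning bridge: learn source MACs, flood unknown/broadcast."""
    def __init__(self, ports):
        self.ports, self.fdb = ports, {}

    def forward(self, in_port, src, dst):
        self.fdb[src] = in_port  # learn where the sender lives
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == in_port else [out]  # known unicast
        return [p for p in self.ports if p != in_port]  # flood


def send(bridges, node, in_port, src, dst, trace=None):
    """Inject a frame into bridge `node` on `in_port`; return the hops taken."""
    trace = [] if trace is None else trace
    for out in bridges[node].forward(in_port, src, dst):
        trace.append(f"{node}:{out}")
        peer, peer_port = LINKS[(node, out)]
        if peer in bridges:
            send(bridges, peer, peer_port, src, dst, trace)
        else:
            trace.append(peer)  # frame delivered to an end host
    return trace


def arp_exchange():
    bridges = {"N1": Bridge(["eth1", "tinc"]), "N2": Bridge(["eth0", "tinc"])}
    request = send(bridges, "N1", "eth1", V1_MAC, BROADCAST)  # V1: who-has GATE
    reply = send(bridges, "N2", "eth0", GATE_MAC, V1_MAC)  # GATE: unicast reply
    return request, reply


if __name__ == "__main__":
    print(*arp_exchange(), sep="\n")
```

Comparing this expected path with captures taken on eth0, br0 and the tinc interface of N2 shows at which hop the reply stops.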