switch mode, how to give a public IP behing a NAT

Donald Pearson donaldwhpearson at gmail.com
Thu Mar 22 19:29:03 CET 2012 

2012/3/22 Cédric Lemarchand <cedric.lemarchand at ixblue.com>

>  Le 22/03/12 17:09, Donald Pearson a écrit :
>
> Cédric.
>
>  When you say GATE, do you mean "GATE/NAT" or "GATE/PUB" ?
>
> 2012/3/22 Cédric Lemarchand <cedric.lemarchand at ixblue.com>
>
>>  Le 22/03/12 12:29, Guus Sliepen a écrit :
>>
>>  Video (V1) <==> Node 1 (N1) <=GATE / NAT=> WWW <=GATE / PUB=> Node 2 (N2)
>>
>> V1 has fixed public IP in the range of N2, and the ip of GATE has
>> default gateway.
>>
>>  Hm, but if you want any host on the internet to be able to reach V1, the
>> default gateway for V1 should be N2, not GATE.
>>
>>  This is the goal yes.
>>
>> "N2" and "GATE PUB" are on the same public range, GATE is the default
>> gateway for this public subnet, as i try to extend the ethernet segment of
>> this subnet, V1 should has this default gateway too, right ?
>>
>
>  I think you mean "gate/pub" here..
>
> Yes.
>
>
>  Only if you want V1 to use gate/pub to reach the internet.  V1 will
> still need it's own "normal" gateway in order for the VPN to be established
> over the internet so you will at least need a /32 route for N2's IP address
> to use V1's "normal" gateway.  Unless you have a very good reason, you will
> also want V1 to continue to use it's normal gateway to reach other nodes on
> the internet.  You probably want V1 to use the VPN only for access to N2's
> subnet.
>
> The VPN is established by N1 via its interface eth0, providing the
> ethernet VPN on its interface eth1 (which is bridged with the tinc
> interface). V1 only "see" the provided ethernet segment by N1, and got is
> interface directly configured with a fixed public IP, and the default
> gateway "GATE PUB" (the provider's gateway for this publix subnet)
>
>
Oh I see, sorry that I missed the detail that N1 owns the Tinc interface.
 So yes the Tinc interface on N1 should be bridged with eth1.  N1's eth1
should have a physical connection to V1, either directly or through a
switch.   If V1 has no other interfaces, and you don't want to multi-home
its interface, and you do want it to be able to route out to the internet;
 Yes it will need to use the IP of gate/pub for its default gateway.

So network configurations should look something like this?

V1:
Eth0 1.0.0.1/24  <-- vpn participating, default route 1.0.0.254 (but not
necessary)

N1:
Eth0 10.10.10.1 <-- default route 10.10.10.254
Br0 1.0.0.2/24  <-- vpn participating
 - eth1
 - tinc

Gate/Nat:
Eth0 10.10.10.254
Eth1 1.2.3.4 (provided by ISP)

------- internet --------

Gate/Pub:
Eth0 1.0.0.254/24

N2:
Br0 1.0.0.3/24 <-- vpn particpating, default route 1.0.0.254
 - eth0
 - tinc


>  So, V1 will have an interface on the same subnet has gate/nat and it's
> default gateway will be gate/nat.  V1 will also have a tinc interface on
> the same subnet as N2.    Now, if you are trying to extend N2's subnet to
> multiple node's at V1's physical location, then you will have a 2nd
> interface on V1, bridged with the tinc interface, and the bridge interface
> (as well as the interfaces of any other nodes in V1's physical location
> that you wanted to participate in the VPN) will have an IP on N2's subnet.
>
> Like i have tried to explain before, the VPN is established by N1, not V1.
> V1 has only one interface with the fixed public IP.
>
>    N1 has eth0 on the lan, br0 is a bridge of eth1 (where i want to plug
>> the video device) and the tinc interface.
>> N2 has is public IP on br0, which is  a bridge of eth0 and the tinc
>> interface.
>>
>>  [...]
>>
>>  When i try to ping GATE from V1, i can see arp request crossing the VPN
>> (on both br0 interfaces), packet capture on GATE show the arp reply, but
>> this arp reply never come back on the bridge br0 of N2. (N2 is using
>> GATE has default gateway too)
>>
>>  I think that is normal. The ARP request is a broadcast packet, so you should
>> see that on all the interfaces. But the ARP reply is a unicast packet, so it is
>> only sent to V1. The bridge on N1 should therefore not forward it to the VPN
>> interface, so N2 will never see this ARP reply.
>>
>>  Ok, but the thing is i dont anderstand is even if the ARP reply is
>> unicast, it should cross the VPN to go back to the machine that request it
>> ? (i use packet capture on promiscuous mode on the bridge, so i should see
>> it)
>>
>
>  Yes you should.
>
> Ok.
>
>
>>  But you seem to be implying that you cannot ping GATE from V1. It would help if
>> you could show is the routing tables on V1, N1 and N2, and which IP addresses
>> V1 and GATE have.
>>
>>  Has i said, V1 is on the same ethernet segment / same subnet provided
>> by the VPN, so if i am right, routing cannot be a part of the problem, the
>> only needed routes are local and default gateway.
>>
>
>  When everything works, yes.  V1 and N2 will "see" each-other as members
> of the same LAN, however we're still doing this over the internet so plenty
> of routing is still involved and needs to be correct. :)
>
>>
>>
>>
>> _______________________________________________
>> tinc mailing listtinc at tinc-vpn.orghttp://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>>
>>
>>  --
>>  Cédric Lemarchand
>> System & Network Engineer
>> iXBlue
>> 52, avenue de l'Europe
>> 78160 Marly le Roi
>> France
>> Tel. +33 1 30 08 88 88 <%2B33%201%2030%2008%2088%2088>
>> Mob. +33 6 37 23 40 93 <%2B33%206%2037%2023%2040%2093>
>> Fax +33 1 30 08 88 00 <%2B33%201%2030%2008%2088%2000>
>> www.ixblue.com
>>
>> _______________________________________________
>> tinc mailing list
>> tinc at tinc-vpn.org
>> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>>
>
>
> _______________________________________________
> tinc mailing listtinc at tinc-vpn.orghttp://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
>
> --
>  Cédric Lemarchand
> System & Network Engineer
> iXBlue
> 52, avenue de l'Europe
> 78160 Marly le Roi
> France
> Tel. +33 1 30 08 88 88
> Mob. +33 6 37 23 40 93
> Fax +33 1 30 08 88 00
> www.ixblue.com
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20120322/678136b2/attachment-0001.html>

More information about the tinc mailing list