switch mode, how to give a public IP behind a NAT

Cédric Lemarchand cedric.lemarchand at ixblue.com
Thu Mar 22 19:53:17 CET 2012


On 22/03/12 19:29, Donald Pearson wrote:
>
>>
>>     Only if you want V1 to use gate/pub to reach the internet.  V1
>>     will still need its own "normal" gateway in order for the VPN to
>>     be established over the internet so you will at least need a /32
>>     route for N2's IP address to use V1's "normal" gateway.  Unless
>>     you have a very good reason, you will also want V1 to continue to
>>     use its normal gateway to reach other nodes on the internet.
>>     You probably want V1 to use the VPN only for access to N2's subnet.
>     The VPN is established by N1 via its interface eth0, providing the
>     ethernet VPN on its interface eth1 (which is bridged with the tinc
>     interface). V1 only "sees" the ethernet segment provided by N1, and
>     has its interface directly configured with a fixed public IP and
>     the default gateway "GATE PUB" (the provider's gateway for this
>     public subnet).
>
>
> Oh I see, sorry that I missed the detail that N1 owns the Tinc
> interface.  So yes the Tinc interface on N1 should be bridged with
> eth1.  N1's eth1 should have a physical connection to V1, either
> directly or through a switch.  If V1 has no other interfaces, and you
> don't want to multi-home its interface, and you do want it to be able
> to route out to the internet, yes it will need to use the IP of
> gate/pub for its default gateway.
>
> So network configurations should look something like this?
>
> V1:
> Eth0 1.0.0.1/24  <-- vpn participating, default
> route 1.0.0.254 (but not necessary)
>
> N1:
> Eth0 10.10.10.1 <-- default route 10.10.10.254
> Br0 1.0.0.2/24  <-- vpn participating
>  - eth1
>  - tinc
>
> Gate/Nat:
> Eth0 10.10.10.254
> Eth1 1.2.3.4 (provided by ISP)
>
> ------- internet --------
>
> Gate/Pub:
> Eth0 1.0.0.254/24
>
> N2:
> Br0 1.0.0.3/24 <-- vpn participating, default route
> 1.0.0.254
>  - eth0
>  - tinc
Yes you got it, and yes V1 is directly connected to N1-eth1.
>
>>
>>     So, V1 will have an interface on the same subnet as gate/nat and
>>     its default gateway will be gate/nat.  V1 will also have a tinc
>>     interface on the same subnet as N2.  Now, if you are trying to
>>     extend N2's subnet to multiple nodes at V1's physical location,
>>     then you will have a 2nd interface on V1, bridged with the tinc
>>     interface, and the bridge interface (as well as the interfaces of
>>     any other nodes in V1's physical location that you wanted to
>>     participate in the VPN) will have an IP on N2's subnet.
>     Like I have tried to explain before, the VPN is established by N1,
>     not V1. V1 has only one interface with the fixed public IP.
>>
>>>>         N1 has eth0 on the LAN, br0 is a bridge of eth1 (where I want to plug
>>>>         the video device) and the tinc interface.
>>>>         N2 has its public IP on br0, which is a bridge of eth0 and the tinc
>>>>         interface.
>>>         [...]
>>>>         When I try to ping GATE from V1, I can see ARP requests crossing the VPN
>>>>         (on both br0 interfaces), packet capture on GATE shows the ARP reply, but
>>>>         this ARP reply never comes back on the bridge br0 of N2. (N2 is using
>>>>         GATE as default gateway too)
>>>         I think that is normal. The ARP request is a broadcast packet, so you should
>>>         see that on all the interfaces. But the ARP reply is a unicast packet, so it is
>>>         only sent to V1. The bridge on N1 should therefore not forward it to the VPN
>>>         interface, so N2 will never see this ARP reply.
>>         Ok, but the thing I don't understand is: even if the ARP
>>         reply is unicast, it should cross the VPN to go back to the
>>         machine that requested it? (I use packet capture in
>>         promiscuous mode on the bridge, so I should see it)
>>
>>
>>     Yes you should.
>     Ok.
>
>>
>>>         But you seem to be implying that you cannot ping GATE from V1. It would help if
>>>         you could show us the routing tables on V1, N1 and N2, and which IP addresses
>>>         V1 and GATE have.
>>         As I said, V1 is on the same ethernet segment / same subnet
>>         provided by the VPN, so if I am right, routing cannot be
>>         part of the problem; the only needed routes are local and
>>         default gateway.
>>
>>
>>     When everything works, yes.  V1 and N2 will "see" each other as
>>     members of the same LAN, however we're still doing this over the
>>     internet so plenty of routing is still involved and needs to be
>>     correct. :)
>>
>>
>>>
>>>
>>>         _______________________________________________
>>>         tinc mailing list
>>>         tinc at tinc-vpn.org <mailto:tinc at tinc-vpn.org>
>>>         http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>>
>>
>>         -- 
>>         Cédric Lemarchand
>>         System & Network Engineer
>>         iXBlue
>>         52, avenue de l'Europe
>>         78160 Marly le Roi
>>         France
>>         Tel. +33 1 30 08 88 88
>>         Mob. +33 6 37 23 40 93
>>         Fax +33 1 30 08 88 00
>>         www.ixblue.com


-- 
Cédric Lemarchand
System & Network Engineer
iXBlue
52, avenue de l'Europe
78160 Marly le Roi
France
Tel. +33 1 30 08 88 88
Mob. +33 6 37 23 40 93
Fax +33 1 30 08 88 00
www.ixblue.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20120322/b6ec2325/attachment-0001.html>
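Added example, not part of the thread and not tinc's own code: a small Python model of the two learning bridges in the topology discussed above (V1 cabled to N1's eth1, N1 br0 and N2 br0 joined by tinc in switch mode, GATE on N2's eth0). It shows why the broadcast ARP request shows up on every port of both bridges while the unicast reply is switched back only along the ports on which each bridge learned V1's MAC, and that an aged-out entry on N2 merely turns the reply into a flooded unknown unicast rather than losing it. Host names and IPs are the ones from the thread; the MAC addresses, and the reduction of the tinc tunnel to a plain layer-2 wire between the two tinc ports, are assumptions of the model.

```python
"""Learning-bridge model of the switch-mode topology from this thread:

    V1 --eth1--[N1 br0]--tinc== internet ==tinc--[N2 br0]--eth0-- GATE

A bridge floods broadcasts and unknown unicasts out of every port except
the ingress port, and sends a known unicast only out of the port on which
the destination MAC was learned.  MAC addresses are constructed; the tinc
tunnel is modelled as a plain layer-2 wire (assumption of this model).
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    """End station with one NIC: V1 (sends the ARP request) or GATE (answers)."""

    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.uplink = None      # (bridge, bridge port) the NIC is cabled to
        self.received = []
        self.outbox = []        # replies are queued so the caller controls timing

    def plug_into(self, bridge, port):
        self.uplink = (bridge, port)
        bridge.ports[port] = (self, None)

    def send(self, frame):
        bridge, port = self.uplink
        bridge.receive(frame, port)

    def receive(self, frame, _in_port=None):
        self.received.append(frame)
        if frame["type"] == "arp-request" and frame["target_ip"] == self.ip:
            # The ARP reply is unicast to the requester's MAC, not broadcast.
            self.outbox.append({"src": self.mac, "dst": frame["src"], "type": "arp-reply",
                                "sender_ip": self.ip, "target_ip": frame["sender_ip"]})

    def flush(self):
        while self.outbox:
            self.send(self.outbox.pop(0))


class Bridge:
    """Linux-style learning bridge: the br0 on N1 and the br0 on N2."""

    def __init__(self, name):
        self.name = name
        self.ports = {}   # port -> (neighbour, port name on the neighbour's side)
        self.fdb = {}     # forwarding database: MAC -> port it was learned on
        self.log = []     # (in_port, out_ports, frame type, decision)

    def receive(self, frame, in_port):
        self.fdb[frame["src"]] = in_port                   # learn the source MAC
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.fdb:
            out, why = [p for p in self.ports if p != in_port], "flood"
        elif self.fdb[dst] == in_port:
            out, why = [], "drop"                          # destination is on the ingress segment
        else:
            out, why = [self.fdb[dst]], "known"            # known unicast: one port only
        self.log.append((in_port, tuple(out), frame["type"], why))
        for p in out:
            neighbour, far_port = self.ports[p]
            neighbour.receive(frame, far_port)


def wire(a, a_port, b, b_port):
    """Point-to-point layer-2 link between two bridge ports (the tinc tunnel)."""
    a.ports[a_port] = (b, b_port)
    b.ports[b_port] = (a, a_port)


def build_topology():
    v1 = Host("V1", "02:00:00:00:00:01", "1.0.0.1")          # constructed MACs
    gate = Host("GATE", "02:00:00:00:00:fe", "1.0.0.254")
    n1, n2 = Bridge("N1-br0"), Bridge("N2-br0")
    v1.plug_into(n1, "eth1")        # V1 is cabled directly to N1's eth1
    wire(n1, "tinc", n2, "tinc")    # N1 br0 <-> N2 br0 over tinc
    gate.plug_into(n2, "eth0")      # GATE sits on N2's local segment
    return v1, gate, n1, n2


def ping_gate_arp(forget_v1_on_n2=False):
    """V1 ARPs for GATE.  Returns (N1 br0 log, N2 br0 log, reply reached V1).

    forget_v1_on_n2=True clears V1's entry from N2's FDB between request and
    reply (as if it had aged out): the unicast reply is then unknown at N2
    and is flooded instead of switched, but it still reaches V1."""
    v1, gate, n1, n2 = build_topology()
    v1.send({"src": v1.mac, "dst": BROADCAST, "type": "arp-request",
             "sender_ip": v1.ip, "target_ip": gate.ip})
    if forget_v1_on_n2:
        n2.fdb.pop(v1.mac, None)
    gate.flush()
    replied = any(f["type"] == "arp-reply" and f["src"] == gate.mac for f in v1.received)
    return n1.log, n2.log, replied


if __name__ == "__main__":
    for name, log in zip(("N1 br0", "N2 br0"), ping_gate_arp()[:2]):
        for in_port, out, kind, why in log:
            print(f"{name}: {kind:11} in {in_port:4} -> {list(out)} ({why})")
```

Running the file prints each bridge's forwarding decision per frame. In this model the unicast reply always reaches N2's tinc port, switched when V1's MAC is in N2's FDB and flooded when it is not, so the unicast nature of the reply on its own does not explain a reply that is seen on GATE but never on N2's br0; the thing to check is whether the frame actually arrives on N2's eth0 and is handed to br0 at all.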

