bridging tinc router mode network and switch mode network

pjv pjv at pjv.me
Fri Jun 5 16:06:25 CEST 2015


Some further data now. I put tcpdump on Router C and the pings that are being sent from my laptop attached to A are hitting C. The replies are just not going back and I am guessing the problem is in the layer 3 routing on C.

I think I need a rule to tell C to route packets for the 192.168.0.0/16 network through the tinc switch-mode bridge via Router B (at 192.168.15.1).

> On Jun 5, 2015, at 6:20 AM, pjv <pjv at pjv.me> wrote:
> 
>> 
>> On Jun 4, 2015, at 5:52 PM, Etienne Dechamps <etienne at edechamps.fr> wrote:
>> 
>> Are you sure B is correctly configured to forward packets at the layer
>> 3 level between the interface of the "router" tinc and the interface
>> of the "switch" tinc? (iptables, etc.)
>> 
> 
> No, I am not sure about this and I think this is what I don’t understand properly (and where I am missing something in my config). For me conceptually, I expect the link with Router C (switch) to be the same thing as if I plugged router C into a LAN port on router B with an ethernet cable. Can you tell me what kind of iptables rules I would need to forward packets back and forth between these two interfaces?
> 
>> On router B, are you sure the node file for B on the "router" tinc is
>> configured to announce the entire 192.168.15.0/24 subnet (i.e. Subnet
>> = 192.168.15.0/24)? Otherwise B won't get the packets destined for C
>> on the "router mode" tinc network.
>> 
> 
> Yes, I am pretty sure about this. I have that Subnet line in the router-mode tinc config and I can reach every device that is directly connected to B from devices that are directly connected to A.
> 
>> If you run tcpdump (or any other sniffer) on B's "router" tinc
>> interface while you're doing your tests, what do you see? Same
>> question for the interface of the "switch" tinc. It should make it
>> easier to see where the packets are getting lost.
>> 
> 
> Here’s some tcpdump output. Never used it before so I don’t know if I am looking at the right thing… I set up tcpdump in two sessions to simultaneously look at the router-mode interface and the switch-mode interface for packets destined for the LAN-side IP address of C. Then I pinged that IP address from a host on A. Here is the output:
> 
> tcpdump -n -i router-mode host 192.168.15.101
> 06:05:54.444595 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
> 06:05:55.448664 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
> 06:05:56.456557 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 7, length 64
> 
> tcpdump -n -i switch-mode host 192.168.15.101
> 06:05:54.444753 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 5, length 64
> 06:05:55.448801 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 6, length 64
> 06:05:56.456694 IP 192.168.5.100 > 192.168.15.101: ICMP echo request, id 54821, seq 7, length 64
> 06:05:59.424665 ARP, Request who-has 192.168.15.101 tell 192.168.15.1, length 28
> 06:05:59.426907 ARP, Reply 192.168.15.101 is-at xx:xx:xx:xx:xx:xx, length 28
> 06:06:01.704496 ARP, Request who-has 192.168.15.101 tell 192.168.15.116, length 46
> 06:06:02.393069 ARP, Request who-has 192.168.15.101 tell 192.168.15.211, length 46
> 
> (I xx’d out the MAC address which was proper in the output). Are those ARP requests significant?
> 
> The host that was pinging (my laptop) got no reply, though if I instead ping hosts directly connected to B, it works fine.
> 
>> On 4 June 2015 at 20:53, pjv <pjv at pjv.me> wrote:
>>> I am running tinc v. 1.1pre (truly as I read somewhere, “one of the internet’s best kept secrets”) on some consumer home routers flashed with tomato firmware. I have a whole network of these, but for the purposes of this question I will focus on just three.
>>> 
>>> Router A (subnet 192.168.5.0/24) is connected via a standard tinc “router” mode network with Router B (subnet 192.168.15.0/24).
>>> 
>>> Router B, in addition to its connection with Router A in “router” mode, is also connected to Router C via a “switch” mode tinc network. Router C’s IP address is 192.168.15.101. The switch mode network is using a separate device in tap mode and is configured manually on a different port from the “router” mode network.
>>> 
>>> Routers A & B can mutually ping each other and I also have iptables forwarding rules so that any devices connected to them can ping each other across the tinc mesh as well.
>>> 
>>> Routers B & C can mutually ping each other and all broadcast traffic from each side of the bridge passes over (i.e. one can see windows network shares on devices connected to router C from devices connected to router B).
>>> 
>>> The problem is that Router A and Router C cannot see each other (nor any of their connected hosts see the other’s connected hosts). I would have expected that since the switch-mode network is functioning at layer 2 that Router C would be visible to Router A (or any hosts connected to Router A) on the router-mode network just like all the hosts that are directly connected to Router B. What am I missing?
>>> 
> 
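An added example, not code from the thread or from tinc, that models the return-route problem pjv describes: a longest-prefix-match lookup over a constructed routing table for Router C shows the echo reply to 192.168.5.100 leaving via the default route before the fix and via Router B (192.168.15.1) over the bridged tap after it. Interface names (br0, wan0) and the upstream gateway address are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for Router C (interface names and the upstream
# gateway address are assumptions, not values from the thread). The tinc tap
# is bridged into C's LAN bridge, so 192.168.15.0/24 is directly connected.
ROUTER_C_BEFORE = [
    ("192.168.15.0/24", None, "br0"),        # connected: LAN + tinc switch-mode tap
    ("0.0.0.0/0", "203.0.113.1", "wan0"),    # default route out the WAN side
]


def lookup(table, dst):
    """Return (next_hop, iface) for dst by longest-prefix match, as the kernel
    FIB does. next_hop is None for a directly connected destination."""
    dst = ip_address(dst)
    best = None
    for prefix, via, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def add_route(table, prefix, via, iface):
    """Return a new table with a static route appended. The gateway must be
    reachable over a connected route on the same interface; the kernel
    rejects a route whose next hop it cannot resolve."""
    gw_via, gw_iface = lookup(table, via)
    if gw_via is not None or gw_iface != iface:
        raise ValueError(f"gateway {via} is not directly connected on {iface}")
    return table + [(prefix, via, iface)]


def ip_route_cmd(prefix, via, iface):
    """The equivalent iproute2 command for a static route."""
    return f"ip route add {prefix} via {via} dev {iface}"


# The fix pjv proposes: send everything in 192.168.0.0/16 that is not on C's
# own LAN back to Router B's LAN address over the bridged tap. The connected
# /24 still wins for local hosts because it is the longer prefix.
ROUTER_C_AFTER = add_route(ROUTER_C_BEFORE, "192.168.0.0/16", "192.168.15.1", "br0")

if __name__ == "__main__":
    for label, table in (("before", ROUTER_C_BEFORE), ("after", ROUTER_C_AFTER)):
        print(label, "reply to 192.168.5.100 goes via", lookup(table, "192.168.5.100"))
    print(ip_route_cmd("192.168.0.0/16", "192.168.15.1", "br0"))
```

The mirror question Etienne raises for Router B (layer-3 forwarding between the router-mode and switch-mode tinc interfaces) is not modelled here.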

