Can't Route LAN Traffic Behind Tinc Network
Kismet Agbasi
kagbasi at centraltruck.net
Thu Oct 6 15:48:54 CEST 2016
Keith,
Thanks for the reply and the pointers.
> Did you remember to activate kernel ip forwarding?
> i.e. echo 1 > /proc/sys/net/ipv4/ip_forward ?
I actually forgot to do this, but I have enabled it now in /etc/sysctl.conf and can confirm now after a reboot that it's enabled. Unfortunately, I still can't ping the node on the LAN.
> and when I saw that I was about to cancel my reply, but.. maybe I can get you to confirm what you mean by INSIDE node?
> Do you mean the node on the LAN that runs tinc, or a node that does not run tinc?
What I meant by INSIDE node is that this is the node running tinc; it sits on my LAN and it's the one all the other nodes connect to. To expound further, this box has two interfaces - eth0 (WAN) and eth1 (LAN). Its LAN IP is 172.23.6.149 and its tinc IP is 10.9.0.1. As you can see from the results below, I can ping it from my workstation on the LAN as well as from one of the external tinc nodes (residing in a VM in the cloud). Finally, MTR also confirms that the ping packet is indeed reaching the tinc node on my LAN. So all seems to be pointing to a routing issue on that LAN node, but I can't seem to figure it out. Probably something really simple, but it's not jumping out at me...lol.
***************************************************************
C:\Users\kagbasi>ping -t 172.23.6.149
Pinging 172.23.6.149 with 32 bytes of data:
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64
Reply from 172.23.6.149: bytes=32 time<1ms TTL=64
Ping statistics for 172.23.6.149:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
root at web1:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.
64 bytes from 10.9.0.1: icmp_seq=1 ttl=64 time=17.1 ms
64 bytes from 10.9.0.1: icmp_seq=2 ttl=64 time=16.5 ms
64 bytes from 10.9.0.1: icmp_seq=3 ttl=64 time=17.2 ms
^C
--- 10.9.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 16.530/16.978/17.207/0.351 ms
My traceroute [v0.85]
web1 (0.0.0.0) Thu Oct 6 09:36:52 2016
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.9.0.1 0.0% 25 16.4 17.6 15.8 35.5 3.9
2. ???
**************************************************************************
This is the kernel routing table for the INSIDE node. One thing, however, that piques my attention is that the entry for the 172.23.6.0/24 subnet shows * as the gateway, which I'm thinking means it's using the default gateway, but I could be wrong. If it is, then it means the packets are being routed out the wrong interface:
root at ubuntu2:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 50-242-184-134- 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 * 255.255.255.0 U 0 0 0 tinc0
50.242.184.128 * 255.255.255.248 U 0 0 0 eth0
172.23.6.0 * 255.255.255.0 U 0 0 0 eth1
172.23.7.0 172.23.6.1 255.255.255.0 UG 0 0 0 eth1
207.187.53.0 172.23.6.1 255.255.255.0 UG 0 0 0 eth1
Very Respectfully,
Kismet Agbasi
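An added example, my own and not code from the thread or from the tinc project: it parses the INSIDE node's routing table exactly as pasted above and performs the same longest-prefix lookup the kernel does, so you can see which interface and next hop a given destination gets. In `route` output a `*` gateway means the network is directly attached to that interface (no next hop at all; `route -n` prints it as 0.0.0.0), so the 172.23.6.0/24 row sends LAN traffic straight out eth1. The table is embedded as a constructed string, so nothing touches the network.

```python
import ipaddress

# Routing table of the INSIDE node as pasted above, constructed here as an
# inline string; the default-route gateway is the truncated hostname exactly
# as `route` printed it, so it is kept as an opaque label.
ROUTE_TABLE = """\
default 50-242-184-134- 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 * 255.255.255.0 U 0 0 0 tinc0
50.242.184.128 * 255.255.255.248 U 0 0 0 eth0
172.23.6.0 * 255.255.255.0 U 0 0 0 eth1
172.23.7.0 172.23.6.1 255.255.255.0 UG 0 0 0 eth1
207.187.53.0 172.23.6.1 255.255.255.0 UG 0 0 0 eth1
"""


def parse_routes(text):
    """Rows of `route` output -> (network, gateway, metric, iface).
    A '*' gateway means the network is directly attached to the interface
    (no next hop); `route -n` prints the same thing as 0.0.0.0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        net = ipaddress.ip_network(
            f"{'0.0.0.0' if dest == 'default' else dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, int(metric), iface))
    return routes


def lookup(dst, text=ROUTE_TABLE):
    """Longest-prefix match (lowest metric on ties), as the kernel does.
    Returns (iface, gateway); gateway is None for a directly attached net."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in parse_routes(text) if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, gw, _metric, iface = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, gw


def needs_forwarding(src, dst, text=ROUTE_TABLE):
    """True when a packet from src to dst enters on one interface and leaves on
    another: the node is routing it and needs ip_forward=1 plus a FORWARD
    firewall rule that permits it (the two items Keith's reply asks about)."""
    return lookup(src, text)[0] != lookup(dst, text)[0]
```

`lookup` does not model addresses owned by the node itself, so a packet for 172.23.6.149 is reported as leaving eth1 rather than being delivered locally.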
-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Keith
Sent: Thursday, October 6, 2016 8:35 AM
To: tinc at tinc-vpn.org
Subject: Re: Can't Route LAN Traffic Behind Tinc Network
On 05/10/2016 16:13, Kismet Agbasi wrote:
> I have a 4 Node Tinc VPN setup with 2 nodes on my LAN and the other 2
> outside the LAN in the cloud. Everything has been working great for
> about 5 years now, until today when I decided to move one of the nodes
> to another box.
Hi Kismet,
Just thought I'd jump in here as I do a lot of this kind of thing, and in case you haven't got a solution yet, I'd like to verify a couple of simple things before you go down any of the wrong rabbit-holes. :)
> I basically, copied over the /etc/tinc folder to the new server and
> also moved the /etc/network/interfaces file, so that the new server
> was an exact mirror (more or less).
Fine, but yes, there are a number of things missing to qualify as an exact mirror.
>
>
> But I think I may have forgotten something because while all my nodes
> can ping each other using the VPN IPs (i.e., 10.9.0.x), I can't seem
> to ping my LAN (i.e., 172.23.6.x) from any of the external nodes.
> At this point I'm unsure of which information to provide in order to
> elicit some assistance,
The two other key pieces of information that were missing about your new server are the firewall rules and kernel forwarding.
Did you remember to activate kernel ip forwarding?
i.e. echo 1 > /proc/sys/net/ipv4/ip_forward ?
Now, I note that in a later post you have said:
> I was able to confirm that the packets are indeed reaching the INSIDE
> node
and when I saw that I was about to cancel my reply, but.. maybe I can get you to confirm what you mean by INSIDE node?
Do you mean the node on the LAN that runs tinc, or a node that does not run tinc?
k/
_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc