How to block a tinc node from advertising its neighbor/edge/subnet info to another node?
Bright Zhao
startryst at gmail.com
Wed Jul 26 04:43:21 CEST 2017
Hi, Raul
Thank you.
In addition, there’s another piece of information I didn’t mention earlier: B has the default route to the Internet, and B will advertise this default route to both A and C, so that A and C can go to the Internet through B, but A and C wouldn’t have each other’s route accordingly. You can think of A and C as sharing the same Internet gateway, but they wouldn’t know each other.
Assuming A and C wouldn't add routes to each other using B as gateway, no additional firewall configuration on B is required, right?
> On 26 Jul 2017, at 10:26 AM, Raul Dias <raul at dias.com.br> wrote:
>
>
>
> On 7/25/17 10:51 PM, Bright Zhao wrote:
>> I can think of running two tinc networks, which are two processes. Other than this, is there any easier way to make it one network, but where B doesn’t advertise the info from one side to the other side?
> Yep, create a different network ( /etc/tinc/network2 ) and make it
> listen (if listening) on a different port.
>
> A <---------------> B <-----------> C
> 10.1.2.X/24 | 10.1.2.X/24
> | 10.2.2.X/24 | 10.2.2.X/24
>
> So each tinc daemon with a /16 is fine.
> No way for A <--> C, unless, A and C know about each other and add
> routes using B as gateway.
>
> So B explicitly needs to firewall this situation if necessary.
>
>
> -rsd
>
>
>
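Raul's point that B has to firewall A <--> C explicitly, as an added example that is not part of the original thread: one function emits a FORWARD ruleset for B in `iptables-save` format, and a second audits any such ruleset for a path between the two tinc interfaces. The interface names `tinc_a`, `tinc_c` and `eth0` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: tinc_a / tinc_c are the tun devices of B's two
# tinc daemons, eth0 is B's Internet uplink. Review before loading on a real host.

# Emit B's FORWARD chain: $1 = interface facing A, $2 = facing C, $3 = uplink.
b_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $1 -o $2 -j DROP
-A FORWARD -i $2 -o $1 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $1 -o $3 -j ACCEPT
-A FORWARD -i $2 -o $3 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save output on stdin; succeed only if traffic entering on $1
# and leaving on $2 reaches an unconditional DROP before any rule that could
# ACCEPT it. Conservative: an ACCEPT whose -i/-o do not exclude the pair counts
# as a hole even if it carries extra match options.
forward_blocked() {
    awk -v in_if="$1" -v out_if="$2" '
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / {
            i = ""; o = ""; target = ""; extra = 0
            for (n = 3; n <= NF; n++) {
                if ($n == "-i") i = $(++n)
                else if ($n == "-o") o = $(++n)
                else if ($n == "-j") target = $(++n)
                else extra = 1
            }
            # Rule names a different interface: it cannot match this path.
            if ((i != "" && i != in_if) || (o != "" && o != out_if)) next
            if (target == "ACCEPT") { verdict = "open"; exit }
            if (target == "DROP" && !extra) { verdict = "blocked"; exit }
        }
        END {
            # No rule decided: the chain policy does (missing policy = open).
            if (verdict == "") verdict = (policy == "DROP") ? "blocked" : "open"
            exit (verdict == "blocked") ? 0 : 1
        }'
}

# Constructed check: the generated ruleset isolates A from C.
b_forward_rules tinc_a tinc_c eth0 | forward_blocked tinc_a tinc_c && echo "A -> C blocked"
```

On B the same audit can be fed the live ruleset, for example `iptables-save -t filter | forward_blocked tinc_a tinc_c`.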