<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Le 22/03/12 12:29, Guus Sliepen a écrit :
<blockquote cite="mid:20120322112944.GY30850@sliepen.org"
type="cite">
<blockquote type="cite">
<pre wrap="">Video (V1) <==> Node 1 (N1) <=GATE / NAT=> WWW <=GATE / PUB=> Node 2 (N2)
V1 has fixed public IP in the range of N2, and the ip of GATE has
default gateway.
</pre>
</blockquote>
<pre wrap="">
Hm, but if you want any host on the internet to be able to reach V1, the
default gateway for V1 should be N2, not GATE.</pre>
</blockquote>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
This is the goal yes.<br>
<br>
"N2" and "GATE PUB" are on the same public range, GATE is the
default gateway for this public subnet, as i try to extend the
ethernet segment of this subnet, V1 should has this default gateway
too, right ?
<blockquote cite="mid:20120322112944.GY30850@sliepen.org"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">N1 has eth0 on the lan, br0 is a bridge of eth1 (where i want to plug
the video device) and the tinc interface.
N2 has is public IP on br0, which is a bridge of eth0 and the tinc
interface.
</pre>
</blockquote>
<pre wrap="">[...]
</pre>
<blockquote type="cite">
<pre wrap="">When i try to ping GATE from V1, i can see arp request crossing the VPN
(on both br0 interfaces), packet capture on GATE show the arp reply, but
this arp reply never come back on the bridge br0 of N2. (N2 is using
GATE has default gateway too)
</pre>
</blockquote>
<pre wrap="">
I think that is normal. The ARP request is a broadcast packet, so you should
see that on all the interfaces. But the ARP reply is a unicast packet, so it is
only sent to V1. The bridge on N1 should therefore not forward it to the VPN
interface, so N2 will never see this ARP reply.</pre>
</blockquote>
Ok, but the thing is dont anderstand is even if the ARP reply is
unicast, it should cross the VPN to go back to the machine that
request it ? (i use packet capture on promiscuous mode on the
bridge, so i should see it)<br>
<blockquote cite="mid:20120322112944.GY30850@sliepen.org"
type="cite">
<pre wrap="">
But you seem to be implying that you cannot ping GATE from V1. It would help if
you could show is the routing tables on V1, N1 and N2, and which IP addresses
V1 and GATE have.</pre>
</blockquote>
Has i said, V1 is on the same ethernet segment / same subnet
provided by the VPN, so if i am right, routing cannot be a part of
the problem, the only needed routes are local and default gateway.<br>
<blockquote cite="mid:20120322112944.GY30850@sliepen.org"
type="cite">
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
tinc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a>
<a class="moz-txt-link-freetext" href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<div style="font:bold 13px Arial;color:#003F80;margin-top:10px;">
<div>Cédric Lemarchand</div>
<div style="font-weight:normal;color:#7E7C83;">System &
Network Engineer</div>
<div style="margin-top:12px;">iXBlue</div>
<div style="font-weight:normal;font-size:10px;color:#7E7C83">52,
avenue de l'Europe<br>
78160 Marly le Roi<br>
France</div>
<div style="font-weight:normal;font-size:12px;margin:12px 0 12px
0;">Tel. +33 1 30 08 88 88<br>
Mob. +33 6 37 23 40 93<br>
Fax +33 1 30 08 88 00</div>
<div style="margin-bottom:20px;"><a href="http://www.ixblue.com"
style="font:normal 12px Arial;color:#003F80;">www.ixblue.com</a></div>
</div>
</div>
</body>
</html>