FW: Help with 'switch' mode

Brian Costello bc at preventsys.com
Mon Aug 25 10:57:36 CEST 2003


Guus:

Thank you for your explanation!  My confusion was based on my
misunderstanding of the tun/tap device - I thought it was exactly like a
pcap device, and therefore should've "just worked" in that mode.  So,
once you explained how the tun/tap device actually worked, the use of
bridges immediately made sense.  I was then able to set up bridges on my
single interface linux workstation and, after turning on IP forwarding,
I was able to use my phone as if I was plugged directly into my switch
at work.  Yay - tinc comes through again!!  :)  Thank you and the rest
of your development team for creating such a fantastic & flexible piece
of software!  If I'd tried this with IPSEC, I'd have gone insane a long
time ago :)

I have some free cycles coming up, and if you would like, I would be
happy to write up some documentation on how I got the switch mode up &
running (in English only, I'm afraid).  When trying to find other
documentation on my switch mode woes, I didn't see too many other
mentions of switch mode, but I feel it might be a useful nugget of
information nonetheless.

Thank you again for your help,

Brian

On Sun, Aug 24, 2003 at 03:40:07PM -0700, Brian Costello wrote:

> I checked the documentation on 
> http://tinc.nl.linux.org/examples/bridging and from that example, it 
> appears to be a Linux system using 802.1d bridging.  However, I don't 
> see any place in the documentation that tells you how to set that up 
> under Linux (or any other OS for that matter) - there appears to be 
> just that one page that gives any information about the switch setup.

> If I ignored a document, could you please point it out to me?  
> Otherwise, I have a few questions:

There are no ignored documents.

> 1) Is the bridge device necessary - it was my understanding that the 
> tap device was able to "see" frames like a pcap device, so I'd THINK 
> it would be possible to perform the actions of a switch without the 
> bridge device - that is, grab & forward ARP requests & replies between 
> networks, use that information to build a MAC table & use the MAC 
> table to determine when to transmit traffic over the VPN.

The tap device doesn't work like a pcap device. It doesn't capture
packets from other network devices, it is a network device in itself.
You can think of it as an extra Ethernet card in your computer, except
that there is no UTP cable sticking out but tinc will handle all the
packets it sends/receives.

You don't have to use a bridge device, but then only traffic originating
from the computers running tinc will go via the VPN. If you have a real
Ethernet card in your computer and you want the LAN attached to it to be
able to access the VPN, then you have to use the bridge to make a
"connection" between the real Ethernet interface and the virtual
Ethernet interface.

> 2) If the bridge device IS necessary, is an extra interface with no IP
> address assigned to it necessary?  By extra I mean do you need more 
> than one interface on both bridge endpoints, and do both the interface
> This appears to be the case in the bridging example.

If you need to bridge, you always have two or more interfaces, all of
which should have their IP addresses removed. Only the bridge interface
will have an IP address.

> 3) Of course this whole project relies on whether or not tinc's switch
> mode can even do what I require - I assume it can properly pass 
> packets from one network to another with their MAC addresses intact 
> (like a switch) :)

Yes :)

> Here's the information on the two current networks:
[...]

Looks ok.


> From what the bridging doc says, it would seem like I should set eth0 
> on both tinc boxes to 0.0.0.0 and set the bridge running on each to 
> the 10.3.x.1 IPs.  Would I also set the tinc-created tun/tap virtual 
> interface to 0.0.0.0 as well?

Yes.

> Any hints, pointers to more in-depth resources (if the bridging 
> document isn't the most representative of all of the available 
> options).

If it doesn't work the first time, just try out different things to get
a feeling for it.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
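The setup Guus describes (real NIC and tinc's tap both stripped of their addresses, only the bridge holding one, the tap treated as just another Ethernet card) written out as a tinc-up script for Linux. This is an added example, not tinc's own script and not the one Brian wrote; it uses today's iproute2 commands rather than the brctl/ifconfig of 2003, and the names br0, eth0, the bridge address 10.3.1.1/24 and the tap name vpn0 (used only when the script is run by hand) are assumptions, not taken from the thread. tincd sets $INTERFACE to the tap device when it runs tinc-up; the script uses that to tell the two cases apart.

```sh
#!/bin/sh
# tinc-up for tinc's switch mode on Linux.  Added example, not tinc's own
# script.  tincd runs tinc-up with $INTERFACE set to the tap device it
# created; with "Mode = switch" in tinc.conf that device carries whole
# Ethernet frames, so it is enslaved to a bridge together with the real
# NIC, exactly like a second network card.
#
# Assumed names (not from the thread): bridge br0, LAN NIC eth0, bridge
# address 10.3.1.1/24 (the other endpoint would use 10.3.2.1/24), and the
# tap name vpn0 when the script is run by hand instead of by tincd.
set -eu

BRIDGE="${BRIDGE:-br0}"
LAN_IF="${LAN_IF:-eth0}"
BRIDGE_ADDR="${BRIDGE_ADDR:-10.3.1.1/24}"
GATEWAY="${GATEWAY:-}"       # default router, if this box needs one

# bridge_plan BRIDGE LAN_IF TAP_IF ADDR [GATEWAY]
# Print, one per line, the iproute2 commands that build the bridge.  Both
# ports (the real NIC and tinc's tap) have their addresses flushed; only
# the bridge gets one.  On a single-NIC host, flushing eth0 also drops
# the default route, so address and route are reinstated on br0 in the
# same run.
bridge_plan() {
    br=$1 lan=$2 tap=$3 addr=$4 gw=${5:-}
    cat <<EOF
ip link show dev $br >/dev/null 2>&1 || ip link add name $br type bridge
ip addr flush dev $lan
ip addr flush dev $tap
ip link set dev $lan master $br
ip link set dev $tap master $br
ip link set dev $lan up
ip link set dev $tap up
ip addr add $addr dev $br
ip link set dev $br up
EOF
    if [ -n "$gw" ]; then
        echo "ip route replace default via $gw dev $br"
    fi
}

# bridge_down_plan BRIDGE LAN_IF ADDR
# Commands for tinc-down: detach the NIC, delete the bridge and hand the
# address back to the NIC so the box stays reachable.
bridge_down_plan() {
    br=$1 lan=$2 addr=$3
    cat <<EOF
ip link set dev $lan nomaster
ip link del dev $br
ip addr add $addr dev $lan
EOF
}

# ports_with_addr BRIDGE
# List bridge ports that still carry an IPv4 address (should print
# nothing): an address left on a port means that host talks past the
# bridge instead of through it.
ports_with_addr() {
    for p in $(ip -o link show master "$1" | awk -F': ' '{print $2}'); do
        ip -4 -o addr show dev "$p" | awk -v p="$p" '{print p, $4}'
    done
}

if [ -n "${INTERFACE:-}" ]; then
    # Called by tincd: apply the plan, then report any misconfigured port.
    bridge_plan "$BRIDGE" "$LAN_IF" "$INTERFACE" "$BRIDGE_ADDR" "$GATEWAY" | sh -e
    ports_with_addr "$BRIDGE"
else
    # Run by hand (no $INTERFACE): show the plan for the assumed tap vpn0.
    echo "INTERFACE not set, so not running under tincd; plan only:" >&2
    bridge_plan "$BRIDGE" "$LAN_IF" vpn0 "$BRIDGE_ADDR" "$GATEWAY"
fi
```

Two things worth knowing before running this on a box you are logged into remotely: flushing eth0 drops its address and default route, so the address (and GATEWAY, if the host has one) must land on br0 in the same script, which is why the plan is executed as one `sh -e` run. And IP forwarding, which Brian turned on, is a layer-3 setting; the bridge forwards frames without it, so it is only needed when the box also routes between the bridged LAN and other subnets. Because switch mode carries whole Ethernet frames, the two LANs become one broadcast domain: every ARP request and broadcast crosses the tunnel, and any host on either side can reach any host on the other.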
