help with routing and multiple subnets

Patrick E. Bennett, Jr. patrick at pebcomputing.com
Sun Apr 4 21:49:01 CEST 2010


Guus, thanks so much for your help.  Responses inline....

On 4/4/2010 6:04 AM, Guus Sliepen wrote:
> On Sat, Apr 03, 2010 at 05:18:27PM -0700, Patrick E. Bennett, Jr. wrote:
>
> [...]
>    
>> The Lab Server tincd is connecting to the Central Tinc Server and is
>> able to ping/telnet/ssh etc to any client on 10.57.132.0/24.
>> The Lab server is doing NAT for the 192.168.254 subnet (doesn't seem
>> to matter if NAT is enabled for only 192.168.254.0 or for both it
>> and 10.57.132.0).  Internet access for the lab clients through the
>> NAT is working.
>>      
> Can you show us the output of these commands on the Lab Server:
>
> iptables -L -vxn
> iptables -t nat -L -vxn
>    
See attached.

>    
>> The Lab clients are receiving ip addresses in the 192.168.254.0/24
>> subnet (which can't be changed)
>> The Lab clients can ping the Lab Server Tinc ip address (ie. 10.57.137.1).
>> The Lab clients /cannot/ ping or otherwise reach the server or
>> clients on the other side of the vpn (10.57.132.1,2,3,etc)
>>      
> It seems either masquerading is not done for packets going to the VPN, or some
> firewall rule is blocking them. The routes seem fine.
>    
I'm using Arno's iptables firewall script; perhaps it does something 
behind the scenes that needs to be tweaked out.  As I mentioned, I tried 
setting it to masq 10.57.137.0 and to not masq it and neither allowed 
the Lab clients to access the central vpn hosts.  Hopefully the iptables 
output will shed some light on this.

>    
>> I have tried:
>>
>>     * from the central tinc vpn setting "route add -net 192.168.254.0
>>       netmask 255.255.255.0 gw 10.57.137.1" and/or "route add -net
>>       192.168.254.0 netmask 255.255.255.0 dev c4svpn".  Neither seemed
>>       to help - ping to 192.168.254.1 yields "Destination Net Unknown".
>>      
> If you want the central VPN to connect to Lab clients, you should add "Subnet =
> 192.168.254.0/24" to the host config file of the Lab server, otherwise tinc
> doesn't know to which node to send those packets. But, since you want
> masquerading, you shouldn't try this at all.
>    
You can add "Subnet = 192.168.254.0/24" to the tinc hosts file of the 
Lab server even though the VPN is running over the 10.57.0.0 subnet!?!?  
Would this be instead of using 10.57.137.0/24 or in addition to it??  
Either way, I didn't think that was possible!

If the Lab VPN remains dual homed, 192.168.254.0/24 for all non-tinc 
traffic and 10.57.0.0 for all tinc traffic, for my purposes it does not 
matter whether 10.57.137.0/24 is masq'd or not (I think, anyway).

Thanks Guus!
Patrick

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iptLvxn.txt
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20100404/ff68b82b/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iptNatLvxn.txt
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20100404/ff68b82b/attachment-0003.txt>
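Added example (not tinc's code and not something either poster attached): a small model of the Subnet ownership rule Guus is describing, so it is easier to see why "route add" on the central node does not help by itself and what masquerading on the Lab server changes. tincd only forwards a packet to a node that has declared a Subnet containing the destination, and picks the most specific match; anything nobody claims is dropped. The node names "central" and "lab", the client address 192.168.254.10 and the one-function NAT stand-in for the MASQUERADE rule are assumptions made for the example; the subnets, the Lab server's tinc address 10.57.137.1 and the interface name c4svpn come from the thread.

```python
"""Model of tinc's Subnet-based forwarding, written to illustrate the
advice in the thread.  Added example code, not tinc's source.

Rule modelled: a packet goes to the node whose most specific declared
Subnet contains the destination; if no node claims the destination,
tinc drops the packet.  A second function stands in for an iptables
MASQUERADE rule on the Lab server's VPN interface (c4svpn)."""

import ipaddress

# Constructed host configs: node name -> "Subnet =" values.  Before the
# suggested change, the lab node only claims its tinc address range.
HOSTS_BEFORE = {
    "central": ["10.57.132.0/24"],
    "lab":     ["10.57.137.0/24"],
}
# After adding "Subnet = 192.168.254.0/24" to the Lab server's host file.
HOSTS_AFTER = {
    "central": ["10.57.132.0/24"],
    "lab":     ["10.57.137.0/24", "192.168.254.0/24"],
}

LAB_TINC_IP = ipaddress.ip_address("10.57.137.1")       # from the thread
LAB_CLIENT_NET = ipaddress.ip_network("192.168.254.0/24")  # from the thread


def owner_of(hosts, dst):
    """Return the node whose most specific Subnet contains dst, or None.

    A kernel route pointing 192.168.254.0/24 at c4svpn only gets the packet
    as far as tincd; if no node declares that subnet, tincd has nowhere to
    send it and drops it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for node, subnets in hosts.items():
        for s in subnets:
            net = ipaddress.ip_network(s)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node, net)
    return best[0] if best else None


def lab_masquerade(src, dst):
    """Stand-in for MASQUERADE on the Lab server's c4svpn interface.

    Traffic from a lab client leaves the VPN with the Lab server's tinc
    address as source, so replies are addressed into 10.57.137.0/24, which
    the lab node already owns.  Other traffic is left untouched."""
    src = ipaddress.ip_address(src)
    if src in LAB_CLIENT_NET:
        return LAB_TINC_IP, ipaddress.ip_address(dst)
    return src, ipaddress.ip_address(dst)


def deliver(hosts, src, dst, masquerade=False):
    """Return (node the packet is forwarded to, node the reply would go to).

    (None, None) means tinc drops the packet outright; (node, None) means it
    arrives but the reply has no owner, which is what the lab clients see
    when masquerading is not actually applied to VPN-bound traffic."""
    if masquerade:
        src, dst = lab_masquerade(src, dst)
    node = owner_of(hosts, dst)
    if node is None:
        return None, None
    return node, owner_of(hosts, src)


if __name__ == "__main__":
    cases = [
        ("central -> lab client, before", HOSTS_BEFORE, "10.57.132.1", "192.168.254.1", False),
        ("lab client -> central, before, no masq", HOSTS_BEFORE, "192.168.254.10", "10.57.132.1", False),
        ("lab client -> central, before, masq", HOSTS_BEFORE, "192.168.254.10", "10.57.132.1", True),
        ("central -> lab client, after", HOSTS_AFTER, "10.57.132.1", "192.168.254.1", False),
    ]
    for label, hosts, src, dst, masq in cases:
        print(f"{label:40s} {deliver(hosts, src, dst, masquerade=masq)}")
```

The two fixes are alternatives with different exposure: declaring the Subnet makes every lab client addressable from anywhere on the VPN, while masquerading keeps them reachable only for connections they initiate themselves, which is why Guus says not to do both.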
