help with routing and multiple subnets

Patrick Bennett patrick at pebcomputing.com
Mon Apr 5 00:50:52 CEST 2010


Thanks Guus!  I'll give it a whirl in a bit.     -p



On Apr 4, 2010, at 3:33 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Sun, Apr 04, 2010 at 12:49:01PM -0700, Patrick E. Bennett, Jr. wrote:
>
>>> It seems either masquerading is not done for packets going to the VPN, or some
>>> firewall rule is blocking them. The routes seem fine.
>> I'm using Arno's iptables firewall script; perhaps it does something
>> behind the scenes that needs to be tweaked out.  As I mentioned, I
>> tried setting it to masq 10.57.137.0 and to not masq it and neither
>> allowed the Lab clients to access the central vpn hosts.  Hopefully
>> the iptables output will shed some light on this.
>>
>> Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
>>    pkts      bytes target     prot opt in     out     source               destination
>>      22     1372 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>     186    13658 NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>       0        0 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol ipsec
>>      24     1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24
>>       0        0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24
>>     162    11912 POST_NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> It is set to only masquerade traffic that goes out via the ppp+ interface. You
> should add a rule to also masquerade traffic from 192.168.254.0/24 going to the
> c4svpn interface.
>
> I have no idea how Arno's iptables script works.
>
>>> If you want the central VPN to connect to Lab clients, you should add "Subnet =
>>> 192.168.254.0/24" to the host config file of the Lab server, otherwise tinc
>>> doesn't know to which node to send those packets to. But, since you want
>>> masquerading, you shouldn't try this at all.
>> You can add "Subnet = 192.168.254.0/24" to the tinc hosts file of
>> the Lab server even though the VPN is running over the 10.57.0.0
>> subnet!?!?  Would this be instead of using 10.57.137.0/24 or in
>> addition to it??  Either way, I didn't think that was possible!
>
> You can have multiple Subnet lines in one host config file.
>
>> If the Lab VPN remains dual homed, 192.168.254.0/24 for all non-tinc
>> traffic and 10.57.0.0 for all tinc traffic, for my purposes it does
>> not matter whether 10.57.137.0/24 is masq'd or not (I think, any
>> way).
>
> If you want to do it without masquerading, then add the extra Subnet, and
> ensure the servers running tinc have correct routes to each other. The filter
> table generated by Arno's script looks very complicated, but I don't think it
> will block any of that traffic.
>
> -- 
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus at tinc-vpn.org>
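As an added example (not code from the thread, from tinc, or from Arno's script), this POSIX shell script checks a POSTROUTING listing like the one Patrick posted for the masquerade rule Guus recommends, prints that rule when it is missing, and emits the two Subnet lines Guus says can coexist in the Lab server's host file. The interface name c4svpn and the subnets come from the thread; the sample listing is constructed from the posted one, and the host-file path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an `iptables -t nat -L POSTROUTING -v -n`
# listing for the rule Guus recommends (masquerade 192.168.254.0/24 leaving on the
# tinc interface) and prints the fix. "c4svpn" and the subnets come from the
# thread; the listing below is constructed from the one Patrick posted.
NAT_LISTING='Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      24     1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24
       0        0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24'

# masq_out_ifaces LISTING SOURCE: out-interfaces of MASQUERADE rules whose
# source column equals SOURCE, space separated (columns as in iptables -L -v -n).
masq_out_ifaces() {
    printf '%s\n' "$1" | awk -v src="$2" '$3 == "MASQUERADE" && $8 == src { print $7 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# masq_covered LISTING SOURCE IFACE: succeeds if some MASQUERADE rule for SOURCE
# matches IFACE, honouring iptables wildcards ("*" = any, "ppp+" = prefix match).
masq_covered() {
    for rif in $(masq_out_ifaces "$1" "$2"); do
        case "$rif" in
            '*') return 0 ;;
            *+)  pre=${rif%+}
                 case "$3" in "$pre"*) return 0 ;; esac ;;
            *)   [ "$rif" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# masq_rule SOURCE IFACE: the POSTROUTING rule to add when masq_covered fails.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# tinc_subnet_lines SUBNET...: one Subnet line per argument; tinc accepts several
# in one host file, e.g. >> /etc/tinc/c4svpn/hosts/labserver (path assumed).
tinc_subnet_lines() {
    for s in "$@"; do printf 'Subnet = %s\n' "$s"; done
}

# Walk the posted listing: Lab traffic is masqueraded out ppp+ but not out c4svpn.
if ! masq_covered "$NAT_LISTING" 192.168.254.0/24 c4svpn; then
    echo "192.168.254.0/24 is not masqueraded via c4svpn; add:"
    masq_rule 192.168.254.0/24 c4svpn
fi
```

Run it against your own `iptables -t nat -L POSTROUTING -v -n` output by replacing NAT_LISTING; the wildcard handling means a rule with out-interface ppp+ counts as covering ppp0 but not c4svpn.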
