help with routing and multiple subnets

Patrick E. Bennett, Jr. patrick at pebcomputing.com
Mon Apr 5 04:46:59 CEST 2010


Oh wait!  Just in case someone else one day needs this: I also had to 
"route add -net 192.168.254.0 netmask 255.255.255.0 gw 10.57.137.1" on 
the Central VPN server.     -p


On 4/4/2010 7:25 PM, Patrick E. Bennett, Jr. wrote:
> Guus, it worked!  Adding "Subnet = 192.168.254.0/24" to the Lab's tinc 
> host file on each side did the trick - fantastic!  Thanks a ton.     -p
>
> On 4/4/2010 3:33 PM, Guus Sliepen wrote:
>> On Sun, Apr 04, 2010 at 12:49:01PM -0700, Patrick E. Bennett, Jr. wrote:
>>
>>>> It seems either masquerading is not done for packets going to the 
>>>> VPN, or some
>>>> firewall rule is blocking them. The routes seem fine.
>>> I'm using Arno's iptables firewall script; perhaps it does something
>>> behind the scenes that needs to be tweaked out.  As I mentioned, I
>>> tried setting it to masq 10.57.137.0 and to not masq it and neither
>>> allowed the Lab clients to access the central vpn hosts.  Hopefully
>>> the iptables output will shed some light on this.
>>>
>>> Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
>>>      pkts      bytes target     prot opt in     out     source               destination
>>>        22     1372 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>>       186    13658 NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>         0        0 ACCEPT     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol ipsec
>>>        24     1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24
>>>         0        0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24
>>>       162    11912 POST_NAT_POSTROUTING_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> It is set to only masquerade traffic that goes out via the ppp+
>> interface. You should add a rule to also masquerade traffic from
>> 192.168.254.0/24 going to the c4svpn interface.
>>
>> I have no idea how Arno's iptables script works.
>>
>>>> If you want the central VPN to connect to Lab clients, you should
>>>> add "Subnet = 192.168.254.0/24" to the host config file of the Lab
>>>> server, otherwise tinc doesn't know to which node to send those
>>>> packets. But, since you want masquerading, you shouldn't try this
>>>> at all.
>>> You can add "Subnet = 192.168.254.0/24" to the tinc hosts file of
>>> the Lab server even though the VPN is running over the 10.57.0.0
>>> subnet!?!?  Would this be instead of using 10.57.137.0/24 or in
>>> addition to it??  Either way, I didn't think that was possible!
>> You can have multiple Subnet lines in one host config file.
>>
>>> If the Lab VPN remains dual homed, 192.168.254.0/24 for all non-tinc
>>> traffic and 10.57.0.0 for all tinc traffic, for my purposes it does
>>> not matter whether 10.57.137.0/24 is masq'd or not (I think, any
>>> way).
>> If you want to do it without masquerading, then add the extra Subnet,
>> and ensure the servers running tinc have correct routes to each other.
>> The filter table generated by Arno's script looks very complicated,
>> but I don't think it will block any of that traffic.
>>
>
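The two things Guus points at in this thread are both checkable offline: whether every destination a node should reach is claimed by some host file's `Subnet =` line (tinc picks the owning node by longest prefix match), and whether the NAT POSTROUTING chain actually masquerades the Lab LAN towards the tinc interface rather than only towards `ppp+`. The script below is an added example, not code from tinc, from Arno's script or from anyone in the thread. The host file contents and the `iptables -t nat -L POSTROUTING -v -n` listing are constructed to mirror the thread; the node names `central` and `lab` and the central node's Address line are assumptions.

```python
"""Offline checks for a tinc routing/masquerade setup like the one in the thread.

Added example; the host files and the iptables listing are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network
SubnetTable = List[Tuple[Network, str]]

# Constructed tinc host files, keyed by node name. After the fix described in
# the thread, the Lab host file carries both its tinc subnet and its LAN.
HOST_FILES: Dict[str, str] = {
    "central": "Address = central.example.net\nSubnet = 10.57.0.1/32\n",  # assumed
    "lab": "Subnet = 10.57.137.0/24\nSubnet = 192.168.254.0/24\n",
}

# Constructed POSTROUTING listing with the two MASQUERADE rules quoted in the
# thread: both are restricted to the out-interface pattern ppp+.
POSTROUTING_LISTING = """\
Chain POSTROUTING (policy ACCEPT 32524 packets, 2262428 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1746 MASQUERADE  all  --  *      ppp+    192.168.254.0/24    !192.168.254.0/24
    0     0 MASQUERADE  all  --  *      ppp+    10.57.137.0/24      !10.57.137.0/24
"""

SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*(\S+)", re.IGNORECASE)


def parse_subnets(host_file: str) -> List[Network]:
    """Networks declared by `Subnet =` lines in one host file.
    A bare address counts as a /32; tinc's optional `#weight` suffix is ignored."""
    nets = []
    for line in host_file.splitlines():
        m = SUBNET_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1).split("#", 1)[0], strict=False))
    return nets


def build_table(host_files: Dict[str, str]) -> SubnetTable:
    """Map every declared Subnet to the node whose host file declares it."""
    return [(net, node) for node, text in host_files.items() for net in parse_subnets(text)]


def owner_of(table: SubnetTable, address: str) -> Optional[str]:
    """Longest-prefix match: the node that should receive packets for `address`.
    None means no host file claims it, so tinc has nowhere to send the packet."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, node) for net, node in table if ip in net]
    return max(matches)[1] if matches else None


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables interface matching: `*` is any interface, a trailing `+` is a prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def masquerade_rules(listing: str) -> List[Tuple[str, str]]:
    """(out-interface, source) of each MASQUERADE rule in a `-v -n` chain listing."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        # rule columns: pkts bytes target prot opt in out source destination ...
        if len(cols) >= 8 and cols[2] == "MASQUERADE":
            rules.append((cols[6], cols[7]))
    return rules


def is_masqueraded(listing: str, source: str, out_iface: str) -> bool:
    """Does some MASQUERADE rule cover packets from `source` leaving via `out_iface`?
    Only the source and out-interface columns are modelled (enough for these rules)."""
    src_ip = ipaddress.ip_address(source)
    for iface_pat, src_pat in masquerade_rules(listing):
        negate = src_pat.startswith("!")
        in_src = src_ip in ipaddress.ip_network(src_pat.lstrip("!"), strict=False)
        if iface_matches(iface_pat, out_iface) and (in_src != negate):
            return True
    return False


if __name__ == "__main__":
    table = build_table(HOST_FILES)
    print("192.168.254.10 ->", owner_of(table, "192.168.254.10"))
    print("masqueraded via c4svpn:", is_masqueraded(POSTROUTING_LISTING, "192.168.254.10", "c4svpn"))
```

Run against the constructed listing, `is_masqueraded(..., "c4svpn")` comes back False, which is exactly the gap Guus identifies: the Lab LAN is only masqueraded on `ppp+`. Dropping the second `Subnet` line from the Lab host file makes `owner_of` return None for a 192.168.254.x address, the "tinc doesn't know to which node to send those packets" case.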