Bridging on windows networks
Guus Sliepen
guus at tinc-vpn.org
Wed Feb 3 00:01:17 CET 2010
On Sun, Jan 31, 2010 at 11:27:34PM -0800, Anon wrote:
> 192.168.0.155 (corresponds to 10.20.30.1)
> 192.168.1.155 (corresponds to 10.20.40.1)
> 192.168.2.155 (corresponds to 10.20.50.1)
>
> I have another computer on the 192.168.0.x LAN, with IP address
> 192.168.0.188. 192.168.0.188 can ping 192.168.0.155 with no problem (and
> vice versa). But it can't ping 10.20.30.1 (or any of the others).
It will be much easier if you could just use 192.168.x.y addresses for the VPN
as well. But first let me tell you what needs to be done to get it working with
10.20.x.y addresses on the VPN.
HARD WAY:
When 192.168.0.188 sends a packet to 10.20.x.y, it needs to have an entry in
its routing table that says that packets for 10.20.0.0/16 should go to
192.168.0.155.
Then, you should be able to ping 10.20.30.1. However, pinging any other node on
the VPN will not work yet. Suppose 192.168.0.188 tries to ping 10.20.40.1. Tinc
on 192.168.0.155 will pick the ping packets up and forward them to 10.20.40.1.
There, the kernel will generate an ICMP reply, and will try to send it back to
192.168.0.188. For that, it needs to have an entry in its routing table that
says packets for 192.168.0.0/16 should go to the VPN adapter.
Tinc on 192.168.1.155 will then pick it up, but it needs to know where to send
packets with destination address 192.168.0.188 to. For that, the tinc daemon on
192.168.0.155 should have Subnet = 192.168.0.0/24 in its host config file.
Suppose there are more hosts on the other LANs as well, and 192.168.0.188 wants
to ping 192.168.1.199. Then 192.168.0.188 must have an entry in its routing
table that says packets for 192.168.0.0/16 should go via the VPN, 192.168.1.155
must have Subnet = 192.168.1.0/24 in its host config file, and 192.168.1.199
must also have an entry in its routing table that says packets for
192.168.0.0/16 should go via the VPN.
If any host should be able to communicate with any other host on the VPN, you
are going to have to add a lot of routes... If you can control the routing
table of the gateway of each LAN (I assume having IP address 192.168.0.1,
192.168.1.1 and 192.168.2.1), you can add an entry in each of them directing
packets with destination 10.20.0.0/16 and 192.168.0.0/16 to the host running
tinc on each LAN. But, then packets will be sent twice over the LAN, which is
not so efficient.
EASIER WAY:
It is much easier to use tinc's switch mode, and to bridge the LAN to the VPN
interface on each host running tinc. Then, you don't need to configure Subnets
and you don't need to add any routes. You also won't get any address conflicts.
You will only use 192.168.x.y addresses this way. However, you need to change
the netmask of the LAN interface of all the hosts from 255.255.255.0 to
255.255.0.0, otherwise they will still send packets for a different LAN to
their default gateway instead of to the local tinc node.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20100203/29d193cc/attachment.pgp>
More information about the tinc
mailing list