a few problems/questions with tinc

Donald Pearson donaldwhpearson at gmail.com
Wed Feb 15 16:28:49 CET 2012


1. Sounds like routing is broken.  Does ping work from Server A to Server B
traversing the same route?

2. I'm pretty sure in iptables you need to define the table first, then the
chain.  You're defining the chain first.. so the table may be assumed as
something other than mangle.. and there you go.

3. No idea.  Can you describe what you mean by "the network wasn't as good
as before"?  How did you know it wasn't as good?  What were you measuring,
or what were the symptoms of the problem?

4. No you do not want 2 nodes in the same physical location connecting to
each other.  That will not provide you with any redundancy.  Your fail-over
idea is feasible.  Some creative scripting could accomplish this through
crontab with the backup server pinging the primary every X seconds,
bringing up the WAN interface and executing tincd when the ping fails X
number of times, and shutting down the WAN interface and tincd once the
ping is successful again.  The WAN interface and Tinc configurations would
be identical on both boxes. This would mean you have a switch between your
WAN gateway and these 2 tinc boxes. Or there are solutions like linux-ha.org.
If you can spare 3 WAN IP addresses per site, you could stand up Tinc on
pfsense firewalls, and let pfsense handle failover for you via CARP.
But I would ask myself if I really need redundancy on Tinc like this.  This
design is an upside-down pyramid.  You're still going to have a single
switch between the gateway and the Tinc boxes, that's a single point of
failure.  You're still going to have a single gateway, another single point
of failure.  Building redundancy on top of single points of failure is not
a good approach.  If you really want high availability it needs to start
with a WAN solution with multiple WAN circuits utilizing protocols like BGP.

5. Sorry I don't know anything about the Tinc routing table.

6. Sorry I don't know.

On Wed, Feb 15, 2012 at 3:59 AM, Siavash Sameni <siavash.sameni at gmail.com> wrote:

> Hi everyone,
> I have a few questions/problems with tinc which I need to address ASAP,
> so I'll make it brief.
> I have 33 sites, connected with each other using WAN.
> In each site there are two Linux firewalls + 3-4 more servers. I
> preferred to have a full mesh within my network,
> but unfortunately it was not possible: when I wanted every site to be
> connected to every other, as the number of hosts increased there were some
> unexplainable abnormalities, so I decided to connect every site to 3-4
> other firewalls. So with this approach the whole network is unified, of
> course not directly.
> So right now my unsolved problems are as follows:
>
> 1. SIP/IAX doesn't work over the tinc network, but on the tinc edge it works.
> Imagine the following situation:
> SIP/IAX Server A --network A---> Firewall A ---tinc---> Firewall B
> ---Network B--> SIP/IAX Server B
> This approach doesn't work!!
> But if I put the SIP/IAX server on firewall B and use the tinc internal
> IP address, the trunk works..
>
> 2. I want to use 2 firewalls in each site as failover tinc routers, so
> what I've basically done is that I've put two tinc nodes in every site
> and configured them with the same Subnet in tinc hosts, but the problem
> arises with the fact that the other nodes in each site only have one of
> the servers as default gateway, and if the request comes from the other it's
> unanswered. I wanted to fix this problem with iptables mangle,
> iptables -A PREROUTING -t mangle -i tci -j MARK --set-mark 1, but
> strangely enough iptables didn't mark it (why?)
> So I thought of another solution, which is that I'd use keepalived with
> tinc, like copy the same private key on two servers, bring one up, and if
> the server goes down, keepalived would bring tinc down and bring the
> other server's tinc up. Is it possible?
>
> 3. I have concerns about not having a full mesh. The problem was that
> when the number of concurrent connections went above 12, the network wasn't
> as good as before. Am I doing something wrong? Is it possible to fix it
> another way?
>
> 4. Should I connect the two firewalls in each province together, if I
> don't use keepalived of course, like add a ConnectTo from server A1 to A2
> ????
>
> 5. I have concerns about the tinc routing table, can someone point me to the
> right documentation??
>
> 6. In a mesh, is there any utility which would make it easy to identify
> which hosts are directly connected to (hosts from ConnectTo)?
>
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
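As an added example that is not part of the thread, here is one way to write the crontab/ping failover watchdog Donald sketches in point 4 of his reply: the standby router probes the primary, and only after a run of consecutive failures brings up its WAN interface and starts tincd; once the primary answers again it stops tincd and takes the interface down so the two nodes never advertise the same Subnet at the same time. The network name `vpn`, the interface `eth1` and the primary address 192.0.2.10 are assumptions for this example, not values from the thread; `tincd -n <net>` and `tincd -n <net> -k` are the standard start and kill invocations.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): a failover
# watchdog for a standby tinc router, following the "ping the primary,
# start tincd after X failures, stop it when the ping returns" scheme.
# Assumed names (constructed for this example): tinc network "vpn",
# WAN interface "eth1", primary router reachable at 192.0.2.10.
#
# State lives in small files so the script can run from crontab every
# minute; it acts only on transitions, so repeated runs are idempotent.

PRIMARY=${PRIMARY:-192.0.2.10}
WAN_IF=${WAN_IF:-eth1}
NETNAME=${NETNAME:-vpn}
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}      # consecutive failures before takeover
STATE_DIR=${STATE_DIR:-/var/run/tinc-failover}
DRY_RUN=${DRY_RUN:-0}                    # 1 = only print the actions

# The probe command is a variable so it can be replaced (e.g. by "true"
# or "false" when exercising the state machine without a network).
PING_CMD=${PING_CMD:-"ping -c 1 -W 2 $PRIMARY"}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*" >&2
    else
        "$@"
    fi
}

# Print the contents of file $1, or the default $2 if it does not exist.
read_file() {
    if [ -f "$1" ]; then cat "$1"; else echo "$2"; fi
}

# One watchdog tick: probe the primary, update the failure counter, and
# act on role transitions. Prints the resulting role: "standby" or "active".
failover_tick() {
    mkdir -p "$STATE_DIR"
    fails=$(read_file "$STATE_DIR/fails" 0)
    role=$(read_file "$STATE_DIR/role" standby)

    if $PING_CMD >/dev/null 2>&1; then
        fails=0
        if [ "$role" = active ]; then
            # Primary is back: stand down first, so both routers never
            # advertise the same Subnet to the rest of the tinc network.
            run tincd -n "$NETNAME" -k
            run ip link set "$WAN_IF" down
            role=standby
        fi
    else
        fails=$((fails + 1))
        if [ "$role" = standby ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            # Enough consecutive misses: take over the primary's job.
            run ip link set "$WAN_IF" up
            run tincd -n "$NETNAME"
            role=active
        fi
    fi

    echo "$fails" > "$STATE_DIR/fails"
    echo "$role" > "$STATE_DIR/role"
    echo "$role"
}

# Usable both as a cron job ("failover.sh tick") and sourced as a library.
if [ "${1:-}" = tick ]; then
    failover_tick
fi
```

A crontab line such as `* * * * * /usr/local/sbin/failover.sh tick` gives the one-minute cadence; the threshold, not the interval, decides how long the primary must be silent before the standby takes over, and the symmetric stand-down on recovery is what keeps the "same Subnet on two hosts" setup from turning into a split-brain.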