Tinc clients behind a NAT, tunnels get unstable

Marcus Schopen lists at localguru.de
Fri Sep 25 16:51:22 CEST 2015


Hi Guus,

Am Freitag, den 25.09.2015, 09:36 +0200 schrieb Guus Sliepen:
> On Fri, Sep 25, 2015 at 08:41:06AM +0200, Marcus Schopen wrote:
> 
> > I'm running some tinc clients behind a NAT (masquerading, Cisco Router)
> > connecting to a host outside on a public IP in a different network. The
> > tunnels get unstable every few minutes and I see packet loss when
> > pinging the clients on their internal tunnel IPs from the host side.
> > Before putting the tinc clients behind the NAT they were running on
> > public IPs too (clients and host in different networks) and the tunnels
> > were rock stable without any problems. As a workaround(?) I added
> > "TCPOnly = yes" [1] to the host's config file and since then all tunnels
> > seem to work stable again, but I can't explain this to me as the NAT
> > should handle UDP connections. Any ideas?
> 
> Maybe the timeout for UDP NAT mappings is a bit short on your Cisco. Try
> adding PingInterval = 30 to the tinc.conf on those clients, perhaps that
> will help.

Thanks for pushing me in the right direction. I disabled "TCPOnly =
yes" on the host and started with "PingInterval = 30" on each client
behind the NAT. The tunnels from the host side were still unstable until
I reduced PingInterval down to 10 seconds, which seems to work fine for
the moment. I checked the manual of the Cisco NAT for any TCP/UDP
timeout settings, but there is no way to modify anything like "keep
TCP/UDP connections alive". So should I keep this UDP configuration or
would you go back to TCPOnly?

And another thing which came up since the clients (all in the same
subnet) are running behind the NAT: the traffic between the clients
runs through the host and not locally/directly anymore, which means
higher latency and outgoing traffic. I don't see any blocked packets on
the clients' firewall. Is there a way to let them talk directly again?

Ciao
Marcus
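The thread above turns on one unknown: how long the Cisco keeps an idle UDP mapping before dropping it, which decides what PingInterval must be. The following is an added measurement tool, not code from the tinc project or from anyone in this thread. It sends each probe from a fresh UDP socket to a small delayed-echo server (assumed to run on a host with a public IP, like the tinc host here) and asks for the reply after a given delay; the longest delay that still gets a reply bounds the mapping lifetime, and PingInterval can then be set below it. The server, the probe format, the constructed 20-second simulated NAT and the loopback run are all this example's own assumptions.

```python
"""
Estimate a NAT's idle timeout for UDP mappings (added example, not tinc code).

Method: the client sends one datagram per probe from a fresh UDP socket and
asks the server to echo it back only after `delay` seconds. If the NAT has
dropped the idle mapping by then, the reply never arrives. The largest delay
that still gets a reply bounds the mapping lifetime, so a keepalive such as
tinc's PingInterval can be set comfortably below it.
"""
import socket
import struct
import threading
import time

GRACE = 1.0  # extra seconds to wait for a reply beyond the requested delay


def serve_delayed_echo(sock, stop):
    """Echo server (assumed to run on a public host): reply to each datagram
    after the delay encoded in its first four bytes."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(64)
        except socket.timeout:
            continue
        (delay,) = struct.unpack("!f", data[:4])

        def reply(data=data, addr=addr, delay=delay):
            time.sleep(delay)
            try:
                sock.sendto(data, addr)
            except OSError:
                pass  # socket closed while we were sleeping
        threading.Thread(target=reply, daemon=True).start()


def udp_probe(server, delay):
    """Send one probe from a fresh socket; True if the delayed reply came back
    through the NAT. A fresh socket per probe keeps one probe's reply from
    refreshing another probe's mapping."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(delay + GRACE)
        payload = struct.pack("!f", delay) + b"nat-probe"
        s.sendto(payload, server)
        try:
            reply, _ = s.recvfrom(64)
        except socket.timeout:
            return False
        return reply == payload


def find_idle_timeout(probe, delays):
    """Run probes with increasing reply delays. Returns (longest delay that
    got a reply, shortest delay that did not); None where not observed.
    Stops at the first failure, since longer idle gaps cannot do better."""
    longest_ok, shortest_fail = None, None
    for delay in sorted(delays):
        if probe(delay):
            longest_ok = delay
        else:
            shortest_fail = delay
            break
    return longest_ok, shortest_fail


def recommend_ping_interval(longest_ok, factor=0.5):
    """Keepalive interval well below the observed mapping lifetime (min 1 s)."""
    return max(1, int(longest_ok * factor))


def simulated_probe(nat_idle_timeout):
    """Constructed stand-in for udp_probe: a NAT that drops any mapping idle
    longer than nat_idle_timeout seconds (for offline illustration only)."""
    return lambda delay: delay <= nat_idle_timeout


def measure_local(delays):
    """Run the real UDP probes against the echo server on loopback. There is
    no NAT in that path, so every delay is expected to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    stop = threading.Event()
    t = threading.Thread(target=serve_delayed_echo, args=(srv, stop), daemon=True)
    t.start()
    try:
        return find_idle_timeout(lambda d: udp_probe(srv.getsockname(), d), delays)
    finally:
        stop.set()
        t.join()
        srv.close()


if __name__ == "__main__":
    # Offline illustration: constructed NAT with a 20 s UDP idle timeout.
    ok, fail = find_idle_timeout(simulated_probe(20), [5, 10, 15, 25, 40])
    print(f"mapping survived {ok} s idle, gone by {fail} s; "
          f"suggested PingInterval = {recommend_ping_interval(ok)}")
    # Real measurement: run serve_delayed_echo on the public host and, from a
    # client behind the NAT, call
    #   find_idle_timeout(lambda d: udp_probe((HOST, PORT), d), [10, 20, 30, 60, 120])
    print(measure_local([0.0, 0.2, 0.4]))
```

The stop-at-first-failure rule assumes the NAT behaves monotonically (a longer idle gap never succeeds where a shorter one failed), which holds for a plain idle timer; repeat the run a few times before trusting a single result, since a reply can also be lost for unrelated reasons.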
