Routing setup with pfSense package

Corey Boyle coreybrett at gmail.com
Thu Aug 30 02:35:31 CEST 2018


I'm using the recommended config for the pfS package which suggests using
the LAN IP as the tunnel IP and a mask that covers the entire VPN. It just
seems like an odd setup to me.

I did some testing and assigned a unique address to the TUN, and that
seemed to work fine as well. (Even when the same IP and mask were used for
the TUN on both routers.)

__
Corey

On Wed, Aug 29, 2018, 5:05 PM Lars Kruse <lists at sumpfralle.de> wrote:

> Hello Corey,
>
>
> On Wed, 29 Aug 2018 16:33:30 -0400,
> Corey Boyle <coreybrett at gmail.com> wrote:
>
> > I just found that the VPN Netmask option in the pfSense tinc GUI is
> > related to the "netmask" option in /usr/local/etc/tinc/tinc-up
> >
> > ifconfig $INTERFACE 192.168.117.1 netmask 255.255.0.0
> >
> > What exactly is this line doing? Is it assigning the address that my
> > lan adapter has to the tunnel interface as well?
>
> Above you see the environment variable "INTERFACE". It is described in
> "man tinc.conf".
> The command above assigns an IP address to the network interface provided
> by the tinc daemon.
> In your forum thread you mentioned that 192.168.117.0/24 is the address
> range of your LAN interface. Thus the "ifconfig" line above is probably a
> mistake, since you will end up with two network interfaces using the same
> address range.
> This is not impossible, but most likely not your goal :)
>
> Instead you probably want to pick an address range for the tinc network
> interface. Each node should have one IP in this network. This IP needs to
> be mentioned in two places for each node:
> * as a Subnet line in the node's host file ("Subnet = w.x.y.z/32")
>   (make sure that all host files are in sync in order to reduce confusion)
> * as part of an "ifconfig" command (see above) in "tinc-up"
>
> Maybe you could also get away without assigning an IP address to the tinc
> interface at all, but this would surely make debugging harder.
>
> Afterwards you will be able to ping the other tinc nodes and direct traffic
> over this interface.
>
> Have fun investigating!
> Cheers,
> Lars
>
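
Added example (not part of the original thread, and not tinc or pfSense code): a small Python check for the layout described in the quoted reply, where the tunnel address comes from its own range and appears both in the tinc-up "ifconfig" line and as a /32 Subnet in the node's host file. The sample file contents, the 10.99.0.0/24 range and the function names are constructed for illustration; only IPv4 "ifconfig ... netmask ..." lines are handled.

```python
import ipaddress
import re

LAN = "192.168.117.0/24"  # LAN range mentioned in the thread

# Constructed sample: the tinc-up line quoted in the thread plus a host file
THREAD_TINC_UP = "ifconfig $INTERFACE 192.168.117.1 netmask 255.255.0.0\n"
THREAD_HOST = "Subnet = 192.168.117.0/24\n"

# Constructed sample: dedicated tunnel range, one /32 per node
GOOD_TINC_UP = "#!/bin/sh\nifconfig $INTERFACE 10.99.0.1 netmask 255.255.255.0\n"
GOOD_HOST = "Subnet = 10.99.0.1/32\nSubnet = 192.168.117.0/24\n"


def tunnel_interface(tinc_up_text):
    """Parse the address/netmask that tinc-up assigns to $INTERFACE."""
    m = re.search(r"^\s*ifconfig\s+\$INTERFACE\s+(\S+)\s+netmask\s+(\S+)",
                  tinc_up_text, re.M)
    if not m:
        raise ValueError("no 'ifconfig $INTERFACE <ip> netmask <mask>' line")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def host_subnets(host_text):
    """Collect the IPv4 'Subnet = ...' entries of a tinc host file."""
    nets = []
    for m in re.finditer(r"^\s*Subnet\s*=\s*(\S+)", host_text, re.M | re.I):
        value = m.group(1).split("#")[0]  # drop an optional '#weight' suffix
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def check_node(tinc_up_text, host_text, lan_cidr):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    tun = tunnel_interface(tinc_up_text)
    # Two interfaces covering the same address range (the concern in the reply)
    if tun.network.overlaps(ipaddress.ip_network(lan_cidr)):
        findings.append("tunnel-overlaps-lan")
    # The tunnel IP should also be announced as a /32 Subnet in the host file
    if ipaddress.ip_network(f"{tun.ip}/32") not in host_subnets(host_text):
        findings.append("missing-subnet-32")
    return findings


if __name__ == "__main__":
    print("thread config:", check_node(THREAD_TINC_UP, THREAD_HOST, LAN))
    print("dedicated range:", check_node(GOOD_TINC_UP, GOOD_HOST, LAN))
```
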