Help with 'switch' mode
Brian Costello
bc at preventsys.com
Mon Aug 25 00:40:07 CEST 2003
Hello,
I've been using tinc v1.0 for the last few weeks in router mode - to
great success. It's EXACTLY what I was looking for in a VPN at the time
- most of the security of IPSEC with none of the interoperability
issues. However, a few days ago, I got a VOIP phone that doesn't use IP
without paying several thousand extra dollars on top of what we've
already spent on the phone system. Checking sniff dumps of the phone
<-> phone protocol, I found that the phones appear to use MAC addresses
as their only identifier. Therefore, no routing. Therefore, router
mode won't work. Therefore, I tried out switch mode.
I checked the documentation on
http://tinc.nl.linux.org/examples/bridging and from that example, it
appears to be a Linux system using 802.1d bridging. However, I don't
see any place in the documentation that tells you how to set that up
under Linux (or any other OS for that matter) - there appears to be just
that one page that gives any information about the switch setup. If I
ignored a document, could you please point it out to me? Otherwise, I
have a few questions:
1) Is the bridge device necessary - it was my understanding that the tap
device was able to "see" frames like a pcap device, so I'd THINK it
would be possible to perform the actions of a switch without the bridge
device - that is, grab & forward ARP reqests & replies between networks,
use that information to build a MAC table & use the MAC table to
determine when to transmit traffic over the VPN.
2) If the bridge device IS necessary, is an extra interface with no IP
address assigned to it necessary? By extra I mean do you need more than
one interface on both bridge endpoints, and do both the interface This
appears to be the case in the bridging example.
3) Of course this whole project relies on whether or not tinc's switch
mode can even do what I require - I assume it can properly pass packets
from one network to another with their MAC addresses intact (like a
switch) :) Hopefully I haven't been wasting my time :)
Here's the information on the two current networks:
Two networks, both with hosts setup to run tinc which are configured as
linux 2.4.21 (universal tun/tap), with tinc v1.0.
"Total" network: 10.3.0.0/16
Network A: 10.3.1.0/24, interface I want to run tinc on (eth0) =
10.3.1.1 netmask 255.255.0.0 broadcast 10.3.255.255
Network B: 10.3.2.0/24, interface I want to run tinc on (eth0) =
10.3.2.1 netmask 255.255.0.0 broadcast 10.3.255.255
I use TCPonly mode because my firewall at one location is NOT iptables,
and therefore does not have a way to set the NAT'd source port.
>From what the bridging doc says, it would seem like I should set eth0 on
both tinc boxes to 0.0.0.0 and set the bridge running on each to the
10.3.x.1 IPs. Would I also set the tinc-created tun/tap virtual
interface to 0.0.0.0 as well?
Any hints, pointers to more in-depth resources (if the bridging document
isn't the most representitive of all of the available options).
Brian
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
More information about the Tinc
mailing list