help with routing and multiple subnets
Guus Sliepen
guus at tinc-vpn.org
Sun Apr 4 15:04:59 CEST 2010
On Sat, Apr 03, 2010 at 05:18:27PM -0700, Patrick E. Bennett, Jr. wrote:
[...]
> The Lab Server tincd is connecting to the Central Tinc Server and is
> able to ping/telnet/ssh etc to any client on 10.57.132.0/24.
> The Lab server is doing NAT for the 192.168.254 subnet (doesn't seem
> to matter if NAT is enabled for only 192.168.254.0 or for both it
> and 10.57.132.0). Internet access for the lab clients through the
> NAT is working.
Can you show us the output of these commands on the Lab Server:
iptables -L -vxn
iptables -t nat -L -vxn
> The Lab clients are receiving ip addresses in the 192.168.254.0/24
> subnet (which can't be changed)
> The Lab clients can ping the Lab Server Tinc ip address (ie. 10.57.137.1).
> The Lab clients /cannot/ ping or otherwise reach the server or
> clients on the other side of the vpn (10.57.132.1,2,3,etc)
It seems either masquerading is not done for packets going to the VPN, or some
firewall rule is blocking them. The routes seem fine.
> I have tried:
>
> * from the central tinc vpn setting "route add -net 192.168.254.0
> netmask 255.255.255.0 gw 10.57.137.1" and/or "route add -net
> 192.168.254.0 netmask 255.255.255.0 dev c4svpn". Neither seemed
> to help - ping to 192.168.254.1 yields "Destination Net Unknown".
If you want the central VPN to connect to Lab clients, you should add "Subnet =
192.168.254.0/24" to the host config file of the Lab server, otherwise tinc
doesn't know to which node to send those packets to. But, since you want
masquerading, you shouldn't try this at all.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20100404/2b6407bb/attachment.pgp>
More information about the tinc
mailing list