<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Donald, thank you for this. <br>
<br>
Do I read you right that to be able to receive broadcasts across
LANs I have to use the address space that I already have and make
sure that this space is the same for both LANs?<br>
<br>
What I'm trying to do is to define a *completely new subnet* that
will act as the common LAN for both LAN A and LAN B.<br>
<br>
To re-iterate:<br>
I have one router that is 10.1.1.1 and gives out DHCP 10.1.1.* and
the other router 192.168.0.1 that gives out DHCP 192.168.0.*. <br>
I would like to leave these address spaces alone and define a new one,
10.30.1.*, that computers from both networks can participate in,
effectively forming a new virtual LAN.<br>
<br>
Is this possible with tinc? I know this is possible with other
software, I'm just having a hard time figuring out if this is
something I can configure tinc to do.<br>
<br>
Andrew<br>
<br>
<br>
<br>
On 7/10/2010 1:13 p.m., Donald Pearson wrote:
<blockquote
cite="mid:AANLkTinQ2MG9pwXpT61k47aGL6nDKrmo17grwHDLArzr@mail.gmail.com"
type="cite">Sorry you're right. I was looking at the IP address
schema where all nodes would use the <a moz-do-not-send="true"
href="http://10.30.0.0/24">10.30.0.0/24</a> network.<br>
<br>
There's no need to install tap adapters on the other devices. You
have basically 2 realistic options if you want the LAN function<br>
<br>
You can specify multiple IP addresses for a single interface, even
in Windows. You'll find this under the TCP/IP properties of the
network adapter, after clicking on the Advanced button on the page
where you can set a static IP or designate DHCP.<br>
<br>
A 2nd option would be to re-ip one of your locations so that they
all use the same subnet natively.<br>
<br>
Bridging the tap adapter allows your network frames received by
your physical interface to reach the TAP adapter and therefore
traverse the VPN. This enables layer 2 connectivity, the same way
a real switch does. Virtual Ethernet over the Internet is how I
like to describe it. This is how I have my VPN configured
personally.<br>
<br>
Without the bridge, a frame that is received at the physical
interface has the frame stripped off and the packet inspected.
Now we're talking layer 3. If the packet is destined for a
network on the other side of the VPN, your Tinc node frames the
packet back up with a new frame, and sends it over the VPN. This
act of stripping the frame, reading the packet for the network
destination, and applying a new frame to get it there is what
Routing is. Without the bridge in place, your Tinc node is
literally routing between the physical interface and the tap
interface. With the bridge, you're creating a layer 2 pathway so
the frames can shoot across directly. Of course this means both
sides need to be on the same subnet which you obviously already
know.<br>
<br>
Be warned that this configuration comes with its drawbacks. DHCP
will traverse your VPN. I had location A computers getting
addresses from location B which makes for some really inefficient
internet traffic.<br>
<br>
Regards,<br>
Donald<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 7:57 PM, Andrew
Savinykh <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:andrews@brutsoft.com">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald, thank you for
the explanation.<br>
<br>
I understand the part about the switch mode and absence of
subnet in tinc.config.<br>
However, could you please explain what bridging the tap
adapter will achieve and what kind of ip address will be
used on tinc nodes and in the rest of the network.<br>
<br>
In my example one household has local network addresses of
192.168.1.* and the other has 10.1.1.*<br>
If we don't install tap interfaces on other PC's this means
that the other PCs won't have another ip address.<br>
I understand that bridging is going to solve this somehow,
but I still don't see how broadcast from 10.1.1.7 can reach
192.168.1.5 in the other LAN.<br>
<br>
In short I don't understand how bridging two adapters works.
I'll try to google this topic to get a better understanding,
meanwhile, could you please explain<br>
how this applies to our tinc configuration case.<br>
<br>
Also can you briefly describe what we achieve by setting
PMTUDiscovery = Yes. I read the description in manual but it
didn't tell me much.<br>
<br>
Thank you again for all your help,<br>
<font color="#888888"> Andrew</font>
<div>
<div class="h5"><br>
<br>
<br>
<br>
On 7/10/2010 11:40 a.m., Donald Pearson wrote:
<blockquote type="cite">Oh okay. Yes you can make it
appear as a single LAN. Your Tinc nodes will behave
as bridges instead of routers (or gateways as you put
it).<br>
<br>
Your tinc nodes will have the same subnet mask and
default router as all your other devices at that
location.<br>
<br>
You will need to run the add-tap script only on the
tinc nodes on each side.<br>
<br>
You will then need to bridge the tap adapter to the
local area connection on the tinc nodes on each side.<br>
<br>
This will create a bridge network object under your
network connections. This bridge will have the IP
configuration you illustrated.<br>
<br>
You have the right idea in segregating the IP
distribution while still using the 255.255.255.0
subnet mask.<br>
<br>
Once both nodes are up and connected, and the
interfaces have been bridged on the Tinc nodes for
each location, you will have a virtual LAN between the
two locations.<br>
<br>
Your Tinc configuration will be Switch mode. This
means no Subnet configurations are required in your
tinc.conf<br>
<br>
Your tinc.conf will be something like<br>
<br>
Name = NodeA<br>
ConnectTo = NodeB<br>
Interface = <something><br>
Mode = switch<br>
PrivateKeyFile = <path to the rsa_key.priv><br>
<br>
Host files will be something like<br>
For the host file named "NodeA"<br>
<br>
Address = <<a moz-do-not-send="true"
href="http://host.dyndns.org" target="_blank">host.dyndns.org</a>><br>
PMTUDiscovery = Yes<br>
<br>
--Begin RSA etc. etc.--<br>
<br>
<br>
<div class="gmail_quote">On Wed, Oct 6, 2010 at 6:17
PM, Andrew Savinykh <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Donald,<br>
<br>
thank you, while I still have some questions,
your answer is definitely a step in the right
direction.<br>
In the other reply I was asked what I'm trying
to achieve. Let's consider the following
scenario (which is quite similar to the one
described in the tinc manual).<br>
<br>
Let's assume we have two households, each has
3-5 computers in it. Both households have
similar network configuration:<br>
They are connected to internet with an ADSL line
and a router.<br>
The computers in the local network access
internet via the router.<br>
The router is configured so that one of the
computers has port 665 forwarded to be
accessible outside.<br>
The external IP is changed rarely and there is
dynamic DNS service (external) in use to
accommodate for the change of IP when it
happens.<br>
<br>
One household has local network addresses of
192.168.1.* and the other has 10.1.1.*<br>
I'm installing tinc on one computer in each
household. <br>
<br>
The goal is to let all computers in both
households see each other by IP address. Also it
is desired that for computer games purposes<br>
all computers appear to be on the same LAN (for
broadcasts). But this is not mandatory. (it
appears that it's not possible without
installing tinc on every PC <br>
as every tinc daemon serves a subnet and two
tinc daemons can't serve a part of subnet each)<br>
<br>
All computers run different flavours of Windows,
most being Windows 7.<br>
<br>
I have two ideas how to set this up, although
I'm not sure if any of these two works:<br>
<br>
IDEA1.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2,3,4 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a moz-do-not-send="true"
href="http://10.30.0.0/25" target="_blank">10.30.0.0/25</a><br>
<br>
Household B<br>
Gateway IP: 10.30.0.129<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.130,131,132 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.129<br>
<br>
Tinc Subnet: <a moz-do-not-send="true"
href="http://10.30.0.128/25" target="_blank">10.30.0.128/25</a><br>
<br>
<br>
IDEA2.<br>
=====<br>
Household A<br>
Gateway IP: 10.30.0.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.0.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.1<br>
<br>
Tinc Subnet: <a moz-do-not-send="true"
href="http://10.30.0.0/24" target="_blank">10.30.0.0/24</a><br>
<br>
Household B<br>
Gateway IP: 10.30.1.1<br>
Gateway Mask: 255.255.255.0<br>
Gateway Default Gateway: ????<br>
<br>
Other PCs IP: 10.30.1.2-255 etc<br>
Other PCs Mask: 255.255.255.0<br>
Other PCs Default Gateway: 10.30.0.129<br>
<br>
Tinc Subnet: <a moz-do-not-send="true"
href="http://10.30.1.0/24" target="_blank">10.30.1.0/24</a><br>
<br>
<br>
So IDEA 1 probably won't work at all. Will it?
And with IDEA 2 the pc's won't appear on the
same LAN and their broadcasts won't reach each
other.<br>
As far as I understand I need to install TAP
interface on each of the participating windows
PCs, correct?<br>
What is specified in default gateway of the
gateways?
<div><br>
<br>
<br>
Thank you in advance,<br>
Andrew<br>
<br>
</div>
<div>
<div> On 7/10/2010 4:36 a.m., Donald Pearson
wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>The PCs that you want to participate
need to have a route for the VPN subnet
pointing to their local VPN gateway, which
would be the local device with Tinc
installed on it.
<div><br>
</div>
<div>Theoretical configuration example.</div>
<div><br>
</div>
<div>VPN subnet is <a
moz-do-not-send="true"
href="http://10.10.10.0/24"
target="_blank">10.10.10.0/24</a></div>
<div><br>
</div>
<div>At a location, one computer <a
moz-do-not-send="true"
href="http://192.168.1.254/24"
target="_blank">192.168.1.254/24</a>
connects to the VPN and serves as the
VPN gateway. This gateway needs to be
configured for TCP/IP forwarding.</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://support.microsoft.com/kb/315236"
target="_blank">http://support.microsoft.com/kb/315236</a> -
windows</div>
<div><a moz-do-not-send="true"
href="http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/"
target="_blank">http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/</a> -
linux</div>
<div><br>
</div>
<div>Other computers local to the gateway
need a route to the VPN network added so
they know how to get there.</div>
<div><br>
</div>
<div>In Windows: route -p add 10.10.10.0
mask 255.255.255.0 192.168.1.254</div>
<div>This will add the persistent route
that remains after reboot.</div>
<div><br>
</div>
<div>Does that answer your question?</div>
<div><br>
<div class="gmail_quote">On Wed, Oct 6,
2010 at 6:41 AM, Andrew Savinykh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:andrews@brutsoft.com"
target="_blank">andrews@brutsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff"
text="#000000"> Thank you for your
reply. As far as I can see there
is no point specifying subnet that
consists of more than one PC in
tinc config if you are going to
install tinc on every PC in the
subnet anyway. Correct me if I'm
wrong.<br>
Now, assuming I'm right, there
will be PCs in the subnet that
don't have tinc installed on them.
How to configure these PCs so they
are a part of the subnet and
participate in routing?<br>
<br>
Cheers,<br>
Andrew
<div>
<div><br>
<br>
On 6/10/2010 10:13 p.m.,
Cédric Lemarchand wrote: </div>
</div>
<blockquote type="cite">
<div>
<div> Hi,<br>
<br>
I am not sure I understand
what you mean with "joining"
a subnet.<br>
<br>
But if your "local computer"
needs to reach the "remote
subnet" served by tinc, you
can set the local IP of the
local tinc server as the
default gateway, or add a
route to the remote subnet
via the local tinc IP. Of
course, computers located on
the remote subnet need the
same thing.<br>
<br>
Cédric<br>
<br>
On 06/10/10 09:37, Andrew
Savinykh wrote:
<blockquote type="cite"> Hello
all, <br>
<br>
I understand that each
tinc daemon corresponds to
one or more subnets that
it "owns"; a subnet can be
a single IP or more. <br>
Could you please tell me
what do I need to do to
join a computer in local
network (windows) to a
subnet served by tinc? <br>
<br>
Thank you in advance, <br>
Andrew <br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
tinc mailing list<br>
<a moz-do-not-send="true" href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a><br>
<a moz-do-not-send="true"
href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc"
target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
<br>
</blockquote>
</div>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
tinc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tinc@tinc-vpn.org">tinc@tinc-vpn.org</a>
<a class="moz-txt-link-freetext" href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a>
</pre>
</blockquote>
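<br>
As an added example (not code from any message in this thread), a small Python check of the IDEA1 and IDEA2 plans posted above, using only the standard ipaddress module. The addresses are the ones in the thread; the checks are constructed here to show where a host's own mask disagrees with the tinc Subnet, where a default gateway is off-link, and whether the two households would share one broadcast domain as the switch-mode setup requires.<br>

```python
# Added example, not from the tinc thread: sanity-check the IDEA1 / IDEA2 plans.
# Addresses are the ones posted; the checks themselves are constructed here.
import ipaddress

def network_of(ip, mask):
    """Network a host derives from its own IP address and subnet mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def on_link(host_ip, mask, other_ip):
    """True if the host would ARP for other_ip directly rather than use its gateway."""
    return ipaddress.ip_address(other_ip) in network_of(host_ip, mask)

def same_lan(site_a, site_b):
    """Broadcasts only span both sites if every host derives the same network."""
    return network_of(site_a["pc_ip"], site_a["mask"]) == network_of(site_b["pc_ip"], site_b["mask"])

def check_site(site):
    """Return the inconsistencies in one household's settings (empty list if none)."""
    problems = []
    host_net = network_of(site["pc_ip"], site["mask"])
    if not on_link(site["pc_ip"], site["mask"], site["gateway"]):
        problems.append(f"default gateway {site['gateway']} is off-link for {host_net}")
    tinc_net = ipaddress.ip_network(site["tinc_subnet"])
    if host_net != tinc_net:
        # A host mask wider than the tinc Subnet makes PCs ARP for remote peers
        # instead of handing those packets to the tinc node (routed mode fails).
        problems.append(f"host mask gives {host_net} but tinc Subnet is {tinc_net}")
    return problems

# Household A / B exactly as written in the thread (IDEA2 B keeps the posted gateway).
IDEA1 = (
    {"pc_ip": "10.30.0.2", "mask": "255.255.255.0", "gateway": "10.30.0.1", "tinc_subnet": "10.30.0.0/25"},
    {"pc_ip": "10.30.0.130", "mask": "255.255.255.0", "gateway": "10.30.0.129", "tinc_subnet": "10.30.0.128/25"},
)
IDEA2 = (
    {"pc_ip": "10.30.0.2", "mask": "255.255.255.0", "gateway": "10.30.0.1", "tinc_subnet": "10.30.0.0/24"},
    {"pc_ip": "10.30.1.2", "mask": "255.255.255.0", "gateway": "10.30.0.129", "tinc_subnet": "10.30.1.0/24"},
)

if __name__ == "__main__":
    for name, plan in (("IDEA1", IDEA1), ("IDEA2", IDEA2)):
        print(f"{name}: hosts share one broadcast domain: {same_lan(*plan)}")
        for label, site in zip("AB", plan):
            for problem in check_site(site):
                print(f"  {name} household {label}: {problem}")
```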
<br>
</body>
</html>