<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 22/03/12 19:29, Donald Pearson wrote:
    <blockquote
cite="mid:CAC=t97Bdx2jfjSBoASPjiqF4jnWn+_z8oOZCUY5rgj6eT-pVcg@mail.gmail.com"
      type="cite">
      <div class="gmail_quote">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="im">
              <blockquote type="cite">
                <div class="gmail_quote">
                  <div><br>
                  </div>
                  <div>Only if you want V1 to use gate/pub to reach the
                    internet.  V1 will still need its own "normal"
                    gateway in order for the VPN to be established over
                    the internet, so you will at least need a /32 route
                    for N2's IP address to use V1's "normal" gateway.
                    Unless you have a very good reason, you will also
                    want V1 to continue to use its normal gateway to
                    reach other nodes on the internet.  You probably
                    want V1 to use the VPN only for access to N2's
                    subnet.</div>
                </div>
              </blockquote>
            </div>
            The VPN is established by N1 via its interface eth0,
            providing the ethernet VPN on its interface eth1 (which is
            bridged with the tinc interface). V1 only "sees" the ethernet
            segment provided by N1, and gets its interface directly
            configured with a fixed public IP and the default gateway
            "GATE PUB" (the provider's gateway for this public subnet).
            <div class="im"><br>
            </div>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div>Oh I see, sorry that I missed the detail that N1 owns the
          Tinc interface.  So yes, the Tinc interface on N1 should be
          bridged with eth1.  N1's eth1 should have a physical
          connection to V1, either directly or through a switch.  If V1
          has no other interfaces, and you don't want to multi-home its
          interface, and you do want it to be able to route out to the
          internet, then yes, it will need to use the IP of gate/pub for its
          default gateway. </div>
        <div><br>
        </div>
        <div>So network configurations should look something like this?</div>
        <div><br>
        </div>
        <div>V1:</div>
        <div>Eth0 <a moz-do-not-send="true" href="http://1.0.0.1/24">1.0.0.1/24</a>
           <-- vpn participating, default route 1.0.0.254 (but not
          necessary)</div>
        <div><br>
        </div>
        <div>N1:</div>
        <div>Eth0 10.10.10.1 <-- default route 10.10.10.254</div>
        <div>Br0 <a moz-do-not-send="true" href="http://1.0.0.2/24">1.0.0.2/24</a>
           <-- vpn participating</div>
        <div> - eth1</div>
        <div> - tinc</div>
        <div><br>
        </div>
        <div>Gate/Nat:</div>
        <div>Eth0 10.10.10.254</div>
        <div>Eth1 1.2.3.4 (provided by ISP)</div>
        <div><br>
        </div>
        <div>------- internet --------</div>
        <div><br>
        </div>
        <div>Gate/Pub:</div>
        <div>Eth0 <a moz-do-not-send="true" href="http://1.0.0.254/24">1.0.0.254/24</a></div>
        <div><br>
        </div>
        <div>N2:</div>
        <div>Br0 <a moz-do-not-send="true" href="http://1.0.0.3/24">1.0.0.3/24</a>
          <-- vpn participating, default route 1.0.0.254</div>
        <div> - eth0</div>
        <div> - tinc</div>
      </div>
    </blockquote>
    Yes you got it, and yes V1 is directly connected to N1-eth1.<br>
    <blockquote
cite="mid:CAC=t97Bdx2jfjSBoASPjiqF4jnWn+_z8oOZCUY5rgj6eT-pVcg@mail.gmail.com"
      type="cite">
      <div class="gmail_quote">
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="im">
              <blockquote type="cite">
                <div class="gmail_quote">
                  <div><br>
                  </div>
                  <div>So, V1 will have an interface on the same subnet
                    as gate/nat and its default gateway will be
                    gate/nat.  V1 will also have a tinc interface on the
                    same subnet as N2.  Now, if you are trying to
                    extend N2's subnet to multiple nodes at V1's
                    physical location, then you will have a 2nd
                    interface on V1, bridged with the tinc interface,
                    and the bridge interface (as well as the interfaces
                    of any other nodes in V1's physical location that
                    you want to participate in the VPN) will have an
                    IP on N2's subnet. <br>
                  </div>
                </div>
              </blockquote>
            </div>
            As I have tried to explain before, the VPN is established
            by N1, not V1. V1 has only one interface, with the fixed
            public IP.<br>
            <blockquote type="cite">
              <div class="gmail_quote">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div bgcolor="#FFFFFF" text="#000000">
                    <div class="im">
                      <div>
                        <blockquote type="cite">
                          <blockquote type="cite">
                            <pre>N1 has eth0 on the LAN, br0 is a bridge of eth1 (where I want to plug
the video device) and the tinc interface.
N2 has its public IP on br0, which is a bridge of eth0 and the tinc
interface.
</pre>
                          </blockquote>
                          <pre>[...]
</pre>
                          <blockquote type="cite">
                            <pre>When I try to ping GATE from V1, I can see the ARP request crossing the VPN
(on both br0 interfaces), and a packet capture on GATE shows the ARP reply, but
this ARP reply never comes back on the bridge br0 of N2. (N2 is using
GATE as its default gateway too.)
</pre>
                          </blockquote>
                          <pre>I think that is normal. The ARP request is a broadcast packet, so you should
see that on all the interfaces. But the ARP reply is a unicast packet, so it is
only sent to V1. The bridge on N1 should therefore not forward it to the VPN
interface, so N2 will never see this ARP reply.</pre>
                        </blockquote>
                      </div>
                    </div>
                    Ok, but the thing I don't understand is: even if
                    the ARP reply is unicast, it should cross the VPN to
                    go back to the machine that requested it, shouldn't it? (I use
                    packet capture in promiscuous mode on the bridge, so
                    I should see it.)</div>
                </blockquote>
                <div><br>
                </div>
                <div>Yes you should. <br>
                </div>
              </div>
            </blockquote>
            Ok.
            <div>
              <div class="h5"><br>
                <blockquote type="cite">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div><br>
                          <blockquote type="cite">
                            <pre>But you seem to be implying that you cannot ping GATE from V1. It would help if
you could show us the routing tables on V1, N1 and N2, and which IP addresses
V1 and GATE have.</pre>
                          </blockquote>
                        </div>
                        As I said, V1 is on the same ethernet segment /
                        same subnet provided by the VPN, so if I am
                        right, routing cannot be part of the problem;
                        the only needed routes are local and default
                        gateway.</div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>When everything works, yes.  V1 and N2 will
                      "see" each-other as members of the same LAN,
                      however we're still doing this over the internet
                      so plenty of routing is still involved and needs
                      to be correct. :) </div>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div><br>
                          <blockquote type="cite"> <br>
                            <fieldset></fieldset>
                            <br>
                            <pre>_______________________________________________
tinc mailing list
<a moz-do-not-send="true" href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a>
<a moz-do-not-send="true" href="http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" target="_blank">http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a>
</pre>
                          </blockquote>
                          <br>
                          <br>
                        </div>
                        <font color="#888888">
                          <div>-- <br>
                            <div style="font:bold 13px
                              Arial;color:#003f80;margin-top:10px">
                              <div>Cédric Lemarchand</div>
                              <div
                                style="font-weight:normal;color:#7e7c83">System

                                & Network Engineer</div>
                              <div style="margin-top:12px">iXBlue</div>
                              <div
                                style="font-weight:normal;font-size:10px;color:#7e7c83">52,


                                avenue de l'Europe<br>
                                78160 Marly le Roi<br>
                                France</div>
                              <div
                                style="font-weight:normal;font-size:12px;margin:12px
                                0 12px 0">Tel. <a
                                  moz-do-not-send="true"
                                  href="tel:%2B33%201%2030%2008%2088%2088"
                                  value="+33130088888" target="_blank">+33
                                  1 30 08 88 88</a><br>
                                Mob. <a moz-do-not-send="true"
                                  href="tel:%2B33%206%2037%2023%2040%2093"
                                  value="+33637234093" target="_blank">+33
                                  6 37 23 40 93</a><br>
                                Fax <a moz-do-not-send="true"
                                  href="tel:%2B33%201%2030%2008%2088%2000"
                                  value="+33130088800" target="_blank">+33
                                  1 30 08 88 00</a></div>
                              <div style="margin-bottom:20px"><a
                                  moz-do-not-send="true"
                                  href="http://www.ixblue.com"
                                  style="font:normal 12px
                                  Arial;color:#003f80" target="_blank">www.ixblue.com</a></div>
                            </div>
                          </div>
                        </font></div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
    </blockquote>
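    Added example, not part of the thread or of tinc itself: a small Python script that correlates ARP requests and replies across captures taken at each hop of the bridged path discussed above (N1 br0, N2 br0, GATE) and reports the hops where the request was seen but the unicast reply never came back. The capture lines and the capture-point labels are constructed for this illustration, in tcpdump's ARP output style.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's ARP format, each line prefixed with
# a hypothetical capture-point label. For 1.0.0.254 (GATE) the reply shows up
# on GATE only, which is the symptom described in the thread; for 1.0.0.3
# (N2) the reply travels back over the VPN as expected.
SAMPLE_CAPTURE = """\
N1-br0: ARP, Request who-has 1.0.0.254 tell 1.0.0.1, length 28
N2-br0: ARP, Request who-has 1.0.0.254 tell 1.0.0.1, length 28
GATE-eth0: ARP, Request who-has 1.0.0.254 tell 1.0.0.1, length 28
GATE-eth0: ARP, Reply 1.0.0.254 is-at 00:11:22:33:44:55, length 28
N1-br0: ARP, Request who-has 1.0.0.3 tell 1.0.0.1, length 28
N2-br0: ARP, Request who-has 1.0.0.3 tell 1.0.0.1, length 28
N2-br0: ARP, Reply 1.0.0.3 is-at 00:aa:bb:cc:dd:ee, length 28
N1-br0: ARP, Reply 1.0.0.3 is-at 00:aa:bb:cc:dd:ee, length 28
"""

REQ = re.compile(r"^(\S+): ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\S+): ARP, Reply (\S+) is-at (\S+),")


def trace_arp(capture):
    """Return {target_ip: (request_hops, reply_hops, missing_hops)}.

    request_hops: capture points that saw the broadcast request, in order.
    reply_hops:   capture points that saw the unicast reply for that target.
    missing_hops: points that saw the request but never the reply, i.e. the
                  segment on which the reply stopped being forwarded.
    """
    requests = defaultdict(list)
    replies = defaultdict(list)
    for line in capture.splitlines():
        m = REQ.match(line)
        if m:
            hop, target, _sender = m.groups()
            requests[target].append(hop)
            continue
        m = REP.match(line)
        if m:
            hop, target, _mac = m.groups()
            replies[target].append(hop)
    result = {}
    for target, hops in requests.items():
        seen = replies.get(target, [])
        missing = [h for h in hops if h not in seen]
        result[target] = (hops, seen, missing)
    return result


if __name__ == "__main__":
    for target, (_req, _rep, missing) in trace_arp(SAMPLE_CAPTURE).items():
        print(target, "reply missing on:", missing or "nothing, path is fine")
```

    Feeding it real captures from each bridge (one tcpdump per capture point, lines prefixed with that point's label) narrows the fault to the first hop on the return path where the reply disappears.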
  </body>
</html>