<div dir="ltr"><div>Can you post details of your tinc configuration? Especially the Mode (is it "switch" or "router"?) and the DeviceType (is it "tun" or "tap"?).<br><br></div>If operating in "router" Mode, does hostc have a "Subnet = ipaddressx" in its host configuration file? That would be required for things to work the way you expect them to. (Also, does hostb have a Subnet that encompasses ipaddressx? That would explain why packets are being misrouted, not just dropped.)<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 10 April 2018 at 14:36, Hans de Groot <span dir="ltr"><<a href="mailto:hansg@dandy.nl" target="_blank">hansg@dandy.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello List,<br>
<br>
I have this setup:<br>
<br>
hosta <--> hostb <--> hostc<br>
<br>
Hosta and hostc are not directly connected via tinc, but both are connected via hostb (I called my network tincnet). This works fine; I can ssh from hosta to hostc and vice versa without any problems.<br>
<br>
hostc is in a whitelisted iprange at some service provider.<br>
<br>
I need hosta to talk to a certain ip (let's call it ipaddressx) via hostc.<br>
<br>
I added the iptables mangle rule to mark all traffic to ipaddressx at port 700.<br>
<br>
-A OUTPUT -p 6 -m tcp -d ipaddressx/255.255.255.255 --dport 700 -j MARK --set-mark 0x1<br>
<br>
I added:<br>
ip route add default via iphostc dev tincnet table hostc<br>
ip rule add from 0.0.0.0/0 fwmark 1 table hostc<br>
<br>
Now when I try this:<br>
<br>
traceroute -T -n ipaddressx -p 700<br>
<br>
The route goes via the ip of hostb and not via the ip of hostc as I would have expected.<br>
If I remove the iptables rule the route goes directly via the ip of hosta. So the mangle rule and ip rule lines are okay I think.<br>
Of course I also checked this via telnet ipaddressx 700 and watched via tcpdump what happened on hostb and hostc.<br>
<br>
A weird thing is that when I try to add the route with any ip in the tincnet subnet, the route gets added even if that ip is not in use, and all traffic still goes via the ip of hostb.<br>
i.e.: ip route add default via any_ip_in_the_tincnet_subnet dev tincnet table hostc<br>
<br>
Does anyone know what is happening here?<br>
<br>
Is it tincd at hostb that intercepts the traffic actually meant for hostc and thinks it's meant for hostb and rewrites stuff automatically? Or am I missing something in the ip route / ip rules part?<br>
<br>
I am using tinc a lot, but so far it was between tinc nodes that are also directly connected, and I never had this problem before.<br>
<br>
If I just use iptables on hosta and hostc with nat and prerouting it works fine. I just tell iptables on hosta that all traffic to ipaddressx has to be dnatted to hostc, and at hostc I just dnat this to the destination ip.<br>
<br>
But I really would like to understand how to do this via mangle/fwmark and ip route / ip rule way.<br>
<br>
hosta is centos 7 tinc 1.0.31<br>
hostb is centos 5 tinc 1.0.25<br>
hostc is centos 5 tinc 1.0.13<br>
<br>
I hope someone can help me on my way.<br>
<br>
Thx<br>
<br>
Hans de Groot<br>
<br>
_______________________________________________<br>
tinc mailing list<br>
<a href="mailto:tinc@tinc-vpn.org" target="_blank">tinc@tinc-vpn.org</a><br>
<a href="https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc" rel="noreferrer" target="_blank">https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc</a><br>
</blockquote></div><br></div>
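<p>The reply above asks about Mode, DeviceType and the Subnet lines in the host files, because in router mode with a tun device tincd never sees the gateway that <code>ip route</code>/<code>ip rule</code> picked: the tun device hands it a bare IP packet, and the destination address is matched against the Subnet entries of all known nodes, most specific prefix first. The following is an added, simplified model of that lookup written for this page; it is not tinc's code, and the host files, the 10.0.0.0/24 tincnet addresses and 203.0.113.10 standing in for ipaddressx are constructed placeholders. It shows how a broad Subnet on hostb would capture ipaddressx when hostc has no Subnet for it, and how adding "Subnet = ipaddressx" to hostc's host file changes the answer, regardless of any <code>via</code> gateway chosen on hosta.</p>

```python
"""Simplified model of tinc router-mode destination lookup (constructed example).

Assumptions, not tinc's actual implementation: Subnet lines use the documented
syntax addr[/prefix][#weight], the default weight is 10, the most specific
prefix wins and a lower weight breaks ties between equal prefixes.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class SubnetEntry(NamedTuple):
    net: ipaddress.IPv4Network
    weight: int
    owner: str


# Constructed hosts/<name> files. 10.0.0.x stands for tincnet addresses and
# 203.0.113.10 stands for ipaddressx; hostb carries a catch-all Subnet, which
# is the situation the reply above asks about.
HOST_FILES: Dict[str, str] = {
    "hosta": "Address = hosta.example\nSubnet = 10.0.0.1\n",
    "hostb": "Address = hostb.example\nSubnet = 10.0.0.2\nSubnet = 0.0.0.0/0\n",
    "hostc": "Address = hostc.example\nSubnet = 10.0.0.3\n",
}

# Subnet = 1.2.3.4/24#5  ->  network "1.2.3.4/24", weight "5"
_SUBNET_RE = re.compile(r"^\s*Subnet\s*=\s*(\S+?)(?:#(\d+))?\s*$")


def parse_subnets(owner: str, text: str) -> List[SubnetEntry]:
    """Collect the Subnet lines of one host file; a bare address means /32."""
    entries: List[SubnetEntry] = []
    for line in text.splitlines():
        m = _SUBNET_RE.match(line)
        if not m:
            continue
        net = ipaddress.IPv4Network(m.group(1), strict=False)
        weight = int(m.group(2)) if m.group(2) else 10  # tinc's documented default
        entries.append(SubnetEntry(net, weight, owner))
    return entries


def build_table(hosts: Dict[str, str]) -> List[SubnetEntry]:
    """Merge all hosts' Subnet entries, most specific prefix first, lower weight first."""
    table = [e for name, text in hosts.items() for e in parse_subnets(name, text)]
    table.sort(key=lambda e: (-e.net.prefixlen, e.weight))
    return table


def lookup(dest: str, table: List[SubnetEntry]) -> Optional[str]:
    """Return the node that owns dest, or None (tinc would drop the packet)."""
    addr = ipaddress.IPv4Address(dest)
    for e in table:
        if addr in e.net:
            return e.owner
    return None


def owner_for(dest: str, hosts: Dict[str, str]) -> Optional[str]:
    return lookup(dest, build_table(hosts))


def add_subnet(hosts: Dict[str, str], name: str, subnet: str) -> Dict[str, str]:
    """Copy of hosts with one more 'Subnet = ...' line appended to hosts/<name>."""
    fixed = dict(hosts)
    fixed[name] = fixed.get(name, "") + f"Subnet = {subnet}\n"
    return fixed


if __name__ == "__main__":
    # Only hostb's 0.0.0.0/0 covers ipaddressx, so hostb gets the packet no
    # matter which "via" gateway hosta's policy route named.
    print("before:", owner_for("203.0.113.10", HOST_FILES))
    # Give hostc an explicit /32: the longer prefix now wins over hostb's /0.
    print("after: ", owner_for("203.0.113.10", add_subnet(HOST_FILES, "hostc", "203.0.113.10")))
    # Without any covering Subnet the lookup fails and the packet is dropped.
    print("no owner:", owner_for("203.0.113.10", {"hostc": HOST_FILES["hostc"]}))
```

<p>Run it as-is to see the three cases; to check a real deployment, replace the constructed dictionary with the contents of the hosts/ directory on hosta, since that is the set of Subnet entries hosta's tincd will match against.</p>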