routing over a vpn network (tinc)

From: Clark Rawlins (clark_at_bit63.org)
Date: 08/30/03

Date: Sat, 30 Aug 2003 12:27:27 GMT


    I've got two networks using private ip blocks
    192.168.1.0/24 and 192.168.0.0/24.

    The nat is on network 192.168.254.0/24
    From router a I can ping 192.168.254.1 and from router b I can ping
    192.168.254.2. But from router a I can't ping 192.168.0.1 or any other
    address in the 192.168.0.0/24 network. And the same from b, I can't
    ping 192.168.1.1 or anything in the 192.168.1.0/24 network.

    I've gone over the routing tables over and over and can't see any
    problems there. I don't think I need any of the advanced routing stuff
    (I may be wrong). It doesn't seem that my iptables configuration
    prevents packets from getting where they need to be so I think I am
    missing something simple :)

    Any ideas?
    Is there more information to consider?

    Clark

    The two routers are set up like this:
    Router A (192.168.1.0/24)

    # ifconfig
    vpn Link encap:Ethernet HWaddr 00:FF:D0:1B:1C:66
              inet addr:192.168.254.2 Bcast:192.168.254.255 Mask:255.255.255.0
              inet6 addr: fe80::2ff:d0ff:fe1b:1c66/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:6432 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6201 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:2514291 (2.3 MiB) TX bytes:1165183 (1.1 MiB)

    eth0 Link encap:Ethernet HWaddr 00:40:33:D2:B1:16
              inet addr:xx.xxx.xx.144 Bcast:255.255.255.255 Mask:255.255.248.0
              inet6 addr: fe80::240:33ff:fed2:b116/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:1840566 errors:0 dropped:48 overruns:0 frame:0
              TX packets:137261 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:260679719 (248.6 MiB) TX bytes:12666278 (12.0 MiB)
              Interrupt:3 Base address:0x7f00

    eth1 Link encap:Ethernet HWaddr 00:07:95:FF:8B:2C
              inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
              inet6 addr: fe80::207:95ff:feff:8b2c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:2686000 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2350171 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1749459536 (1.6 GiB) TX bytes:951750009 (907.6 MiB)
              Interrupt:5 Base address:0xd000

    lo Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:67579 errors:0 dropped:0 overruns:0 frame:0
              TX packets:67579 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:14012214 (13.3 MiB) TX bytes:14012214 (13.3 MiB)

    # iptables-save
    # Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
    *nat
    :PREROUTING ACCEPT [29828:10374173]
    :POSTROUTING ACCEPT [2056:213995]
    :OUTPUT ACCEPT [3757:337440]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Sat Aug 30 07:06:39 2003
    # Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
    *mangle
    :PREROUTING ACCEPT [479813:295971745]
    :INPUT ACCEPT [2140284:1747050100]
    :FORWARD ACCEPT [169734:129748097]
    :OUTPUT ACCEPT [360371:180304635]
    :POSTROUTING ACCEPT [2304498:942555051]
    COMMIT
    # Completed on Sat Aug 30 07:06:39 2003
    # Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
    *filter
    :INPUT ACCEPT [360209:192411181]
    :FORWARD ACCEPT [91277:93385353]
    :OUTPUT ACCEPT [360380:180305791]
    -A INPUT -i eth0 -p tcp -m tcp --dport 79 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 705 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 32769 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 901 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 37 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 840 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 9 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 843 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 843 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 13 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 79 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 850 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 627 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 2809 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 953 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 666 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 32768 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 9 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 699 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 702 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 960 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 836 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 68 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 69 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 838 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 841 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 847 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 624 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i eth0 -p udp -m udp --dport 847 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 192.168.0.0/255.255.255.0 -j LOG
    -A FORWARD -s 192.168.0.0/255.255.255.0 -j LOG
    COMMIT
    # Completed on Sat Aug 30 07:06:39 2003

    Router B
    # ifconfig
    vpn Link encap:Ethernet HWaddr 00:FF:E4:FC:DB:08
              inet addr:192.168.254.1 Bcast:192.168.254.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:6362 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6711 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1159840 (1.1 MiB) TX bytes:2539153 (2.4 MiB)

    eth0 Link encap:Ethernet HWaddr 00:05:5D:CF:1C:6D
              inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:13498396 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11723006 errors:3 dropped:0 overruns:0 carrier:6
              collisions:5742144 txqueuelen:100
              RX bytes:2401637781 (2.2 GiB) TX bytes:3190561402 (2.9 GiB)
              Interrupt:10 Base address:0x2000

    eth1 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
              inet addr:yyy.yy.yyy.254 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:8792069 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4438177 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:2216349584 (2.0 GiB) TX bytes:808343263 (770.8 MiB)
              Interrupt:11 Base address:0x4000

    eth1:225 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
              inet addr:yyy.yy.yyy.225 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              Interrupt:11 Base address:0x4000

    eth1:253 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
              inet addr:yyy.yy.yyy.253 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              Interrupt:11 Base address:0x4000

    lo Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:15290709 errors:0 dropped:0 overruns:0 frame:0
              TX packets:15290709 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1363158918 (1.2 GiB) TX bytes:1363158918 (1.2 GiB)

    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.191.191.0 192.168.0.220 255.255.255.0 UG 0 0 0 eth0
    192.168.1.0 192.168.254.2 255.255.255.0 UG 0 0 0 vpn
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    yyy.yy.yyy.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn
    0.0.0.0 yyy.yy.yyy.1 0.0.0.0 UG 0 0 0 eth1

    # iptables-save
    # Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
    *mangle
    :PREROUTING ACCEPT [26525:3817063]
    :INPUT ACCEPT [18181752:1854615422]
    :FORWARD ACCEPT [13077333:7771031160]
    :OUTPUT ACCEPT [12826:1870928]
    :POSTROUTING ACCEPT [30857308:9429427029]
    COMMIT
    # Completed on Sat Aug 30 06:27:48 2003
    # Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
    *filter
    :INPUT ACCEPT [17632:2252725]
    :FORWARD ACCEPT [8895:1564442]
    :OUTPUT ACCEPT [12598:1840741]
    -A INPUT -s yyy.yy.yyy.69 -p tcp -m tcp --dport 5432 -j ACCEPT
    -A INPUT -s 209.25.210.70 -p tcp -m tcp --dport 5432 -j ACCEPT
    -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5432 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5432 -j DROP
    COMMIT
    # Completed on Sat Aug 30 06:27:48 2003
    # Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
    *nat
    :PREROUTING ACCEPT [9655:1116649]
    :POSTROUTING ACCEPT [925:82046]
    :OUTPUT ACCEPT [635:66834]
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 42 -j DNAT --to-destination 192.168.0.2:42
    -A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 42 -j DNAT --to-destination 192.168.0.2:42
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 43 -j DNAT --to-destination 192.168.0.2:43
    -A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 43 -j DNAT --to-destination 192.168.0.2:43
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.2:53
    -A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.2:53
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.2:110
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5631 -j DNAT --to-destination 192.168.0.49:5631
    -A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 5632 -j DNAT --to-destination 192.168.0.49:5632
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.15:5900
    -A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 192.168.0.17:5432
    -A PREROUTING -d yyy.yy.yyy.253 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.17:80
    -A PREROUTING -d yyy.yy.yyy.225 -p tcp -j DNAT --to-destination 192.168.254.2
    -A PREROUTING -d yyy.yy.yyy.225 -p udp -j DNAT --to-destination 192.168.254.2
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 42 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 42 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 43 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 43 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 110 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.49 -p tcp -m tcp --dport 5631 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.49 -p udp -m udp --dport 5632 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.15 -p tcp -m tcp --dport 5900 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.17 -p tcp -m tcp --dport 5432 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.17 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
    -A POSTROUTING -d 192.168.254.2 -p tcp -j SNAT --to-source 192.168.254.1
    -A POSTROUTING -d 192.168.254.2 -p udp -j SNAT --to-source 192.168.254.1
    COMMIT
    # Completed on Sat Aug 30 06:27:48 2003
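A check worth running on both routers before looking at iptables: parse `route -n` and confirm that the remote private block is actually routed out the `vpn` interface rather than falling through to the default route (where Router A's `-o eth0 -j MASQUERADE` rule would then apply). This is an added example, not code from the post; it embeds Router B's table as posted, with the masked `yyy.yy.yyy.x` addresses replaced by the documentation range 203.0.113.0/24, and a constructed, hypothetical table for Router A, whose routes were not posted.

```python
import ipaddress

# Router B's "route -n" table from the post. The masked public addresses
# (yyy.yy.yyy.x) are replaced by the documentation range 203.0.113.0/24 so
# the lines parse; that substitution is constructed, the rest is as posted.
ROUTER_B = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.191.191.0   192.168.0.220   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     192.168.254.2   255.255.255.0   UG    0      0        0 vpn
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 vpn
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
"""

# Router A's table was not posted; this is a constructed, hypothetical one
# that has the vpn link route but no route for the remote 192.168.0.0/24.
ROUTER_A = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 vpn
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Parse 'route -n' output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: returns (prefix, gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1], best[2])

def check_vpn_path(route_text, dst, vpn_iface="vpn"):
    """Return (ok, reason): ok only if dst would be forwarded over the VPN interface."""
    hit = lookup(parse_route_n(route_text), dst)
    if hit is None:
        return False, f"no route to {dst}"
    prefix, gw, iface = hit
    if iface != vpn_iface:
        return False, f"{dst} matches {prefix} via {iface}, not {vpn_iface}"
    return True, f"{dst} via {gw} dev {iface} ({prefix})"
```

On the hypothetical Router A table the check fails because 192.168.0.1 only matches the default route and leaves by eth0; on Router B's posted table 192.168.1.1 correctly resolves to 192.168.254.2 over vpn.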

