Re: VPN / Bridge
On Tue, 24 Jan 2006 16:01:11 +0100 Bob Kersten [EMAIL PROTECTED] wrote:

> Hello,
>
> I've been trying to create a tunnel/bridge between two networks which both reside behind a FreeBSD router using NAT. I've achieved it using the handbook example in chapter 14.10. Clients on network A are able to ping clients on network B, and clients on network A are able to map Samba shares on the NAT box/gateway of network B.
>
> The example however uses two different subnets to route traffic between both networks. Unfortunately broadcasts will not travel through the tunnel, which means Apple's Bonjour (earlier called Rendezvous) is not able to discover clients on the other network.
>
> What I want to achieve is, I believe, a bridge between both networks. The entire network A should be on the same subnet as network B:
>
>   network A range 192.168.100.100 - 192.168.100.199 / 255.255.255.0
>           |
>   FreeBSD gateway A
>     en1: IP: 192.168.100.101 / 255.255.255.0
>     en0: public IP: 25.25.25.1
>           |
>       Internet
>           |
>   FreeBSD gateway B
>     en0: public IP: 25.25.25.2
>     en1: IP: 192.168.100.1 / 255.255.255.0
>           |
>   Network B range 192.168.100.1 - 192.168.100.99 / 255.255.255.0
>
> Using the example from the handbook there was no additional configuration necessary on the clients on both networks; the FreeBSD gateways handled all the necessary routing. It would be great if this new setup also did not require any additional settings on the clients.
>
> Can anyone give me an example or the necessary steps to create this kind of VPN?

I would use OpenVPN. You need to select one to be a VPN server and another to be a VPN client. You just create a basic VPN connection that connects the two together. Then on each one add a route that points at the VPN address as the gateway for that subnet.

BTW the addressing is wrong there. You can't have one be 192.168.100.1-192.168.100.99 and the other be 192.168.100.100-192.168.100.199. That netmask is not possible. You can do a 28 bit netmask, which will give 126 addresses to play with on both networks.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: VPN / Bridge
Hi,

On 25-jan-2006, at 11:57, Fabian Keil wrote:

> [EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
> [EMAIL PROTECTED] ~ #ifconfig bridge0 create
> [EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
> [EMAIL PROTECTED] ~ #ifconfig bridge0
> bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         ether ac:de:48:f4:4e:9c
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: gif0 flags=3<LEARNING,DISCOVER>
>         member: ndis0 flags=3<LEARNING,DISCOVER>
>
> BTW: man if_config says all members of the bridge are required to have the same MTU, but ifconfig doesn't seem to check it. My setup wouldn't work as gif0 has an MTU of 1280.

Gjee ... I'm still not able to add the gif0 device to my bridge0. I'm using FreeBSD 6.0 and I've fixed the MTU on my gif0 device to be 1500. These are the steps that I take:

[/] [EMAIL PROTECTED] ifconfig gif0 create
[/] [EMAIL PROTECTED] ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 mtu 1500 up
[/] [EMAIL PROTECTED] ifconfig bridge0 create
[/] [EMAIL PROTECTED] ifconfig bridge0 addm fxp0
[/] [EMAIL PROTECTED] ifconfig bridge0 addm gif0
ifconfig: BRDGADD gif0: Invalid argument
[/] [EMAIL PROTECTED] ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::202:a5ff:fe26:6e45%fxp0 prefixlen 64 scopeid 0x1
        inet 192.168.100.101 netmask 0xff00 broadcast 192.168.100.255
        ether 00:02:a5:26:6e:45
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2e0:::%rl0 prefixlen 64 scopeid 0x2
        inet 1.2.3.4 netmask 0xfe00 broadcast 83.160.3.255
        ether 00:e0:4c:a2:b5:f6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff00
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        tunnel inet 1.2.3.4 --> 5.6.7.8
        inet6 fe80::202:a5ff::%gif0 prefixlen 64 scopeid 0x4
bridge0: flags=8000<MULTICAST> mtu 1500
        ether ac:de:48:ee:6a:cf
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp0 flags=3<LEARNING,DISCOVER>

The 'fake' IP addresses don't matter, it doesn't work with real addresses either. It seems as if gif0 is not accepted as a 'real' ethernet device when trying to add it to the bridge. Maybe this isn't the right way to achieve the VPN with all clients in the same subnet. Maybe there's a different solution necessary, or I'm doing something wrong, I don't know. Maybe someone could shed some light on this?

Cheers, Bob.
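The MTU point raised in the quoted reply (if_bridge(4) wants every member at the bridge's MTU, and the mismatch only surfaced in /var/log/messages) is worth checking before running `addm`. The script below is an added example, not code from the thread or from FreeBSD: it parses ifconfig(8) output, here a constructed sample that mirrors the thread with gif0 still at its default MTU of 1280, and reports any current member or candidate whose MTU differs from the bridge's. Function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-check MTU agreement before "ifconfig bridge0 addm gif0".
# if_bridge(4) requires all members to share the bridge MTU; this script
# parses ifconfig(8) output and refuses candidates that would not match.
# SAMPLE_IFCONFIG is a constructed sample mirroring the thread (gif0 still
# at the default 1280 that made Fabian's setup fail).
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.101 netmask 0xffffff00 broadcast 192.168.100.255
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 1.2.3.4 --> 5.6.7.8
bridge0: flags=8000<MULTICAST> mtu 1500
        ether ac:de:48:ee:6a:cf
        member: fxp0 flags=3<LEARNING,DISCOVER>'

# iface_mtus OUTPUT: print "ifname mtu" for every interface header line.
iface_mtus() {
    printf '%s\n' "$1" | awk '/^[a-z0-9]+: flags=/ {
        sub(":", "", $1)
        for (i = 1; i <= NF; i++) if ($i == "mtu") print $1, $(i + 1)
    }'
}

# bridge_members OUTPUT BRIDGE: print the current members of BRIDGE.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^[a-z0-9]+: flags=/ { inbr = ($1 == (br ":")) }
        inbr && $1 == "member:" { print $2 }'
}

# mtu_of OUTPUT IFNAME: print the MTU of IFNAME (empty if absent).
mtu_of() { iface_mtus "$1" | awk -v n="$2" '$1 == n { print $2 }'; }

# check_bridge_mtu OUTPUT BRIDGE CANDIDATE
# Exit 0 when the bridge, its members and CANDIDATE agree on the MTU;
# 1 on a mismatch (each offender is printed); 2 if an interface is missing.
check_bridge_mtu() {
    out=$1; br=$2; cand=$3; rc=0
    want=$(mtu_of "$out" "$br")
    [ -n "$want" ] || { echo "no such bridge: $br" >&2; return 2; }
    for ifn in $(bridge_members "$out" "$br") "$cand"; do
        have=$(mtu_of "$out" "$ifn")
        if [ -z "$have" ]; then
            echo "$ifn: no such interface" >&2; rc=2
        elif [ "$have" != "$want" ]; then
            echo "$ifn: mtu $have, bridge $br wants $want"; rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample: gif0 (1280) is rejected.
check_bridge_mtu "$SAMPLE_IFCONFIG" bridge0 gif0 || echo "not adding gif0 (status $?)"
```

On a live gateway, feed it the real output with `check_bridge_mtu "$(ifconfig)" bridge0 gif0` and only run `ifconfig bridge0 addm gif0` when it exits 0.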
Re: VPN / Bridge
Bob Kersten [EMAIL PROTECTED] wrote:

> On 25-jan-2006, at 11:57, Fabian Keil wrote:
>
> > [EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
> > [EMAIL PROTECTED] ~ #ifconfig bridge0 create
> > [EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
> > [EMAIL PROTECTED] ~ #ifconfig bridge0
> > bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> >         ether ac:de:48:f4:4e:9c
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: gif0 flags=3<LEARNING,DISCOVER>
> >         member: ndis0 flags=3<LEARNING,DISCOVER>
> >
> > BTW: man if_config says all members of the bridge are required to have the same MTU, but ifconfig doesn't seem to check it. My setup wouldn't work as gif0 has an MTU of 1280.
>
> Gjee ... I'm still not able to add the gif0 device to my bridge0. I'm using FreeBSD 6.0 and I've fixed the MTU on my gif0 device to be 1500. These are the steps that I take:
>
> [/] [EMAIL PROTECTED] ifconfig gif0 create
> [/] [EMAIL PROTECTED] ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 mtu 1500 up
> [/] [EMAIL PROTECTED] ifconfig bridge0 create
> [/] [EMAIL PROTECTED] ifconfig bridge0 addm fxp0
> [/] [EMAIL PROTECTED] ifconfig bridge0 addm gif0
> ifconfig: BRDGADD gif0: Invalid argument
> [/] [EMAIL PROTECTED] ifconfig
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 fe80::202:a5ff:fe26:6e45%fxp0 prefixlen 64 scopeid 0x1
>         inet 192.168.100.101 netmask 0xff00 broadcast 192.168.100.255
>         ether 00:02:a5:26:6e:45
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 fe80::2e0:::%rl0 prefixlen 64 scopeid 0x2
>         inet 1.2.3.4 netmask 0xfe00 broadcast 83.160.3.255
>         ether 00:e0:4c:a2:b5:f6
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff00
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>         tunnel inet 1.2.3.4 --> 5.6.7.8
>         inet6 fe80::202:a5ff::%gif0 prefixlen 64 scopeid 0x4
> bridge0: flags=8000<MULTICAST> mtu 1500
>         ether ac:de:48:ee:6a:cf
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: fxp0 flags=3<LEARNING,DISCOVER>
>
> The 'fake' IP addresses don't matter, it doesn't work with real addresses either. It seems as if gif0 is not accepted as a 'real' ethernet device when trying to add it to the bridge. Maybe this isn't the right way to achieve the VPN with all clients in the same subnet.

I don't know if it means anything, but our bridges seem to be different. Yours doesn't have the broadcast flag.

Fabian
--
http://www.fabiankeil.de/
Re: VPN / Bridge
On Friday 27 January 2006 16:07, Fabian Keil wrote:

> Bob Kersten [EMAIL PROTECTED] wrote:
>
> > On 25-jan-2006, at 11:57, Fabian Keil wrote:
> >
> > > [EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
> > > [EMAIL PROTECTED] ~ #ifconfig bridge0 create
> > > [EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
> > > [EMAIL PROTECTED] ~ #ifconfig bridge0
> > > bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > >         ether ac:de:48:f4:4e:9c
> > >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> > >         member: gif0 flags=3<LEARNING,DISCOVER>
> > >         member: ndis0 flags=3<LEARNING,DISCOVER>
> > >
> > > BTW: man if_config says all members of the bridge are required to have the same MTU, but ifconfig doesn't seem to check it. My setup wouldn't work as gif0 has an MTU of 1280.
> >
> > Gjee ... I'm still not able to add the gif0 device to my bridge0. I'm using FreeBSD 6.0 and I've fixed the MTU on my gif0 device to be 1500. These are the steps that I take:
> >
> > [/] [EMAIL PROTECTED] ifconfig gif0 create
> > [/] [EMAIL PROTECTED] ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 mtu 1500 up
> > [/] [EMAIL PROTECTED] ifconfig bridge0 create
> > [/] [EMAIL PROTECTED] ifconfig bridge0 addm fxp0
> > [/] [EMAIL PROTECTED] ifconfig bridge0 addm gif0
> > ifconfig: BRDGADD gif0: Invalid argument
> > [/] [EMAIL PROTECTED] ifconfig
> > fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::202:a5ff:fe26:6e45%fxp0 prefixlen 64 scopeid 0x1
> >         inet 192.168.100.101 netmask 0xff00 broadcast 192.168.100.255
> >         ether 00:02:a5:26:6e:45
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::2e0:::%rl0 prefixlen 64 scopeid 0x2
> >         inet 1.2.3.4 netmask 0xfe00 broadcast 83.160.3.255
> >         ether 00:e0:4c:a2:b5:f6
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet 127.0.0.1 netmask 0xff00
> > gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
> >         tunnel inet 1.2.3.4 --> 5.6.7.8
> >         inet6 fe80::202:a5ff::%gif0 prefixlen 64 scopeid 0x4
> > bridge0: flags=8000<MULTICAST> mtu 1500
> >         ether ac:de:48:ee:6a:cf
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: fxp0 flags=3<LEARNING,DISCOVER>
> >
> > The 'fake' IP addresses don't matter, it doesn't work with real addresses either. It seems as if gif0 is not accepted as a 'real' ethernet device when trying to add it to the bridge. Maybe this isn't the right way to achieve the VPN with all clients in the same subnet.
>
> I don't know if it means anything, but our bridges seem to be different. Yours doesn't have the broadcast flag.

Adding gifs to bridge came after 6.0-RELEASE. It's in 6.0-STABLE though.
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/if_bridge.c

> Fabian
Re: VPN / Bridge
Hi,

> ATM I don't use a VPN, therefore I can't give you a known-to-work step-by-step solution. However I couldn't reproduce your problem on 6.0 with the following commands:
>
> [EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
> [EMAIL PROTECTED] ~ #ifconfig bridge0 create
> [EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
> [EMAIL PROTECTED] ~ #ifconfig bridge0
> bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         ether ac:de:48:f4:4e:9c
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: gif0 flags=3<LEARNING,DISCOVER>
>         member: ndis0 flags=3<LEARNING,DISCOVER>

Where did your gif0 interface come from? I've added it using 'ifconfig gif0 create', but when I try to add it to the bridge I'm getting the following response:

[~] [EMAIL PROTECTED] ifconfig bridge0 addm gif0
ifconfig: BRDGADD gif0: Operation not permitted

I've noticed that in /var/log/messages it said that the MTU didn't match, so I've solved that and put both MTUs to 1500. However, the message still pops up when trying to add gif0 to the bridge.

Does anyone have clues as to how this can be done?

Cheers, Bob.
Re: VPN / Bridge
Bob Kersten [EMAIL PROTECTED] wrote:

> > ATM I don't use a VPN, therefore I can't give you a known-to-work step-by-step solution. However I couldn't reproduce your problem on 6.0 with the following commands:
> >
> > [EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
> > [EMAIL PROTECTED] ~ #ifconfig bridge0 create
> > [EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
> > [EMAIL PROTECTED] ~ #ifconfig bridge0
> > bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> >         ether ac:de:48:f4:4e:9c
> >         priority 32768 hellotime 2 fwddelay 15 maxage 20
> >         member: gif0 flags=3<LEARNING,DISCOVER>
> >         member: ndis0 flags=3<LEARNING,DISCOVER>
>
> Where did your gif0 interface come from? I've added it using 'ifconfig gif0 create', but when I try to add it to the bridge I'm getting the following response:
>
> [~] [EMAIL PROTECTED] ifconfig bridge0 addm gif0
> ifconfig: BRDGADD gif0: Operation not permitted
>
> I've noticed that in /var/log/messages it said that the MTU didn't match, so I've solved that and put both MTUs to 1500. However, the message still pops up when trying to add gif0 to the bridge.

gif0 was created with 'ifconfig gif0 create', I just forgot to copy and paste it.

I get the Operation not permitted error only when I haven't enough privileges:

[EMAIL PROTECTED] ~ $ifconfig bridge0 addm gif0
ifconfig: BRDGADD gif0: Operation not permitted

Does your user bob have root privileges and did you try it as root?

Fabian
--
http://www.fabiankeil.de/
Re: VPN / Bridge
Hi,

On 26-jan-2006, at 13:54, Fabian Keil wrote:

> gif0 was created with 'ifconfig gif0 create', I just forgot to copy and paste it.
>
> I get the Operation not permitted error only when I haven't enough privileges:
>
> [EMAIL PROTECTED] ~ $ifconfig bridge0 addm gif0
> ifconfig: BRDGADD gif0: Operation not permitted
>
> Does your user bob have root privileges and did you try it as root?

My mistake; I was trying to reproduce the error too quickly. The actual error message was:

ifconfig: BRDGADD gif0: Invalid argument

... when trying to add gif0 to the bridge as root.

Cheers, Bob.
Re: VPN / Bridge
CC'd to freebsd-questions@freebsd.org again.

Bob Kersten [EMAIL PROTECTED] wrote:

> On 24-jan-2006, at 17:28, Fabian Keil wrote:
>
> > > What I want to achieve is, I believe, a bridge between both networks. The entire network A should be on the same subnet as network B:
> >
> > If you use FreeBSD 6.0 see man if_bridge, else see man bridge.
>
> So I've created a tunnel device gif0 and have it set to tunnel between the two public IP addresses. I got stuck when I tried to add this gif0 device to the bridge. FreeBSD complained and said that gif0 was not an ethernet device. Maybe you have a step-by-step solution?

Maybe someone else could help you if you would post your FreeBSD version, the commands you used and the exact error message.

ATM I don't use a VPN, therefore I can't give you a known-to-work step-by-step solution. However I couldn't reproduce your problem on 6.0 with the following commands:

[EMAIL PROTECTED] ~ #ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
[EMAIL PROTECTED] ~ #ifconfig bridge0 create
[EMAIL PROTECTED] ~ #ifconfig bridge0 addm ndis0 addm gif0 up
[EMAIL PROTECTED] ~ #ifconfig bridge0
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:f4:4e:9c
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: gif0 flags=3<LEARNING,DISCOVER>
        member: ndis0 flags=3<LEARNING,DISCOVER>

BTW: man if_config says all members of the bridge are required to have the same MTU, but ifconfig doesn't seem to check it. My setup wouldn't work as gif0 has an MTU of 1280.

Fabian
--
http://www.fabiankeil.de/
VPN / Bridge
Hello,

I've been trying to create a tunnel/bridge between two networks which both reside behind a FreeBSD router using NAT. I've achieved it using the handbook example in chapter 14.10. Clients on network A are able to ping clients on network B, and clients on network A are able to map Samba shares on the NAT box/gateway of network B.

The example however uses two different subnets to route traffic between both networks. Unfortunately broadcasts will not travel through the tunnel, which means Apple's Bonjour (earlier called Rendezvous) is not able to discover clients on the other network.

What I want to achieve is, I believe, a bridge between both networks. The entire network A should be on the same subnet as network B:

  network A range 192.168.100.100 - 192.168.100.199 / 255.255.255.0
          |
  FreeBSD gateway A
    en1: IP: 192.168.100.101 / 255.255.255.0
    en0: public IP: 25.25.25.1
          |
      Internet
          |
  FreeBSD gateway B
    en0: public IP: 25.25.25.2
    en1: IP: 192.168.100.1 / 255.255.255.0
          |
  Network B range 192.168.100.1 - 192.168.100.99 / 255.255.255.0

Using the example from the handbook there was no additional configuration necessary on the clients on both networks; the FreeBSD gateways handled all the necessary routing. It would be great if this new setup also did not require any additional settings on the clients.

Can anyone give me an example or the necessary steps to create this kind of VPN?

Cheers, Bob.
Re: VPN / Bridge
Bob Kersten [EMAIL PROTECTED] wrote:

> I've been trying to create a tunnel/bridge between two networks which both reside behind a FreeBSD router using NAT. I've achieved it using the handbook example in chapter 14.10. Clients on network A are able to ping clients on network B, and clients on network A are able to map Samba shares on the NAT box/gateway of network B.
>
> The example however uses two different subnets to route traffic between both networks. Unfortunately broadcasts will not travel through the tunnel, which means Apple's Bonjour (earlier called Rendezvous) is not able to discover clients on the other network.
>
> What I want to achieve is, I believe, a bridge between both networks. The entire network A should be on the same subnet as network B:
>
>   network A range 192.168.100.100 - 192.168.100.199 / 255.255.255.0
>           |
>   FreeBSD gateway A
>     en1: IP: 192.168.100.101 / 255.255.255.0
>     en0: public IP: 25.25.25.1
>           |
>       Internet
>           |
>   FreeBSD gateway B
>     en0: public IP: 25.25.25.2
>     en1: IP: 192.168.100.1 / 255.255.255.0
>           |
>   Network B range 192.168.100.1 - 192.168.100.99 / 255.255.255.0
>
> Using the example from the handbook there was no additional configuration necessary on the clients on both networks; the FreeBSD gateways handled all the necessary routing. It would be great if this new setup also did not require any additional settings on the clients.
>
> Can anyone give me an example or the necessary steps to create this kind of VPN?

If you use FreeBSD 6.0 see man if_bridge, else see man bridge.

Fabian
--
http://www.fabiankeil.de/