Re: Error trying to create gre tunnel

2017-08-12 Thread Michael Parson

On 2017-08-11 17:53, D'Arcy Cain wrote:

> Is there some way to do this?  I can port forward but I suspect that
> that won't work as it doesn't use TCP or UDP over the tunnel.  I
> looked at OpenVPN but that only allows individual hosts to connect.  I
> am trying to join two internal networks.


Instructions for doing LAN-to-LAN with OpenVPN:

https://community.openvpn.net/openvpn/wiki/RoutedLans

--
Michael Parson
Pflugerville, TX
KF5LGQ



Re: Error trying to create gre tunnel

2017-08-12 Thread Robert Elz
Date:Sat, 12 Aug 2017 10:20:00 -0400
From:"D'Arcy Cain" 
Message-ID:  <875c4376-5649-1e0e-7b7f-be9de9b5f...@netbsd.org>

  | > 2) in the man page example address C is
  | > not mentioned at all in the configuration of "Router A"

  | As I said, I am going by someone else's statement.

That was me (off list) -- and the two of you are talking about different
things, the address that has to be local is 'B', Valery is talking about 'C'
which needs only to be an address that will (somehow, how does not matter)
result in the packet arriving at the remote end (and such that when it
arrives, the dest addr that is then in the packet is one that matches its
GRE config.)

  | Also, DMZ didn't help.  It may be that the Linksys WRT router only 
  | handles TCP and UDP protocols.  I may just have to put the NetBSD box as 
  | the public gateway.

While the latter could bring a host of other management benefits, if that
is not the planned config, then I'd still suggest trying GRE over UDP rather
than GRE over IP.   NAT should fix the IP addresses as needed - you just need
to make sure that the NAT doesn't randomly reassign UDP port numbers, or
there will be no way to properly configure things.

kre
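The point kre makes above (a consumer NAT that only tracks TCP/UDP flows has no port numbers to map in a GRE-over-IP packet, while GRE over UDP gives it a normal 5-tuple, provided it leaves the UDP source port alone so the remote end's tunnel match still succeeds), as an added toy model. This is not part of the thread and not NetBSD's gre(4) code; the addresses, the UDP port 4754 and the toy NAT's port pool are constructed assumptions, and checksums are left zero because nothing here validates them.

```python
"""Toy model (constructed, not NetBSD gre(4) code) of why a NAT router that only
understands TCP/UDP cannot forward GRE over IP, but can carry GRE over UDP as long
as it keeps the UDP source port stable."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47        # GRE over IP: no port numbers in the outer header
GRE_UDP_PORT = 4754     # assumption: any UDP port both tunnel ends agree on

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges)
LAN_HOST = "192.168.1.10"      # the internal NetBSD router (local outer address B)
NAT_PUBLIC = "198.51.100.7"    # the consumer router's public address
PEER = "203.0.113.5"           # the remote tunnel endpoint (C)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left zero since nothing here validates it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gre(inner):
    """Basic GRE header (RFC 2784): flags 0, version 0, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0x0000, 0x0800) + inner


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def parse_gre(gre):
    flags_ver, ethertype = struct.unpack("!HH", gre[:4])
    return {"version": flags_ver & 0x7, "ethertype": ethertype, "inner": gre[4:]}


def flow_key(pkt):
    """The 5-tuple a TCP/UDP-only NAT tracks; None when the outer protocol has no ports."""
    ip = parse_ipv4(pkt)
    if ip["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return (ip["proto"], ip["src"], sport, ip["dst"], dport)
    return None


class ToyNat:
    """Outbound source NAT with no knowledge of IP protocol 47."""

    def __init__(self, public_ip, randomize_ports=False):
        self.public_ip = public_ip
        self.randomize_ports = randomize_ports
        self.next_port = 60000          # constructed: the pool it reassigns ports from
        self.table = {}

    def outbound(self, pkt):
        key = flow_key(pkt)
        if key is None:
            return None                 # nothing to map: GRE over IP is dropped
        proto, src, sport, dst, dport = key
        new_sport = sport
        if self.randomize_ports:
            new_sport, self.next_port = self.next_port, self.next_port + 1
        payload = parse_ipv4(pkt)["payload"]
        translated = struct.pack("!H", new_sport) + payload[2:]   # rewrite source port only
        self.table[(proto, self.public_ip, new_sport, dst, dport)] = key
        return build_ipv4(self.public_ip, dst, proto, translated)


def remote_accepts(pkt, local_addr, peer_addr, peer_port=None):
    """Emulates the remote end's tunnel match: outer src/dst must equal its configured
    peer/local addresses, and for UDP encapsulation the peer's source port as well."""
    if pkt is None:
        return False
    ip = parse_ipv4(pkt)
    if ip["src"] != peer_addr or ip["dst"] != local_addr:
        return False
    if ip["proto"] == IPPROTO_UDP:
        return struct.unpack("!H", ip["payload"][:2])[0] == peer_port
    return ip["proto"] == IPPROTO_GRE


def demo():
    inner = b"\x45" + b"\x00" * 19          # constructed stand-in for an inner IPv4 packet
    gre_ip = build_ipv4(LAN_HOST, PEER, IPPROTO_GRE, build_gre(inner))
    gre_udp = build_ipv4(LAN_HOST, PEER, IPPROTO_UDP,
                         build_udp(GRE_UDP_PORT, GRE_UDP_PORT, build_gre(inner)))
    return {
        "gre_ip_dropped": ToyNat(NAT_PUBLIC).outbound(gre_ip) is None,
        "gre_udp_stable_port": remote_accepts(ToyNat(NAT_PUBLIC).outbound(gre_udp),
                                              PEER, NAT_PUBLIC, GRE_UDP_PORT),
        "gre_udp_random_port": remote_accepts(
            ToyNat(NAT_PUBLIC, randomize_ports=True).outbound(gre_udp),
            PEER, NAT_PUBLIC, GRE_UDP_PORT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The remote end in this model is configured with the NAT's public address as its peer, which is kre's earlier point that the remote side's tunnel config must match the addresses as they appear when the packet arrives; the third case shows why a NAT that reassigns UDP source ports leaves no stable port for that configuration.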



Re: Error trying to create gre tunnel

2017-08-12 Thread D'Arcy Cain

On 08/12/2017 09:08 AM, Valery Ushakov wrote:

>> I don't think so.  I am pretty sure that I read that the first argument to
>> tunnel must be an address on the host server.  Not sure where I read that
>> though as I have been doing a lot of research in the last day or two.  I
>> couldn't find it in the man page.
>
> Two points here: 1) the example I gave is adapted from the actual
> working configuration I use; 2) in the man page example address C is
> not mentioned at all in the configuration of "Router A".  How can
> router A divine it, as it obviously needs to send the GRE packets to
> the address C (remote-outer-ip).


As I said, I am going by someone else's statement.  I do know that if I 
put an address not on a local interface I get the error that started 
this thread.


Also, DMZ didn't help.  It may be that the Linksys WRT router only 
handles TCP and UDP protocols.  I may just have to put the NetBSD box as 
the public gateway.


--
D'Arcy J.M. Cain 
http://www.NetBSD.org/ IM:da...@vex.net


Re: Error trying to create gre tunnel

2017-08-12 Thread Valery Ushakov
On Sat, Aug 12, 2017 at 08:48:24 -0400, D'Arcy Cain wrote:

> On 08/12/2017 12:16 AM, Valery Ushakov wrote:
> > You can forward all traffic from the consumer gizmo internet facing
> > router (with single public IP address from the provider) to the
> > internal netbsd router.  It's usually called "DMZ host" in the web
> > interface.
> 
> I considered that but it seems insecure.  I do have a few ports pointing to
> the device already though so that would just open all of them.  I suppose it
> would be no worse than using the NetBSD box as my gateway router.

Yes, the netbsd router is effectively the gateway router.


> > PS: Hmm, looking at gre(4), shouldn't the example be fixed to say
> > 
> >ifconfig greN tunnel B C
> 
> I don't think so.  I am pretty sure that I read that the first argument to
> tunnel must be an address on the host server.  Not sure where I read that
> though as I have been doing a lot of research in the last day or two.  I
> couldn't find it in the man page.

Two points here: 1) the example I gave is adapted from the actual
working configuration I use; 2) in the man page example address C is
not mentioned at all in the configuration of "Router A".  How can
router A divine it, as it obviously needs to send the GRE packets to
the address C (remote-outer-ip).

-uwe


Re: Error trying to create gre tunnel

2017-08-12 Thread D'Arcy Cain

On 08/12/2017 12:16 AM, Valery Ushakov wrote:

> You can forward all traffic from the consumer gizmo internet facing
> router (with single public IP address from the provider) to the
> internal netbsd router.  It's usually called "DMZ host" in the web
> interface.


I considered that but it seems insecure.  I do have a few ports pointing 
to the device already though so that would just open all of them.  I 
suppose it would be no worse than using the NetBSD box as my gateway router.


I will try your suggestions.


> PS: Hmm, looking at gre(4), shouldn't the example be fixed to say
>
>    ifconfig greN tunnel B C


I don't think so.  I am pretty sure that I read that the first argument 
to tunnel must be an address on the host server.  Not sure where I read 
that though as I have been doing a lot of research in the last day or 
two.  I couldn't find it in the man page.


OK, found it.  It was a statement in an email from kre@.  Robert - can 
you give us a citation?  Should the man page be updated?


--
D'Arcy J.M. Cain 
http://www.NetBSD.org/ IM:da...@vex.net