Tinc + bridging

  • I am trying to get a tinc VPN setup between a few pfsense boxes running 2.2.2

    I did fresh installs this morning to ensure there wasn't any old config buried somewhere.

    I want to replicate the openvpn tap+bridge setup I had before, but using tinc instead, since it's meshing and will remove the single point of failure that is the single openvpn server.

    The LAN subnets for each of the pfsense boxes are the same, and thus the reason for the bridging.

    I got tinc set up between two boxes and they are successfully passing updates to each other, since I can see each of them learning MAC addresses that aren't present on the local network. Tinc is running in switch mode.

    I added the created tap0 interface to a bridge that includes LAN.

    There are no rules applied on the bridge or the tap0 adapter, and the LAN subnet has an allow-all-to-any rule applied to it.

    So far I haven't gotten anything to work. I can see traffic go across the tunnel and out the LAN interface when I send a ping, but the response isn't coming back, and I don't see it blocked anywhere in the logs.

    I also got traffic flowing once, but then noticed that despite putting a deny-all on the tap interface I was still able to ping addresses/ssh to devices in the LAN segment on each side. I need to be able to block certain ports like DHCP and UPnP, but it looks like the packet comes across the tunnel and is matched to the LAN rule since it's on the same subnet.

    I am wondering if anyone has had success using tinc to bridge subnets that are the same while controlling IP traffic to/from the tunnel to keep DHCP and UPnP from leaking into the other subnets.

  • Did you find a solution? If yes, are you willing to share your config?  ;)

