Hi,
On Sunday 11 November 2007, Predrag Balorda wrote:
This is my setup - I sincerely hope ascii-art holds up as it took some time to create! :-)
gateway Inet -- 123.456.789.100 router1 10.0.0.1 --- 10.0.0.10 router2 router3 (ath0) 105.0.0.1 --batman-- 105.0.0.2 --batman-- 105.0.0.3 (eth0) 10.0.1.0 10.0.2.0 10.0.3.0 (bat0) 169.254.0.0 --PtP-- 169.254.2.79 (bat0) 169.254.0.0 --------------PtP----------- 169.254.2.80
I have read the bmx pdf and it is excellent. Everything works as it should on batman-exp rv792. But I have a problem. The guide assumes that your gateway to the public internet is my 'router1' and it also assumes that you have a firewall running on all those routers.
just an idea...
The document does not yet mention the option for the old, stateless, batmand-0.2-based one-way-tunnel. The one-way-tunnel only entunnels uplink internet data (from the client node to the gw node). No tunnels are used for downlink internet data (from the GW node to the client). For downlink traffic, the GW node just forwards the data. Therefore the inner IP address must be a valid and known IP address in your mesh - usually the batman address of the client node. With rv 795, the source address of the entunneled packets at the client side can also be an address from a non-batman interface (like eth0 in your setup) if those address ranges have been HNA-announced by the client node.
You can enable them at the gw side with --one-way-tunnel 1. At the client side, you can enable --one-way-tunnel <value> with a value larger than 0. The value defines a preference for the tunnel types offered by the selected GW (higher value = more preferred). You can disable the 0.3-default two-way-tunnel with --two-way-tunnel 0 (see also --dangerous for very short help).
This way it should be possible to:
- do SNAT only on your gateway. No (S)NAT on any batman node
- configure a default route at router 1 to your gateway
- configure a 10.0.0.0/16 route at the gateway to router 1
- for the uplink traffic packets from client-node-dhcp-clients are entunnelled at the client-node but with the original client-node-dhcp-clients ip address as the inner tunnel src address.
- the client-node-dhcp-clients ip address ranges are announced by the corresponding clients
- for the downlink traffic let the batman daemon on router 1 choose the correct next hop towards the client node which announced the corresponding network destination address.
- maybe other (dis)advantages, depending on your personal preferences like: no blackhole-GW-detection, no means for a GW node to control the maximum number of connected client nodes, less tunnel-protocol-overhead,...
happy routing, /axel
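As an added illustration of the scheme described in the reply above (this is constructed example code, not from the mailing list thread or from the batmand project): a small model of the one-way tunnel, showing why the inner source address of an uplink packet has to be the client's batman address or a range that client has HNA-announced, and how the GW picks the untunnelled downlink next hop from those announcements. The node names and addresses follow the thread's diagram; the public destination 198.51.100.1 and the "router3 has not announced its LAN" case are assumptions made for the example.

```python
# Constructed model of axel's one-way-tunnel proposal (example code, not batmand).
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Routes outside the mesh, as proposed in the reply: the (non-batman) gateway sends
# 10.0.0.0/16 to router1; router1's default route points at the gateway.
GATEWAY_MESH_ROUTE = ipaddress.ip_network("10.0.0.0/16")
ROUTER1_LAN = ipaddress.ip_network("10.0.0.0/24")   # the hna on router1 from the thread


@dataclass
class MeshNode:
    name: str
    bat_addr: str                                              # batman address (ath0)
    hna: List[ipaddress.IPv4Network] = field(default_factory=list)  # HNA-announced ranges

    def accepts_inner_src(self, src: str) -> bool:
        """rv795 rule: the inner src may be the node's own batman address or any
        address inside a range this node has announced via HNA."""
        ip = ipaddress.ip_address(src)
        return src == self.bat_addr or any(ip in net for net in self.hna)


@dataclass
class Packet:
    src: str
    dst: str
    outer_src: Optional[str] = None   # present only while inside the one-way tunnel
    outer_dst: Optional[str] = None


def client_uplink(node: MeshNode, pkt: Packet, gw_bat_addr: str) -> Optional[Packet]:
    """Client side: wrap the packet towards the GW, keeping the original inner src.
    Returns None when the inner src is not a known mesh address, i.e. the case where
    the client would otherwise have to MASQUERADE on bat0 (the extra NAT level)."""
    if not node.accepts_inner_src(pkt.src):
        return None
    return Packet(pkt.src, pkt.dst, outer_src=node.bat_addr, outer_dst=gw_bat_addr)


def gw_receive_uplink(tunnelled: Packet) -> Packet:
    """GW side: strip the tunnel header; the inner packet continues with its mesh src,
    so the only SNAT happens later at the public gateway."""
    return Packet(tunnelled.src, tunnelled.dst)


def gw_downlink_next_hop(nodes: List[MeshNode], dst: str) -> Optional[str]:
    """Downlink is not tunnelled: the batman daemon on the GW node forwards towards the
    node whose HNA covers dst (longest prefix wins). None means nobody announced it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for node in nodes:
        for net in node.hna:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node.name, net)
    return best[0] if best else None


def gateway_route(dst: str) -> str:
    """Plain router at the public gateway (no batman): mesh space to router1, rest to Inet."""
    return "router1" if ipaddress.ip_address(dst) in GATEWAY_MESH_ROUTE else "inet"


def build_nodes() -> List[MeshNode]:
    # router1 is the batman GW node; router2 announces its eth0 LAN; router3 (assumed) does not.
    return [
        MeshNode("router1", "105.0.0.1", [ROUTER1_LAN]),
        MeshNode("router2", "105.0.0.2", [ipaddress.ip_network("10.0.2.0/24")]),
        MeshNode("router3", "105.0.0.3", []),
    ]


def demo() -> dict:
    nodes = build_nodes()
    gw, r2, r3 = nodes
    ok = client_uplink(r2, Packet("10.0.2.50", "198.51.100.1"), gw.bat_addr)
    bad = client_uplink(r3, Packet("10.0.3.7", "198.51.100.1"), gw.bat_addr)
    return {
        "uplink_inner_src_kept": ok is not None and gw_receive_uplink(ok).src == "10.0.2.50",
        "uplink_needs_nat_without_hna": bad is None,
        "downlink_router2": gw_downlink_next_hop(nodes, "10.0.2.50"),   # "router2"
        "downlink_router3": gw_downlink_next_hop(nodes, "10.0.3.7"),    # None: not announced
        "gateway_to_mesh": gateway_route("10.0.2.50"),                  # "router1"
        "gateway_to_inet": gateway_route("198.51.100.1"),               # "inet"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The router3 case is the failure mode behind the MASQUERADE workaround quoted below: without an HNA announcement for 10.0.3.0/24 the GW has no downlink next hop for that LAN, and the client node cannot put a 10.0.3.x address inside the tunnel either, so it ends up rewriting the source to its bat0 address.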
It also ends up with double-nat (well, actually triple-nat in my case). I have gotten rid of one level of nat (on router1). But I'm still left with a double nat.
NAT happens when default route traffic from batman nodes is sent down the bat0 tunnel and then once again when my gateway passes it onto the public ip space.
I have succeeded in creating a setup where no nat is done when client nodes connect to 10.0.0.0/24 network (10.0.0.0/24 hna on router1) but if I want to go out onto the internet I simply have to do
iptables -t nat -A POSTROUTING -o bat0 -j MASQUERADE
on each batman node, otherwise nodes themselves can get out but their eth0 clients cannot (i.e. from 10.0.2.0/24 or 10.0.3.0/24 - 10.0.1.0/24 doesn't have this problem as it has a default route entry in the output of 'route' - other batman nodes don't).
Can someone with a bit more experience in these matters give me a hand? I will probably end up having to use batman on the gateway node as well but I'd rather have this possibility of a gw node not running batman.
Thanks again!
Pele
B.A.T.M.A.N mailing list B.A.T.M.A.N@open-mesh.net https://list.open-mesh.net/mm/listinfo/b.a.t.m.a.n