On Thursday 30 September 2010 13:50:52 Magosányi Árpád wrote:
I do announce local wifi net through HNA. In the meantime my config started to not work. I saw that the node in the middle does REJECT tunnel traffic from packet filter, so added a firewall rule to accept everything in the FORWARD chain in all nodes. Then as packets started to come out from the system with tunnel source IP, I have added a MASQUERADE on the node which is connected to the internet gateway.
Now it works, but uses the tunnel in an asymmetric way: packets out go through the tunnel, packets in go in the plain route.
Batmand offers 2 types of tunnel: the "half tunnel" and the "full tunnel" which allows you to choose what suits you best.
The full tunnel has the advantage that batmand can automatically detect whether the gateway has a working internet connection and switch to another gateway if necessary. As tunneling in user space is painfully CPU-intensive, the full tunnel comes with a performance penalty with many simultaneous users. If that is an issue you might want to have a look at the batgat kernel module which does the tunneling in kernel space.
The half tunnel does not run into the performance issue that easily but can't detect internet availability. As the user traffic is not natted in the tunnel this mode is more suitable for SIP and similar protocols.
Half tunnel mode is the default, full tunneling can be activated by natting on the client's gate0 interface: iptables -t nat -I POSTROUTING -o gate0 -j MASQUERADE
Regards, Marek
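As an added example that is not part of the thread above: a small POSIX shell script that sets up the two modes Marek describes, with the rules inserted idempotently (checked with `iptables -C` before `-I`) so that re-running it does not stack duplicates. It assumes the client's tunnel interface is gate0 (the name used in the reply), scopes the FORWARD accept rules to that interface rather than accepting everything as the original poster did, and defaults to a dry run that prints the commands instead of applying them; set IPT=iptables and run as root to apply.

```shell
#!/bin/sh
# Added example, not code from the mailing list. Assumptions: the batmand
# tunnel interface on the client is gate0; IPT defaults to a dry run that only
# prints the iptables commands, so the script can be read and tested unprivileged.

TUN_IF="${TUN_IF:-gate0}"
IPT="${IPT:-echo iptables}"   # set IPT=iptables to apply for real (needs root)

# rule_add TABLE CHAIN RULE... : insert RULE only if it is not already present,
# so running the script twice does not leave duplicate rules behind.
rule_add() {
    table=$1; chain=$2; shift 2
    if [ "$IPT" = "iptables" ]; then
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
            || iptables -t "$table" -I "$chain" "$@"
    else
        $IPT -t "$table" -I "$chain" "$@"
    fi
}

# half_tunnel: the default mode. Forward traffic on the tunnel interface only
# (instead of a blanket FORWARD accept) and do not NAT it, so SIP and similar
# protocols still see the real client address.
half_tunnel() {
    rule_add filter FORWARD -i "$TUN_IF" -j ACCEPT
    rule_add filter FORWARD -o "$TUN_IF" -j ACCEPT
}

# full_tunnel: the half-tunnel forwarding rules plus MASQUERADE on the tunnel
# interface, which is how the reply says full tunneling is switched on.
full_tunnel() {
    half_tunnel
    rule_add nat POSTROUTING -o "$TUN_IF" -j MASQUERADE
}

# count_nat_rules MODE: number of nat-table commands a mode emits in dry-run
# mode; confirms that only full_tunnel touches the nat table.
count_nat_rules() {
    "$1" | grep -c -- '-t nat' || true
}
```

Running `sh script.sh` as-is prints nothing because it only defines functions; call `full_tunnel` or `half_tunnel` at the end (or from another script that sources it) to emit or apply the rules.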