* [LARTC] Private Address Routing via Tunnels
From: Alan Ford @ 2004-02-01 17:09 UTC (permalink / raw)
  To: lartc

Hi,

I'm trying to do some horrible private address routing between networks.
Is there a way to handle the following? I'm guessing policy routing 
*might* be the way, but anyway...

Two networks, accessible via public addresses -- a /29 on each. Each
network, however, has more machines than this, so one also has 
192.168.0.0/24 and the other has 192.168.1.0/24.

I have an IPIP tunnel between the networks -- 192.168.0.252 -> .253,
and routing entries like:
    192.168.0.253   *               255.255.255.255 UH    0      0        0 tunl1
    192.168.1.0     192.168.0.253   255.255.255.0   UG    0      0        0 tunl1
On the other end, .252 and network 192.168.0.0 via it.

My problem is routing from *public* addresses on network A to *private*
addresses on network B, or vice versa. (Private <-> private is fine).

I presume that the problem is that returning packets from the private
address to the public address tries to send it over the wider Internet,
but the packets are lost since they have private source addresses.
Somehow, I need to send only packets *from* private addresses *to*
public addresses on my other network back via the IPIP tunnel.

Am I right in that assumption? If so, is policy routing the way to go
there, or is there some other way?

Thanks,
Alan
-- 
Alan Ford * alan@whirlnet.co.uk 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Private Address Routing via Tunnels
From: Jose Luis Domingo Lopez @ 2004-02-01 22:10 UTC (permalink / raw)
  To: lartc

On Sunday, 01 February 2004, at 17:09:39 +0000,
Alan Ford wrote:

> My problem is routing from *public* addresses on network A to *private*
> addresses on network B, or vice versa. (Private <-> private is fine).
> 
The routing tables on both gateways apply to all traffic that arrives at
them, so if traffic from one gateway's private network can reach the
other remote private network correctly, I think the same should happen
to the public IP ranges from both networks.

The IPIP tunnel should encapsulate whole packets inside newly created
ones, which will be using public IP addressing. In fact the tunnel is
working nicely because you can reach one private network from the other.

You should try to troubleshoot the problem with the usual tools, for
example ping, traceroute, "ip route get", tcpdump, ethereal, telnet, etc.

Try to see the path that your packets take, maybe they are not being
tunneled, maybe there is a route missing from some router, maybe just a
typo prevents it from working.

> Am I right in that assumption? If so, is policy routing the way to go
> there, or is there some other way?
> 
I don't think your setup needs policy routing to work ok, so first check
routing tables and do some tests to see where packets go and die :-)

Greetings.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.1-rc3)

* Re: [LARTC] Private Address Routing via Tunnels
From: Alan Ford @ 2004-02-02 11:26 UTC (permalink / raw)
  To: lartc

On Sun, Feb 01, 2004 at 11:10:43PM +0100, Jose Luis Domingo Lopez wrote:
> On Sunday, 01 February 2004, at 17:09:39 +0000,
> Alan Ford wrote:
> 
> > My problem is routing from *public* addresses on network A to *private*
> > addresses on network B, or vice versa. (Private <-> private is fine).
>
> The routing tables on both gateways apply to all traffic that arrives at
> them, so if traffic from one gateway's private network can reach the
> other remote private network correctly, I think the same should happen
> to the public IP ranges from both networks.

I've now done some packet sniffing to confirm what I suggested in my first
mail. The packets get there OK, but responses don't come back.

They can route from the public to the private blocks, because they get to
the router and the router knows to send it down the IPIP tunnel. But how
can I configure the router at the other end to know to send responses
from the private block to the public block down the tunnel? I think that's
what I am needing to do here, does that make sense?

Thanks,
Alan

-- 
Alan Ford * alan@whirlnet.co.uk 

* Re: [LARTC] Private Address Routing via Tunnels
From: Jose Luis Domingo Lopez @ 2004-02-03  0:19 UTC (permalink / raw)
  To: lartc

On Monday, 02 February 2004, at 11:26:48 +0000,
Alan Ford wrote:

> They can route from the public to the private blocks, because they get to
> the router and the router knows to send it down the IPIP tunnel. But how
> can I configure the router at the other end to know to send responses
> from the private block to the public block down the tunnel? I think that's
> what I am needing to do here, does that make sense?
> 
Traditional routing is always based solely on the destination IP address
of packets arriving at a router. With Linux policy routing you can
route based on both destination and source IP address, and based on more
parameters, for example, any parameter selectable via iptables.

The router on the other end already has a working routing table based on
both information from IP addresses for each interface and static routes
you should have added manually. If the router on the other end doesn't
know how to route packets back to the other router, then the routing
table on the distant router is not correct.

As the two internal networks are far away and connected by a tunnel
using public IP addressing, I guess what is missing in the remote router
is a route that sends traffic directed to the other private network
through the tunnel. Exactly the same as you seem to have done on your
"local" router to make traffic directed to the remote LAN be
encapsulated through the IPIP tunnel.

Just for completeness, in this setup I don't think policy routing (based
on source IP addresses) is the correct way to handle the problem.

Greetings.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.2-bk3)
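
The destination-only lookup and the source-based policy lookup discussed in this thread, as an added example that is not part of the original messages: a small Python model of the lookup on the network B router for a reply from a private host on B to a public host on A. The public /29 (203.0.113.0/29), the interface names eth0 and eth1, the host addresses and the table name "viatun" are constructed placeholders, since the thread does not give the real values.

```python
import ipaddress

# Constructed placeholders: the thread never gives the real public /29s.
PUBLIC_A = "203.0.113.0/29"                 # assumed public block of network A
TUNNEL, WAN, LAN = "tunl1", "eth0", "eth1"  # tunl1 is from the thread; others assumed

def net(cidr):
    return ipaddress.ip_network(cidr)

def lpm(table, dst):
    """Longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst)
    hits = [(n, dev) for n, dev in table if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def lookup(rules, tables, src, dst):
    """Walk source selectors in order ('ip rule' style), then LPM in that table.
    A table with no matching route falls through to the next rule."""
    src = ipaddress.ip_address(src)
    for selector, table_name in rules:
        if src in selector:
            dev = lpm(tables[table_name], dst)
            if dev is not None:
                return dev
    return None

# Router B as described in the thread: private A via the tunnel, default to WAN.
MAIN_B = [(net("192.168.0.0/24"), TUNNEL), (net("192.168.1.0/24"), LAN),
          (net("0.0.0.0/0"), WAN)]
ONLY_MAIN = [(net("0.0.0.0/0"), "main")]    # single rule: every source uses main

def reply_path(rules, tables):
    # Reply from a private host on B to a public host on A (both constructed).
    return lookup(rules, tables, "192.168.1.10", "203.0.113.2")

def broken():
    return reply_path(ONLY_MAIN, {"main": MAIN_B})

def fixed_by_destination_route():
    # Model of adding a route for A's public /29 via tunl1 to the main table.
    return reply_path(ONLY_MAIN, {"main": MAIN_B + [(net(PUBLIC_A), TUNNEL)]})

def policy_config():
    # Model of a source rule: packets from 192.168.1.0/24 consult "viatun" first.
    rules = [(net("192.168.1.0/24"), "viatun")] + ONLY_MAIN
    return rules, {"main": MAIN_B, "viatun": [(net(PUBLIC_A), TUNNEL)]}

def fixed_by_policy_rule():
    return reply_path(*policy_config())

if __name__ == "__main__":
    print(broken(), fixed_by_destination_route(), fixed_by_policy_rule())
```

With only the routes listed in the thread, the model sends the reply out the default route with its private source address; either added entry moves it onto the tunnel.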
