Ladies and Gentlemen (and others ;-) ),

I recently opened an office in a new location and moved part of the network with me. Because it takes so long to get some services installed (frame relay), I am using a connection from another ISP. However, for the short time I'll be on that ISP, I don't want to change all the DNS back and forth. So I've built a gre tunnel based on the information in the HOW-TO.

Here's where I run into a problem.

Main network: 209.127/16
relocated network: 209.127.112.0/25

Everything works great as far as tunneling traffic from the main network to the relocated network. Unfortunately, the relocated network is connected to 200.46/16. What I need is to tunnel the default gateway back through the main network. Reason: some connections realize that traffic coming from my relocated network is coming via an invalid route and is filtered.

I've tried everything I can think of to tunnel 0/0 back to the main network, but to no avail. The command:

ip route add 0/0 dev netmain

fails miserably. Any suggestions on how to tunnel the default route?

Thanx,

David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
Have you tried to set a default route to the IP address of the tunnel interface at the main network:

ip route add default via a.b.c.d

where a.b.c.d is the IP address you gave to the tunnel interface at the main network end.

David A. Bandel wrote:
> Ladies and Gentlemen (and others ;-) ),
> back through the main network. Reason: some connections realize that
> traffic coming from my relocated network is coming via an invalid route
> and is filtered.

this is also called RPF or reverse path filtering, and is sometimes used as a partial countermeasure against spoofed ddos attacks

Regards,
Guy
Have you brought the tunnel device up? try:

ip link set dev <tunneldevice> up

When I try to set the default route without the device being up I get the same message... Have you configured the tunnel devices at both ends at all (up, addresses and such)?

Regards,
Guy

David A. Bandel wrote:
> Guy Van Den Bergh wrote:
>
>> Have you tried to set a default route to the IP address of the tunnel
>> interface at the main network:
>> ip route add default via a.b.c.d
>> where a.b.c.d is the IP address you gave to the tunnel interface at the
>> main network end.
>
> RTNETLINK answers: Network is unreachable
>
> This is the same answer when I try to set the default route via the
> tunnel name.
>
>> David A. Bandel wrote:
>>
>>> Ladies and Gentlemen (and others ;-) ),
>>
>>> back through the main network. Reason: some connections realize that
>>> traffic coming from my relocated network is coming via an invalid route
>>> and is filtered.
>>
>> this is also called RPF or reverse path filtering, and is sometimes used
>> as a partial countermeasure against spoofed ddos attacks
>
> yes, I know, I turn it on too on systems that aren't tunnel endpoints.
>
>> Regards,
>> Guy
>
> Ciao,
>
> David A. Bandel
Guy Van Den Bergh wrote:
>
> Have you brought the tunnel device up?
> try: ip link set dev <tunneldevice> up
>
[snip]

this is the _exact_ set of commands I used (comments in parens):

ip tunnel add netmain mode gre remote 209.127.xxx.xxx local 200.46.xxx.xxx ttl 225
(note, I actually put ip numbers, not xxx in the command)

ip link set netmain up
(and it shows as up with ifconfig, ip tunnel show, etc. -- if I set it down, the error I get has to do with the device or route not up)

ip addr add 10.0.3.0 dev netmain

ip route add 0/0 dev netmain
(and here I get, depending on what else I've done, a route that doesn't work, or an error, usually network not reachable)

Final line in the route -n command looks like:
0.0.0.0 0.0.0.0 0.0.0.0 UG 1 0 0 netmain

note the second 0.0.0.0 -- that's wrong. And I can't ping, traceroute, or otherwise get anywhere.

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
I think you also need a route to the tunnel remote address, via the interface connected to the public internet. If your box does not know a route to the tunnel remote end, it cannot set up the tunnel. As long as you have a default route straight into the internet, connecting to the remote end is no problem, but if you redirect this default route over the tunnel, your router does not know anymore how to reach the tunnel remote end.

If this is not working either, then I am out of suggestions...

Good luck!
Guy

David A. Bandel wrote:
> Guy Van Den Bergh wrote:
>
>> Have you brought the tunnel device up?
>> try: ip link set dev <tunneldevice> up
>>
>
> [snip]
>
> this is the _exact_ set of commands I used (comments in parens):
>
> ip tunnel add netmain mode gre remote 209.127.xxx.xxx local
> 200.46.xxx.xxx ttl 225 (note, I actually put ip numbers, not xxx in the
> command)
>
> ip link set netmain up (and it shows as up with ifconfig, ip tunnel
> show, etc. -- if I set it down, the error I get has to do with the
> device or route not up)
>
> ip addr add 10.0.3.0 dev netmain
>
> ip route add 0/0 dev netmain (and here I get, depending on what else
> I've done, a route that doesn't work, or an error, usually network not
> reachable)
>
> Final line in the route -n command looks like:
> 0.0.0.0 0.0.0.0 0.0.0.0 UG 1 0 0 netmain
>
> note the second 0.0.0.0 -- that's wrong. And I can't ping, traceroute,
> or otherwise get anywhere.
>
> Ciao,
>
> David A. Bandel
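The ordering Guy describes, written out as an added example that is not part of the thread: the /32 route to the far tunnel endpoint via the ISP gateway goes in before the default route is swapped into the tunnel, so the encapsulated packets still have a way out. The tunnel name netmain and the 10.0.3.x addresses come from the thread; the public addresses are constructed documentation values, and the point-to-point form of ip addr add (local peer remote) is my assumption, chosen so that "via" has an on-link next hop. With DRY_RUN=1 (the default) the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: bring up a GRE tunnel and move the
# default route through it while keeping a host route to the tunnel's
# remote endpoint via the original ISP gateway.
# Public addresses below are constructed placeholders, not the poster's.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_gre_default TUNNEL LOCAL_PUBLIC REMOTE_PUBLIC ISP_GW TUN_LOCAL TUN_PEER
setup_gre_default() {
    tun="$1"; local_pub="$2"; remote_pub="$3"
    isp_gw="$4"; tun_local="$5"; tun_peer="$6"

    # 1. Pin the path to the far endpoint first. Once the default route
    #    points into the tunnel, this /32 is the only way the GRE-wrapped
    #    packets can still leave through the ISP.
    run ip route replace "$remote_pub/32" via "$isp_gw"

    # 2. Create and raise the tunnel device.
    run ip tunnel add "$tun" mode gre local "$local_pub" remote "$remote_pub" ttl 64
    run ip link set dev "$tun" up

    # 3. Point-to-point address pair, so the peer is an on-link next hop
    #    (assumed form; the thread used a bare address without a peer).
    run ip addr add "$tun_local" peer "$tun_peer" dev "$tun"

    # 4. Only now swap the default route into the tunnel.
    run ip route replace default via "$tun_peer" dev "$tun"
}

# Constructed sample values (RFC 5737 documentation ranges for the public side).
setup_gre_default netmain 198.51.100.10 203.0.113.20 198.51.100.1 10.0.3.1 10.0.3.2
```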