Hi, I'm trying to do some horrible private address routing between networks. Is there a way to handle the following? I'm guessing policy routing *might* be the way, but anyway...

Two networks, accessible via public addresses -- a /29 on each. Each network, however, has more machines than this, so one also has 192.168.0.0/24 and the other has 192.168.1.0/24.

I have an IPIP tunnel between the networks -- 192.168.0.252 -> .253, and routing entries like:

    Destination     Gateway         Genmask          Flags Metric Ref Use Iface
    192.168.0.253   *               255.255.255.255  UH    0      0   0   tunl1
    192.168.1.0     192.168.0.253   255.255.255.0    UG    0      0   0   tunl1

On the other end, .252 and network 192.168.0.0 via it.

My problem is routing from *public* addresses on network A to *private* addresses on network B, or vice versa. (Private <-> private is fine).

I presume that the problem is that returning packets from the private address to the public address try to send it over the wider Internet, but the packets are lost since they have private source addresses. Somehow, I need to send only packets *from* private addresses *to* public addresses on my other network back via the IPIP tunnel.

Am I right in that assumption? If so, is policy routing the way to go there, or is there some other way?

Thanks,
Alan

--
Alan Ford * alan@whirlnet.co.uk

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Sunday, 01 February 2004, at 17:09:39 +0000, Alan Ford wrote:

> My problem is routing from *public* addresses on network A to *private*
> addresses on network B, or vice versa. (Private <-> private is fine).
>

The routing table on both gateways applies to all traffic that arrives at them, so if traffic from one gateway's private network can reach the other remote private network correctly, I think the same should happen to the public IP ranges from both networks.

The IPIP tunnel should encapsulate whole packets inside newly created ones, which will be using public IP addressing; in fact the tunnel is working nicely, because you can reach from one private network to the other.

You should try to troubleshoot the problem with the usual tools, for example ping, traceroute, "ip route get", tcpdump, ethereal, telnet, etc. Try to see the path your packets take: maybe they are not being tunneled, maybe there is a route missing from some router, maybe just a typo prevents it from working.

> Am I right in that assumption? If so, is policy routing the way to go
> there, or is there some other way?
>

I don't think your setup needs policy routing to work ok, so first check routing tables and do some tests to see where packets go and die :-)

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.1-rc3)
On Sun, Feb 01, 2004 at 11:10:43PM +0100, Jose Luis Domingo Lopez wrote:

> On Sunday, 01 February 2004, at 17:09:39 +0000,
> Alan Ford wrote:
>
> > My problem is routing from *public* addresses on network A to *private*
> > addresses on network B, or vice versa. (Private <-> private is fine).
>
> The routing table on both gateways apply to all traffic that arrives to
> them, so if traffic from one gateway's private network can reach the
> other remote private network correctly, I think the same should happen
> to the public IP ranges from both networks.

I've now done some packet sniffing to confirm what I suggested in my first mail. The packets get there OK, but responses don't come back.

They can route from the public to the private blocks, because they get to the router and the router knows to send it down the IPIP tunnel. But how can I configure the router at the other end to know to send responses from the private block to the public block down the tunnel? I think that's what I am needing to do here; does that make sense?

Thanks,
Alan

--
Alan Ford * alan@whirlnet.co.uk
On Monday, 02 February 2004, at 11:26:48 +0000, Alan Ford wrote:

> They can route from the public to the private blocks, because they get to
> the router and the router knows to send it down the IPIP tunnel. But how
> can I configure the router at the other end to know to send responses
> from the private block to the public block down the tunnel? I think that's
> what I am needing to do here, does that make sense?
>

Traditional routing is always based solely on the destination IP address of packets arriving at a router. With Linux policy routing you can route based on both destination and source IP address, and on more parameters, for example any parameter selectable via iptables.

The router on the other end already has a working routing table based on both information from IP addresses for each interface and static routes you should have added manually. If the router on the other end doesn't know how to route packets back to the other router, then the routing table on the distant router is not correct.

As the two internal networks are far away and connected by a tunnel using public IP addressing, I guess what is missing in the remote router is a route that sends traffic directed to the other private network through the tunnel. Exactly the same as you seem to have done on your "local" router to make traffic directed to the remote LAN be encapsulated through the IPIP tunnel.

Just for completeness, in this setup I don't think policy routing (based on source IP addresses) is the correct way to handle the problem.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.2-bk3)
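As an added illustration (not part of the thread), here is a small Python model of the Linux rule/table lookup the two posters disagree about, from router B's point of view. The public /29 blocks are not given in the posts, so documentation-range addresses are used as constructed stand-ins: 198.51.100.0/29 for site A (tunnel endpoint 198.51.100.1) and 203.0.113.1 for B's endpoint. It shows that with a destination-only main table the reply from B's private LAN leaves via the public interface, while a source-selected rule sends it into tunl1 without also pulling router B's own tunnel-endpoint traffic into the tunnel.

```python
import ipaddress

# Constructed stand-ins for the public /29s the thread does not give.
A_PUBLIC = ipaddress.ip_network("198.51.100.0/29")
A_ENDPOINT = "198.51.100.1"      # outer address of A's end of the IPIP tunnel
B_ENDPOINT = "203.0.113.1"       # outer address of B's end of the tunnel
B_PRIVATE = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, device) routes."""
    best = None
    for prefix, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best[1] if best else None

def route(rules, tables, src, dst):
    """Policy routing as Linux does it: rules are tried in priority order, and a
    rule whose from/to selector matches directs the lookup to a named table.
    Returns the output device, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for from_net, to_net, table in rules:
        if src in from_net and dst in to_net:
            dev = lookup(tables[table], dst)
            if dev is not None:
                return dev
    return None

# Router B's main table as described in the thread: A's private LAN and the
# far tunnel address via tunl1, everything else (incl. A's public /29) via eth0.
MAIN = [(ipaddress.ip_network("192.168.0.0/24"), "tunl1"),
        (ipaddress.ip_network("192.168.0.252/32"), "tunl1"),
        (ANY, "eth0")]
TUNNEL = [(A_PUBLIC, "tunl1")]   # extra table: reach A's public /29 via the tunnel
TABLES = {"main": MAIN, "tunnel": TUNNEL}

# Destination-only routing: a single rule, every packet consults main.
DEST_ONLY = [(ANY, ANY, "main")]
# Source-based policy routing: only packets from B's private LAN to A's public
# /29 use the tunnel table; the router's own traffic still uses main.
POLICY = [(B_PRIVATE, A_PUBLIC, "tunnel"), (ANY, ANY, "main")]

def reply_device(rules):
    """Where B sends a private host's reply to a public host at A."""
    return route(rules, TABLES, "192.168.1.10", "198.51.100.5")

def endpoint_device(rules):
    """Where B sends its own encapsulated tunnel packets to A's endpoint."""
    return route(rules, TABLES, B_ENDPOINT, A_ENDPOINT)
```

With destination-only rules the reply goes out eth0 carrying a 192.168.1.x source and is dropped upstream, which matches what the packet sniffing showed; the policy rule redirects only that flow.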