Networking Forums > Computer Networking > Linux Networking > route/nat

Hendrik Greving, 10-19-2005, 09:53 AM
Hi,

I have a gateway which routes/nat my LAN traffic to a vpn (vpnc) tunnel.
This tunnel goes to university which blocks many ports. On the other
hand, there's a backup connection which can be used on the regular
interface (in my case eth1) which is open.

So
currently everything goes to vpnlink (vpnc interface)

In order to bypass the port blockers,

Can I make connections using a certain port go through the eth1 interface?
Can I make all traffic of a certain IP to be routed to the eth1 interface?

Regards,
Hendrik Greving
krsyoung, 10-20-2005, 01:18 AM
Hey Hendrik,

Cool solution/idea! I think you want to look at the route command. I
believe in there you could define a route to pass all traffic for one
IP/subnet to a different interface device. Sorry but I'm not too sure
of the specifics. Hopefully I'm pointing you in the right direction.

Let me know if you get anywhere with it.

krsyoung, 10-20-2005, 01:33 AM
Why not post a reply to my own message...

Try:

> route add -net <uni ip addr> netmask 255.255.255.255 eth1

or if it is a whole subnet
> route add -net <uni ip addr> netmask 255.255.255.0 eth1


Worth a shot.

Tauno Voipio, 10-20-2005, 06:00 AM
Hendrik Greving wrote:
> Hi,
>
> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc) tunnel.
> This tunnel goes to university which blocks many ports. On the other
> hand, there's a backup connection which can be used on the regular
> interface (in my case eth1) which is open.
>
> So
> currently everything goes to vpnlink (vpnc interface)
>
> In order to bypass the ports blockers,
>
> Can I make connections using a certain port go through the eth1 interface?
> Can I make all traffic of a certain IP to be routed to the eth1 interface?


Please note that many VPN systems disable other network
traffic for the duration of the tunnel connection. This
is done to prevent sneak paths around the organization's
firewall (probably the thing you're trying to achieve).

--

Tauno Voipio
tauno voipio (at) iki fi

Hendrik Greving, 10-20-2005, 08:15 AM
Tauno Voipio wrote:
> Hendrik Greving wrote:
>
>> Hi,
>>
>> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc)
>> tunnel. This tunnel goes to university which blocks many ports. On
>> the other hand, there's a backup connection which can be used on the
>> regular interface (in my case eth1) which is open.
>>
>> So
>> currently everything goes to vpnlink (vpnc interface)
>>
>> In order to bypass the ports blockers,
>>
>> Can I make connections using a certain port go through the eth1
>> interface?
>> Can I make all traffic of a certain IP to be routed to the eth1
>> interface?
>
> Please note that many VPN systems disable other network
> traffic for the duration of the tunnel connection. This
> is done to prevent sneak paths around the organization's
> firewall (probably the thing you're trying to achieve).
>


That's right, but I use vpnc, which doesn't block other devices.

Regards,
Hendrik
Tauno Voipio, 10-20-2005, 07:59 PM
Hendrik Greving wrote:
> Tauno Voipio wrote:
>
>> Hendrik Greving wrote:
>>
>>> Hi,
>>>
>>> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc)
>>> tunnel. This tunnel goes to university which blocks many ports. On
>>> the other hand, there's a backup connection which can be used on the
>>> regular interface (in my case eth1) which is open.
>>>
>>> So
>>> currently everything goes to vpnlink (vpnc interface)
>>>
>>> In order to bypass the ports blockers,
>>>
>>> Can I make connections using a certain port go through the eth1
>>> interface?
>>> Can I make all traffic of a certain IP to be routed to the eth1
>>> interface?
>>
>> Please note that many VPN systems disable other network
>> traffic for the duration of the tunnel connection. This
>> is done to prevent sneak paths around the organization's
>> firewall (probably the thing you're trying to achieve).
>>
>
> That's right, but I use vpnc, which doesn't block other devices.


You could try the other way: route the university subnet(s)
to the tunnel (tun0) and point the default gateway to the
direct interface.

The routing gets more complicated if the tunnel is done
at the data link layer (using tap0).

--

Tauno Voipio
tauno voipio (at) iki fi

Hendrik Greving, 10-26-2005, 08:16 AM
Hendrik Greving wrote:
> Hi,
>
> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc) tunnel.
> This tunnel goes to university which blocks many ports. On the other
> hand, there's a backup connection which can be used on the regular
> interface (in my case eth1) which is open.
>
> So
> currently everything goes to vpnlink (vpnc interface)
>
> In order to bypass the ports blockers,
>
> Can I make connections using a certain port go through the eth1 interface?
> Can I make all traffic of a certain IP to be routed to the eth1 interface?
>
> Regards,
> Hendrik Greving


No ideas?
Hendrik Greving, 10-26-2005, 08:18 AM
Tauno Voipio wrote:
> Hendrik Greving wrote:
>
>> Tauno Voipio wrote:
>>
>>> Hendrik Greving wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc)
>>>> tunnel. This tunnel goes to university which blocks many ports.
>>>> On the other hand, there's a backup connection which can be used on
>>>> the regular interface (in my case eth1) which is open.
>>>>
>>>> So
>>>> currently everything goes to vpnlink (vpnc interface)
>>>>
>>>> In order to bypass the ports blockers,
>>>>
>>>> Can I make connections using a certain port go through the eth1
>>>> interface?
>>>> Can I make all traffic of a certain IP to be routed to the eth1
>>>> interface?
>>>
>>>
>>>
>>>
>>> Please note that many VPN systems disable other network
>>> traffic for the duration of the tunnel connection. This
>>> is done to prevent sneak paths around the organization's
>>> firewall (probably the thing you're trying to achieve).
>>>
>>
>> That's right, but I use vpnc, which doesn't block other devices.
>
> You could try the other way: route the university subnet(s)
> to the tunnel (tun0) and point the default gateway to the
> direct interface.
>
> The routing gets more complicated if the tunnel is done
> at the data link layer (using tap0).
>

Hm, and what's the difference between making the tunnel the default or the
direct interface?

How is nat configured then?

Regards,
Hendrik
Tauno Voipio, 10-26-2005, 08:37 AM
Hendrik Greving wrote:
> Tauno Voipio wrote:
>
>> Hendrik Greving wrote:
>>
>>> Tauno Voipio wrote:
>>>
>>>> Hendrik Greving wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a gateway which routes/nat my LAN traffic to a vpn (vpnc)
>>>>> tunnel. This tunnel goes to university which blocks many ports.
>>>>> On the other hand, there's a backup connection which can be used on
>>>>> the regular interface (in my case eth1) which is open.
>>>>>
>>>>> So
>>>>> currently everything goes to vpnlink (vpnc interface)
>>>>>
>>>>> In order to bypass the ports blockers,
>>>>>
>>>>> Can I make connections using a certain port go through the eth1
>>>>> interface?
>>>>> Can I make all traffic of a certain IP to be routed to the eth1
>>>>> interface?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Please note that many VPN systems disable other network
>>>> traffic for the duration of the tunnel connection. This
>>>> is done to prevent sneak paths around the organization's
>>>> firewall (probably the thing you're trying to achieve).
>>>>
>>>
>>> That's right, but I use vpnc, which doesn't block other devices.
>>
>> You could try the other way: route the university subnet(s)
>> to the tunnel (tun0) and point the default gateway to the
>> direct interface.
>>
>> The routing gets more complicated if the tunnel is done
>> at the data link layer (using tap0).
>>
>
> Hm, and what's the difference between making the tunnel the default or the
> direct interface?


If the tunnel inside is the default route, all traffic
to the Internet out of your local net will enter the
tunnel and pass via the gateway and firewall at the
other end.

If the direct interface is the default route, all traffic
to the Internet will go to the Net directly via your ISP,
by-passing the tunnel and the firewall at the other end.

The traffic destined to the other end of the tunnel may
be picked off the default routing by suitable routes
destined to the tunnel inside.

> How is nat configured then?


NAT is handled before the decisions above. Its purpose
is to mark the IP address of your gateway as the publicly
seen sender of the packets. The routing does not affect
the garden-variety NAT (IP-Masquerading) in any way.

---

BUT ...

The considerations above apply for an IP-layer tunnel
(using tun0 with OpenVPN). The link-layer tunneling
is more complicated to handle here, though there are
possibilities with ebtables (no misprint, Google for
it).

--

Tauno Voipio
tauno voipio (at) iki fi

Hendrik Greving, 10-26-2005, 11:07 AM
Are you sure that NAT is done prior to routing? I thought it's different
because I'm in the POSTROUTING chain using iptables. Currently,
everything works like that.

The problem is, currently, the default route goes to interface "vpnlink"
(interface of vpnc) and I use

iptables -t nat -A POSTROUTING [..] -o vpnlink -j MASQUERADE

What I'd like to have is, to determine a certain group of IP addresses,
say 0-127 is applied with NAT and routed to vpnlink, and the rest,
say 128-254 should be routed (and NAT'd) to my DSL (ppp) interface ppp0.

I'm not very familiar with this stuff, hope everything is correct. Is
the rule above possible to achieve?

Regards,
Hendrik
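The three setups discussed in the thread (everything through the tunnel, Tauno's "university subnet via the tunnel, default direct", and Hendrik's split by source address) can be modelled with a small routing-decision simulator. This is an added example, not code from any poster: it mimics the kernel's longest-prefix lookup and `ip rule` source policy, and the LAN (192.168.1.0/24 on an assumed eth0), the university network (10.50.0.0/16) and the test destinations are constructed values.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread): the LAN behind the
# gateway and the university network reached through the vpnc tunnel.
LAN = ipaddress.ip_network("192.168.1.0/24")
UNI_NET = ipaddress.ip_network("10.50.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over [(network, out_interface)]; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in table if dst in net]
    return max(hits)[1] if hits else None

def route(src, dst, rules, tables):
    """Policy routing as `ip rule` does it: source-matched rules are consulted
    in order before the main table; a table with no matching route falls through."""
    src = ipaddress.ip_address(src)
    for src_net, table_name in rules:
        if src in src_net:
            dev = lookup(tables[table_name], dst)
            if dev is not None:
                return dev
    return lookup(tables["main"], dst)

def masqueraded(out_dev, nat_ifaces):
    """MASQUERADE is selected on the outgoing interface (-o), so it follows
    the routing decision; each uplink needs its own POSTROUTING rule."""
    return out_dev in nat_ifaces

# Setup A (the thread's current state): default route into the tunnel.
TUNNEL_DEFAULT = {"main": [(ANY, "vpnlink"), (LAN, "eth0")]}
# Setup B (Tauno's suggestion): university subnet via the tunnel, default direct,
# so ordinary Internet traffic no longer passes the firewall at the tunnel's far end.
SPLIT_BY_DEST = {"main": [(ANY, "eth1"), (UNI_NET, "vpnlink"), (LAN, "eth0")]}
# Setup C (Hendrik's last question): LAN hosts .128-.255 leave via ppp0 through a
# second table. That table must carry the LAN route too, otherwise LAN-bound
# packets from those hosts would be pushed out ppp0.
SPLIT_BY_SRC = {"main": [(ANY, "vpnlink"), (LAN, "eth0")],
                "direct": [(ANY, "ppp0"), (LAN, "eth0")]}
SRC_RULES = [(ipaddress.ip_network("192.168.1.128/25"), "direct")]

if __name__ == "__main__":
    cases = [("A", "192.168.1.10", "203.0.113.7", [], TUNNEL_DEFAULT),
             ("B", "192.168.1.10", "203.0.113.7", [], SPLIT_BY_DEST),
             ("B", "192.168.1.10", "10.50.3.9", [], SPLIT_BY_DEST),
             ("C", "192.168.1.200", "203.0.113.7", SRC_RULES, SPLIT_BY_SRC),
             ("C", "192.168.1.200", "192.168.1.10", SRC_RULES, SPLIT_BY_SRC)]
    for label, src, dst, rules, tables in cases:
        dev = route(src, dst, rules, tables)
        print(label, src, "->", dst, "via", dev, "NAT:", masqueraded(dev, {"vpnlink"}))
```

The last column shows why a single `-o vpnlink` MASQUERADE rule is not enough once traffic also leaves via ppp0: NAT is keyed on the outgoing interface the routing decision picked.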