Networking Forums


Two routes to a host: how to make sure which one is used when?

 
 
Stefan Monnier
Guest
Posts: n/a

 
      11-23-2006, 10:18 PM

I recently bumped into a problem with my VPN:

I've set up my networking as follows:

+-----------+                   +----------+
| mymachine |---192.168.1.13--> | myrouter |---> The world
+-----------+                   +----------+
      |
      |                   +-----------------+
      +--vpnNNN.domain--> | Some VPN server |---> *.domain
                          +-----------------+

Some IP range (corresponding to *.domain) goes through the VPN, but the
default routing rule is to go straight to my router. Plus some addresses in
*.domain are special cased to go via the router: these are machines visible
from outside and I don't want connections to these machines to die/hang when
I start/stop the vpn tunnel. One of those addresses is the VPN server itself.

I.e. the routing table looks like this:

% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
AAA.BBB.CCC.DDD 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
AAA.BBB.EEE.FFF 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
AAA.BBB.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
%

AAA.BBB.CCC.DDD is the VPN server and AAA.BBB.EEE.FFF is the IMAP server.

This usually works just dandy, except when AAA.BBB.EEE.FFF or
AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
- the packets coming from toto.domain reach me fine through the VPN.
- but my replies seem to be sent via the router.

I've tried to add a "src" specification to my routing (using the `ip route'
command):

% ip route
AAA.BBB.CCC.DDD via 192.168.1.1 dev eth1 src 192.168.1.13
AAA.BBB.EEE.FFF via 192.168.1.1 dev eth1 src 192.168.1.13
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.13
AAA.BBB.0.0/16 dev ppp0 scope link src AAA.BBB.NNN.MMM
default via 192.168.1.1 dev eth1
%

but it doesn't seem to help. Any idea what I should do?


Stefan
 
Unruh
Guest
Posts: n/a

 
      11-23-2006, 10:33 PM
Stefan Monnier <(E-Mail Removed)> writes:


>I recently bumped into a problem with my VPN:


>I've setup my networking as follows:


> +-----------+                   +----------+
> | mymachine |---192.168.1.13--> | myrouter |---> The world
> +-----------+                   +----------+
>       |
>       |                   +-----------------+
>       +--vpnNNN.domain--> | Some VPN server |---> *.domain
>                           +-----------------+


>Some IP range (corresponding to *.domain) goes through the VPN, but the
>default routing rule is to go straight to my router. Plus some addresses in
>*.domain are special cased to go via the router: these are machines visible
>from outside and I don't want connections to these machines to die/hang when
>I start/stop the vpn tunnel. One of those addresses is the VPN server itself.


>I.e. the routing table looks like this:


> % route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> AAA.BBB.CCC.DDD 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
> AAA.BBB.EEE.FFF 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> AAA.BBB.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ppp0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
> %


>AAA.BBB.CCC.DDD is the VPN server and AAA.BBB.EEE.FFF is the IMAP server.


>This usually works just dandy, except when AAA.BBB.EEE.FFF or
>AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
>- the packets coming from toto.domain reach me fine through the VPN.
>- but my replies seem to be sent via the router.


From and to are different. From does whatever that machine tells it to. You
cannot control on your machine which route the other machine uses to get to
you.

Your routing table is read from most specific to least.
Thus all traffic to AAA.BBB.CCC.DDD goes via eth1.
All traffic to AAA.BBB.EEE.FFF goes via eth1.

All traffic to any other address starting with AAA.BBB goes via ppp0
All other traffic goes via eth1.

I have no idea what toto.domain is. What is its IP address? Note your DNS
is probably out on the default, so all DNS queries will go out of eth1.



>I've tried to add a "src" specification to my routing (using the `ip route'
>command):


> % ip route
> AAA.BBB.CCC.DDD via 192.168.1.1 dev eth1 src 192.168.1.13
> AAA.BBB.EEE.FFF via 192.168.1.1 dev eth1 src 192.168.1.13
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.13
> AAA.BBB.0.0/16 dev ppp0 scope link src AAA.BBB.NNN.MMM
> default via 192.168.1.1 dev eth1


??? No idea what that source is supposed to do. Your fourth source line is
only relevant if you are acting as a gateway for AAA.BBB.NNN.MMM. Are you?

And it would say that ONLY if the traffic comes from there is it to be
sent out of ppp0. I doubt that is what you want.


> %


>but it doesn't seem to help. Any idea what I should do?


Tell us more exactly what the problem is.



> Stefan

 
Clifford Kite
Guest
Posts: n/a

 
      11-25-2006, 03:08 AM
Stefan Monnier <(E-Mail Removed)> wrote:

> I recently bumped into a problem with my VPN:


> I've setup my networking as follows:


> +-----------+                   +----------+
> | mymachine |---192.168.1.13--> | myrouter |---> The world
> +-----------+                   +----------+
>       |
>       |                   +-----------------+
>       +--vpnNNN.domain--> | Some VPN server |---> *.domain
>                           +-----------------+


> Some IP range (corresponding to *.domain) goes through the VPN,
> but the default routing rule is to go straight to my router.
> Plus some addresses in *.domain are special cased to go via the
> router: these are machines visible from outside and I don't want
> connections to these machines to die/hang when I start/stop the
> vpn tunnel. One of those addresses is the VPN server itself.


> I.e. the routing table looks like this:


> % route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> AAA.BBB.CCC.DDD 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
> AAA.BBB.EEE.FFF 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> AAA.BBB.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ppp0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
> %


> AAA.BBB.CCC.DDD is the VPN server and AAA.BBB.EEE.FFF is the IMAP server.


> This usually works just dandy, except when AAA.BBB.EEE.FFF or
> AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
> - the packets coming from toto.domain reach me fine through the VPN.
> - but my replies seem to be sent via the router.


So replace the redundant host gateway host routes (UGH) through eth1
on vpnNNN.domain with host routes (UH) to the same IP addresses through
the PPP interface instead. The configuration commands for those routes
belong in /etc/ppp/ip-up so that they are regenerated each time the
interface is recreated.

Just ignore that person waving host routes if this makes no sense at all
to you - he just doesn't really understand what's what.

--
Clifford Kite
/* For every credibility gap, there is a gullibility fill.
-- R. Clopton */
 
Stefan Monnier
Guest
Posts: n/a

 
      11-27-2006, 07:33 PM
>> This usually works just dandy, except when AAA.BBB.EEE.FFF or
>> AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
>> - the packets coming from toto.domain reach me fine through the VPN.
>> - but my replies seem to be sent via the router.


> So replace the redundant host gateway host routes (UGH) through eth1
> on vpnNNN.domain with host routes (UH) to the same IP addresses through
> the PPP interface instead.


I can't replace them because I want the routes through eth1 as well.
I just want connections which started to go over eth1 to keep happening on
eth1 and those that started over ppp0 to keep happening over ppp0.

Those special hosts are reachable over both interfaces (and that's good),
but those hosts don't know that the packets coming from my ppp0 are coming
from the same machine as those I send from eth1 (the two interfaces have
different IP addresses, for example), so I need to make sure that replies to
packets which arrived on ppp0 are sent back via ppp0 and similarly for eth1.


Stefan
 
Clifford Kite
Guest
Posts: n/a

 
      11-28-2006, 02:07 AM
Stefan Monnier <(E-Mail Removed)> wrote:
>>> This usually works just dandy, except when AAA.BBB.EEE.FFF or
>>> AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
>>> - the packets coming from toto.domain reach me fine through the VPN.
>>> - but my replies seem to be sent via the router.


>> So replace the redundant host gateway host routes (UGH) through eth1
>> on vpnNNN.domain with host routes (UH) to the same IP addresses through
>> the PPP interface instead.


> I can't replace them because I want the routes through eth1 as well.
> I just want connections which started to go over eth1 to keep happening on
> eth1 and those that started over ppp0 to keep happening over ppp0.


I see what I overlooked before, namely the network route through ppp0,
so my suggestion about host routes was wrong. If the VPN breaks then I
know of no way to continue via eth1 any previous connections established
via the VPN.

> Those special hosts are reachable over both interfaces (and that's
> good), but those hosts don't know that the packets coming from my
> ppp0 are coming from the same machine as those I send from eth1
> (the two interfaces have different IP addresses, for example),
> so I need to make sure that replies to packets which arrived on
> ppp0 are sent back via ppp0 and similarly for eth1.


If each of the other two hosts also had Internet access through an
Ethernet interface with a routable IP different from that of the VPN
interface then that might solve your problem, assuming you remove the
host routes on vpnNNN.domain.

--
Clifford Kite

 
Stefan Monnier
Guest
Posts: n/a

 
      12-04-2006, 08:18 PM
>>>> This usually works just dandy, except when AAA.BBB.EEE.FFF or
>>>> AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
>>>> - the packets coming from toto.domain reach me fine through the VPN.
>>>> - but my replies seem to be sent via the router.


>>> So replace the redundant host gateway host routes (UGH) through eth1
>>> on vpnNNN.domain with host routes (UH) to the same IP addresses through
>>> the PPP interface instead.


>> I can't replace them because I want the routes through eth1 as well.
>> I just want connections which started to go over eth1 to keep happening on
>> eth1 and those that started over ppp0 to keep happening over ppp0.


> I see what I overlooked before, namely the network route through ppp0,
> so my suggestion about host routes was wrong. If the VPN breaks then I
> know of no way to continue via eth1 any previous connections established
> via the VPN.


It's OK: I don't care about preserving ppp0 connections when the ppp0
interface is taken down.

I only want to be able to have both connections over ppp0 and over eth1 to
the same host at the same time.


Stefan
 
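The thread stops short of the standard answer to Stefan's question, so here is an added example, written for this page and not code from any of the posters, that models in Python what the kernel does: longest-prefix match inside one routing table, and policy rules (`ip rule`) that choose the table by source address. It shows two things the posts circle around. First, the `src` option on a route only sets the preferred source address for new locally originated connections; it never changes which route is selected, which is why the second listing behaves exactly like the first. Second, a rule of the form `from <VPN address> lookup <table>` with a ppp0 default route in that table sends replies sourced from the VPN address back out ppp0 while eth1 traffic to the same hosts is left alone. The 203.0.113.x addresses are constructed stand-ins for the thread's AAA.BBB.* placeholders (with the /16 VPN range shrunk to a /24), and the table number and rule priority of 100 are arbitrary choices.

```python
"""Model of Linux IPv4 route selection (added example, not from the thread).
Shows why replies to the VPN server leave via eth1 despite `src` on the host
routes, and how a source-selected policy rule sends them back out ppp0."""
import ipaddress

# Constructed stand-ins for the thread's anonymised addresses.
VPN_SERVER = "203.0.113.10"   # AAA.BBB.CCC.DDD, reachable via eth1 and ppp0
IMAP_SERVER = "203.0.113.20"  # AAA.BBB.EEE.FFF
LAN_ADDR = "192.168.1.13"     # mymachine's eth1 address
VPN_ADDR = "203.0.113.200"    # AAA.BBB.NNN.MMM, mymachine's ppp0 address


def parse_route(line):
    """Parse one `ip route` line (same format as the thread's listing)."""
    toks = line.split()
    dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
    if "/" not in dst:
        dst += "/32"
    route = {"prefix": ipaddress.ip_network(dst), "via": None, "dev": None, "src": None}
    for key in ("via", "dev", "src"):
        if key in toks:
            route[key] = toks[toks.index(key) + 1]
    return route


# Stefan's second `ip route` listing, with the stand-in addresses.
MAIN_TABLE = [parse_route(l) for l in """
203.0.113.10 via 192.168.1.1 dev eth1 src 192.168.1.13
203.0.113.20 via 192.168.1.1 dev eth1 src 192.168.1.13
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.13
203.0.113.0/24 dev ppp0 scope link src 203.0.113.200
default via 192.168.1.1 dev eth1
""".strip().splitlines()]

# The extra table the fix adds: everything sourced from the VPN address leaves via ppp0.
VPN_TABLE = [parse_route("default dev ppp0 src 203.0.113.200")]
TABLES = {"main": MAIN_TABLE, "vpn": VPN_TABLE}

# Policy rules as (priority, source selector or None, table). Without the fix only
# the kernel's built-in "from all lookup main" rule matters.
RULES_DEFAULT = [(32766, None, "main")]
RULES_FIXED = [(100, ipaddress.ip_network(VPN_ADDR + "/32"), "vpn")] + RULES_DEFAULT


def lookup(table, dst):
    """Longest-prefix match within one table: the most specific route wins.
    The route's `src` field plays no part in this choice."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r["prefix"]]
    return max(candidates, key=lambda r: r["prefix"].prefixlen, default=None)


def egress(rules, src, dst):
    """Policy routing: walk the rules by priority, skip those whose source
    selector does not match, and return the device of the first table hit."""
    for _, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and ipaddress.ip_address(src) not in selector:
            continue
        route = lookup(TABLES[table], dst)
        if route is not None:
            return route["dev"]
    return None


def reply_interface(src, dst, fixed=False):
    """Interface a reply sourced from `src` (the address the request arrived on)
    takes towards `dst`, with the posted tables or with the policy rule added."""
    return egress(RULES_FIXED if fixed else RULES_DEFAULT, src, dst)


def preferred_source(dst):
    """What `src` on a route actually does: choose the source address for a new
    locally originated connection that has not bound one itself."""
    return lookup(MAIN_TABLE, dst)["src"]


def rp_filter_strict_accepts(pkt_src, pkt_dst, in_dev, fixed=False):
    """Strict reverse-path filtering (rp_filter=1): an inbound packet is accepted
    only if the reverse lookup (source and destination swapped) would leave on the
    interface it arrived on. Asymmetric routing silently fails this check."""
    return egress(RULES_FIXED if fixed else RULES_DEFAULT, pkt_dst, pkt_src) == in_dev


def fix_commands(vpn_addr=VPN_ADDR, dev="ppp0", table=100):
    """The iproute2 commands the fixed model corresponds to (table id and priority
    are arbitrary); suited to an /etc/ppp/ip-up hook so they return with the link."""
    return [
        f"ip route add default dev {dev} src {vpn_addr} table {table}",
        f"ip rule add from {vpn_addr} lookup {table} priority 100",
        f"ip route get {VPN_SERVER} from {vpn_addr} iif {dev}",  # check: must report ppp0
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed:" if fixed else "as posted:", reply_interface(VPN_ADDR, VPN_SERVER, fixed))
    print("\n".join(fix_commands()))
```

`fix_commands()` returns the iproute2 equivalent of the model; its last line, `ip route get <dst> from <VPN address> iif ppp0`, is the check to run on a real box, and it should name ppp0 once the rule is in place. One security-relevant side effect is worth knowing: with strict reverse-path filtering (`net.ipv4.conf.ppp0.rp_filter=1`, which several distributions enable by default) the asymmetric setup in the thread would not merely answer on the wrong interface but would drop the inbound packets on ppp0 outright, because the reverse lookup for their source points at eth1; the policy rule makes that check pass as well, which is what `rp_filter_strict_accepts` demonstrates.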