From: Nikolaus Rath <Nikolaus@rath.org>
To: netfilter@vger.kernel.org
Subject: Re: Wrong routing when combining ip rule with SNAT
Date: Wed, 18 Sep 2013 10:38:32 -0700
Message-ID: <87txhic9nr.fsf@rath.org>
In-Reply-To: 1BE5F0A9-E67C-4870-AC63-F30FAAFEB227@alex.org.uk

Alex Bligh <alex@alex.org.uk> writes:
> On 18 Sep 2013, at 01:55, Nikolaus Rath wrote:
>
>> Why not? For example, the VPN node also acts as my mailserver. So
>> whenever I encounter firewalls that e.g. block everything but port 443
>> and 80, I have to establish a tunnel to be able to connect to port 25,
>> and then change the mail server name in my MUA to the internal name on
>> the VPN. Then, if I'm at a different location where I do not need the
>> VPN, I have to change it back to the public hostname.
>> 
>> That is rather annoying, and I could avoid it if I somehow get
>> the SMTP connections to use the VPN gateway as well.
>
> One possibility would be to add another interface, so you are using
> separate destination IP addresses for the end of the VPN tunnel
> and 'everything else'. Remember the 'everything else' IP address
> does not need to be public, as you'll only be reaching it by
> the VPN tunnel.

Hmm. I don't get it. Could you explain in more detail?

> Another is to use policy routing and only direct the VPN traffic
> down the /32 route. This is pretty much what you were suggesting
> re the marking etc. However, I would caution that this will mean
> (e.g.) ICMP goes the 'wrong' way for at least one session. This
> will make debugging hard, may affect PMTU discovery etc. etc.,
> all of which will be bad news for reliable connections.

I think I could live with the debugging problems, but at the moment it
is not working at all because of the source IP issues (see my very first
mail that started this thread).


Best,
Nikolaus
-- 
Encrypted emails preferred.
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

             »Time flies like an arrow, fruit flies like a Banana.«