[LARTC] Tunnel problem

[LARTC] Tunnel problem

[David A. Bandel]

Ladies and Gentlemen (and others ;-) ),

I recently opened an office in a new location and moved part of the
network with me.  Because it takes so long to get some services
installed (frame relay), I am using a connection from another ISP. 
However, for the short time I'll be on that ISP, I don't want to change
all the DNS back and forth.  So I've built a gre tunnel based on the
information in the HOW-TO.  Here's where I run into a problem.

Main network:
209.127/16

relocated network:
209.127.112.0/25

Everything works great as far as tunneling traffic from the main network
to the relocated network.  Unfortunately, the relocated network is
connected to 200.46/16.  What I need is to tunnel the default gateway
back through the main network.  Reason: some connections realize that
traffic coming from my relocate network is coming via an invalid route
and is filtered.

I've tried everything I can think of to tunnel 0/0 back to the main
network, but to no avail.  The command:
ip route add 0/0 dev netmain
fails miserably.

Any suggestions on how to tunnel the default route?

Thanx,

David A. Bandel
-- 
Focus on the dream, not the competition.
		-- Nemesis Racing Team motto

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Tunnel problem

[Guy Van Den Bergh]

Have you tried to set a default route to the IP address of the tunnel 
interface at the main network:
ip route add default via a.b.c.d
where a.b.c.d is the IP address you gave to the tunnel interface at the 
main network end.

David A. Bandel wrote:

> Ladies and Gentlemen (and others ;-) ),

> back through the main network.  Reason: some connections realize that
> traffic coming from my relocate network is coming via an invalid route
> and is filtered.

this is also called RPF or reverse path filtering, and is sometimes used
as a partial countermeasure against spoofed ddos attacks

Regards,
Guy


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Tunnel problem

[Guy Van Den Bergh]

Have you brought the tunnel device up?
try: ip link set dev <tunneldevice> up

When I try to set the default route without the device being up
I get the same message...

Have you configured the tunnel devices at both ends at all (up, 
addresses and such)?

Regards,
Guy

When i try to set
David A. Bandel wrote:

> Guy Van Den Bergh wrote:
> 
>> Have you tried to set a default route to the IP address of the tunnel
>> interface at the main network:
>> ip route add default via a.b.c.d
>> where a.b.c.d is the IP address you gave to the tunnel interface at the
>> main network end.
> 
> 
> RTNETLINK answers: Network is unreachable
> 
> This is the same answer when I try to set the default route via the
> tunnel name.
> 
> 
>> David A. Bandel wrote:
>> 
>> 
>>> Ladies and Gentlemen (and others ;-) ),
>> 
>>> back through the main network.  Reason: some connections realize that
>>> traffic coming from my relocate network is coming via an invalid route
>>> and is filtered.
>> 
>> this is also called RPF or reverse path filtering, and is sometimes used
>> as a partial countermeasure against spoofed ddos attacks
> 
> 
> yes, I know, I turn it on too on systems that aren't tunnel endpoints.
> 
> 
>> Regards,
>> Guy
> 
> 
> Ciao,
> 
> David A. Bandel



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Tunnel problem

[David A. Bandel]

Guy Van Den Bergh wrote:
> 
> Have you brought the tunnel device up?
> try: ip link set dev <tunneldevice> up
> 
[snip]

this is the _exact_ set of commands I used (comments in parens):

ip tunnel add netmain mode gre remote 209.127.xxx.xxx local
200.46.xxx.xxx ttl 225 (note, I actually put ip numbers, not xxx in the
command)

ip link set netmain up  (and it shows as up with ifconfig, ip tunnel
show, etc. -- if I set it down, the error I get has to do with the
device or route not up)

ip addr add 10.0.3.0 dev netmain

ip route add 0/0 dev netmain  (and here I get, depending on what else
I've done, a route that doesn't work, or an error, usually network not
reachable)

Final line in the route -n command looks like:
0.0.0.0   0.0.0.0   0.0.0.0     UG   1   0    0  netmain

note the second 0.0.0.0 -- that's wrong.  And I can't ping, traceroute,
or otherwise get anywhere.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		-- Nemesis Racing Team motto

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Tunnel problem

[Guy Van Den Bergh]

I think you also need a route to the tunnel remote address, via the 
interface connected to the public internet. If your box does not know a
route to the tunnel remote end, it cannot setup the tunnel. As long as 
you have a default route straight into the internet, connecting to the 
remote end is no problem, but if you redirect this default route over 
the tunnel, your router does not know anymore how to reach the tunnel 
remote end.

If this is not working either, then I am out of suggestions...

Good luck!

Guy

David A. Bandel wrote:

> Guy Van Den Bergh wrote:
> 
>> Have you brought the tunnel device up?
>> try: ip link set dev <tunneldevice> up
>> 
> 
> [snip]
> 
> this is the _exact_ set of commands I used (comments in parens):
> 
> ip tunnel add netmain mode gre remote 209.127.xxx.xxx local
> 200.46.xxx.xxx ttl 225 (note, I actually put ip numbers, not xxx in the
> command)
> 
> ip link set netmain up  (and it shows as up with ifconfig, ip tunnel
> show, etc. -- if I set it down, the error I get has to do with the
> device or route not up)
> 
> ip addr add 10.0.3.0 dev netmain
> 
> ip route add 0/0 dev netmain  (and here I get, depending on what else
> I've done, a route that doesn't work, or an error, usually network not
> reachable)
> 
> Final line in the route -n command looks like:
> 0.0.0.0   0.0.0.0   0.0.0.0     UG   1   0    0  netmain
> 
> note the second 0.0.0.0 -- that's wrong.  And I can't ping, traceroute,
> or otherwise get anywhere.
> 
> Ciao,
> 
> David A. Bandel



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/