Linux source IP routing
Hey guys,
I hope you can help me out with the following little problem I have.
I have a Raspberry, on Raspbian, with 2 network interfaces:
- eth0 (192.168.0.20)
- tun0 (10.8.0.2 (openvpn, gateway 10.8.0.1))
The Raspberry is acting as a gateway, so all clients on the same subnet set up with a gateway of 192.168.0.20 will actually browse the internet through the openvpn tunnel.
This works perfect.
Now my challenge is that I want only one specific client with a static IP of say 192.168.0.50, using the Raspberry as a gateway as well, to not be routed over tun0 but to go the internet using the regular gateway of 192.168.0.1
That's where I get stuck.
I have tried this:
- ip rule add from 192.168.0.50 table 666
- ip route add default via 192.168.0.1 dev eth0 table 666
and
ip route add 10.8.0.2 via 192.168.0.1 src 192.168.0.50
Either way traffic from 192.168.0.50 still gets routed over tun0.
What am I doing wrong? I've been banging my head on the table over this for a few days already.
Comments
You may need to use an IPTABLES mangle rule to mark the traffic from that IP to be routed via the alternate routing table.
At least that's how most of the router distros seem to do it.
Try adding "dev eth0" to the end?
Unfortunately ip route add 10.8.0.2 via 192.168.0.1 src 192.168.0.50 dev eth0 gives 'invalid argument'. And I doubt using mangle is the key, because I don't need to alter packets. Just to give them a different route... But in all honesty, I'm not very familiar with using that option so I'll try to look into that. Any more options are very welcome!
Can you show your /etc/iproute2/rt_tables ?
Hello,
Can't your computer (192.168.0.50) use the router (192.168.0.1) as a GW instead of using the Raspberry?
Hi there, technically it could use that IP definitely. However, my router is lacking some filtering features and security measures that I can achieve with the Raspberry. Hence I prefer to use 1 GW for all computers.
I'll post my rt_tables later today. Don't have access to them from where I am at the moment. I do remember they seemed quite empty / standard.
@urdn here it is:
cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 inr.ruhep
That's not how it will work. Even if you set this up correctly, after a few packets your Raspberry Pi will send a router redirect message to your computer, and from then on it will proceed to use the router directly.
One solution is to use different subnets, one for the Raspberry and all computers which use it as the router, another is for communication between the Raspberry and your actual router only. The proper way to set this up would be to use VLANs and a managed switch, but I suppose you don't have one, so just setting up two subnets on the same LAN will work too.
Have any reference for this "routing redirect message"? I am using this same setup and traffic always goes through the Pi (even after being connected for days).
You must add your table in there.
Here you go: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html#howitworks
The proper name is ICMP Redirect (sorry): http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm
From what I can tell this article doesn't say they are harmful as a concept, but just that you should avoid designing a network which ends up relying on them being present or absent.
Interesting. So disabling redirects on the Pi ( http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/ ) should solve the problem then, right?
If you disable sending them, then yes. In fact since you say it was working as you wanted already, maybe they are disabled by default there. But anyways, as that article says, such network design is still a bad practice, so why not just split things into different subnets.
To be honest I wouldn't have known if it works in the case when the destination is on the Internet. As far as I understand these redirects happen per host. So the Pi remains the default gateway but as more packets travel out to the same host it will eventually send the redirect for that particular destination. I assumed it works because I tried a couple of traces but something like this would break on a per-host basis. The Pi can't just send a blank redirect saying "make 192.168.0.1 your default gateway now".
Edit: Notice it says this must not be the default route
In the topology we are discussing the Pi is R1 and R2 is its default route.
Guys, I have solved my problem! @urdn gave me hint in the right direction.
In case any of you ever comes across the same problem as me, here's how it goes.
One first creates a table (thanks @urdn):
Next we mention in the table what IP foo's computer has, in the example here 10.10.10.10
Now we set up the table and mention on which interface the gateway can be found:
Now, this is so important to make it work...... flush your route cache! It won't work without this:
Done!
I haven't noticed yet that the network gives me a redirect to 192.168.0.1. So far it keeps using the route to the gateway through the Raspberry.
Thank you guys!
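The setup the original poster arrived at (a source-based ip rule, a dedicated routing table with its own default route, then a cache flush), written out as an added example; this is not code from the thread or from any of its participants. The addresses and interface names are the ones given in the question; the table number 666 comes from the poster's first attempt, while the rule priority, the DRY_RUN switch, the sysctl step for ICMP redirects raised later in the thread, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing on a
# Linux gateway so that one LAN host (192.168.0.50, from the thread) leaves
# via the plain router (192.168.0.1) instead of the VPN tunnel. The table
# number, rule priority and DRY_RUN switch are this example's assumptions.
set -eu

CLIENT_IP="192.168.0.50"   # the host that should bypass tun0
LAN_GW="192.168.0.1"       # the regular (non-VPN) upstream router
LAN_IF="eth0"              # interface the LAN and that router sit on
TABLE="666"                # numeric table id: no /etc/iproute2/rt_tables entry needed
PRIO="1000"                # assumed priority; lower than 32766 so it is consulted before "main"

# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the bypass. In dry-run mode the command list is the function's output.
bypass_setup() {
    # 1. Policy rule: packets sourced from CLIENT_IP consult TABLE before "main".
    run ip rule add from "$CLIENT_IP" table "$TABLE" priority "$PRIO"
    # 2. The alternate table holds just a default route via the plain router.
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    # 3. Flush cached next-hops so existing flows pick up the new policy at once.
    run ip route flush cache
}

# Undo it in reverse order (handy when testing on a live gateway).
bypass_teardown() {
    run ip route flush table "$TABLE"
    run ip rule del from "$CLIENT_IP" table "$TABLE" priority "$PRIO"
    run ip route flush cache
}

# Keep the gateway from telling the client to talk to 192.168.0.1 directly
# (the ICMP redirect concern raised in the thread). Both the "all" and the
# per-interface knob must be 0 for the kernel to stop sending redirects.
redirects_off() {
    run sysctl -w "net.ipv4.conf.all.send_redirects=0"
    run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# Read-only check of what the kernel would do with a packet from the client
# arriving on LAN_IF: prints the egress device the lookup selects
# ("eth0" means the bypass works, "tun0" means it does not).
bypass_check() {
    ip route get 1.1.1.1 from "$CLIENT_IP" iif "$LAN_IF" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Apply everything only when explicitly asked; sourcing or dry-running is safe.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    bypass_setup
    redirects_off
    echo "egress for $CLIENT_IP: $(bypass_check)"
fi
```

Run it without arguments to see the commands it would issue, and as root with `apply` to install them; `ip route get ... from ... iif ...` is the quickest way to confirm which table won, without sending any traffic. On kernels from 3.6 onward the IPv4 routing cache no longer exists, so the flush step is harmless but not required there; the rule and table alone are what make the bypass work, and no iptables mangle marking is needed when the selector is simply the source address.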
Note that you don't have to explicitly create the table if you use numbers instead of a name.
My pleasure.