Linux source IP routing

Akito Member
edited August 2016 in Help

Hey guys,

I hope you can help me out with the following little problem I have.
I have a Raspberry, on Raspbian, with 2 network interfaces:

  • eth0 (192.168.0.20)
  • tun0 (10.8.0.2 (openvpn, gateway 10.8.0.1))

The Raspberry is acting as a gateway, so all clients on the same subnet set up with a gateway of 192.168.0.20 will actually browse the internet through the openvpn tunnel.
This works perfect.

Now my challenge is that I want only one specific client with a static IP of say 192.168.0.50, using the Raspberry as a gateway as well, to not be routed over tun0 but to go the internet using the regular gateway of 192.168.0.1

That's where I get stuck.
I have tried this:

  • ip rule add from 192.168.0.50 table 666
  • ip route add default via 192.168.0.1 dev eth0 table 666

and

ip route add 10.8.0.2 via 192.168.0.1 src 192.168.0.50

Either way traffic from 192.168.0.50 still gets routed over tun0.

What am I doing wrong? I've been banging my head on the table over this for a few days already.

Comments

  • You may need to use an IPTABLES mangle rule to mark the traffic from that IP to be routed via the alternate routing table.

    At least that's how most of the router distro's seem to do it.

  • Try adding "dev eth0" to the end?

  • Unfortunately ip route add 10.8.0.2 via 192.168.0.1 src 192.168.0.50 dev eth0 gives 'invalid argument'. And I doubt using mangle is the key, because I don't need to alter packets. Just to give them a different route... But in all honesty, I'm not very familiar with using that option so I'll try to look into that :) Any more options are very welcome!

  • UrDN Member

    Can you show your /etc/iproute2/rt_tables ?

  • Ikoula Member, Host Rep

    Hello,

    Can't your computer (192.168.0.50) use router (192.168.0.1) as a GW instead of using raspberry ?

  • Hi there, technically it could use that IP definitely. However, my router is lacking some filtering features and security measures that I can achieve with the Raspberry. Hence I prefer to use 1 GW for all computers :)

    I'll post my rt_tables later today. Don't have access to them from where I am at the moment. I do remember they seemed quite empty / standard.

  • Akito Member
    edited August 2016

    @urdn here it is:

        cat /etc/iproute2/rt_tables
        #
        # reserved values
        #
        255 local
        254 main
        253 default
        0 unspec
        #
        # local
        #
        1 inr.ruhep

  • rm_ IPv6 Advocate, Veteran
    edited August 2016

    Akito said: my router is lacking some filtering features and security measures that I can achieve with the Raspberry. Hence I prefer to use 1 GW for all computers :)

    That's not how it will work. Even if you set this up correctly, after a few packets your Raspberry Pi will send a router redirect message to your computer, and from then on it will proceed to use the router directly.

    One solution is to use different subnets, one for the Raspberry and all computers which use it as the router, another is for communication between the Raspberry and your actual router only. The proper way to set this up would be to use VLANs and a managed switch, but I suppose you don't have one, so just setting up two subnets on the same LAN will work too.

  • @rm_ said:

    Akito said: my router is lacking some filtering features and security measures that I can achieve with the Raspberry. Hence I prefer to use 1 GW for all computers :)

    That's not how it will work. Even if you set this up correctly, after a few packets your Raspberry Pi will send a router redirect message to your computer, and from then on it will proceed to use the router directly.

    One solution is to use different subnets, one for the Raspberry and all computers which use it as the router, another is for communication between the Raspberry and your actual router only. The proper way to set this up would be to use VLANs and a managed switch, but I suppose you don't have one, so just setting up two subnets on the same LAN will work too.

    Have any reference for this "routing redirect message"? I am using this same setup and traffic always goes through the Pi (even after being connected for days).

  • UrDN Member

    @Akito said:
    @urdn here it is:

        cat /etc/iproute2/rt_tables
        #
        # reserved values
        #
        255 local
        254 main
        253 default
        0 unspec
        #
        # local
        #
        1 inr.ruhep

    You must add your table in there.

    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    #1      inr.ruhep
    666 test
    
  • rm_ IPv6 Advocate, Veteran
    edited August 2016

    elwebmaster said: Have any reference for this "routing redirect message"?

    Here you go: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html#howitworks

    The proper name is ICMP Redirect (sorry): http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm
    from what I can tell this article doesn't say they are harmful as a concept, but just that you should avoid designing a network which ends up relying on them being present or absent.

  • @rm_ said:

    elwebmaster said: Have any reference for this "routing redirect message"?

    Here you go: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html#howitworks

    The proper name is ICMP Redirect (sorry): http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm
    from what I can tell this article doesn't say they are harmful as a concept, but just that you should avoid designing a network which ends up relying on them being present or absent.

    Interesting. So disabling redirects on the Pi ( http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/ ) should solve the problem then, right?

  • rm_ IPv6 Advocate, Veteran

    elwebmaster said: Interesting. So disabling redirects on the Pi ( http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/ ) should solve the problem then, right?

    If you disable sending them, then yes. In fact since you say it was working as you wanted already, maybe they are disabled by default there. But anyways, as that article says, such network design is still a bad practice, so why not just split things into different subnets.

  • elwebmaster Member
    edited August 2016

    @rm_ said:

    elwebmaster said: Interesting. So disabling redirects on the Pi ( http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/ ) should solve the problem then, right?

    If you disable sending them, then yes. In fact since you say it was working as you wanted already, maybe they are disabled by default there. But anyways, as that article says, such network design is still a bad practice, so why not just split things into different subnets.

    To be honest I wouldn't have known if it works in the case when the destination is on the Internet. As far as I understand these redirects happen per host. So the Pi remains the default gateway but as more packets travel out to the same host it will eventually send the redirect for that particular destination. I assumed it works because I tried a couple of traces but something like this would break on a per-host basis. The Pi can't just send a blank redirect saying "make 192.168.0.1 your default gateway now".

    Edit: Notice it says this must not be the default route

    When R1 receives a packet destined for host B, it looks at its routing table and notices that it has a route (not default) to R2 for packets destined to host B.

    In the topology we are discussing the Pi is R1 and R2 is its default route.

  • Guys, I have solved my problem! @urdn gave me a hint in the right direction.
    In case any of you ever comes across the same problem as me, here's how it goes.
    One first creates a table (thanks @urdn):

    echo 200 foo >> /etc/iproute2/rt_tables

    Next we mention in the table what IP foo's computer has, in the example here 10.10.10.10

    ip rule add from 10.10.10.10 table foo

    Now we set up the table and mention on which interface the gateway can be found:

    ip route add default via 192.168.0.1 dev eth0 table foo

    Now, this is so important to make it work...... flush your route cache! It won't work without this:

    ip route flush cache

    Done!
    I haven't noticed yet that the network gives me a redirect to 192.168.0.1. So far it keeps using the route to the gateway through the Raspberry.

    Thank you guys!
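    The steps in the solution post above (rt_tables entry, `ip rule`, per-table default route, cache flush) and the ICMP redirect point raised by rm_ and elwebmaster, put together as one script. This is an added example, not code from the thread or from any of its posters. It assumes a table id of 200 named "bypass", the client 192.168.0.50, the LAN router 192.168.0.1 on eth0, and a `PROC_ROOT` prefix so the sysctl check can be exercised against a fake /proc tree; all of these can be overridden through the environment. Unlike the bare `echo ... >> rt_tables` in the thread, the rt_tables helper is idempotent and refuses an id or name that is already taken, and the redirect check reports the effective state (the kernel sends redirects on an interface when either conf/all or conf/<if> has send_redirects enabled).

```shell
#!/bin/sh
# Added example, not from the thread: idempotent policy-routing setup for the
# "one LAN client bypasses the VPN gateway" case, plus a check of the
# send_redirects sysctl discussed in the thread.
# Assumed values (override via environment): table id 200 named "bypass",
# client 192.168.0.50, LAN router 192.168.0.1 reachable on eth0.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-bypass}"
CLIENT_IP="${CLIENT_IP:-192.168.0.50}"
LAN_GW="${LAN_GW:-192.168.0.1}"
LAN_IF="${LAN_IF:-eth0}"
PROC_ROOT="${PROC_ROOT:-}"   # prefix for /proc (assumption for testing against a fake tree)
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add "ID NAME" to rt_tables unless that exact entry already exists.
# Returns 1 (and changes nothing) if the id or the name is already taken by a
# different entry, so a typo cannot silently alias a reserved table.
ensure_rt_table() {
  file=$1; id=$2; name=$3
  if grep -Eq "^[[:space:]]*$id[[:space:]]+$name([[:space:]]|\$)" "$file"; then
    return 0
  fi
  if grep -Eq "^[[:space:]]*$id[[:space:]]+" "$file" ||
     grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|\$)" "$file"; then
    return 1
  fi
  printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Source-based policy routing: a rule sends packets from the client to the
# bypass table, whose only route is a default via the LAN router.
apply_policy_routing() {
  run ip rule add from "$CLIENT_IP" table "$TABLE_NAME" priority 1000
  run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_NAME"
  # Older kernels kept a routing cache; flushing it makes the new rule
  # apply to flows whose route had already been decided.
  run ip route flush cache
}

# Show what the kernel would actually do for the client's traffic.
verify_policy_routing() {
  run ip rule show
  run ip route show table "$TABLE_NAME"
  # Simulate a forwarded packet from the client towards a public address
  # (203.0.113.1 is a documentation address, used here as a placeholder).
  run ip route get 203.0.113.1 from "$CLIENT_IP" iif "$LAN_IF"
}

# Effective send_redirects state for interface $1: the kernel sends ICMP
# redirects on an interface when conf/all OR conf/<if> has it enabled.
# Prints "on", "off" or "unknown" (unreadable sysctl, exit status 1).
redirects_state() {
  confdir="$PROC_ROOT/proc/sys/net/ipv4/conf"
  if [ ! -r "$confdir/all/send_redirects" ] || [ ! -r "$confdir/$1/send_redirects" ]; then
    echo unknown; return 1
  fi
  if [ "$(cat "$confdir/all/send_redirects")" = 0 ] &&
     [ "$(cat "$confdir/$1/send_redirects")" = 0 ]; then
    echo off
  else
    echo on
  fi
}

# Stop the Pi from telling the client to talk to the LAN router directly,
# which would bypass the Pi's filtering for those destinations.
disable_send_redirects() {
  run sysctl -w net.ipv4.conf.all.send_redirects=0
  run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

case "${1:-}" in
  apply)
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME" ||
      { echo "rt_tables conflict for $TABLE_ID/$TABLE_NAME" >&2; exit 1; }
    apply_policy_routing
    disable_send_redirects ;;
  verify)
    verify_policy_routing
    echo "send_redirects on $LAN_IF: $(redirects_state "$LAN_IF")" ;;
esac
```

    Run it as `sh bypass.sh apply` to print the commands, and with `DRY_RUN=0` as root to execute them; `sh bypass.sh verify` shows the rule, the table and the `ip route get` decision for the client, which is the quickest way to see whether the rule is being hit at all. As the comment after the solution post notes, a purely numeric table needs no rt_tables entry; the `ensure_rt_table` helper is only for the named-table form.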

  • Note that you don't have to explicitly create the table if you use numbers instead of a name.

  • UrDN Member

    Akito said: Guys, I have solved my problem! @urdn gave me a hint in the right direction. In case any of you ever comes across the same problem as me, here's how it goes. One first creates a table (thanks @urdn):

    My pleasure.
