Routing question

Alex Satrapa grail at
Tue Sep 10 11:07:21 EST 2002

On Tuesday, September 10, 2002, at 07:49 , Michael Still wrote:

> On Mon, 9 Sep 2002, Bob Edwards wrote:
>> Can you already get to random hosts on x.y.z.* from a.b.c.d? If not, 
>> you need
>> a route like:
>>  route add -net x.y.z.0 netmask gw
> This is what I have tried in the past (and just tried again). It breaks
> the ssh link, because then the ssh packets follow the routing rule, and 
> go
> over the ppp link contained by the ssh packets, and so on.

You're effectively trying to set up two routes to the remote host, one 
through the host specific route and one through the net route.

Make the net route go over the PPP link as Bob Edwards mentioned 
previously, with one caveat.  You'll need to use imaginary IP addresses 
for each end of the PPP link, and have the two host routes over the PPP 
link using the imaginary IP addresses - these addresses only matter to 
the PPP link.  Then you can happily add host and network routes for the 
"real" IP addresses that go through the tunnel.

   (Network x.y.z.*)
   |   x.y.z.6   |   Client end
   | |
          | (ppp over ssh vpn, <->
   | |
   |   a.b.c.d   |   Server end
   (Network 172.31.0.*)

Note that this way, data sent to x.y.z.6 will end up going over the 
encrypted tunnel quite happily.

The routes you'll need to make this work are:
  - Host routes for the other end of the PPP link (the 192.168.1.(1|2) 
  - Network routes for the other networks
  - Host routes for the SSH connection over the Internet (the x.y.z.6 and 
  - Reject routes for the PPP link, which go something like this:
     route add -host x.y.z.6 dev ppp0 reject

The reject route tells the routing code to *not* route packets for 
x.y.z.6 over the PPP link.  This is not a firewalling measure, it's a 
routing measure.

Incidentally, you'll be much better off using something like OpenVPN 
instead of PPP over SSH - the experience we had at TSA was that with 
TCP/IP over PPP over SSH over TCP/IP, you have two or three sets of 
congestion management, so the moment one little pocket gets delayed, 
your network throughput gets strangled (the low level TCP backs off by 
about half, the high level TCP backs off too, and no doubt PPP has a 
heart attack in there somewhere to boot).

You may also want to explore using IPSec for that connection too - and 
perhaps consider using RFC 1918 addresses for the "internal" x.y.z.* 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 225 bytes
Desc: not available
Url :

More information about the linux mailing list