[clug] routing advice needed

Tomasz Ciolek tmc at dreamcraft.com.au
Wed Dec 3 13:01:51 GMT 2003

Right oh... 
On Wed, Dec 03, 2003 at 11:18:26PM +1100, Kim Holburn wrote:
> I could have private networks on each internal interface and on the 
> remote.  I don't really see the difference routing-wise except there 
> is NAT in there.  I might still want a route from one internal 
> interface to a remote subnet/IP and a different route from my other 
> internal interface to the remote.  I might want routes with different 
> weighting/costing.

Okay. What you proposed is what we call asymmetric routing. But you tried
to do it all on the same infrastructure... It has the advantage that it
gets you exactly what you are after right now, but....

1. It will break any firewalling that's in place, because if you have a
firewall in there somewhere it will only see 1/2 of the traffic.

2. debugging is a bitch.

3. You COULD end up with a routing loop, and stuff will go nowhere.

4. If I get inside one of the networks I can bypass the VPN to attack
the other, by spoofing the non-VPN'd 1/2 of the route... In that case
why did you want to have a VPN if you will only use it for some of the
traffic? How is stuff going back different in sensitivity, etc. to the
stuff coming in via the VPN?

5. It gets messy.

6. No-one said NATting. I was thinking IP/protocol level redirects
actually, which IPTABLES does do (I think).

The above aside - solutions have separate routers for traffic going in
via the VPN and coming back. If not feasible, use IPTABLES to redirect
on a per-protocol basis (i.e. UDP, TCP, ICMP, etc... )


Tomasz M. Ciolek	
  email:  tmc at dreamcraft dot com dot au 
	GPG Key ID: 0x41C4C2F0  Key available on www.pgp.net	
  Everything falls under the law of change;	
  Like a dream, a phantom, a bubble, a shadow,
  like dew or flash of lightning.
  You should contemplate like this. 
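To make point 1 concrete (a stateful firewall that sees only half of a flow), here is an added toy model; it is not from the original message or from any real firewall. It models two paths between two sites, one crossing a strict connection tracker and one bypassing it, and runs a three-packet TCP handshake over each combination. The addresses, the `StatefulFirewall` class and `run_handshake()` are all constructed for the example, and the optional mid-stream pickup that real conntrack can do is deliberately left out so the effect is visible.

```python
"""Toy model of the asymmetric-routing problem in the message above.

Two paths join site A (10.1.0.0/16) and site B (10.2.0.0/16): a VPN path
that crosses a stateful firewall and a direct path that does not. The
firewall tracks connections, so it only passes a packet that continues a
flow it has already seen. Addresses and the handshake are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Minimal TCP connection tracker (strict mode). A flow must begin with a
    SYN from the inside, and every later packet must fit the recorded state.
    Real conntrack can optionally pick up mid-stream flows; not modelled."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table: dict = {}   # flow key -> state
        self.log: list = []

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Same key for both directions of one flow.
        return tuple(sorted((pkt.src, pkt.dst)))

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        key = self._key(pkt)
        state = self.table.get(key)
        if state is None:
            if pkt.flags == "SYN" and pkt.src.startswith(self.inside_prefix):
                self.table[key] = "SYN_SENT"
                self.log.append(f"NEW {pkt.src}->{pkt.dst}")
                return True
            self.log.append(f"INVALID {pkt.flags} {pkt.src}->{pkt.dst}: no known flow")
            return False
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.table[key] = "ESTABLISHED"
            self.log.append(f"ESTABLISHED {pkt.src}->{pkt.dst}")
            return True
        if state == "ESTABLISHED":
            return True
        self.log.append(f"INVALID {pkt.flags} {pkt.src}->{pkt.dst}: state {state}")
        return False


def run_handshake(forward_via_fw: bool, reverse_via_fw: bool) -> dict:
    """Run a TCP handshake A->B. Each direction either crosses the firewall
    or takes the direct path. Stops at the first dropped packet, since the
    peer would never see it and the handshake stalls."""
    fw = StatefulFirewall("10.1.")
    a, b = "10.1.0.5", "10.2.0.9"          # constructed hosts at site A and B
    steps = [
        (Packet(a, b, "SYN"), forward_via_fw),
        (Packet(b, a, "SYN-ACK"), reverse_via_fw),
        (Packet(a, b, "ACK"), forward_via_fw),
    ]
    delivered, uninspected = [], 0
    for pkt, via_fw in steps:
        if via_fw:
            if not fw.forward(pkt):
                break
        else:
            uninspected += 1            # direct path: nobody inspects this packet
        delivered.append(pkt.flags)
    return {
        "handshake_complete": delivered == ["SYN", "SYN-ACK", "ACK"],
        "firewall_state": fw.table.get(tuple(sorted((a, b)))),
        "uninspected_packets": uninspected,
        "log": fw.log,
    }


if __name__ == "__main__":
    cases = [("symmetric", True, True),
             ("asymmetric, reply bypasses firewall", True, False),
             ("asymmetric, request bypasses firewall", False, True)]
    for name, fwd, rev in cases:
        r = run_handshake(fwd, rev)
        print(f"{name}: complete={r['handshake_complete']} "
              f"fw_state={r['firewall_state']} uninspected={r['uninspected_packets']}")
        for line in r["log"]:
            print("   ", line)
```

Only the symmetric case completes. When the reply takes the direct path the firewall is left in SYN_SENT and drops the client's final ACK as invalid; when the request takes the direct path the firewall sees a SYN-ACK for a flow it never opened and drops that. In both asymmetric cases at least one packet crosses a path that no firewall inspects, which is also the root of point 4 in the message.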
