Re: Problem with VPN routing from internal network + tun0 and traffic shaping

Linux Advanced Routing and Traffic Control

OK. I didn't know you wanted to NAT the traffic. If you have the default 
gw on your client-net set to the client-gw AND you forward the traffic, 
i.e. set your ip_forward to 1 AND you allow that in your iptables, there 
is no need to NAT the traffic at all (provided you have a static route set 
to your server-net via the tunnel).

I have a similar setup and all I do is:

excerpt from `route -n`
192.168.42.1  0.0.0.0      255.255.255.255 UH  0  0   0 tun0
192.168.42.0  192.168.42.1 255.255.255.0  UG 0   0    0 tun0

Which means the fw finds 192.168.42.1 by looking through the tunnel, and 
the whole network by looking at the far end of the tunnel. 

On the other side it is exactly the same way, except of course turned 
around. 

I saved myself the trouble of having an extra net for the tunnel, I just 
gave the tun0 device the same IP address as the internal (i.e. the client) 
network. So it actually looks like this: 

192.168.42.0/24 ---192.168.42.1 ---tunnel---192.168.1.101--192.168.1.0/24
 
This setup has worked very well for me for years, if you see anything 
wrong with it let me know, I am willing to learn. 

As long as packets get forwarded on both gateways there is no need to NAT. 


I can ping any machine from either network, and have samba working for all 
those clients, so it must be reasonable.


As for traffic shaping, I would do the shaping on the internal interface 
(the one pointing to your network behind the fw), there you have control 
of incoming traffic via htb (as the traffic going to the clients is 
outgoing).

I hope all of this is correct. 

Good luck, 

.peter


On Fri, 8 Oct 2004, Remus wrote:

> You are correct Peter.
> But that is not enough to have access from client local lan to server client 
> local lan.
> The line below helped me to fix it:
> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 
> 10.0.0.2
> 
> So there is one more problem, how to access from the server local net 
> client's local net?
> Any ideas?
> 
> And how to shape traffic going via tun0?
> 
> At the moment I have htb on eth0 and imq0 to shape in and out traffic?
> But what about VPN traffic which goes via tun0?
> 
> Thanks
> 
> Remus
> 
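An added example, not part of either mail in this thread: a small shell helper that builds the routed (un-NATed) site-to-site setup Peter describes on the client-side gateway, plus the HTB shaping on the internal interface that he recommends for traffic arriving through tun0. It uses the thread's example addresses; the internal interface name eth1, the rates, and the tunnel being a point-to-point tun0 whose peer is the far gateway are assumptions. By default it only prints the commands it would run, so the result can be reviewed before applying it with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example (not from the LARTC thread). Routed VPN forwarding without SNAT,
# plus HTB on the internal interface. DRY_RUN=1 (default) prints instead of
# executing; LAN_IF=eth1 is an assumed internal interface name.

DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Peter's precondition for skipping NAT: the gateway must forward.
# Returns 0 when the given sysctl file (default: the live one) reads "1".
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Client-side gateway: tun0 carries the LAN gateway's own address (Peter's
# trick of not using a separate tunnel net), the peer is the far gateway,
# and the remote LAN is routed via that peer. FORWARD rules allow both
# directions between the two LANs; no POSTROUTING/SNAT rule is needed.
#   $1 local LAN, $2 tun0 local addr, $3 tun0 peer addr, $4 remote LAN
setup_routes() {
    local_net="$1"; tun_local="$2"; tun_peer="$3"; remote_net="$4"
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add "$tun_local" peer "$tun_peer" dev tun0
    run ip route add "$remote_net" via "$tun_peer" dev tun0
    run iptables -A FORWARD -i "$LAN_IF" -o tun0 -s "$local_net" -d "$remote_net" -j ACCEPT
    run iptables -A FORWARD -i tun0 -o "$LAN_IF" -s "$remote_net" -d "$local_net" -j ACCEPT
}

# Shaping on the internal interface: packets heading to the LAN are egress
# there, so HTB can limit them, including those that arrived via tun0.
# Traffic sourced from the remote LAN is classified into its own class.
#   $1 internal dev, $2 total rate, $3 VPN class rate, $4 other rate, $5 remote LAN
setup_shaping() {
    dev="$1"; total="$2"; vpn_rate="$3"; other_rate="$4"; remote_net="$5"
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$total"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$vpn_rate" ceil "$total"
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$other_rate" ceil "$total"
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip src "$remote_net" flowid 1:10
}

# Demonstration with the thread's layout:
# 192.168.42.0/24 --192.168.42.1 --tunnel-- 192.168.1.101 -- 192.168.1.0/24
setup_routes 192.168.42.0/24 192.168.42.1 192.168.1.101 192.168.1.0/24
setup_shaping "$LAN_IF" 10mbit 2mbit 8mbit 192.168.1.0/24
if check_forwarding; then
    echo "# ip_forward is enabled on this host"
else
    echo "# ip_forward is not enabled (or not readable) on this host"
fi
```

The server-side gateway gets the mirror image: swap the two LANs and the two tunnel addresses in the `setup_routes` call. The `check_forwarding` helper is the thing to run first when a routed VPN "only works with SNAT", since a forwarding gateway with a route to the far LAN is exactly what makes the NAT rule unnecessary.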

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
