On 2016-10-07 09:18, Nikos Mavrogiannopoulos wrote:
>> My plan is to add the /32 route to the loopback interface so the running
>> dynamic routing daemon can pick it up,
>> ip route add $FRAMEDIP/255.255.255.255 dev lo
>> Then do something like this
>> iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP
> I see now that you distinguish between IP_REMOTE and FRAMEDIP, why is
> that? ocserv should have assigned the framedip received from radius as
> the remote IP.

Thank you for answering! Sorry if I was vague on the details, but let me be more elaborate:

The university has an IPv4 /16 allocated to it. Say 111.191.0.0/16 (which is obviously not part of RFC 1918 and not the real subnet either). The VPN users get their IP addresses from three /24 pools: 111.191.88.0/24, 111.191.110.0/24 and 111.191.240.0/24.

Currently all of these routes are advertised with their full /24 on the old (but still staying) VPN server. This can't be changed. However, if we advertise only the /32 address that the client has, then it will be favored over the /24 group (longest match).

So I decided to do 1:1 NAT for the users; they get an unrouted 172.16.0.0/21 address and that gets NATed to their original address.

regards
Emeric

PS: the above pools are about 70% used up and we have 200-300 VPN users daily, usually peaking at 500.
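The /32-on-loopback plus 1:1 NAT scheme described in this message, written out as an added example (not code from the thread or from ocserv). It is shaped like an ocserv connect-script: ocserv exports REASON (connect or disconnect) and IP_REMOTE (the tunnel address from the unrouted 172.16.0.0/21 pool) to that script, while FRAMEDIP (the routed 111.191.x.x address from RADIUS) is assumed here to be provided by a wrapper, since ocserv does not export it. Compared with the two commands in the quoted plan, this version also installs the matching DNAT so that new inbound connections to the framed address reach the client rather than the VPN host's own loopback, and tears everything down on disconnect so the routing daemon stops advertising a /32 for a user who is gone.

```shell
#!/bin/sh
# Hypothetical ocserv connect-script (added example): per-user /32 on lo plus 1:1 NAT.
# Assumed environment: REASON=connect|disconnect and IP_REMOTE come from ocserv;
# FRAMEDIP is assumed to be set by a wrapper from the RADIUS Framed-IP-Address.

# Validate a dotted-quad IPv4 address; refuse anything else before it reaches ip/iptables.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands for one event, one per line, without executing them.
# $1 = connect|disconnect, $2 = tunnel (inner) address, $3 = routed (outer) address.
build_rules() {
    reason=$1
    inner=$2
    outer=$3
    is_ipv4 "$inner" && is_ipv4 "$outer" || return 1
    case "$reason" in
        connect)
            # Host route on lo so the routing daemon redistributes a /32 that wins
            # longest-match over the old server's /24 advertisements.
            printf 'ip route add %s/32 dev lo\n' "$outer"
            # Outbound: client's unrouted address leaves as its framed address.
            printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$inner" "$outer"
            # Inbound: new connections to the framed address are forwarded to the client
            # (conntrack only reverses SNAT for replies, not for fresh inbound flows).
            printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s\n' "$outer" "$inner"
            ;;
        disconnect)
            # Reverse order of connect; leaving the /32 behind would keep advertising
            # a route for a user who is no longer here.
            printf 'iptables -t nat -D PREROUTING -d %s -j DNAT --to-destination %s\n' "$outer" "$inner"
            printf 'iptables -t nat -D POSTROUTING -s %s -j SNAT --to-source %s\n' "$inner" "$outer"
            printf 'ip route del %s/32 dev lo\n' "$outer"
            ;;
        *)
            return 1
            ;;
    esac
}

# When invoked by ocserv (REASON set), apply the rules; DRY_RUN=1 only prints them.
if [ -n "${REASON:-}" ]; then
    build_rules "$REASON" "$IP_REMOTE" "$FRAMEDIP" | while read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
fi
```

Run it with `DRY_RUN=1 REASON=connect IP_REMOTE=172.16.0.5 FRAMEDIP=111.191.88.7 sh connect.sh` to see the rule set before wiring it into ocserv; the same three rules in reverse are emitted for `REASON=disconnect`. The ordering on connect matters in practice: the route goes in first so the daemon picks it up as soon as the NAT exists, and on disconnect it is removed last so no packet for the framed address is routed to the host with the NAT already gone.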