[OpenIndiana-discuss] multiple IP addresses, same NIC

Robbie Crash sardonic.smiles at gmail.com
Wed Mar 6 05:56:18 UTC 2013


If you're not accessing clients on the remote 192.168.1.0 subnet, why are
you adding the second network?

Why are you not handling this on the router instead of the client? Static
routes on a client are bad mojo. It's the router's job to route, let it do
that. All you should need to do is tell the router to route all traffic for
192.168.10.0/24 to use whatever the VPN interface is.

I'm assuming you're using something like Tomato or DD-WRT on your router,
which both should accept a Linux style route add along with an iptables
chain. I have this setup on mine, networks changed for you:

route add -net 192.168.10.0 netmask 255.255.255.0 ppp1
iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 192.168.10.0/255.255.255.0 --jump ACCEPT --out-interface ppp1
iptables --insert INPUT --source 192.168.10.0/255.255.255.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 192.168.10.0/255.255.255.0 --jump ACCEPT --out-interface ppp1
iptables --insert FORWARD --source 192.168.10.0/255.255.255.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

would do it.

The issue here sounds like since the OI box already knows that it has a
route to 192.168.10.10 over its default route, it doesn't need to use the
secondary IP.

If you can't configure the router, PCI NICs are $9 these days, and that'll
work for sure.


On Tue, Mar 5, 2013 at 10:24 PM, Doug Hughes <doug at will.to> wrote:

> On 3/5/2013 10:18 PM, Edward Ned Harvey (openindiana) wrote:
>
>> From: Doug Hughes [mailto:doug at will.to]
>>>
>>> 2) explicitly set the route for 192.168.10.x :
>>> route add 192.168.10.0/<mask> 192.168.2.1
>>>
>>
>> That's what I'm saying I have already done.  I set the default route to
>> 192.168.1.1, and I set a static route, 192.168.10.x/24 via 192.168.2.1.
>>  The route is in effect, as evidenced:
>>
>> For simplicity, let's say 192.168.1.1 has MAC 11:11:11:11:11:11 and let's
>> say 192.168.2.1 has mac 22:22:22:22:22:22.
>>
>> When I ping something on the internet, I see a packet go out my NIC,
>> source IP 192.168.1.100, destination MAC 11:11:11:11:11:11 and destination
>> IP 8.8.8.8.  It all works, I get a ping response.
>>
>> When I ping 192.168.2.1 directly, I see a packet go out my NIC, source IP
>> 192.168.2.100, destination MAC 22:22:22:22:22:22 and destination IP
>> 192.168.2.1.  It all works, I get a ping response.
>>
>> When I ping something on the other end of the VPN, I see a packet go out
>> of my NIC, source IP 192.168.1.100, destination MAC 22:22:22:22:22:22 and
>> destination IP 192.168.10.10 (or whatever.)  The firewall drops the packet,
>> because duh, the source IP isn't in the same subnet as the firewall.
>>
>> I am also exploring the NAT option, assuming I'm not going to be able to
>> resolve the above problem.
>>
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>>
>>
> is it the same if you use something other than ping?
> Does it work correctly if you use ping -i to specify the source interface?
>
> Another option may be tagged vlans. Supporting a separate tagged interface
> would be very clear for the host. It would appear as a totally separate
> layer2 so there'd be no chance for mac reuse. That's only if your router
> can support that too, however...
>
>
>
>



-- 
Seconds to the drop, but it seems like hours.

http://www.openmedia.ca
https://robbiecrash.me
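The symptom Edward describes (the packet to 192.168.10.10 leaves via 192.168.2.1's MAC but carries the primary address 192.168.1.100 as its source) comes down to how source-address selection interacts with the routing lookup. The following is an added illustration, not code from the thread and not the illumos kernel's actual algorithm: a small Python model of the host's routing table, with the constructed addresses from the thread, that contrasts "always use the NIC's primary address" with "use the address on the NIC whose subnet contains the next hop", which is what the upstream firewall effectively requires.

```python
# Added example: model of next-hop lookup and source-address selection.
# This is an illustration only, not the OpenIndiana/illumos implementation.
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link (connected)


# Constructed to mirror the thread: one NIC with 192.168.1.100/24 (primary)
# and 192.168.2.100/24 (secondary); default via 192.168.1.1; VPN subnet
# 192.168.10.0/24 via 192.168.2.1.
NIC_ADDRS = [ipaddress.ip_interface("192.168.1.100/24"),
             ipaddress.ip_interface("192.168.2.100/24")]
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), None),
    Route(ipaddress.ip_network("192.168.2.0/24"), None),
    Route(ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_address("192.168.2.1")),
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.1")),
]


def lookup(dst):
    """Longest-prefix match; returns the route and the address that is ARPed for."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r.prefix), key=lambda r: r.prefix.prefixlen)
    return best, (best.gateway if best.gateway is not None else dst)


def source_primary(dst):
    """What the thread observes: the NIC's primary address, whatever the next hop."""
    return str(NIC_ADDRS[0].ip)


def source_by_next_hop(dst):
    """Pick the address on the NIC whose subnet contains the next hop, so the
    source is in the same subnet as the gateway that forwards the packet."""
    _, next_hop = lookup(dst)
    for addr in NIC_ADDRS:
        if next_hop in addr.network:
            return str(addr.ip)
    return str(NIC_ADDRS[0].ip)  # fall back to the primary address


def explain(dst):
    """Summarise the route, next hop and both source choices for a destination."""
    route, next_hop = lookup(dst)
    return {"route": str(route.prefix), "next_hop": str(next_hop),
            "src_primary": source_primary(dst),
            "src_by_next_hop": source_by_next_hop(dst)}
```

For 192.168.10.10 the model returns next hop 192.168.2.1 with source 192.168.1.100 under the primary-address rule, which is exactly the packet the firewall drops; the next-hop-aware rule yields 192.168.2.100.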

