On 10/04/2014 23:23, Bart Kus wrote:
> At step (c) the packet matched a route that is associated with an IPIP
> tunnel. The inner headers are from-44.whatever and to-44.24.240.0/20.
> When that match is made, the packet is IPIP encapsulated, and given new
> outer src/dst IPs. The dst-IP in this case should be 44.24.221.1, and
> the src-IP should be whatever local-address was configured for the IPIP
> tunnel (which should be routable over his public ISP). Then the router
> has to make a 2nd routing decision about how to deliver to 44.24.221.1.
> In this case, it should match default route (0.0.0.0/0).

I think the issues still come because of BCP38.

44GWs have access to the commercial Internet and 44net, so you need to
apply source and destination based routing rules. In general you will:

1) handle traffic with an ORIGIN within 44/8 in a dedicated routing table
2) handle traffic with a DESTINATION within 44/8 in a dedicated routing
   table

So once the IPIP packet towards your 44GW has been created and the
SOURCE is a commercial IP address and the DESTINATION is a 44net
address, rule 2) from above will kick in. As your network 44.24.221.0/24
is not in the encap file, there is no route in the dedicated routing
table and as such the traffic travels via the default route in the
dedicated routing table. That default route within the dedicated routing
table goes via UCSD because of BCP38.

So what you are asking is to ignore routing rule (ip rule NOT ip route)
once a packet has been encapsulated into IPIP. This seems to be
difficult using the current code; there might be a possibility using
iptables and packet marking.

Another solution would be to specifically exclude your 44GW IP address
(44.24.221.1) from rule 2) (and 1) if I happen to apply the same
implementation as yours).

73 de Marc
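
The rule ordering discussed in this message, as an added example that is not part of the original e-mail or of any gateway's real configuration: a small Python model of Linux-style policy routing (rules tried in priority order, longest-prefix match inside the selected table). The rule priorities, table names, next-hop labels and the addresses 198.51.100.7 and 44.131.1.5 are assumptions made for illustration.

```python
import ipaddress

ANY = "0.0.0.0/0"

# Constructed tables: "main" has only the ISP default route; "t44" is the
# dedicated 44net table (one encap-file route plus a default via UCSD).
TABLES = {
    "main": [(ANY, "isp")],
    "t44": [("44.24.240.0/20", "ipip-to-44.24.221.1"), (ANY, "ucsd-tunnel")],
}

# (priority, from, to, table), lowest priority number is evaluated first.
RULES = [
    (100, "44.0.0.0/8", ANY, "t44"),   # rule 1): ORIGIN within 44/8
    (200, ANY, "44.0.0.0/8", "t44"),   # rule 2): DESTINATION within 44/8
    (32766, ANY, ANY, "main"),         # everything else
]

# Same rules plus an exclusion for the gateway address, placed ahead of rule 2).
RULES_WITH_EXCLUSION = [(50, ANY, "44.24.221.1/32", "main")] + RULES


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns a next hop or None."""
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def route(rules, tables, src, dst):
    """Return (table, next_hop) chosen for a packet with the given src/dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, frm, to, table in sorted(rules):
        if src in ipaddress.ip_network(frm) and dst in ipaddress.ip_network(to):
            hop = lookup(tables[table], dst)
            if hop is not None:          # a rule with no matching route falls through
                return table, hop
    return None, None


if __name__ == "__main__":
    outer = ("198.51.100.7", "44.24.221.1")   # encapsulated packet: public src, 44net dst
    print("without exclusion:", route(RULES, TABLES, *outer))
    print("with exclusion:   ", route(RULES_WITH_EXCLUSION, TABLES, *outer))
```
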