On Wed, Jun 17, 2015 at 9:11 PM, Marius Petrescu marius@yo2loj.ro wrote:
> Table 44, where all the tunnel routes reside, has to be used for ALL outgoing 44net destinations, so that the proper tunnel gets selected.
> So all packets 'to 44.0.0.0/8' have to go into table 44.
I'm still hoping you could explain the "why" of that statement. Even if a specific 44 destination has a tunnel, it's only appropriate for your gateway to use it if the source address is within your assigned subnet. Unless I'm missing something, the only reason you should ever be forced to use the tunnels for outbound packets is to prevent them from getting filtered when using your assigned 44 source addresses on them.
> using 'from 44.182.21.0/24' would direct all packets generated by my subnet to table 44. This would include internet traffic to non-ampr hosts (e.g. 44.182.21.1 to www.google.com), which is not correct
Well, then I'm really confused as I thought that was intentional. Are you trying to say that hosts on your assigned 44 net are only supposed to be able to communicate with other 44 nets and not any other hosts on the internet?
My understanding of the wiki doc is that it describes how to set up a private network that NATs to the internet on your ISP's address and a separate ham network that uses your assigned 44 IPs. Then the ham network can tunnel traffic between you and other tunneled networks or the general internet by tunneling to the ampr-gw.
Here's a matrix of how I think it's supposed to work:
- PrivateLAN -> InternetHosts = Uses default routing table and NAT
- PrivateLAN -> Assigned44LAN = Routes directly as both subnets are directly connected to gw
- PrivateLAN -> OtherIPIPLANs = Should use default routing table and NAT (but likely doesn't due to what seems like a misconfiguration to me)
- Assigned44LAN -> PrivateLAN = Routes directly as both subnets are directly connected to gw
- Assigned44LAN -> OtherIPIPLANs = Uses 44 routing table and forwards packets over IPIP tunnel
- Assigned44LAN -> InternetHosts = Uses default 0/0 route on 44 table and IPIP tunnel to ampr-gw for forwarding to internet hosts
- OtherIPIPLANs -> Assigned44LAN = Packets appear on IPIP interface and forwarded to directly connected subnet
- OtherIPIPLANs -> PrivateLAN = Not possible due to non-unique IP space on private LAN
- InternetHosts -> Assigned44LAN = Packets appear on IPIP interface from ampr-gw and forwarded to directly connected subnet
- InternetHosts -> PrivateLAN = Not possible due to non-unique IP space on private LAN
- InternetHosts -> YourGWHost = Packets appear on ISP interface (can then be configured to "port-forward" to LAN using NAT/PAT)
- YourGWHost -> Internet = Uses default route on default table and uses IP of the egress interface (your ISP address)
- YourGWHost -> PrivateLAN = Packets egress on interface directly connected to PrivateLAN with the source IP of that interface
- YourGWHost -> Assigned44LAN = Packets egress on interface directly connected to your 44LAN with the source IP of that interface
- YourGWHost -> BGP-only44Net = Should be treated like any other internet destination and egress the ISP interface; This doesn't work because of the arbitrary "to 44/8 use table 44" rule that doesn't seem to have a valid reason for existing.
If my logic is flawed somehow, please let me know which of the above cases it relates to and hopefully we can clear this up once and for all. :)
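The disagreement above is really about how the Linux routing policy database (RPDB) picks a table: `ip rule add to 44.0.0.0/8 table 44` selects the table by destination, `ip rule add from 44.182.21.0/24 table 44` selects it by source, and a lookup miss in the selected table falls through to the next rule (ending with the main table). The following is an added example, not code from the thread or from the AMPRnet wiki: a small model of that lookup run over the cases in the matrix. The assigned subnet 44.182.21.0/24 comes from the thread; the private LAN 192.168.1.0/24, the ISP address 203.0.113.5, the internet host 198.51.100.7, the other IPIP-tunnelled subnet 44.1.2.0/24 and the BGP-only subnet 44.9.9.0/24 are all constructed placeholders, as are the interface names.

```python
"""Model of Linux policy routing: rule selection, then longest-prefix lookup per table.

All addresses except 44.182.21.0/24 (from the thread) are constructed placeholders.
"""
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


ASSIGNED_44 = net("44.182.21.0/24")   # the poster's assigned 44 subnet (from the thread)
PRIVATE_LAN = net("192.168.1.0/24")   # assumed RFC1918 LAN behind NAT
OTHER_IPIP_LAN = net("44.1.2.0/24")   # hypothetical 44 subnet reachable via an IPIP tunnel
BGP_ONLY_44 = net("44.9.9.0/24")      # hypothetical 44 subnet announced via BGP only, no tunnel

# Each table is a list of (prefix, next-hop description); lookup is longest-prefix match.
TABLE_MAIN = [
    (PRIVATE_LAN, "dev eth0 (PrivateLAN, connected)"),
    (ASSIGNED_44, "dev eth1 (Assigned44LAN, connected)"),
    (net("0.0.0.0/0"), "via ISP default gateway (dev ppp0)"),
]
TABLE_44 = [
    # Assumption: the connected 44 subnet is also present in table 44 so that
    # local 44-to-44 traffic is not pushed into the tunnel by the 0/0 route.
    (ASSIGNED_44, "dev eth1 (Assigned44LAN, connected)"),
    (OTHER_IPIP_LAN, "dev tunl0 via IPIP peer for 44.1.2.0/24"),
    (net("0.0.0.0/0"), "dev tunl0 via ampr-gw"),
]
TABLES = {"main": TABLE_MAIN, "44": TABLE_44}

# Rules as (selector, prefix, table), in priority order.
RULES_WIKI = [("to", net("44.0.0.0/8"), "44"), ("from", ASSIGNED_44, "44")]
RULES_FROM_ONLY = [("from", ASSIGNED_44, "44")]


def lookup(table, dst):
    """Longest-prefix match of dst in one table; None if no route matches."""
    best = None
    for prefix, nexthop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def select_route(src, dst, rules):
    """Walk the rules in order; a miss in a selected table falls through to the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, prefix, table in rules:
        addr = src if selector == "from" else dst
        if addr in prefix:
            hop = lookup(TABLES[table], dst)
            if hop is not None:
                return f"table {table}: {hop}"
    hop = lookup(TABLE_MAIN, dst)  # the implicit lowest-priority rule
    return f"table main: {hop}" if hop else "unreachable"


def matrix(rules):
    """The matrix cases from the thread, evaluated under one rule set."""
    cases = {
        "PrivateLAN -> InternetHosts": ("192.168.1.10", "198.51.100.7"),
        "PrivateLAN -> OtherIPIPLANs": ("192.168.1.10", "44.1.2.5"),
        "Assigned44LAN -> OtherIPIPLANs": ("44.182.21.1", "44.1.2.5"),
        "Assigned44LAN -> InternetHosts": ("44.182.21.1", "198.51.100.7"),
        "Assigned44LAN -> Assigned44LAN": ("44.182.21.1", "44.182.21.5"),
        "YourGWHost -> BGP-only44Net": ("203.0.113.5", "44.9.9.1"),
    }
    return {name: select_route(s, d, rules) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for label, rules in (("to 44/8 + from rule", RULES_WIKI), ("from rule only", RULES_FROM_ONLY)):
        print(f"== {label} ==")
        for name, result in matrix(rules).items():
            print(f"  {name:32s} {result}")
```

Running it shows the two cases the thread argues over: with the `to 44.0.0.0/8` rule, both "PrivateLAN -> OtherIPIPLANs" and "YourGWHost -> BGP-only44Net" land in table 44 and take the tunnel, while with only the `from` rule they leave via the ISP default in the main table; and under either rule set "Assigned44LAN -> InternetHosts" is carried to the ampr-gw tunnel, which is exactly what Marius objects to and the poster believes is intended. One caveat the model glosses over: for traffic the gateway itself generates from an unbound socket, the kernel's first route lookup has no source address yet, so a `from` rule does not match it and the ISP address gets selected; a `from` rule only steers locally generated traffic if the socket is bound to a 44 address.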