On a somewhat related note: people, please include some filtering in your gateways to drop the packets with an RFC1918 source or destination address (the 192.168 networks etc.) before forwarding them over tunnels. There are several other filters that you can apply, depending on the position of your gateway in the network, including the verification that the source address of packets is within your gatewayed subnet.
I have filters with logging on the tunnel interfaces and it is unbelievable how many 192.168.88.x and 10.x.y.z packets I see being dropped. A little output filtering does not hurt!
Rob
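
The filtering described in the message above, written as an nftables ruleset. This is an added example, not part of the original post or any particular gateway's configuration. It assumes a Linux gateway, a tunnel interface named tun0, and uses the documentation range 192.0.2.0/24 as a placeholder for the gatewayed subnet.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface name and subnet are assumptions; replace both.
define TUN_IF    = "tun0"           # assumed tunnel interface name
define GW_SUBNET = 192.0.2.0/24     # placeholder for your gatewayed subnet

table ip tunnel_egress {
    # The three RFC1918 private ranges.
    set rfc1918 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Private source or destination must never be forwarded over the tunnel.
        oifname $TUN_IF ip saddr @rfc1918 counter log prefix "tun-out rfc1918-src: " drop
        oifname $TUN_IF ip daddr @rfc1918 counter log prefix "tun-out rfc1918-dst: " drop

        # Source verification: only the gatewayed subnet may send into the tunnel.
        # Omit this rule if the gateway also carries transit traffic for other subnets.
        oifname $TUN_IF ip saddr != $GW_SUBNET counter log prefix "tun-out bad-src: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Packets generated on the gateway itself get the same RFC1918 check.
        oifname $TUN_IF ip saddr @rfc1918 counter log prefix "tun-out local-src: " drop
        oifname $TUN_IF ip daddr @rfc1918 counter log prefix "tun-out local-dst: " drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it. Once loaded, `nft list ruleset` shows the per-rule counters, and the log prefixes identify which rule dropped a packet.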