On Tue, Jun 16, 2015 at 11:01 PM, Brian Kantor Brian@ucsd.edu wrote:
There were, in fact, several of case (3) which of course did NOT work.
If in fact the HAMWAN entry is needed, I can ask Chris to undo the restriction and then we'll just have to be extra vigilent about checking new gateway entries. Mistakes will happen and have to be corrected.
The difference is that 44 addresses can be valid gateway destinations as long as that IP doesn't exist in any of the subnets that have IPIP tunnels configured.
There's a good chance that the mistakes others made were specifying a 44-based gateway address that existed within the same subnet they're trying to tunnel. Assuming Chris already has an easy way to do IP math in the portal, then he should still be able to restrict that mistake. If you wanted to be thorough, you could also reject any gateway IP that happens to match the subnet of any tunnel.