The forwarded packets that were supposed to go to my 'inner' server were also routed back to the AMPR GW, which of course did not know anything about my local addresses (192.168...).
However, after adding this line:
ip route add 192.168.19.0/24 dev enp0s6 table 44
everything fell into place and I'm now a happy man.
Unfortunately this is a detail that is soooooo easy to oversee that it frequently happens. But of course it is always educational to encounter this and fix it yourself!
E.g. I recently helped someone with a MikroTik router to setup this kind of policy routing and on that router the direct routes to attached interfaces also only appear in the main routing table and not in those additional ones. There really should be an option to do that automatically, but until then indeed you have to add them manually. The kernel would lookup the route in the main table when it cannot find a route in the additional table, but of course that only works when there is no default route there. And autorouting protocols like BGP won't distribute the route when it is in the wrong table.
Rob
I think there is a solution for this to do it automatically. Let's consider this startup script (tun44 is our tunnel):
#!/bin/sh
# address configured on the tunnel (-w so the inet6 line is not picked up too)
MY_IP=`ip addr list dev tun44 | grep -w inet | awk '{print $2}'`
# local networks ampr-ripd should ignore (no spaces around = in sh)
MY_LOCAL="44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro"
# AMPR routes go to table 44
ip rule add from $MY_IP table 44
ip rule add to 44.0.0.0/8 table 44
# default AMPR reply route is in table 45
ip route add default via 169.228.34.84 dev tun44 table 45 onlink
# mark incoming and route replies via table 45
ip rule add fwmark 45 table 45
iptables -t mangle -A PREROUTING -i tun44 ! -s 44.0.0.0/8 -j CONNMARK --set-mark 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j CONNMARK --restore-mark
# start ampr-ripd
ampr-ripd -s -t 44 -i tun44 -m 90 -a $MY_LOCAL
Here we use 2 tables, table 44 holds all ampr routes, table 45 only the default gateway route for ampr.
- regular outgoing ampr connections go via 44
- regular ampr replies go via 44 because of "ip rule add to 44.0.0.0/8 table 44"
- incoming internet requests on the tunnel get connection marked, replies with that connection mark get route mark 45, go to table 45 where they will be sent back via the ampr-gw
- because there is no default route in 44, if a connection is not found for a specific route in that table, there will be a jump into the main table where the local ones will be resolved as regular routes
The only adaptation needed is the -a parameter to ignore the local networks IF the router is behind NAT (otherwise it will do it automatically).
BGP routed 44net traffic goes normally via the public IP (should be NATed by the regular masquerade rule).
If you want it via ampr-gw just add a route into the main table:
ip route add 44.0.0.0/8 via 169.228.34.84 dev tun44 onlink
I will put this into the EdgeRouter script as the default startup script.
Marius, YO2LOJ
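The routing-policy behaviour the script above relies on, and Rob's caveat about a default route in the extra table, as an added model that is not part of this thread: rules are consulted in order, each selects a table, and a table with no matching route lets the lookup fall through to the next rule. The tunnel address 44.182.20.1, the 44.10.0.0/16 route and the LAN/ISP routes are constructed sample values.

```python
import ipaddress

MY_IP = ipaddress.ip_address("44.182.20.1")   # assumed tun44 address ($MY_IP)
AMPR_GW = "169.228.34.84"                     # AMPR gateway from the script

# Rules in the order the script installs them; "main" is the implicit
# lowest-priority catch-all rule every Linux box has.
RULES = [
    (lambda src, dst, mark: src == MY_IP, 44),
    (lambda src, dst, mark: dst in ipaddress.ip_network("44.0.0.0/8"), 44),
    (lambda src, dst, mark: mark == 45, 45),
    (lambda src, dst, mark: True, "main"),
]

def make_tables(default_in_44=False):
    """Route tables as (prefix, nexthop) lists; constructed sample routes."""
    t44 = [("44.10.0.0/16", "tun44 via 44.10.0.1")]   # as ampr-ripd would add
    if default_in_44:                                  # Rob's broken variant
        t44.append(("0.0.0.0/0", "tun44 via " + AMPR_GW))
    return {
        44: t44,
        45: [("0.0.0.0/0", "tun44 via " + AMPR_GW)],
        "main": [("192.168.19.0/24", "enp0s6"), ("0.0.0.0/0", "isp-gw")],
    }

def lpm(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def route(src, dst, fwmark=0, tables=None):
    """Return (table, nexthop) the policy database would pick."""
    tables = tables or make_tables()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for match, table in RULES:
        if match(src, dst, fwmark):
            hop = lpm(tables[table], dst)
            if hop is not None:        # no route here: fall through to next rule
                return table, hop
    return None, None
```

With the default route left out of table 44, a reply from the tunnel address to 192.168.19.5 falls through to main and leaves on enp0s6; put a default into table 44 and the same packet is pushed down the tunnel, which is exactly the symptom described at the top of the thread.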
On 05.03.2019 21:25, Rob Janssen wrote:
Unfortunately this is a detail that is soooooo easy to oversee that it frequently happens. But of course it is always educational to encounter this and fix it yourself!
E.g. I recently helped someone with a MikroTik router to setup this kind of policy routing and on that router the direct routes to attached interfaces also only appear in the main routing table and not in those additional ones. There really should be an option to do that automatically, but until then indeed you have to add them manually. The kernel would lookup the route in the main table when it cannot find a route in the additional table, but of course that only works when there is no default route there. And autorouting protocols like BGP won't distribute the route when it is in the wrong table.
Rob
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Please delete the MY_LOCAL line if you wish since it is not used, but you can use it in the ampr-ripd startup line as "-a $MY_LOCAL"...
On 06.03.2019 20:47, Marius Petrescu wrote:
I think there is a solution for this to do it automatically. Let's consider this startup script (tun44 is our tunnel):
#!/bin/sh
# address configured on the tunnel (-w so the inet6 line is not picked up too)
MY_IP=`ip addr list dev tun44 | grep -w inet | awk '{print $2}'`
# local networks ampr-ripd should ignore (no spaces around = in sh)
MY_LOCAL="44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro"
# AMPR routes go to table 44
ip rule add from $MY_IP table 44
ip rule add to 44.0.0.0/8 table 44
# default AMPR reply route is in table 45
ip route add default via 169.228.34.84 dev tun44 table 45 onlink
# mark incoming and route replies via table 45
ip rule add fwmark 45 table 45
iptables -t mangle -A PREROUTING -i tun44 ! -s 44.0.0.0/8 -j CONNMARK --set-mark 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j CONNMARK --restore-mark
# start ampr-ripd
ampr-ripd -s -t 44 -i tun44 -m 90 -a $MY_LOCAL
Here we use 2 tables, table 44 holds all ampr routes, table 45 only the default gateway route for ampr.
- regular outgoing ampr connections go via 44
- regular ampr replies go via 44 because of "ip rule add to 44.0.0.0/8 table 44"
- incoming internet requests on the tunnel get connection marked, replies with that connection mark get route mark 45, go to table 45 where they will be sent back via the ampr-gw
- because there is no default route in 44, if a connection is not found for a specific route in that table, there will be a jump into the main table where the local ones will be resolved as regular routes
The only adaptation needed is the -a parameter to ignore the local networks IF the router is behind NAT (otherwise it will do it automatically).
BGP routed 44net traffic goes normally via the public IP (should be NATed by the regular masquerade rule).
If you want it via ampr-gw just add a route into the main table:
ip route add 44.0.0.0/8 via 169.228.34.84 dev tun44 onlink
I will put this into the EdgeRouter script as the default startup script.
Marius, YO2LOJ
On 05.03.2019 21:25, Rob Janssen wrote:
Unfortunately this is a detail that is soooooo easy to oversee that it frequently happens. But of course it is always educational to encounter this and fix it yourself!
E.g. I recently helped someone with a MikroTik router to setup this kind of policy routing and on that router the direct routes to attached interfaces also only appear in the main routing table and not in those additional ones. There really should be an option to do that automatically, but until then indeed you have to add them manually. The kernel would lookup the route in the main table when it cannot find a route in the additional table, but of course that only works when there is no default route there. And autorouting protocols like BGP won't distribute the route when it is in the wrong table.
Rob