Subject: selecting the source address for outgoing connections
To: None <netbsd-users@NetBSD.org>
From: Geert Hendrickx <firstname.lastname@example.org>
Date: 11/30/2006 15:10:00
Content-Type: text/plain; charset=us-ascii
Consider the following setup: two LANs (192.168.1/24 and 192.168.2/24)
VPN-connected via two NetBSD/OpenVPN routers with virtual interfaces on
192.168.1.2 | 192.168.1.3
| | |
| | | LAN A
| | | LAN B
| | |
192.168.2.2 | 192.168.2.3
Traffic between arbitrary nodes on the two LANs works fine, except for traffic
originating from the VPN-routers themselves, with destination in the other LAN.
Traffic from e.g. VPN-router A (192.168.1.1) to host 192.168.2.2 in LAN B has
source address 10.0.0.1, which is unknown to the target host. Traffic can flow
if I add a route for 10.0.0/24 on the target host itself or its default gateway,
but I'd prefer the LAN hosts to be completely unaware of the virtual 10.0.0.x
Can I force both VPN-routers (which are running NetBSD) to use their "internal"
IP (192.168.x.1) as source address for outgoing connections on the "external"
interface (10.0.0.x)?
For IPv4 I am using NAT to accomplish this. The following line in ipnat.conf
does what I want:
> # hide virtual IP over VPN (packets appear to come from 192.168.1.1)
> map tun0 10.0.0.0/24 -> 192.168.1.1
But for IPv6, NAT is not an option (at least not with ipfilter). Is there a
more generic solution? I've found several threads about this in the archive
(also regarding aliases on the same interface) but no concrete solution...
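The behaviour the post describes (the kernel picks the output interface's own address as source, and the ipnat "map" rule then hides it) modelled as an added example; this is not code from the post or from NetBSD, and the LAN interface name "bge0" and the routing table are assumptions built from the setup in the mail.

```python
# Added example (not part of the original post): a small model of the rule the
# poster runs into on VPN-router A. An outgoing packet that is not explicitly
# bound takes the address of the interface chosen by the route lookup, so
# traffic to LAN B leaves tun0 with source 10.0.0.1. The ipnat "map" rule from
# the mail then rewrites that source to 192.168.1.1 before it enters the VPN.
# Interface names, routes and the rule are constructed from the mail's setup.
import ipaddress

# Interface addresses on VPN-router A ("bge0" is an assumed LAN interface name).
IFACES = {
    "bge0": ipaddress.ip_address("192.168.1.1"),   # LAN A side
    "tun0": ipaddress.ip_address("10.0.0.1"),      # OpenVPN virtual interface
}

# Routing table of router A: (prefix, outgoing interface). The longest
# matching prefix wins, as in the kernel's route lookup.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "bge0"),
    (ipaddress.ip_network("192.168.2.0/24"), "tun0"),   # LAN B, reached via VPN
    (ipaddress.ip_network("10.0.0.0/24"), "tun0"),
]

# The ipnat rule quoted in the mail: map tun0 10.0.0.0/24 -> 192.168.1.1
NAT_MAP = [("tun0", ipaddress.ip_network("10.0.0.0/24"),
            ipaddress.ip_address("192.168.1.1"))]


def outgoing_iface(dst: str) -> str:
    """Longest-prefix-match route lookup; returns the output interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def default_source(dst: str) -> str:
    """Source address the kernel picks when the socket is not bound: the
    address of the output interface (10.0.0.1 for anything leaving tun0)."""
    return str(IFACES[outgoing_iface(dst)])


def source_after_nat(dst: str) -> str:
    """Apply the ipnat-style map rule to the source the kernel picked."""
    ifc = outgoing_iface(dst)
    src = IFACES[ifc]
    for rule_ifc, net, new_src in NAT_MAP:
        if rule_ifc == ifc and src in net:   # rule matches interface and source
            return str(new_src)
    return str(src)


if __name__ == "__main__":
    for dst in ("192.168.2.2", "192.168.1.3"):
        print(dst, "->", default_source(dst), "/ after NAT:", source_after_nat(dst))
```

Packets to LAN A leave bge0 and are untouched by the rule; only the tun0 case is rewritten, which is exactly why the LAN B hosts never see 10.0.0.1 for IPv4.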