Subject: Re: Source address control? [was: peculiar ICMP redirects?]
To: None <tech-net@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 03/24/2005 22:55:32

On Thu, Mar 24, 2005 at 07:12:10PM -0500, der Mouse wrote:
> I wrote of problems with routing a /29 carved out of a /23.
> ww@STYX.ORG wrote
> > You might try, since the subnet is so small, putting individual host
> > routes to match the proxy arp entries.
> 
> I've tried this.  It does in fact work.
> 
> But now there's another problem, one which is obvious in retrospect.  I
> know how I would solve it normally, but this is being done on 2.0,
> without all the useful hacks I've added to my 1.4T.
> 
> Here's a recap of the immediately-relevant piece of the network.  This
> is my previous diagram with some pieces suppressed and another host
> added for clarity.
> 
> --------+----------------+-------- 10.10.10.0/23
>    rtk0 | .73            | .20
>     +---+---+        +---+---+
>     |   A   |        |   D   |
>     +-+---+-+        +-------+
>    .1 | tlp0
> ------+--------------+------------ 192.168.1.0/24
>                   .2 | fxp0
>                    +-+---+-+
>                    |   B   |
>                    +---+---+
>                   sip0 | .74
> -----------------------+---------- 10.10.10.72/29

der Mouse,

Maybe I do not understand what you are trying to accomplish, but here
are three suggestions/questions:

1 Is there any reason you do not, say, bridge sip0 and rtk0 to a VLAN
  on the 192.168.1 segment---the VLAN being optional?

2 Set static routes or run routed(8)?  (ISTR you already explained
  why this would not work.)

3 Try 'route add -net 10.10.10/23 192.168.1.1 -ifa 10.10.10.74' ?
  (I do not remember if the -ifa argument is limited to an address on
  the nexthop interface or not.)

Dave

> 
> Now, with the host routes in place on A, packets from D to .74 work.
> Ping works and I can even ssh directly from D to B (though it takes a
> while; DNS on B is a bit broken because of the problem I'm about to
> describe.)
> 
> The next problem is, if B initiates traffic to (say) D, it is
> from-stamped 192.168.1.2.  This won't work right; it needs to be
> from-stamped 10.10.10.74.  If I were on my 1.4T, I'd configure an srt
> interface to route 0/0 out fxp0 to 192.168.1.1, ifconfig the srt to
> 10.10.10.74->10.0.0.1, and point the default route to 10.0.0.1.  (I've
> done this before as a way of getting traffic out an interface
> from-stamped with a different interface's address.)  But this is on
> 2.0.  I'd rather not add srt to 2.0 unless I have to; I'm trying to
> keep this machine as close to stock as feasible.
> 
> What's the right way to make this work under 2.0?  Is there one?
> 
> /~\ The ASCII				der Mouse
> \ / Ribbon Campaign
>  X  Against HTML	       mouse@rodents.montreal.qc.ca
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933