Subject: Re: default route and private networks
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 04/23/2005 11:17:57
On Sat, Apr 23, 2005 at 01:37:39AM -0700, Jonathan Stone wrote:
> 
> In message <20050413171405.GA19330@antioche.lip6.fr>,
> Manuel Bouyer writes:
> 
> >Hi,
> >I have the following setup:
> >                _______________                     _________
> >--- public IP | NetBSD 3.0 box |10.1.1.1----10.1.1.2| Router|Internet-------
> >                ---------------                     ---------
> >
> >That is, the NetBSD box has a public IP, on a public IP network, but it's
> >not the network connecting it to the default router (its default route is
> >10.1.1.2).
> >This works mostly fine, except that for outgoing connections from the NetBSD
> >box, the source address is 10.1.1.1.
> >Is there a way to force it to use the public IP for outgoing connections ?
> >I tried playing with the -ifa modifier to route, without results.
> 
> Hi Manuel,
> 
> I'm not sure this is even workable.
> 
> You want outbound traffic to go out the local 10.1.1.1 interface to
> the box labelled "router", which forwards to the public Internet.
> But what is the return path supposed to be?  Via the ``public IP'' on the
> NetBSD box, or via the box labelled `router'?

Via the box labelled 'router'

> More: is the router
> using the same routable subnet as the ``public IP'', or is it a
> disjoint subnet?

No, 2 disjoint subnets.

> 
> If disjoint, then most ISPs are going to drop your packets due to
> ingress filtering (as far as they can see, your router is
> IP-source-spoofing the ``public IP''). And even if your ISP doesn't do
> ingress filtering, you won't be able to communicate with other
> subscribers to the AS of your ``public IP'': those hosts will try
> to reach your NetBSD host directly via its left interface.

No, the announced route to the subnet where ``public IP'' is goes
via the router (in fact, the router announces a /24 that I later subnetted.
For operational reasons, I want one of these subnets to be behind
a second router, the "NetBSD box" here. Other subnets of this /24 are
directly connected to the router).

> 
> OTOH, if the addresses are on the same subnet -- which amounts to
> saying that the left and right lines of your diagram are joined --
> then I don't see why you would care.  Am I missing something?
> 
> For non-bound sockets, IP is going to pick whatever it thinks is the
> first-listed address of the outbound interface. I'd expect that to be
> the 10.1.1.1 address. But is that your only problem?

Yes, it is. Except for connections going out of the NetBSD box, all is working
fine.

> 
> On your NetBSD machine, try binding a socket to a local address, then
> initiate a connection to a distant host.  Does that work?

Yes. And I can reach the NetBSD machine from outside using its public IP
too.

> How about
> connections to another host on another subnet of the `public IP' of
> the NetBSD box?

This works too.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--
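The source-address behaviour discussed in the thread (an unbound socket gets whatever address the kernel picks for the outbound interface, while a socket bind()ed to a local address before connect() keeps that address) can be observed with the following C program. It is an added example, not code from the thread or from NetBSD. It uses UDP so that connect() assigns the source address without a peer having to listen, and it defaults to loopback addresses so it runs on any host; on the setup above you would pass an Internet destination and the box's public IP as the bind address.

```c
/* Added example (not from the thread or from NetBSD): show the source
 * address the kernel assigns to an unbound socket, and how bind()ing the
 * socket to a local address before connect() overrides that choice.
 * UDP is used so connect() sets the route and source address without a
 * listener on the far end.  The default addresses are loopback so the
 * program runs anywhere; the port 9 (discard) is arbitrary. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect a UDP socket to dst and write the local address the kernel
 * chose into out (at least INET_ADDRSTRLEN bytes).  If bind_addr is
 * non-NULL the socket is bound to that address (ephemeral port) first,
 * so the kernel must use it as the source.  Returns 0 on success, -1 on
 * error (e.g. bind_addr is not configured on any local interface). */
int source_for(const char *bind_addr, const char *dst, char *out, socklen_t outlen)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    if (bind_addr != NULL) {
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_port = 0;                 /* let the kernel pick a port */
        if (inet_pton(AF_INET, bind_addr, &local.sin_addr) != 1 ||
            bind(s, (struct sockaddr *)&local, sizeof local) < 0) {
            close(s);
            return -1;
        }
    }

    struct sockaddr_in remote;
    memset(&remote, 0, sizeof remote);
    remote.sin_family = AF_INET;
    remote.sin_port = htons(9);             /* discard; nothing needs to listen */
    if (inet_pton(AF_INET, dst, &remote.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&remote, sizeof remote) < 0) {
        close(s);
        return -1;
    }

    /* After connect() the socket has a local address: the one we bound,
     * or the one the kernel selected for the route to dst. */
    struct sockaddr_in chosen;
    socklen_t len = sizeof chosen;
    if (getsockname(s, (struct sockaddr *)&chosen, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    return inet_ntop(AF_INET, &chosen.sin_addr, out, outlen) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* usage: ./srcaddr [destination] [address-to-bind] */
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    const char *pub = argc > 2 ? argv[2] : "127.0.0.1";
    char buf[INET_ADDRSTRLEN];

    if (source_for(NULL, dst, buf, sizeof buf) == 0)
        printf("unbound socket to %s: kernel chose source %s\n", dst, buf);
    else
        perror("unbound connect");

    if (source_for(pub, dst, buf, sizeof buf) == 0)
        printf("socket bound to %s: source is %s\n", pub, buf);
    else
        perror("bind/connect");
    return 0;
}
```

Binding only helps the program that does it: it changes nothing for the other, unbound sockets on the box, which is why the question in the thread (a system-wide default source for outgoing connections) is not answered by this technique alone. bind() also fails with EADDRNOTAVAIL unless the address is configured on a local interface, so the public IP must actually be assigned to the NetBSD box.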