Subject: Re: default route and private networks
To: None <tech-net@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/13/2005 19:17:26
> I have the following setup:
>                 _______________                     _________
> --- public IP | NetBSD 3.0 box |10.1.1.1----10.1.1.2| Router|Internet-------
>                 ---------------                     ---------

> That is, the NetBSD box has a public IP, on a public IP network, but
> it's not the network connecting it to the default router (its default
> route is 10.1.1.2).  This works mostly fine, except that for outgoing
> connections from the NetBSD box, the source address is 10.1.1.1.  Is
> there a way to force it to use the public IP for outgoing connections
> ?

When I want to do this, I usually use an srt interface.  This is a
pseudo-interface I wrote which makes routing decisions based on ip_src
addresses - it sends an outgoing packet to one of its configured
sub-interfaces, depending on the packet's ip_src.  By routing 0/0 to
the appropriate place, you can get it to have no effect on where
packets go, but since it's point-to-point, you can give it a local
address that matches your public IP.

For example, my own world-facing gateway has three interfaces:

le0 216.46.5.9/28 (house routable)
qe0 216.46.14.122/30 (external world)
qe1 10.0.1.1/24 (house nonroutable)

With a naïve setup, external connections from this machine would be
from-stamped 216.46.14.122, whereas I'd rather they come from
216.46.5.9.  So I also have

# ifconfig srt0
srt0: flags=11<UP,POINTOPOINT> mtu 1500
	inet 216.46.5.9 --> 10.0.0.255 netmask 0xffffffff
# srtconfig srt0
0: 216.46.5.0 /28 qe0 216.46.14.121
1: 216.46.14.122 /32 qe0 216.46.14.121
# netstat -rn -f inet | egrep default
default            10.0.0.255         UGS         3 17742234   1500  srt0

Traffic initiated by this machine to the world gets from-stamped
216.46.5.9 (because that's the address of this end of the interface the
default route points out), but still goes to the same place (because
srt0 is configured to route everything out qe0, addressed to the other
end of the link - the reason srt0 isn't configured to route 0/0 out is
to get some degree of egress filtering for free).  The only downside is
the slight delay the srt code introduces, and that's wholly ignorable
in view of the benefit I get from it.

Of course, this depends on having an srt interface around.
ftp.rodents.montreal.qc.ca:/mouse/source-tree/patches/working/src/sys/dev/pseudo/
contains the code I'm using, in the if_srt* files.  While it's for a
fairly old kernel version, someone who actually understands the current
device interface paradigms (i.e., not me) could doubtless drop it into a
current kernel with minimal trouble; it's a very simple thing.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
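As an added illustration, not part of the post above and not der Mouse's
if_srt code: a small userland model in C of the decision srt0 makes.  It
loads the two rules from the "srtconfig srt0" listing, matches a packet's
ip_src against them, and reports which sub-interface and next hop the
packet would leave on, or that it is dropped.  Locally originated traffic
is stamped with srt0's own address (216.46.5.9) because the default route
points out srt0, so it lands on rule 0 and exits qe0 toward 216.46.14.121;
a packet with a source that matches no rule, such as a 10/8 address, is
dropped, which is the "egress filtering for free" the post mentions.  The
first-match-in-configured-order policy, the drop-on-no-match behaviour,
the struct layout and every function name here are this example's own
assumptions, not facts about the real srt driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a host-order IPv4 address from its dotted-quad octets. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One srt rule, mirroring an "N: prefix /len iface gateway" line of the
 * srtconfig output in the post.  Struct layout is this example's own. */
struct srt_rule {
    uint32_t    prefix;   /* host byte order */
    int         plen;
    const char *ifname;
    uint32_t    gateway;  /* next hop on ifname, host byte order */
};

/* The two rules from the post's "srtconfig srt0" listing, in order. */
static const struct srt_rule srt0_rules[] = {
    { IP4(216, 46, 5, 0),    28, "qe0", IP4(216, 46, 14, 121) },
    { IP4(216, 46, 14, 122), 32, "qe0", IP4(216, 46, 14, 121) },
};
#define NRULES (sizeof srt0_rules / sizeof srt0_rules[0])

/* Address on srt0's own end of the point-to-point link: what locally
 * originated packets sent via the default route are from-stamped with. */
static const uint32_t srt0_local = IP4(216, 46, 5, 9);

static uint32_t plen_mask(int plen)
{
    /* shifting a 32-bit value by 32 is undefined in C, so handle /0 apart */
    return plen <= 0 ? 0u : (uint32_t)(0xffffffffu << (32 - plen));
}

/* Assumed policy: the first rule (in configured order) whose prefix covers
 * ip_src wins; with no match the packet is dropped.  Returns the rule
 * index, or -1 for "drop". */
int srt_lookup_index(uint32_t src)
{
    size_t i;
    for (i = 0; i < NRULES; i++) {
        uint32_t m = plen_mask(srt0_rules[i].plen);
        if ((src & m) == (srt0_rules[i].prefix & m))
            return (int)i;
    }
    return -1;
}

/* Parse a dotted quad into host order; 1 on success, 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = IP4(a, b, c, d);
    return 1;
}

/* String front end: rule index, -1 for "dropped", -2 for unparsable. */
int srt_decide(const char *src)
{
    uint32_t a;
    if (!parse_ipv4(src, &a))
        return -2;
    return srt_lookup_index(a);
}

static void show(const char *src)
{
    int i = srt_decide(src);
    if (i == -2) {
        printf("%-16s unparsable\n", src);
    } else if (i < 0) {
        printf("%-16s dropped by srt0 (no rule for this ip_src)\n", src);
    } else {
        uint32_t g = srt0_rules[i].gateway;
        printf("%-16s -> %s via %u.%u.%u.%u (rule %d)\n", src,
               srt0_rules[i].ifname, (unsigned)(g >> 24) & 255u,
               (unsigned)(g >> 16) & 255u, (unsigned)(g >> 8) & 255u,
               (unsigned)g & 255u, i);
    }
}

int main(void)
{
    char buf[16];
    uint32_t a = srt0_local;
    /* a locally originated packet carries srt0's own address as ip_src */
    snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)(a >> 24) & 255u,
             (unsigned)(a >> 16) & 255u, (unsigned)(a >> 8) & 255u,
             (unsigned)a & 255u);
    show(buf);             /* rule 0: out qe0, from-stamped 216.46.5.9 */
    show("216.46.14.122"); /* rule 1: the qe0 address still gets out */
    show("216.46.5.16");   /* just outside 216.46.5.0/28: dropped */
    show("10.0.1.5");      /* house nonroutable source: dropped */
    return 0;
}
```

The interesting line is the last one: a 10.0.1.0/24 host that forwarded
through this box without NAT would have its packet dropped at srt0 rather
than leaking a private source address onto the external link, because no
rule covers that prefix.  Adding a "0/0 qe0 216.46.14.121" rule would make
srt0 forward everything, and that protection would be gone.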