Brian J. Murrell wrote:
> On Wed, 2007-02-07 at 20:32 -0800, Tom Eastep wrote:
>> OTOH, I challenge you to give us a good reason for replicating your tun0
>> route in multiple tables rather than simply using the single copy of
>> that route that is automatically added to the main table by OpenVPN.
>
> OK.
>
> 1. I start shorewall (no openvpn yet) and provider specific routing
>    tables are copied from main.
> 2. Now I start openvpn, which adds a route to the main table for
>    the other end of the tunnel:
>    * 10.75.23.0/24 via 10.33.66.2 dev tun0
> 3. Now traffic starts flowing to 10.75.23.1
>    I.   First packet in the connection will use the main routing
>         table and be routed to the remote correctly
>    II.  Remote will send back its reply in that connection and
>         its arrival will mark the packet and connection
>         according to the provider it's received on
>    III. Local will send its second packet to remote but since
>         it's on the connection marked for the provider it will
>         be routed via the provider's table (which does not have
>         the route added in step 2) and it will end up going via
>         the default route rather than the tun0 route.
>
Yup, part III is about right; that is why you need to point to a table (main) that has the route available. That is the whole point of the route_rules file.

> As I understand it and as my debugging has led me to believe. I think
> my supposition is correct because I can fix the above situation by
> adding that route that was added in step 2 to the provider tables.

Now, instead of adding a route to the providers table, add an "ip rule":

    ip rule add to 10.75.23.0/24 pref 9999 lookup main

and retest. That is more or less an entry that could be created with the route_rules file. Working now?

Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
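Added illustration, not part of the thread: a small Python model of the kernel's policy routing lookup (rules walked in ascending pref, longest-prefix match within the selected table, fall-through to the next rule when a table has no matching route). It reproduces Brian's three steps with the provider tables copied from main before OpenVPN added the tun0 route, then shows the effect of Jerry's `ip rule add to 10.75.23.0/24 pref 9999 lookup main`. The table names, the fwmark values, the ISP default routes and the preferences of the fwmark rules are constructed for the example; only the 10.75.23.0/24 route, the tun0 next hop and pref 9999 come from the thread. The `route_rules_line` helper emits the SOURCE/DEST/PROVIDER/PRIORITY columns of Shorewall's route_rules file, as this example understands that format.

```python
import ipaddress

# Constructed routing tables modelling the scenario in the thread.
# Each table is a list of (prefix, next hop description); longest prefix wins.
TABLES = {
    # main: ISP1 default plus the route OpenVPN added (step 2) to main only
    "main": [
        ("0.0.0.0/0", "default via ISP1"),
        ("10.75.23.0/24", "via 10.33.66.2 dev tun0"),
    ],
    # provider tables: copied from main in step 1, before OpenVPN started,
    # so they never received the tun0 route
    "ISP1": [("0.0.0.0/0", "default via ISP1")],
    "ISP2": [("0.0.0.0/0", "default via ISP2")],
}


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def rpdb_lookup(rules, dst, fwmark=0):
    """Walk the rules in ascending pref, like the kernel's RPDB.

    A rule is (pref, selector, table); selector may carry "fwmark" and/or
    "to" (a prefix). A rule whose table yields no route is skipped and the
    walk continues, which is why a provider table holding a default route
    "wins" over main for marked traffic.
    Returns (table, route) or (None, None).
    """
    addr = ipaddress.ip_address(dst)
    for pref, sel, table in sorted(rules, key=lambda r: r[0]):
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        if "to" in sel and addr not in ipaddress.ip_network(sel["to"]):
            continue
        route = lookup_table(table, dst)
        if route is not None:
            return table, route
    return None, None


# Constructed rule set in the shape of a two-provider setup: marked
# connections go to their provider table, everything else falls to main.
# The fwmark rule preferences are assumptions for the example; 32766 is the
# kernel's stock "from all lookup main" rule.
BASE_RULES = [
    (10001, {"fwmark": 1}, "ISP1"),
    (10002, {"fwmark": 2}, "ISP2"),
    (32766, {}, "main"),
]

# Jerry's fix: consult main for the tunnel prefix before any fwmark rule.
FIXED_RULES = BASE_RULES + [(9999, {"to": "10.75.23.0/24"}, "main")]


def route_rules_line(dest, provider, priority, source="-"):
    """Equivalent Shorewall route_rules entry (SOURCE DEST PROVIDER PRIORITY)."""
    return f"{source}\t{dest}\t{provider}\t{priority}"


def scenario(rules):
    """Brian's steps 3.I and 3.III for a given rule set."""
    first_packet = rpdb_lookup(rules, "10.75.23.1", fwmark=0)   # unmarked
    second_packet = rpdb_lookup(rules, "10.75.23.1", fwmark=1)  # marked for ISP1 by the reply
    return first_packet, second_packet


if __name__ == "__main__":
    for name, rules in (("before", BASE_RULES), ("after ip rule", FIXED_RULES)):
        first, second = scenario(rules)
        print(f"{name}: first packet -> {first}, second (marked) packet -> {second}")
    print(route_rules_line("10.75.23.0/24", "main", 9999))
```

Running it shows the unmarked first packet leaving via tun0 in both cases, the marked second packet taking ISP1's default route with the base rules, and both packets using the tun0 route once the pref 9999 rule is present.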
