[ale] Routing Questions
Byron A Jeff
byron at cc.gatech.edu
Sat Dec 1 00:24:06 EST 2001
>
> So, see if I understand this right.
>
> Because I have chosen to use private IP's on each end, those packets by
> definition are not routable.
Right. At some point a router will drop them on the floor.
> If they were public then it should have worked?
Correct. That's normal Internet routing. Internet routers would flow packets
to the router that the public network is connected to.
>
> I wanted to get basic routing done then move to tunnel and encryption. I
> guess I'll skip the test of pinging machines on both sides and begin
> working directly on a tunnel.
You have basic routing if your two routers can ping one another and your
internal nets have connectivity.
>
> Technically why can I not tell the kernel to send all packets for 192.168.2.0
> to skylab and tell skylab the reverse to send back to Mir? Is it a
> technical limitation or the fact the IPs are private?
Technical limitation. See, the router address usually isn't encoded in an IP
packet, only the source and destination addresses. So each router along the
way makes an independent decision of how to route each packet. So the gateway
that's specified in the route command must in fact be directly connected
to the source. There can be no intervening routers.
Think about it this way. Routers are designed to connect your local network
to another network. Specifying a remote router doesn't work because there's
no default mechanism to specify a route to the router. It's expected to be
directly connected.
Note that there is a mechanism for doing what you request. It's called source
routing. In this case the route is actually embedded into the IP packet.
However, since it's a security hole big enough to drive the Space Shuttle
through, most routers and hosts will drop such packets like a hot potato.
Essentially it lets someone spoof the network they are trying to get into.
It's bad news.
Hope this helps,
BAJ
>
> Thanks,
> Chris Fowler
>
> -----Original Message-----
> From: Byron A Jeff [mailto:byron at cc.gatech.edu]
> Sent: Friday, November 30, 2001 6:05 PM
> To: cfowler at outpostsentinel.com
> Subject: Re: [ale] Routing Questions
>
>
> >
> > I have 2 networks now. One in Buford and One in Alpharetta.
> >
> > Alpharetta: 192.168.2.0
> > Buford: 192.168.1.0
> >
> > Both networks are connected to the internet using telocity. I want to be
> > able to route packets between both of the private nets. Is this possible
> > since these
> > are 192.168.*.
>
> Not directly.
>
> > [Table deleted for brevity]
> >
> > When I issue this command in Alpharetta:
> > [root at skylab /etc]# route add -net 192.168.1.0 netmask 255.255.255.0 gw 64.129.131.124 eth1
> > SIOCADDRT: Network is unreachable
> >
> > Buford:
> > [root at mir /etc]# /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw skylab metric 1 eth1
> > SIOCADDRT: Network is unreachable
>
> You'll need to tunnel packets between your two gateways. You first set up a
> pipe between your two gateways (and ssh one for example). Then setup a PPP
> session between them using the ssh pipe. Then direct your packets for the
> opposite network to the ppp interface.
>
> This is a simplistic mechanism for building a VPN, which is essentially what
> you need in this instance.
>
> A 5 second perusal of linuxdocs.org pointed me to the Firewall-Piercing Howto.
> This applies because the naming of your networks with private IP's essentially
> firewalls them.
>
> Anyway read the HOWTO's in this section:
>
> http://www.linuxdocs.org/HOWTOs/HOWTO-INDEX/networking.html#NETVPN
>
> and they will guide you into building a tunnel between your networks.
>
> BAJ
>
>
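The following is an added example, not part of the thread above and not code from either poster. It is a small Python model of the two rules Byron describes: a `route add` with a gateway is only accepted when that gateway sits on a network the host is directly connected to (otherwise the kernel answers `SIOCADDRT: Network is unreachable`), and once a point-to-point tunnel interface exists, its peer is on-link, so a route for the far private network via that peer is accepted. The 192.168.x.0 networks and the gateway 64.129.131.124 come from the thread; skylab's own public address (198.51.100.10/24, a documentation range), the LAN address 192.168.2.1 and the tunnel addresses 10.9.8.1/30 and 10.9.8.2 are constructed for the example and are assumptions, not values from the thread. Nothing here touches a real routing table; it only reproduces the kernel's acceptance check and a longest-prefix lookup.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


class RouteError(Exception):
    """Mirrors the kernel refusing a route: SIOCADDRT: Network is unreachable."""


class RoutingTable:
    """Toy host routing table: connected (on-link) routes plus gateway routes."""

    def __init__(self) -> None:
        # Each entry: (destination network, gateway or None when on-link, interface)
        self.routes: List[Route] = []

    def add_connected(self, iface: str, address_with_prefix: str) -> None:
        """Configuring an address on an interface yields an on-link route with no gateway."""
        net = ipaddress.ip_interface(address_with_prefix).network
        self.routes.append((net, None, iface))

    def on_link(self, addr: str) -> Optional[str]:
        """Interface through which addr is directly reachable, or None if it is not."""
        ip = ipaddress.ip_address(addr)
        for net, gw, iface in self.routes:
            if gw is None and ip in net:
                return iface
        return None

    def add_via_gateway(self, destination: str, gateway: str) -> str:
        """The kernel's rule: the gateway itself must be reachable without another router."""
        net = ipaddress.ip_network(destination, strict=False)
        iface = self.on_link(gateway)
        if iface is None:
            raise RouteError(
                f"SIOCADDRT: Network is unreachable (gateway {gateway} is not on a connected network)"
            )
        self.routes.append((net, ipaddress.ip_address(gateway), iface))
        return iface

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match; returns (next hop, interface). On-link: next hop is dst itself."""
        ip = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, gw, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            return None
        net, gw, iface = best
        return (str(gw) if gw is not None else str(ip), iface)


def skylab_without_tunnel() -> str:
    """The failing command from the thread: gateway 64.129.131.124 is not on-link for skylab."""
    rt = RoutingTable()
    rt.add_connected("eth0", "192.168.2.1/24")      # constructed Alpharetta LAN address
    rt.add_connected("eth1", "198.51.100.10/24")    # constructed public address (assumption)
    try:
        rt.add_via_gateway("192.168.1.0/24", "64.129.131.124")
    except RouteError as exc:
        return str(exc)
    return "route accepted"


def skylab_with_tunnel() -> Tuple[str, Optional[Tuple[str, str]]]:
    """Same host after a PPP-over-ssh tunnel: the peer is on-link, so the route is accepted."""
    rt = RoutingTable()
    rt.add_connected("eth0", "192.168.2.1/24")
    rt.add_connected("eth1", "198.51.100.10/24")
    rt.add_connected("ppp0", "10.9.8.1/30")          # constructed tunnel endpoint (assumption)
    iface = rt.add_via_gateway("192.168.1.0/24", "10.9.8.2")   # peer end of the tunnel
    return iface, rt.lookup("192.168.1.50")          # a Buford host behind mir


if __name__ == "__main__":
    print(skylab_without_tunnel())
    print(skylab_with_tunnel())
```

Running it prints the `Network is unreachable` message for the first scenario and `('ppp0', ('10.9.8.2', 'ppp0'))` for the second: once the tunnel exists, traffic for 192.168.1.0/24 is handed to the tunnel peer, which is exactly the "direct your packets for the opposite network to the ppp interface" step in the thread. The model deliberately has no notion of a route to the gateway through another router, which is the limitation Byron is pointing out; the only protocol feature that would let a sender name intermediate routers is source routing, and the thread's advice to leave it dropped stands.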
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.