[Gllug] Right way to route some traffic to a VPN connection

Russell Howe rhowe at siksai.co.uk
Thu May 19 11:28:21 UTC 2005


On Thu, May 19, 2005 at 11:38:13AM +0100, John Winters wrote:
> I have a LAN which has a permanent connection to the 'net, plus a VPN
> connection to another LAN.  IP addresses on the local LAN are allocated
> by DHCP.  What is the correct way to tell the machines on the LAN to use
> one machine as their default gateway and another (the one which handles
> the VPN connection) for packets for one particular range of IP
> addresses?
> 
> Method 1 - include information for both in the DHCP server (and if so,
> how?)

option static-routes ip-address ip-address [, ip-address ip-address...  ];

This option specifies a list of static routes that the client should
install in its routing cache. If multiple routes to the same destination
are specified, they are listed in descending order of priority.

I'd avoid using this though - IMHO, there should be a distinction
between network devices and network-using devices whereby the latter
only need to know minimal (or even no) information about the layout of
the network, and nothing beyond their local corner, i.e. all
network-using devices are configured with an IP address, netmask and
default route, and network functions are handled by dedicated devices
(deciding where to send a packet to next is a network function).

> Method 2 - just set up the default route by DHCP, then have the default
> gateway issue redirects to client boxes as the need arises.  (and if so,
> does the gateway need any particular setting up?)

I'd KISS for the clients and take this option. The only reason to
consider doing otherwise is if the box acting as default gateway can't
handle the extra traffic. Since it's a VPN connection, I assume
bandwidth is rather limited and this box can cope.

You could add static routes to all the clients instead although I think
I'd have a hard time explaining why I have static routes yet configure
IP addressing via DHCP :) Routing would be more efficient, but
efficiency (and in this case we're really probably talking latency) tends
to be fairly irrelevant when you're talking about VPN links.

You could also get all hosts on the network to use something like RIP or
OSPF, but that's almost certainly a bad idea and is asking for
instability and random problems.

Also, the gateway box will probably start sending out ICMP redirects to
say to hosts "OK, you gave me a packet which I'm going to forward on, but
the address I'm going to forward it to is on the same network as you are,
so you might consider passing packets for this destination straight onto
that machine".

I don't know if many IP stacks actually take notice of that message,
though - it's certainly not the kind of message you want coming in from
the Internet, for example (unless you're multihomed, and even then I'd
probably reject them).

The only thing against routing everything via the default gateway is
that it then becomes a SPOF. If you had static routes on all your
machines and the default gateway were to fail then your hosts would
still be able to access the VPN (let's assume the VPN gateway has its
own internet link which doesn't go through the default gateway).

Of course, your default gateway is unlikely to fail because you have two
of them running something like CARP or VRRP between them, so that one is
always ready to take over should the other go up in a cloud of smoke,
right? :)

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
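As an added example (not part of the thread or the ISC dhcpd project), here is the on-the-wire encoding behind Method 1. The `option static-routes` quoted above is DHCP option 33 from RFC 2132, which carries only (destination, router) address pairs and no netmask, so it cannot express "one particular range of IP addresses" as a prefix; RFC 3442's classless static route option 121 can. The code encodes both formats and decodes option 121 so the result can be checked; the addresses (10.0.0.0/8 behind a VPN gateway at 192.168.1.2, default via 192.168.1.1) are constructed sample values, not from the thread.

```python
"""Encode and decode DHCP static-route options (added example, not from the thread).

Option 33 (RFC 2132 "Static Route"): pairs of destination host address and router.
Option 121 (RFC 3442 "Classless Static Route"): prefix length, the significant
octets of the destination, then the router; a /0 entry is a default route.
"""
import ipaddress

OPTION_STATIC_ROUTES = 33           # classful pairs, what `option static-routes` emits
OPTION_CLASSLESS_STATIC_ROUTE = 121 # RFC 3442, carries a prefix length per route


def _wrap(code, body):
    """Prefix a DHCP option body with its code and one-byte length."""
    if len(body) > 255:
        raise ValueError("option body exceeds 255 bytes; would need concatenation")
    return bytes([code, len(body)]) + body


def encode_option33(routes):
    """routes: iterable of (destination_host, router) dotted-quad strings.
    No netmask is carried, so each entry names a single destination host."""
    body = b""
    for dest, router in routes:
        body += ipaddress.IPv4Address(dest).packed + ipaddress.IPv4Address(router).packed
    return _wrap(OPTION_STATIC_ROUTES, body)


def encode_option121(routes):
    """routes: iterable of (cidr, router) strings, e.g. ("10.0.0.0/8", "192.168.1.2").
    Only ceil(prefixlen / 8) octets of the destination are sent."""
    body = b""
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)            # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        body += (bytes([net.prefixlen])
                 + net.network_address.packed[:significant]
                 + ipaddress.IPv4Address(router).packed)
    return _wrap(OPTION_CLASSLESS_STATIC_ROUTE, body)


def decode_option121(data):
    """Parse a complete option 121 TLV back into [(cidr, router), ...].
    Raises ValueError on a wrong code, bad length, prefix > 32 or truncation."""
    if len(data) < 2 or data[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not an option 121 TLV")
    body = data[2:]
    if data[1] != len(body):
        raise ValueError("length byte does not match body")
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        significant = (plen + 7) // 8
        dest = body[i:i + significant]
        i += significant
        router = body[i:i + 4]
        i += 4
        if len(dest) != significant or len(router) != 4:
            raise ValueError("truncated route entry")
        dest_addr = ipaddress.IPv4Address(dest + b"\x00" * (4 - significant))
        net = ipaddress.IPv4Network((dest_addr, plen))   # strict: rejects stray host bits
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def has_default_route(routes):
    """RFC 3442 says a client that receives option 121 with a 0.0.0.0/0 entry
    must ignore the Router option (3); callers can use this to decide."""
    return any(cidr == "0.0.0.0/0" for cidr, _ in routes)


if __name__ == "__main__":
    # Constructed sample: a /8 behind the VPN gateway plus the normal default route.
    sample = [("10.0.0.0/8", "192.168.1.2"), ("0.0.0.0/0", "192.168.1.1")]
    tlv = encode_option121(sample)
    print("option 121:", tlv.hex())
    print("decoded   :", decode_option121(tlv))
    print("option 33 :", encode_option33([("10.1.2.3", "192.168.1.2")]).hex())
```

Because option 33 has no prefix field, a server configured with `option static-routes` can only push host routes; the prefix route the question asks for needs option 121, which current ISC dhcpd and most clients understand but which has to be declared in dhcpd.conf before use. The decoder's strict checks matter on the client side: option data arrives from whoever answers the DHCP broadcast, so a malformed or hostile option should be rejected rather than partially installed.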