|
|
|||||||
| OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
 |
|
|
Thread Tools | Display Modes |
25th September 2008
|
|||
|
|||
Routing between site-to-site tunnels
I set up a few site-to-site tunnels between a main office and two branches using the instructions at OpenBSDsupport. It was relatively easy with hosts in the main office able to ping hosts in either branch. Hosts in either branch office can ping hosts in the main office.
The problem comes into play where hosts in one branch office wants to ping a host in the other branch office. Right now, the tunnels are from branch office to main office, but not between the branches (this is what I prefer). I updated pf.conf at the main office site, but I don't think this is the problem. If I do a traceroute from one branch to the other, it's going out directly through the Internet, not through the tunnel. I tried adding a route, but I'm only guessing at the syntax. The branch office subnets are 192.168.201.0/24 and 192.168.202.0/24, so I tried something like: sudo route add -encap 192.168.201.0/24 -interface enc0 or variations on this theme. Can anyone point me in the right direction? As a last resort, I can always set up a tunnel between the branches, but I'd rather route everything through the main office for now, even though that's a single point of failure. 
|
|
25th September 2008
|
||||
|
||||
|
It looks to me like you'd have to set your main office server to be the gateway for the LAN on the other side, so 201 should route traffic destined for 202 to the main office, and 202 should route traffic destined for 201 to the main office. The main office server knows where both networks are, so it is capable of routing traffic between them (assuming IP forwarding is on already).
In pseudo code: 201: route add 202/24 main-office-ip 202: route add 201/24 main-office-ip P.S.: the main office server knows where both networks are, your local NIC does not. Therefore that traffic just gets routed via the default gateway, which is its internet connection. Last edited by DutchDaemon; 25th September 2008 at 11:45 PM.
|
|
25th September 2008
|
|||
|
|||
|
So if my main office gateway had two interfaces with its internal IP being 10.1.1.254 (this is a /24 as well), do I:
(on branch 1 gateway) sudo route add -net 192.168.202.0/24 10.1.1.254 (on branch 2 gateway) sudo route add -net 192.168.201.0/24 10.1.1.254 I'm not sure if this works, so perhaps my syntax is off.
|
|
26th September 2008
|
|||
|
|||
|
Quote:
|
|
26th September 2008
|
|||
|
|||
|
I've been through the man page already, although I seem to be missing something (or more likely, I'm just not "getting" something).
|
|
26th September 2008
|
||||
|
||||
|
You can only use a gateway when it's on a directly connected network (i.e. a network that your NIC knows about). I'm assuming your main office server has an IP address on both the 201 and the 202 LANs?
|
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| connect to an other site using ipsec-nat | wesley | OpenBSD Security | 30 | 23rd September 2009 09:41 AM |
| Posting to O'Reilly site | Fritz_Katz | Feedback and Suggestions | 1 | 22nd July 2008 11:03 PM |
| Getting mentioned on the FreeBSD site | scottro | Feedback and Suggestions | 6 | 1st June 2008 10:11 PM |
| Bare Minimum Site-to-Site VPN on OpenBSD | ai-danno | Guides | 0 | 20th May 2008 12:45 AM |
| Transferring away from the other site... | s2scott | Feedback and Suggestions | 2 | 5th May 2008 09:47 AM |
Linear Mode
