Next Previous Contents

6. Routing

Piercing the firewall is not everything. You must also route the packets from this side of the firewall to the other. This section tackles the basic settings specific about routing accross a tunnel. For more detailed explanations of routing, see the relevant HOWTOs and man pages about networking, routing and masquerading.

6.1 The catch

The main point is that although your network administration would tell you to setup your local router as the default route, you might want to have it but a specific route to the networks within your side or the firewall, whereas the other end of your PPP link should be the router for the networks on the other side. Your default route should point to a router on whichever side gives you access to the Internet. Most importantly, all machines involved in routing packets to the other end of the tunnel should be routed through your usual network (i.e. ethernet), for your kernel will have problems if it tries to route through the tunnel the packets to the remote host that precisely serves as end-point for the tunnel.

So you'll have to setup proper routes in your network startup configuration like /etc/init.d/network or /etc/network/, as well as your PPP startup configuration in /etc/ppp/ip-up or /etc/ppp/ip-up.d/ or wherever your distribution puts them. To identify your distribution-specific file locations, RTFM the docs of your distribution, use grep recursively on your /etc, and if all else fails, trace the boot behaviour of your computer from /sbin/init.

Also, when piercing a tunnel from a roaming laptop on the Internet into a protected network, I used to use from within my ip-up the script (available from the fwprc distribution) that gives me the current route for the host on the other end of the tunnel.

Once you can route packets to the other side of the tunnel, you might want to setup your machine as a router for all your pals on your site of the firewall, achieving a full-fledged shared VPN. This is not specific to Firewall-Piercing, so just you read the relevant HOWTOs about networking, routing and masquerading. Also, for security reasons, be sure to also setup a proper firewall on your machine, especially if you're going to be a router for other people.

Finally, be reminded that if you're using pppd on the other end of the tunnel (as opposed to user-mode slirp), you will have to configure proper routes and firewall rules on the other side of the tunnel, too.

6.2 Example of routing

Let's consider an example. In your case, of course, you'll have to adapt the IP numbers, and insert the commands in the right place, which depends on your distribution.

For instance, imagine your machine is on the ethernet eth0 with IP address is on network, router Your network administrator will have told you to use as default router. But you shouldn't, as you should only use it to route on your side of the firewall. Imagine you have networks and and host accessible through your router on your side of the firewall. Then you'll add these routes to your startup script:

route add -net netmask gw
route add -net netmask gw
route add -host gw
You must also keep the route to the local network, necessary for linux kernel 2.0 and earlier, but implicitly added by ifconfig on 2.2 and later:
route add -net netmask dev eth0
On the other hand, you must remove any default route from your scripts:
route add default gw
If the default route has already been set, you can remove it as is:
route del default gw
Then you can have pppd setup a default route automatically when it starts by using its defaultroute option. Or you can add it after the fact with:
route add default gw
If you don't want pppd as a default route, because the Internet is on your side of the firewall, and instead want network to be routed through the tunnel, except from host that serves as the other end of the tunnel, then have this executed from your /etc/ppp/ip-up:
route add -host gw
route add -net netmask gw
If you're a laptop and your current LAN moves, and yet you want to keep your current route to, whatever it be, then use as follows to automatically find the right gateway in the route add -host command:
Note that if you have them in your /etc/hosts, you might use symbolic names instead of numerical IP addresses (and you might even use FQDN's, if you trust the DNS never to fail).
Next Previous Contents