[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Routed behind Actiontec Verizon FIOS?

  • Subject: Re: [Openvpn-users] Routed behind Actiontec Verizon FIOS?
  • From: Stefan Bethke <stb@xxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 12:24:09 +0100

Am 09.02.2008 um 20:47 schrieb Cory Crooks:

> Anyone had luck with a routed setup sitting behind an Actiontec  
> router (the one's Verizon FIOS uses)?
> My internal LAN is on, my VPN is using, I  
> added a routing rule to the router to send all (netmask  
> traffic to (the machine running OpenVPN),  
> but it doesn't seem to fully work.
> If I connect to the VPN with a machine (and get address, I  
> can then ping from any of the LAN machines (on  
>, but if I try to ping from to any of the LAN  
> machines, it fails.
> I did a couple tcpdump trials and it really looks like the ping  
> requests is getting to the pinged machine (say, but the  
> ack for the ping is then not funneling back through the VPN machine,  
> so for some reason it seems the acks aren't routing correctly, but  
> if a request a ping it is.
> If I add a specific route to one of the machines on the LAN (like  
> using "route add -net NETMASK GW  
>" (or whatever the correct incantation is), then if I  
> ping that machine from the acks come through. I guess this  
> is the workaround I will use if necessary, but I'd rather have it  
> just work.

Setting a seperate route on each machine on the LAN is how it's  
supposed to be done.

By only setting the route on the machine that is the default gateway  
for everyone else (the FiOS router), you're relying on that machine  
and your LAN machines to generate and process ICMP redirects properly,  
and/or your router to properly forward packets out the same interface  
they came in on. I've found that this does not work reliably,  
depending on the exact OS versions and various circumstances.

You could switch to a bridged layout, so that routing is not  
necessary, or you could make your OpenVPN router sit between the FiOS  
router and everything else, so that all the machines on the LAN use  
the OpenVPN router as a default gateway, and that will forward any  
traffic not destined for the VPN on to the FiOS router.


Stefan Bethke <stb@xxxxxxxxxx>   Fon +49 170 346 0140

Openvpn-users mailing list