Re: [Openvpn-users] Routed behind Actiontec Verizon FIOS?


  • Subject: Re: [Openvpn-users] Routed behind Actiontec Verizon FIOS?
  • From: Stefan Bethke <stb@xxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 12:24:09 +0100

On 09.02.2008 at 20:47, Cory Crooks wrote:

> Anyone had luck with a routed setup sitting behind an Actiontec  
> router (the ones Verizon FIOS uses)?
>
> My internal LAN is on 10.74.65.0/24, my VPN is using 10.8.0.0/24, I  
> added a routing rule to the router to send all 10.8.0.0 (netmask  
> 255.255.255.0) traffic to 10.74.65.13 (the machine running OpenVPN),  
> but it doesn't seem to fully work.
>
> If I connect to the VPN with a machine (and get address 10.8.0.6), I  
> can then ping 10.8.0.6 from any of the LAN machines (on  
> 10.74.65.0/24), but if I try to ping from 10.8.0.6 to any of the LAN  
> machines, it fails.
>
> I did a couple tcpdump trials and it really looks like the ping  
> request is getting to the pinged machine (say 10.64.75.11), but the  
> ack for the ping is then not funneling back through the VPN machine,  
> so for some reason it seems the acks aren't routing correctly, but  
> if I request a ping it is.
>
> If I add a specific route to one of the machines on the LAN (like  
> 10.64.75.11) using "route add -net 10.8.0.0 NETMASK 255.255.255.0 GW  
> 10.74.65.13" (or whatever the correct incantation is), then if I  
> ping that machine from 10.8.0.6 the acks come through. I guess this  
> is the workaround I will use if necessary, but I'd rather have it  
> just work.

Setting a separate route on each machine on the LAN is how it's  
supposed to be done.

By only setting the route on the machine that is the default gateway  
for everyone else (the FiOS router), you're relying on that machine  
and your LAN machines to generate and process ICMP redirects properly,  
and/or your router to properly forward packets out the same interface  
they came in on. I've found that this does not work reliably,  
depending on the exact OS versions and various circumstances.

You could switch to a bridged layout, so that routing is not  
necessary, or you could make your OpenVPN router sit between the FiOS  
router and everything else, so that all the machines on the LAN use  
the OpenVPN router as a default gateway, and that will forward any  
traffic not destined for the VPN on to the FiOS router.


HTH,
Stefan

-- 
Stefan Bethke <stb@xxxxxxxxxx>   Fon +49 170 346 0140
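
Added example (not part of Stefan's message or of OpenVPN itself): a small longest-prefix-match model of the three layouts discussed in this thread, showing which next hop a LAN host picks for its reply to 10.8.0.6 and when that reply has to be turned around on the FiOS router's LAN interface. The router address 10.74.65.1 and the upstream gateway 192.0.2.1 are assumptions; the other addresses come from the thread.

```python
import ipaddress

LAN = ipaddress.ip_network("10.74.65.0/24")    # from the thread
VPN = ipaddress.ip_network("10.8.0.0/24")      # from the thread
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
OPENVPN_BOX = "10.74.65.13"                    # from the thread
FIOS_ROUTER = "10.74.65.1"                     # assumption: not given in the thread
UPSTREAM = "192.0.2.1"                         # assumption: constructed WAN gateway

# Routing tables as (destination network, gateway); gateway None means on-link.
ROUTER_TABLE = [(LAN, None), (VPN, OPENVPN_BOX), (DEFAULT, UPSTREAM)]
HOST_ROUTER_ONLY = [(LAN, None), (DEFAULT, FIOS_ROUTER)]   # route set on the router only
HOST_STATIC = HOST_ROUTER_ONLY + [(VPN, OPENVPN_BOX)]      # per-host static route
HOST_VPN_GW = [(LAN, None), (DEFAULT, OPENVPN_BOX)]        # OpenVPN box as default gateway


def next_hop(table, dst):
    """Longest-prefix match: return the gateway for dst, or None if on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(host_table, dst):
    """Return (hops, hairpin) for a LAN host's reply packet to dst.

    hairpin is True when the FiOS router must send the packet back out the
    LAN interface it arrived on, i.e. delivery depends on same-interface
    forwarding or on ICMP redirects being generated and honoured.
    """
    hop = next_hop(host_table, dst)
    if hop != FIOS_ROUTER:
        return [hop], False
    second = next_hop(ROUTER_TABLE, dst)
    hairpin = second is not None and ipaddress.ip_address(second) in LAN
    return [hop, second], hairpin


if __name__ == "__main__":
    layouts = {"router-only route": HOST_ROUTER_ONLY,
               "per-host static route": HOST_STATIC,
               "OpenVPN box as default gateway": HOST_VPN_GW}
    for name, table in layouts.items():
        hops, hairpin = reply_path(table, "10.8.0.6")
        print(f"{name}: {' -> '.join(hops)} (hairpin on router: {hairpin})")
```
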

