[plug] Routing with nonat - ssh tunnel and port forwarding

Daniel Pittman daniel at rimspace.net
Thu Mar 19 08:18:07 WST 2009

Carl Gherardi <carl.gherardi at gmail.com> writes:

> I need to get traffic from a network ip to another WAN ip
> address _as the same ip address_ - ie no nat
> The boxes exist in different states, and a piece of hardware between
> us is currently dropping traffic into the bit bucket.
> I need to establish a tunnel of some sort that hops the broken link.

OK.  Um, establish a tunnel then.  Flippant as that sounds, your
analysis is correct[1], and that is exactly the solution.

Respectfully to William, while using a VPN for this would probably work
it seems overkill to me unless you actually /need/ the privacy it
assures you of, or you already have one in place.

For simply tunnelling the IP traffic across the network you can create a
tunnel trivially, with either IP-in-IP or GRE, on Linux, without a

IP-in-IP is relatively Linux specific, but easy:

    ip tunnel add example1 mode ipip remote <REMOTE_IP> local <LOCAL_IP> \
        ttl 64 dev eth0

GRE is not Linux specific, so you can terminate it at any host that
supports a GRE tunnel.  The same is true of IPIP tunnels, but fewer
things support them.  Anyway:

    ip tunnel add example2 mode gre remote <REMOTE_IP> local <LOCAL_IP> \
        ttl 64 dev eth0

GRE also supports multiple tunnels with the same host, through the key,
csum and seq features, about which you can learn if you want.

IPIP tunnels only carry IPv4, GRE carries anything.

Oh.  Once you have the tunnel established the normal routing applies, so
you need to add a route to those connections, obviously, in addition to
establishing the basic tunnel.

Season to taste, and don't forget that any tunnel imposes a limit on the
MTU over that path, so you are going to have to ensure that you don't
drop packets due to that — ensure that you send appropriate ICMP errors,
and that PMTU discovery is enabled on your application servers, or
manually configure their MTU.
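As an added example (not part of Daniel's post), a small POSIX shell script that works out the inner MTU left over after IPIP or GRE encapsulation (outer IPv4 header plus the GRE header and its optional key/csum/seq fields) and prints the ip(8) commands for one end of the tunnel, including the route and the MTU setting discussed above. The addresses, the remote network and eth0 as the outer device are placeholders supplied by the caller; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder-driven: the caller
# supplies addresses and networks; eth0 as the outer device is assumed.

# encap_overhead MODE [key] [csum] [seq]: bytes added to every packet.
# 20 for the outer IPv4 header; GRE adds its 4-byte header plus 4 bytes
# for each optional field (key, checksum, sequence number) that is enabled.
encap_overhead() {
    mode=$1; shift
    overhead=20
    if [ "$mode" = gre ]; then
        overhead=$((overhead + 4))
        for opt in "$@"; do
            case $opt in
                key|csum|seq) overhead=$((overhead + 4)) ;;
                *) echo "unknown GRE option: $opt" >&2; return 1 ;;
            esac
        done
    elif [ "$mode" != ipip ]; then
        echo "unknown tunnel mode: $mode" >&2; return 1
    fi
    echo "$overhead"
}

# tunnel_mtu MODE OUTER_MTU [gre options...]: the largest inner packet that
# still fits in one outer packet, i.e. the MTU to set on the tunnel device.
tunnel_mtu() {
    mode=$1; outer=$2; shift 2
    ovh=$(encap_overhead "$mode" "$@") || return 1
    echo $((outer - ovh))
}

# tunnel_commands NAME MODE LOCAL_IP REMOTE_IP REMOTE_NET OUTER_MTU [key N]
# Prints, rather than runs, the commands for one end of the tunnel; the
# other end gets the mirror image (local/remote and the network swapped).
tunnel_commands() {
    name=$1; mode=$2; local_ip=$3; remote_ip=$4; net=$5; outer=$6; shift 6
    keyarg=""; opts=""
    if [ "${1:-}" = key ]; then keyarg=" key $2"; opts="key"; fi
    mtu=$(tunnel_mtu "$mode" "$outer" $opts) || return 1
    printf 'ip tunnel add %s mode %s remote %s local %s ttl 64 dev eth0%s\n' \
        "$name" "$mode" "$remote_ip" "$local_ip" "$keyarg"
    # Set the tunnel MTU explicitly so the device advertises what really
    # fits; PMTU discovery (or a manual MTU) on the end hosts does the rest.
    printf 'ip link set %s mtu %s up\n' "$name" "$mtu"
    printf 'ip route add %s dev %s\n' "$net" "$name"
}
```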


[1]  ...well, personally I would make the life of whoever owned the
     faulty device in the middle hell until they fixed their problem, so
     that I didn't have to work around it, since it saves work in the
     long run, but if you can't do that then you are correct... ;)
