[plug] Routing with nonat - ssh tunnel and port forwarding

Carl Gherardi carl.gherardi at gmail.com
Thu Mar 19 10:23:59 WST 2009


On Thu, Mar 19, 2009 at 9:51 AM, Daniel Pittman <daniel at rimspace.net> wrote:
> Carl Gherardi <carl.gherardi at gmail.com> writes:
>
>>> For simply tunnelling the IP traffic across the network you can
>>> create a tunnel trivially, with either IP-in-IP or GRE, on Linux,
>>> without a problem.
>
> [...]
>
>> Thanks for this. I found ssh -w last night and that seemed
>> appropriate.
>
> Woah!  No, it isn't, in almost any circumstances.  That passes your
> traffic over the ssh link, which is a reliable TCP connection.
>
> You absolutely do *NOT* want to run a reliable protocol, including TCP
> or UDP-with-retries, over a TCP link, because you *will* end up with
> problems.

Hmm - I'll have to review this. Appreciate your comments.

> ...um, and if you already have a tunnel why can't you just use that?

It's NATting. If I don't NAT traffic over the tunnel then the bit bucket
comes into play. 95% of traffic is fine using the current tunnel; I
need two servers to talk on their actual IP address to get the last 5%.

Dodgy ASCII diagram

10.61.6.x (remote)
|
Linux router
| vpn tunnel to public ip
Dodgy wifi card
|
ASA(vpn termination)
|192.168.x.x (vpn assigned ip address)
Black box network (routes 10.61.6.x traffic to bit bucket but
10.61.0.0 to correct place)
|
10.61.0.0 (local)

I need to be able to route 10.61.0.0 to 10.61.6.0 (only a couple of
hosts with static routes) over the black box.

I figured an ssh VPN from 10.61.0.host to 10.61.6.host (port forwarding
remote end) would solve the issue.

>>> Footnotes:
>>> [1]  ...well, personally I would make the life of whoever owned the
>>>     faulty device in the middle hell until they fixed their problem, so
>>>     that I didn't have to work around it, since it saves work in the
>>>     long run, but if you can't do that then you are correct... ;)
>>
>> The broken piece of equipment is 'no line installed', which we are on
>> but is going to take longer than acceptable.
>
> *nod*  Well, at least you don't have to look forward to the workarounds
> forever, I guess. :)

Once the new line is installed the black box will work correctly and I
can just kill all this. I think I'll probably enjoy that.

Carl G
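As an added example (not from the thread or either poster), the GRE alternative Daniel mentions, laid out for the two hosts in the diagram so they talk on their real 10.61.x addresses without TCP-over-TCP. Every address, the interface name and the 10.250.0.0/30 link net are constructed placeholders, and it assumes the Linux router's VPN-assigned address is reachable from the 10.61.0.0 host and that the VPN carries GRE (IP protocol 47).

```shell
#!/bin/sh
# Added example, not from the thread: a GRE tunnel between the two hosts that need
# to see each other's real 10.61.x addresses, instead of ssh -w (TCP-over-TCP).
# All addresses, the interface name and the 10.250.0.0/30 link net are constructed.
# Set DRY_RUN=1 to print the commands instead of running them (root needed otherwise).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_gre_side NAME LOCAL_EP REMOTE_EP TUN_ADDR/PFX PEER_ADDR ROUTE_DEST
#   LOCAL_EP and REMOTE_EP must be addresses the black box already routes
#   correctly; GRE (IP protocol 47) rides between them inside the existing VPN.
setup_gre_side() {
    name=$1; local_ep=$2; remote_ep=$3; tun_addr=$4; peer=$5; dest=$6
    run ip tunnel add "$name" mode gre local "$local_ep" remote "$remote_ep" ttl 64
    run ip addr add "$tun_addr" peer "$peer" dev "$name"
    run ip link set "$name" up
    # Only the host(s) that need a real-address path use the tunnel; the
    # remaining 95% keep using the NATted VPN path as before.
    run ip route add "$dest" dev "$name"
    # Accept GRE from the known peer only, so nothing else can inject into it.
    run iptables -A INPUT -p gre ! -s "$remote_ep" -j DROP
}

# Side A: the 10.61.0.0 host. Its address and the Linux router's
# VPN-assigned 192.168.x.x address are both routed correctly by the black box.
side_a() {
    setup_gre_side gre0 10.61.0.20 192.168.10.5 10.250.0.1/30 10.250.0.2 10.61.6.20/32
}

# Side B: the Linux router in front of 10.61.6.x, which owns 192.168.10.5.
# The host route back to 10.61.0.20 keeps return traffic inside the tunnel
# rather than on the NATted path; forwarding must be on for 10.61.6.20 to use it.
side_b() {
    setup_gre_side gre0 192.168.10.5 10.61.0.20 10.250.0.2/30 10.250.0.1 10.61.0.20/32
    run sysctl -w net.ipv4.ip_forward=1
}
```

Side B also assumes the existing NAT rule matches on the VPN interface, so packets leaving via gre0 are not rewritten.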



More information about the plug mailing list