
I have the following host, with one interface and two GRE tunnels. It thinks it is locally connected to three networks.

eth0:
 inet 10.1.0.123/16
gre1:
 inet 172.16.0.123/16
gre2:
 inet 192.168.0.123/16

The two GRE tunnels both have connections to a fourth network 10.0.0.0/16 (this is unrelated to eth0's network). I'd like to configure the routing tables on this host such that requests from the 10.0.0.0/16 network that come in via gre1 to 172.16.0.123/16 are responded to via gre1 as well. And vice-versa for the gre2 tunnel.

  • If I don't configure a route for 10.0.0.0/16, then the packets are filtered due to rp_filter.
  • If I disable rp_filter but don't configure a route for 10.0.0.0/16 then the response packets go out eth0 due to the default route.
  • I can set a route to 10.0.0.0/16 to either gre1 or gre2, but I can't set them both.

$ sudo ip route add 10.0.0.0/16 dev gre2
RTNETLINK answers: File exists
Huckle
  • The usual way to deal with multiple parallel routes is to give them priorities, so that the route with higher priority is always used. If you don't want to follow this pattern for whatever reason (you didn't say), the simplest solution would be to put both gre1 and gre2 in a network namespace of its own, and have services answering requests run in both namespaces. Other solutions may be better depending on what you actually want to achieve (please also read about XY questions, Y = I need two parallel tunnels, X = ?). – dirkt Oct 04 '20 at 06:48
  • It's still possible to use policy/source-based routing to do this without namespaces, but if the host's server application is over UDP rather than TCP, extra care must be taken, sometimes in the application's configuration, sometimes in the application code (because an application not binding its source UDP address to emit a reply and not multi-homing aware itself may still get the system to choose the wrong interface and source address: the default). All this anyway only applies if different host addresses are used (the gre interfaces' IPs); otherwise this requires marks and gets worse. – A.B Oct 04 '20 at 09:12
  • @A.B Would you have an example of how to do this with policy-based routing? – Huckle Oct 04 '20 at 21:02
  • @dirkt "for whatever reason" - Because of stateful firewalls in the gre1 and gre2 networks mucking with things. Middleboxes being middleboxes. The SYN,ACK looks unsolicited and gets eaten by a firewall if it takes a different return path. This isn't so much an XY question as it's a "someone is paying me to deal with crappy networks" question. – Huckle Oct 04 '20 at 21:07
  • My comment asked for 2 questions: ip addresses and udp usage. Knowing an answer won't work correctly doesn't make me want to give one. I'm also curious about dirkt's question: he asked why you are using two tunnels, but you answered why you need to use the same tunnel because of firewalls. – A.B Oct 04 '20 at 21:42
  • So if someone is paying you, tell them "the way you set up things doesn't work, it would make more sense to change it". You can use policy based routing (see e.g. here), but as the other comment has said, it doesn't work properly in all situations. You'll always end up having to fiddle and fix things. – dirkt Oct 05 '20 at 04:18
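
An added example, not code from the question or its comments, of the policy (source-based) routing A.B mentions: one routing table and one source-address rule per tunnel, so replies sourced from a tunnel's address use that tunnel's route to 10.0.0.0/16. The table ids (101, 102), rule priorities (1001, 1002) and the probe address 10.0.0.1 are assumptions; the interface names and addresses are the question's.

```shell
#!/bin/sh
# Added example, not code from the question or its comments: source-based
# (policy) routing so that replies to 10.0.0.0/16 leave through the tunnel
# the request arrived on. Interface names and addresses are the question's;
# table ids (101, 102), rule priorities (1001, 1002) and the probe host
# 10.0.0.1 are assumptions made here.
set -eu

REMOTE_NET=10.0.0.0/16
PROBE_HOST=10.0.0.1   # any host inside REMOTE_NET, used only by the check

# Print the ip(8) commands for one tunnel instead of running them, so they
# can be reviewed or asserted on.  $1=tunnel device, $2=address the host has
# on that tunnel, $3=routing table id, $4=rule priority (lower wins).
pbr_commands() {
    dev=$1 addr=$2 table=$3 prio=$4
    # The route to the remote network lives only in this tunnel's own table,
    # so the "File exists" clash in the main table does not occur.
    echo "ip route replace $REMOTE_NET dev $dev table $table"
    # Traffic sourced from this tunnel's address consults that table first.
    # rp_filter does its reverse lookup through the same rules with source
    # and destination swapped, so the check and the reply path agree.
    echo "ip rule add from $addr lookup $table priority $prio"
}

# Print the command that confirms the result for one tunnel: "ip route get"
# with "from" runs the rule lookup as a reply sourced from $2 would, and the
# output should name the tunnel device and its table.
pbr_check_command() {
    echo "ip route get $PROBE_HOST from $2"
}

# Execute the emitted commands on this host (needs CAP_NET_ADMIN).
pbr_apply() {
    pbr_commands "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# "sh pbr.sh apply" configures both tunnels and shows the two lookups;
# without the argument nothing on the host is changed.
if [ "${1:-}" = apply ]; then
    pbr_apply gre1 172.16.0.123 101 1001
    pbr_apply gre2 192.168.0.123 102 1002
    eval "$(pbr_check_command gre1 172.16.0.123 101)"
    eval "$(pbr_check_command gre2 192.168.0.123 102)"
fi
```

The rules key on the source address, so A.B's caveat still applies: a UDP service that does not bind its replies to the tunnel address will not match them and falls back to the main table.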

0 Answers