[quagga-users 14957] Re: Hiding subnet along routing path

William Herrin bill at herrin.us
Tue Feb 27 23:23:08 GMT 2018


On Tue, Feb 27, 2018 at 5:14 PM, Klemen Sladic <gosturnca at gmail.com> wrote:
> Hi.
>
> I have a question regarding OSPF operation in some specific route
> configuration.
>
> Let's say I have two devices, each has 2 network interfaces and both running
> OSPF.
>
> ----------------------------    ---------------------------
> | DEV1                     |    | DEV2                    |
> | eth0                 eth1|<==>|eth1                 eth0|
> | 192.168.0.1 192.168.192.1|    |192.168.192.2 192.168.1.1|
> ----------------------------    ---------------------------
>
> The "default" kernel routes are like:
> DEV1:
> 192.168.192.0/24 dev eth1 proto kernel scope link src 192.168.192.1
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
> DEV2:
> 192.168.192.0/24 dev eth1 proto kernel scope link src 192.168.192.2
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
>
> OSPF and route distribution works as expected through this network.
>
> Now, I wanted to hide the eth1 subnet from the outside world by
> setting 192.168.192.0/24 route source to eth0 IP address, like:
> DEV1:
> 192.168.192.0/24 dev eth1 scope link  src 192.168.0.1
> DEV2:
> 192.168.192.0/24 dev eth1 scope link  src 192.168.1.1
>
> This works from routing perspective, but it breaks OSPF. This is
> probably expected, since this has broken a link between two
> devices/neighbors.
>
> My question is if it is possible to somehow configure OSPF to
> work with those modified route sources? To be able to exchange
> OSPF messages by hopping over eth1 subnet?

Hello,

Short answer: No.

Longer answer: Use public IP addresses on routers which are visible to
the public Internet or else translate ICMP messages from private IPs
to public IPs at your network border. If you leak RFC1918 addresses
you will probably break PMTUD which breaks TCP in mysterious and
subtle ways engineered to drive you completely mad.

Alternate answer: MPLS is the tool you're looking for.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
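As an added example (not from the thread and not Quagga code), here is a small Python model of the PMTUD failure Bill points at: a router whose interface address is RFC1918 sources its ICMP "Fragmentation Needed" error from that address, a border filter that drops private-sourced packets then swallows the error, and the sender never learns the path MTU unless the error is translated. The topology, addresses, MTUs and border-filter behaviour are constructed assumptions for the illustration.

```python
# Added example, not from the thread: a toy model of the PMTUD failure Bill
# describes. A router with an RFC1918 interface address generates the ICMP
# "Fragmentation Needed" error from that address; a border filter that drops
# private-sourced packets then black-holes PMTUD unless the error is translated.
# All addresses and MTUs below are constructed for the illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    icmp_src: str     # address this router puts in ICMP errors it originates
    egress_mtu: int   # MTU of the link it forwards the packet onto


def border(src: str, translate_to: Optional[str]) -> Optional[str]:
    """Network border: drop packets sourced from RFC1918 space, or rewrite the
    source to a public address when ICMP translation is configured."""
    if is_rfc1918(src):
        return translate_to          # None means the filter dropped it
    return src


def pmtud(path: List[Hop], size: int, translate_to: Optional[str] = None) -> Optional[int]:
    """Send a DF-marked packet of `size` bytes along `path`. Returns the MTU the
    sender learns from ICMP type 3 code 4, or None when the error never arrives
    (the classic PMTUD black hole: retransmissions of full-size segments stall)."""
    for hop in path:
        if size > hop.egress_mtu:
            if border(hop.icmp_src, translate_to) is None:
                return None
            return hop.egress_mtu
    return size  # packet fit end to end; no error generated


# Constructed topology modelled on the thread: the DEV1->DEV2 link is the hidden
# 192.168.192.0/24 subnet, here given a reduced MTU (e.g. a tunnel).
PATH = [Hop("DEV1", "192.168.192.1", 1400), Hop("DEV2", "192.168.1.1", 1500)]

if __name__ == "__main__":
    print("leaked private source:", pmtud(PATH, 1500))                # None
    print("translated at border:", pmtud(PATH, 1500, "203.0.113.1"))  # 1400
```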
