[ale] Blocking packets destined for VPN from going back to the default gw

Chris Fowler cfowler at outpostsentinel.com
Thu Feb 17 11:33:56 EST 2022


I'm running into something that is causing confusion when a VPN connection is down.  Packets destined for the remote segment are sent back to the VPN's default gateway and then sent back to the VPN server.  Creates a loop that confuses people when they do traceroute.

Default GW: 192.168.17.1
  Routes:   192.168.19.0/24 -> 192.168.17.2
            192.168.18.0/24 -> 192.168.17.2
VPN S:      192.168.17.2
  Routes:   0.0.0.0 -> 192.168.17.2
            192.168.19.1 -> 192.168.18.1

192.168.18.0/24 is used for the VPN endpoints
192.168.19.0/24 is used for DNAT rules on the VPN end point.

When the VPN is up, packets to 192.168.19.1 will go to 17.1 first, then 17.2, then 18.1, and finally 19.1

If 18.1 is offline then packets to 192.168.19.1 go to 17.1, then 17.2, and back to 17.1.  This creates a loop.

Can I stop that?  I thought about blocking 192.168.19.0/24 on eth0 with iptables, but would that not block the return path when the VPN is up and connections work?
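A small routing-table model, added here as an example and not the poster's actual configuration, that reproduces the loop described above and shows the effect of a high-metric `unreachable` route for 192.168.19.0/24 on the VPN server. It assumes the VPN server's default route points back at 192.168.17.1 (which the described 17.1 -> 17.2 -> 17.1 loop implies), models the tunnel peer 192.168.18.1 as the final hop, and ignores firewall rules entirely.

```python
import ipaddress

# Constructed model of the two routers in the post. Each route is
# (prefix, next_hop, metric); next_hop None means "unreachable".
def build_tables(vpn_up, with_unreachable):
    gw = [                                    # default gateway 192.168.17.1
        ("192.168.19.0/24", "192.168.17.2", 0),
        ("192.168.18.0/24", "192.168.17.2", 0),
    ]
    vpn = [                                   # VPN server 192.168.17.2
        ("0.0.0.0/0", "192.168.17.1", 0),     # assumed: default back to the gateway
    ]
    if vpn_up:
        vpn.append(("192.168.19.1/32", "192.168.18.1", 0))  # route via tunnel peer
    if with_unreachable:
        # Candidate mitigation: a high-metric unreachable route that only
        # takes effect when no more specific tunnel route exists.
        vpn.append(("192.168.19.0/24", None, 500))
    return {"192.168.17.1": gw, "192.168.17.2": vpn}

def lookup(table, dst):
    """Longest-prefix match; lowest metric wins among equal prefix lengths."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, metric in table:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, nh)
    return best[1] if best else None   # None: no route or unreachable route

def trace(tables, dst, first_hop="192.168.17.1", max_hops=6):
    """Follow next hops from first_hop until delivery, unreachable, or a repeat."""
    path, hop = [first_hop], first_hop
    while len(path) <= max_hops:
        nh = lookup(tables[hop], dst)
        if nh is None:
            return path + ["unreachable"]
        if nh not in tables:               # left the modelled routers: delivered
            return path + [nh]
        if nh in path:                     # already visited this router
            return path + [nh, "LOOP"]
        path.append(nh)
        hop = nh
    return path + ["hop-limit"]

if __name__ == "__main__":
    for up, fix in [(True, False), (False, False), (False, True), (True, True)]:
        print(f"vpn_up={up} unreachable_route={fix}:",
              " -> ".join(trace(build_tables(up, fix), "192.168.19.1")))
```

On a Linux VPN server the equivalent of the modelled route is `ip route add unreachable 192.168.19.0/24 metric 500`, which only governs forwarding toward 192.168.19.0/24 and so does not touch replies arriving on eth0 when the tunnel is up. Traceroute then ends with an ICMP unreachable from 192.168.17.2 instead of bouncing between 17.1 and 17.2.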


