[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Clint Miller cmiller at tigerbyte.com
Wed Dec 10 16:16:37 PST 2003


Tom -

On Wednesday 10 December 2003 15:14, Tom Eastep wrote:
>
> I'm saying to do that WITHOUT ADDING THE ADDRESSES to the tunnel interface!
> I don't believe that they serve any purpose.
>
> -Tom

I've tried without adding the addresses.  It doesn't work.  The route table 
ends up looking something like this on our central VPN server:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun2
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun3
xx.xx.xx.0      0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     10.0.0.201      255.255.255.0   UG    0      0        0 tun1
192.168.0.0     10.0.0.203      255.255.255.0   UG    0      0        0 tun3
192.168.0.0     10.0.0.202      255.255.255.0   UG    0      0        0 tun2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0

We can only have one route to 192.168.0.0/24... right?  We have about 15 LANs 
that are addressed 192.168.0.0/24.  Another 13 that are 10.10.10.0/24.  All 
of these are in different locations and all need to route between each other.  
If I'm on one LAN and try to connect to 192.168.0.20 on a remote LAN, which 
192.168.0.20 am I going to get?  (especially if I'm on 192.168.0.20).  The 
first one in the route table.  How would I address multiple hosts on 
different LANs all addressed the same?   How would 2 machines both addressed 
192.168.0.20 talk to one another?

If we SNAT the interfaces onto the tunnels we get something that looks like 
this on our central VPN server:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.3.2.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun2
10.3.3.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun3
xx.xx.xx.0      0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.3.1.0        10.0.0.201      255.255.255.0   UG    0      0        0 tun1
10.3.2.0        10.0.0.202      255.255.255.0   UG    0      0        0 tun2
10.3.3.0        10.0.0.203      255.255.255.0   UG    0      0        0 tun3
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0

This allows routes to exist to every host on every network to every other host 
on every network even if they have the same addresses because we can force 
the SNAT'd addresses to be unique.  This works well and is in production 
(except for the new LANs with hundreds of hosts).

I must be missing something or not explaining myself well.  Sorry about that.
-- 
Clint Miller
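The routing argument in the message above, worked through in code. This is an added example, not part of the original post or of Shorewall: it parses the two `netstat -rn` tables quoted in the message (with the masked `xx.xx.xx.0` public prefix replaced by the documentation placeholder 203.0.113.0 so the lines parse), does a longest-prefix-match lookup the way a FIB does, flags prefixes that appear more than once with different interfaces, and applies a 1:1 NETMAP-style translation of each site's 192.168.0.0/24 onto a unique 10.3.N.0/24 so the lookup becomes unambiguous. The per-site mapping in SITE_NETMAP is an assumption modelled on the second table, not a configuration taken from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed copies of the two route tables quoted in the post.
# "xx.xx.xx.0" is replaced by the placeholder 203.0.113.0 (RFC 5737) so it parses.
OVERLAPPING_TABLE = """\
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun2
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun3
203.0.113.0     0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     10.0.0.201      255.255.255.0   UG    0      0        0 tun1
192.168.0.0     10.0.0.203      255.255.255.0   UG    0      0        0 tun3
192.168.0.0     10.0.0.202      255.255.255.0   UG    0      0        0 tun2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

SNAT_TABLE = """\
10.3.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.3.2.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun2
10.3.3.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun3
203.0.113.0     0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.3.1.0        10.0.0.201      255.255.255.0   UG    0      0        0 tun1
10.3.2.0        10.0.0.202      255.255.255.0   UG    0      0        0 tun2
10.3.3.0        10.0.0.203      255.255.255.0   UG    0      0        0 tun3
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

# Assumed per-site translation: every site's 192.168.0.0/24 is mapped 1:1 onto
# a unique 10.3.<site>.0/24 (hypothetical, modelled on the second table).
SITE_LAN = ipaddress.ip_network("192.168.0.0/24")
SITE_NETMAP = {1: "10.3.1.0/24", 2: "10.3.2.0/24", 3: "10.3.3.0/24"}


def parse_routes(text):
    """Turn `netstat -rn` lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match. On equal prefix length the earliest entry wins,
    which is exactly the 'first one in the route table' behaviour the post sees."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


def ambiguous_prefixes(routes):
    """Prefixes that appear more than once pointing at different interfaces."""
    seen = defaultdict(set)
    for net, _gw, iface in routes:
        seen[str(net)].add(iface)
    return sorted(p for p, ifaces in seen.items() if len(ifaces) > 1)


def netmap(addr, src_net, dst_net):
    """1:1 NETMAP-style translation: keep the host bits, swap the network bits."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if a not in src or src.prefixlen != dst.prefixlen:
        raise ValueError("address outside source net or prefix lengths differ")
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def iface_for_site_host(site, host):
    """Translate a site-local host address, then route it on the SNAT table."""
    translated = netmap(host, str(SITE_LAN), SITE_NETMAP[site])
    return translated, lookup(parse_routes(SNAT_TABLE), translated)


if __name__ == "__main__":
    overlapping = parse_routes(OVERLAPPING_TABLE)
    print("duplicate prefixes (overlapping LANs):", ambiguous_prefixes(overlapping))
    print("192.168.0.20 untranslated ->", lookup(overlapping, "192.168.0.20"))
    for site in SITE_NETMAP:
        print(f"site {site} host .20 ->", iface_for_site_host(site, "192.168.0.20"))
```

Running it shows why the untranslated table cannot work: 192.168.0.0/24 and 192.168.0.1/32 each occur three times, and every lookup for 192.168.0.20 lands on tun1 regardless of which site was meant. After translation, site 2's 192.168.0.20 becomes 10.3.2.20 and routes over tun2, with no duplicate prefixes left in the table.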
