From: Mike Brown <mike@tkg.ca>
Subject: Re: incoming ssh from two gateways
Date: Fri, 19 Dec 2003 23:11:47 -0500
Message-ID: <3FE3CC03.47963CFE@tkg.ca>
References: <200312191014.aa02681@mbsi.magnatechonline.com>

Joe Chasan wrote:
>
> I have a site with 2 gateways to the internet - say 192.168.1.50 and .51 -
> currently the SCO OpenServer 5.07 box uses only the .50. I ssh in from
> outside to it and go to the SCO box just fine. The router uses NAT,
> port forwarding for a variety of functions.
>
> I wanted to use the 2nd gateway as well, for now just for other ssh access.
> I set up the (identical) router OK (I have other NAT/port forwardings
> working fine), but the SCO 5.07 box will not communicate back. I am thinking
> because it will only respond to outside through the .50 gateway. Am I
> correct? If this is the case, what are my options?
>
> I don't know how to tell SCO to use 2 gateways - I was thinking of using
> ifconfig alias and mapping a second IP to use the second gateway via an
> appropriate route statement, also routing the incoming ssh to it from the
> router (but the last time I used ifconfig alias, it seemed only 75%
> implemented for networking functions, some things would not work). Does
> that make sense? Would it work? Any other options?
>
> At this point it's more for support and our own educational value, so I'd
> not want to go on-site and install a second NIC to make this happen.
>
> --- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---
> -Joe Chasan- Magnatech Business Systems, Inc.
> joe@magnatechonline.com Hicksville, NY - USA
> http://www.MagnatechOnline.com Tel.(516) 931-4444/Fax.(516) 931-1264

You will have to rely on routing advertisement broadcasts coming from the routers, or an ICMP redirect coming from the .50 router. OSR5 can build and maintain a fairly complex routing table based on that information.
It becomes a bit more of a problem to configure the routers to supply the information, since both routers are on the internet and both routers could return the packet back to you. In general it should not matter what route the packet takes to go back to you, so coming in on .51 and returning on .50 is acceptable.

At the client side, where you started the connection, is where the problem occurs. Your router has started a connection to a particular IP address on the internet, and is expecting a packet back from that address. If the correct response comes back, but from the wrong IP, a good firewall will just discard it. If both your PC and the SCO box had real internet addresses assigned to their NICs, then you could connect even if the packets took numerous different routes. The issue comes up when the router or firewall is running NAT.

The best solution, if it is available, is to connect to the router through a tunnel such as PPTP or IPsec/VPN. With PPTP your PC will be assigned a 192.168.1.xxx address, and SCO will think you are a local PC. With a VPN the router will generate a routing broadcast of your remote IP network, and the packets will get tunneled between the two private networks.

A poor solution is to log into the router remotely, configure a static route from the .51 back to your IP address, and wait for it to broadcast the information to SCO. Messy, but it does work.

There are some programming tricks that use IP wrappers, which wait for a connection on some chosen high port number. When a connection is attempted on that port, the wrapper discovers the IP address it is coming from and builds a temporary static route through a chosen router for that IP address. In some cases a service like SSH is turned off until the higher port is tickled, then it gets turned on just for that remote address. It's like knocking on one door to get a second door opened.

Mike
--
Michael Brown
The Kingsway Group
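The route-on-connect wrapper Mike sketches at the end of his reply, as an added example that is not code from the thread: a Python model that builds a temporary host route through the .51 gateway for a source that has knocked on the high port, refuses to do so for sources on the local LAN, and tears the route down after a timeout. The `route add/delete host` syntax, the 300-second lifetime and the 203.0.113.x sample address are assumptions; the commands are collected in a list rather than executed.

```python
import ipaddress
import time

# The second router from the thread, used as the gateway for the host route.
SECOND_GATEWAY = "192.168.1.51"
# The site's own LAN; knocks from inside it must never rewrite the route table.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
# Constructed value: how long a knock keeps its host route alive, in seconds.
ROUTE_TTL = 300


class KnockRouter:
    """Per-source host routes that appear on a knock and expire afterwards.

    Commands are collected in a list instead of being executed, and the
    BSD-style 'route add/delete host' syntax is an assumption for illustration.
    """

    def __init__(self, gateway=SECOND_GATEWAY, ttl=ROUTE_TTL):
        self.gateway = gateway
        self.ttl = ttl
        self.routes = {}    # source IP -> expiry timestamp
        self.commands = []  # commands that would be handed to the system

    def knock(self, peer_ip, now=None):
        """Handle a connection on the high knock port; returns True if routed."""
        now = time.time() if now is None else now
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False  # garbage peer address, nothing to route
        if addr in LOCAL_LAN or addr.is_loopback or addr.is_multicast:
            return False  # local sources already reach the box directly
        ip = str(addr)
        if ip not in self.routes:
            self.commands.append(f"route add host {ip} {self.gateway}")
        # A repeat knock only extends the lifetime of the existing route.
        self.routes[ip] = now + self.ttl
        return True

    def expire(self, now=None):
        """Tear down routes whose lifetime has passed; returns the removed IPs."""
        now = time.time() if now is None else now
        stale = [ip for ip, deadline in self.routes.items() if deadline <= now]
        for ip in stale:
            self.commands.append(f"route delete host {ip} {self.gateway}")
            del self.routes[ip]
        return stale
```

A real wrapper would call `expire()` from a periodic timer and hand `commands` to the system's route utility; the SSH on/off switching Mike mentions would hang off the same `knock`/`expire` events.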