
Split tunnelling for HTTP/HTTPS?


allywilson

Technical User
Nov 27, 2002
Hi all,
Bit of an unusual one here I think...

Server has a PPTP VPN connection (ppp0)

All traffic is tunnelled over that connection.

I want to reroute certain kinds of traffic going over it (HTTP/HTTPS) to use the default gateway of the LAN instead.

So far this has led me to have the following setup...

A virtual ethernet adapter (eth0:1) with a static IP.
Squid proxy listening on eth0:1 so I can point all HTTP/HTTPS traffic at it.

This works, but all traffic for eth0:1 goes over ppp0...

I cannot for the life of me figure out how to force all eth0:1 traffic (0.0.0.0/8) to the DG and bypass ppp0.

I think the problem really stems from my lack of understanding of how to manipulate routes :-\

Any help appreciated :)
 
I agree with your suspicion and I think the solution to your problem will involve partitioning your network into zones. You will need to have a 'zone' dedicated to the local LAN and a zone dedicated to the VPN. With the zone definitions, which will reflect the different subnets, you can have a gateway router assigned for the zone. This will likely be accomplished with a combination of your DHCP and DNS configurations.

One thing in particular that jumps out at me in your current configuration is the 0.0.0.0/8, which effectively means all traffic.

Without at least knowing what programs you are using, it is impossible to suggest specific means to configure and partition your system. If you are able to provide some additional details it is possible that someone here might have some suggestions for you.
 
Thanks for replying, I'll try to give a better understanding of why and how.

eth0 = DHCP, 192.168.1.1
eth0:1 = Static, 192.168.1.2
DG = 192.168.1.254

When VPN is connected...
ppp0 = DHCP (assigned), 192.168.2.1
DG = 192.168.2.254
They're both actually on the same subnet, but this just makes it a little easier to explain.

When the VPN connection is made, all traffic is routed over ppp0 and destined for 192.168.2.254.

I'd like it so that any traffic destined for 192.168.1.2 (eth0:1 - as that's where squid/proxy is listening) bypasses 192.168.2.254 and goes to 192.168.1.254.

My manipulation skills for the routing table are incredibly basic; it's more of a guessing game than anything else...

Hope you can help :)
 
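Added example, not from the thread or any of its posters: the usual way to make packets sourced from the Squid alias address leave via the LAN gateway while ppp0 keeps the default route is source-based policy routing with iproute2 (`ip rule` / `ip route ... table N`). The addresses are the ones given in the post above; the /24 mask, the routing-table number 100 and the rule priority 1000 are assumptions made here. By default the script only prints the commands so they can be reviewed; `apply` runs them (as root) and `undo` removes them.

```shell
#!/bin/sh
# Added example (not the poster's): source-policy routing so that traffic
# sourced from the Squid alias 192.168.1.2 uses the LAN gateway 192.168.1.254
# even while ppp0 holds the default route in the main table.
# Assumptions: iproute2 is installed; /24 mask, table 100 and priority 1000
# are chosen here, the thread does not state them.

PROXY_IP="192.168.1.2"      # eth0:1, where Squid listens (from the thread)
LAN_GW="192.168.1.254"      # LAN default gateway (from the thread)
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"    # assumed mask
TABLE=100                   # secondary routing table (chosen here)
PRIO=1000                   # rule priority; must be below "main" (32766)

# Emit the commands that build the secondary table and the source rule.
# Packets from PROXY_IP are looked up in table 100, which has its own
# default route via the LAN gateway; everything else still uses ppp0.
bypass_commands() {
    cat <<EOF
ip route add $LAN_NET dev $LAN_IF src $PROXY_IP table $TABLE
ip route add default via $LAN_GW dev $LAN_IF table $TABLE
ip rule add from $PROXY_IP lookup $TABLE priority $PRIO
ip route flush cache
EOF
}

# Emit the commands that remove what bypass_commands installs.
undo_commands() {
    cat <<EOF
ip rule del from $PROXY_IP lookup $TABLE priority $PRIO
ip route flush table $TABLE
ip route flush cache
EOF
}

# The rule is only consulted if its priority is lower than the main table's.
rule_priority_ok() {
    [ "$1" -lt 32766 ]
}

# Run each emitted command, echoing it first; stop at the first failure.
apply_commands() {
    "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

case "${1:-}" in
    apply) rule_priority_ok "$PRIO" && apply_commands bypass_commands ;;
    undo)  apply_commands undo_commands ;;
    *)     bypass_commands ;;   # dry run: just print the commands
esac
```

Two things to check after applying: `ip route get 8.8.8.8 from 192.168.1.2 iif lo` should show `via 192.168.1.254 dev eth0`, and Squid must actually source its outbound connections from 192.168.1.2 (its `tcp_outgoing_address` directive), otherwise its traffic is sourced from the ppp0 address and never matches the rule.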
I am having a bit of trouble understanding exactly how you have things set up. I will try to spell out what I am interpreting. Please correct my understanding if / where I get it wrong.

eth0: this is the primary wired ethernet on your server. The IP address of the server is 192.168.1.1. Devices on this segment get their addresses dynamically from a DHCP server. What is unknown is what is the mask, i.e. how many bits represent the network and how many represent the host.

eth0:1 this is an ALIAS for eth0 on the same machine. It has been assigned a STATIC IP address of 192.168.1.2. Based on the address this is undoubtedly on the same LAN segment as eth0.

DG (default gateway): 192.168.1.254. This is acceptable. I would assume from this that the lan segment is 192.168.1.0/24.

Now your VPN is using 192.168.2.1 with a default gateway of 192.168.2.254.

You mention that these are the same subnet. This implies that your LAN can't be 192.168.1.0/24. If I am not mistaken, there can only be one default gateway for a particular LAN segment. Consequently, either 192.168.1.x and 192.168.2.x are separate subnets or there is a conflict on the gateway settings.

If we assume that they are different subnets, traffic on your VPN (192.168.2.x) that is destined for a different segment will be routed via the gateway. So, what is on the other side of this gateway?

Also, what programs are you using for DHCP, DNS, and VPN? Without knowing, we can only guess at what your configuration setup is.


 
First of all please post your current config as far as IP config and route config.

This can be done very easily with iptables.

Is this box directing its outbound traffic for web surfing to ports 80/443 via the LAN gateway, I assume?

Now, try these lines in iptables


# nat table; DNAT needs --to-destination: the Squid alias from your earlier post (3128 = Squid's default port, assumed)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:3128
# 443 carries TLS, which a plain Squid http_port cannot serve; this rule only helps with an https_port configured for it
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2:3128
 