The MPLS-OPS Archive

Re: Which FW for MPLS VPN?
On Mon, Jan 31, 2005 at 01:07:18PM +0100, Garry Glendown wrote:
> paranoia@phreaker.net wrote:
> > On Sat, Jan 29, 2005 at 10:09:05PM +0100, Garry Glendown wrote:
> >>what Firewall are you folks using to connect multiple
> >>MPLS VPNs to the Internet?
> >
> > I use Linux with a *very* customized iptables script.
>
> I would *love* to use Linux - I know Linux VLAN support is working fine,
> but from what I read, the Linux VRF project seems not very active (at
> best) and lacking very many functions

Which is one reason why I don't use it :-) The other one is that I had
to hack this together quickly, and installing a Linux with MPLS from
scratch would not have been an option unless I was dead certain it would
work and how long it would take.

> how do you handle overlapping IP
> ranges of different customers? I.e., 192.168.2/24 routed on two VLANs
> for two different customers?

fwmark and iproute2.

PREROUTING fwmarks MPLS2Public packets according to which vlan they come in from
PREROUTING fwmarks Public2MPLS packets according to which public IP they were sent to
iproute has several routing tables and chooses the one to use based on the fwmark
POSTROUTING does SNAT based on the fwmark.
Filters check that private IPs and NetBIOS stay where they should be and such things.

Before and after doing this I looked around to see if it had been done by
somebody else, didn't find, was going to write it up in HOWTO format,
but well, work came in the way.

I've never used arrays in bash, which is why I didn't do so in this
case, but they would greatly simplify adding a new client. For now
adding a new client involves editing the file in at least six distinct
places.

If you're interested I could sanitize the script a bit and post it here
sometime tomorrow.

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
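
The scheme described in the message above (fwmark set in PREROUTING, one iproute2 table per client selected by fwmark, SNAT by fwmark), as an added example that is not the poster's script. It prints the commands from a single client table instead of running them; the interface names, addresses, mark numbers and the exact filter rules are assumptions made for illustration.

```shell
#!/bin/sh
# Dry-run generator: prints the commands, one client per table row.
# Every name, interface and address below is constructed for illustration.
PUB_IF=eth0              # assumed Internet-facing interface
PUB_GW=198.51.100.1      # assumed upstream gateway (documentation range)

# name  vlan-if  public-ip  mark/table  customer-net (ranges overlap on purpose)
CLIENTS='custA eth1.101 198.51.100.11 101 192.168.2.0/24
custB eth1.102 198.51.100.12 102 192.168.2.0/24'

gen_client_rules() {     # args: name vlan_if public_ip mark net
    name=$1 vif=$2 pub=$3 mark=$4 net=$5
    echo "# --- $name ---"
    # MPLS -> public: mark by the VLAN the packet arrived on
    echo "iptables -t mangle -A PREROUTING -i $vif -j MARK --set-mark $mark"
    # public -> MPLS: mark by the public IP the packet was sent to
    # (mangle runs before NAT rewrites the destination of reply packets)
    echo "iptables -t mangle -A PREROUTING -i $PUB_IF -d $pub -j MARK --set-mark $mark"
    # one routing table per client, selected by fwmark
    echo "ip rule add fwmark $mark table $mark"
    echo "ip route add $net dev $vif table $mark"
    echo "ip route add default via $PUB_GW dev $PUB_IF table $mark"
    # SNAT to the client's own public IP, chosen by fwmark
    echo "iptables -t nat -A POSTROUTING -o $PUB_IF -m mark --mark $mark -j SNAT --to-source $pub"
    # assumed filters: a VLAN may only source its own range, NetBIOS stays inside
    echo "iptables -A FORWARD -i $vif ! -s $net -j DROP"
    for proto in tcp udp; do
        echo "iptables -A FORWARD -i $vif -o $PUB_IF -p $proto --dport 137:139 -j DROP"
    done
}

gen_all_rules() {
    echo "$CLIENTS" | while read -r name vif pub mark net; do
        gen_client_rules "$name" "$vif" "$pub" "$mark" "$net"
    done
}

gen_all_rules            # review the output, then pipe it to sh as root
```

Adding a client is one new row in `CLIENTS`. With strict reverse-path filtering enabled, the kernel's source check ignores the fwmark unless `net.ipv4.conf.<interface>.src_valid_mark` is set, so packets from overlapping customer ranges can be dropped on ingress.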