d93875c2ced6eeca53f9b7a6a335541d3eae3add
howto/networksettings.md
| ... | ... | @@ -0,0 +1,32 @@ |
| 1 | +The first rule of dn42 is always disable `rp_filter`. The second rule of dn42 |
|
| 2 | +is always disable `rp_filter`. The third rule of dn42 is to allow ip forwarding! |
|
| 3 | +No serious, in case some packets are dropped check first if your settings are correct. |
|
| 4 | + |
|
| 5 | +`rp_filter` also known as reverse path filtering is a security measure, |
|
| 6 | +which drop packages, where the reverse route to the source interface |
|
| 7 | +does not match the source address of the package. However this often happens in dn42, |
|
| 8 | +because routes can be asymmetric (packets can take different routes on the return path). |
|
| 9 | +That is why `rp_filter` needs to be disabled: |
|
| 10 | + |
|
| 11 | +**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d` |
|
| 12 | + |
|
| 13 | +``` |
|
| 14 | +sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 |
|
| 15 | +``` |
|
| 16 | + |
|
| 17 | +Check that its really disabled: |
|
| 18 | +``` |
|
| 19 | +sysctl -a | grep rp_filter |
|
| 20 | +``` |
|
| 21 | + |
|
| 22 | +Also the following options must be set. |
|
| 23 | +``` |
|
| 24 | +$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1 |
|
| 25 | +``` |
|
| 26 | + |
|
| 27 | +Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4. |
|
| 28 | +``` |
|
| 29 | +$ sysctl -a | grep forwarding |
|
| 30 | +``` |
|
| 31 | + |
|
| 32 | +Happy Routing! |
|
| ... | ... | \ No newline at end of file |
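Review bot: The command at line 14 sets only `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter`, which does not disable filtering on interfaces that already exist. The kernel uses the higher of the `all` value and the per-interface value, and `default` only applies to interfaces created afterwards, so a tunnel that is already up with `rp_filter=1` keeps dropping asymmetric traffic. The check at line 19 should say what to look for (each dn42 peering interface reporting 0), and the text should show setting `net.ipv4.conf.<ifname>.rp_filter=0` for those interfaces. Because line 5 describes `rp_filter` as a security measure and line 24 enables forwarding on `all`, please add a sentence on scope: strict filtering can stay on non-dn42 uplinks via their per-interface value, and loose mode (`rp_filter=2`) is the kernel's documented setting for asymmetric routing if a full disable is not wanted. Smaller points: line 9 ends in a colon but is followed by the note at line 11 rather than the command, so move the note below the code block. The `$` prompt appears at lines 24 and 29 but not at lines 14 and 19, so pick one style. "package" at lines 6 and 7 should be "packet". The file has no trailing newline.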