# Route ip to local network

## creack

Hi,

Here is my situation:

1 server with 2 ips with vpn

I would like to route 1 of my ips to my computer over the vpn, how can I do? I tried with route without success and I tried with iptables but it is too huge and I am not sure of what I did.

Do you know how to do what I want or where I can find documentation about it?

Thank.

----------

## erik258

Hi,

I'm not sure what you're trying to accomplish.  If I understand you correctly your network looks something like this: 

http://spore.ath.cx/~dan/diagram.png

You'll note that in the diagram, server has 2 connections to the internet, remote has a connection to the server through a vpn, and there's an arrow inside the server pointing from IP2 through to the vpn.  

It seems that your intention is to redirect traffic coming in to IP2 through to the VPN address on remote.  This is not too difficult to do, but you'll need to use iptables.  Something like this should suffice: 

```
IP2=<IP_ADDR_TO_FORWARD>
RIP=<REMOTE_IP_TO_FORWARD_TO>

iptables -t nat -I PREROUTING -d $IP2 -j DNAT --to-destination $RIP
```

----------

## creack

It is exactly what I want to do. I flushed my tables (iptables -F ; iptables -t nat -F) and I tried your command, but it still does not reach my RIP when I ping IP2.

EDIT: actually, it kind of works, it is very strange:

On my server:

```
$>tcpdump -i eth0 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:15:12.018816 IP sla-rbx2-xx.ovh.net > $IP2: ICMP echo request, id 39220, seq 6148, length 64
07:15:12.274662 IP $IP2 > sla-rbx2-xx.ovh.net: ICMP echo reply, id 39220, seq 6148, length 64
```

On my computer (over the VPN):

```
$>sudo tcpdump -i tun1 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 96 bytes
09:16:36.756573 IP sla-rbx2-xx.ovh.net > 172.16.0.6: ICMP echo request, id 39220, seq 6148, length 64
09:16:36.756601 IP 172.16.0.6 > sla-rbx2-xx.ovh.net: ICMP echo reply, id 39220, seq 6148, length 64
```

But when I try to ping $IP2 myself, it does not forward to my computer... I don't understand (I think sla-rbx2-xx.ovh.net must be the monitoring from my ISP).

----------

## erik258

It seems as though it's working for the ICMP requests, right?  It seems as though tcpdump is showing the DNAT happening, with ICMP packets going in to $IP2 and coming out to 172.16.0.6 (I assume the VPN IP) and back, right?  If you tcpdumped on the tun/tap device on the server, you'd probably see those same packets entering the VPN on the server side too.  

So, what's not working?  What is 'my computer' and where does it fit into the network?  

ps: are your clocks off?  (maybe just in different timezones)

----------

## creack

Actually, I had bad routes. It works perfectly fine, thank you very much.

----------

## creack

Actually, I have another question: now that my computer over the VPN has its own IP, how can I make the world see that IP instead of the VPN server?

----------

## erik258

Hello again, 

> it works perfectly fine

Glad to hear it.  

> now that my computer over the VPN has its own IP, how can I make the world see that ip instead of the VPN server?

Does the computer over the VPN have a public IP?  I don't know any way of sending traffic for one IP to a different IP without modifying routing tables.  Unfortunately, something like that can't be done on the Internet.  Routing on the internet is based on a number of advanced routing protocols and you'd need the cooperation of the administrators of the ISPs that 'own' both public IP addresses and connect them to the internet for that to work.  Sorry.

If your VPN remote endpoint has a private IP the situation is just as bleak.  Public computers can't talk to private IP addresses over the internet, they'd have to be connected to the VPN to be able to reach it.  

The ability to move services between IP addresses is one of the reasons DNS names are used so frequently online.  If the world connects to a DNS hostname rather than the IP, updating the A record in DNS will be sufficient to move traffic over to that IP, but the change will take time to propagate through the world's public DNS servers.

I hope that answers your question.

----------

## creack

I am not sure of what you mean, but yes, I have 2 public IPs.

http://ip2/ from anywhere in the world goes to my computer.

On my server, I have 2 NICs, eth0 with IP1 and eth1 with IP2 (both public), and I would like anything from the VPN (tun0) to leave through eth1 and not eth0.

Is that possible?

----------

## erik258

Ah, I understand now.  I thought you wanted to make traffic destined for IP1/2 be delivered straight to 'IP3', another public address on the other side of the VPN.  Obviously a difficult task, if not impossible, without forwarding them there after the fact as you are doing.  

I know you can use policy routing to decide how to route packets based on the source of the address.  There are a number of other policies you can also apply to routing using the ip2 framework.  So, if IP1 and IP2 were on a LAN, my answer would be that I'm pretty sure you can do it.  But I'm concerned that you might have problems sending packets back over a different path than the one they came in on.  Although, maybe I'm imagining a problem that doesn't actually exist.  

I guess I don't know the answer.  If you find out elsewhere, I'd certainly appreciate it if you let me/us know what you find.  All I can say is this: http://lartc.org/howto/ should tell you how to do it, if it's doable.

----------

## creack

I finally succeeded!!!

Here is my solution:

```
#!/bin/sh
# Requires IP forwarding on the server (net.ipv4.ip_forward=1).
W_DEV=eth0   # dev with internet connection (optional, used by the MASQUERADE rule)
W_IP1=   # Public IP1 that we want to route
W_IP2=   # Public IP2 that we want to route
L_IP1=   # LAN (or VPN) IP of the first computer
L_IP2=   # LAN (or VPN) IP of the second computer

# first clean the tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

# then route the IP to the correct computer (until then I was OK)
iptables -t nat -I PREROUTING -d $W_IP1 -j DNAT --to-destination $L_IP1
iptables -t nat -I PREROUTING -d $W_IP2 -j DNAT --to-destination $L_IP2

# finally, NAT the outgoing packets with the correct IP
iptables -t nat -A POSTROUTING -s $L_IP1 -j NETMAP --to $W_IP1
iptables -t nat -A POSTROUTING -s $L_IP2 -j NETMAP --to $W_IP2

# then, if we have more computers than public IPs, we let all the other clients access the internet dynamically
# (appended after the NETMAP rules so the mapped computers keep their own public IP)
iptables -t nat -A POSTROUTING -o $W_DEV -j MASQUERADE
```

So with this, I have my server with a public IP, and 2 computers behind the VPN that look public.
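As an added example (not code from either poster in this thread), the script below generates the complete rule set the thread converges on: the PREROUTING DNAT from erik258's reply, the per-client POSTROUTING source rewrite from creack's final script (written here with SNAT, which has the same effect as NETMAP on a single address), and the pieces the thread leaves implicit: enabling IP forwarding, a FORWARD chain that drops by default and only admits chosen ports toward the mapped clients, and validation of every address before a rule is emitted, so a blank or mistyped variable (the exact situation in the thread's template) cannot produce a rule for the wrong host. All interface names, addresses and the allowed port list are constructed assumptions. The script prints the commands by default and only executes them when run as root with `--apply`.

```shell
#!/bin/sh
# Added example, not the thread's script. Builds a 1:1 NAT between public IPs
# and VPN clients (DNAT inbound, SNAT outbound) with a restrictive FORWARD
# policy. Prints the commands; pass --apply to run them as root on the server.
# Every interface name, address and port below is a constructed placeholder.

W_DEV="eth1"            # assumption: NIC that carries the public IPs
V_DEV="tun0"            # assumption: VPN interface toward the clients
V_NET="172.16.0.0/24"   # assumption: VPN address range
# assumption: PUBLIC=VPN pairs, one public IP forwarded to one VPN client
MAPPINGS="203.0.113.10=172.16.0.6 203.0.113.11=172.16.0.7"
ALLOWED_TCP="80 443"    # assumption: inbound TCP ports that may reach the clients

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255
is_ipv4() {
    _ifs=$IFS
    IFS=.
    set -f; set -- $1; set +f      # split on dots, no globbing
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules: write one sysctl/iptables command per line; non-zero on bad input
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    # deny forwarding by default; only the flows named below may cross the box
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VPN clients may originate traffic toward the internet
    echo "iptables -A FORWARD -i $V_DEV -o $W_DEV -s $V_NET -j ACCEPT"
    for _pair in $MAPPINGS; do
        _pub=${_pair%%=*}
        _vpn=${_pair#*=}
        if ! is_ipv4 "$_pub" || ! is_ipv4 "$_vpn"; then
            echo "gen_rules: bad mapping '$_pair'" >&2
            return 1
        fi
        # inbound: rewrite the public destination to the VPN client
        echo "iptables -t nat -A PREROUTING -i $W_DEV -d $_pub -j DNAT --to-destination $_vpn"
        # outbound: give the client's traffic its fixed public source address
        echo "iptables -t nat -A POSTROUTING -o $W_DEV -s $_vpn -j SNAT --to-source $_pub"
        # only the listed ports may reach the client from outside
        for _p in $ALLOWED_TCP; do
            echo "iptables -A FORWARD -i $W_DEV -o $V_DEV -d $_vpn -p tcp --dport $_p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # appended last: mapped clients already matched their SNAT rule above
    echo "iptables -t nat -A POSTROUTING -o $W_DEV -s $V_NET -j MASQUERADE"
}

# count_rules PATTERN: number of generated commands containing PATTERN
count_rules() {
    gen_rules | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh -e     # execute as root on the VPN server
else
    gen_rules             # dry run: review the rules before applying them
fi
```

Because the FORWARD chain defaults to DROP, the ICMP echo test from the thread would no longer reach the client; if ping is wanted, add an `-p icmp --icmp-type echo-request` ACCEPT alongside the TCP rules. Keeping the SNAT rules before the catch-all MASQUERADE matters: nat POSTROUTING stops at the first match, so a mapped client whose SNAT rule came later would leave with the server's primary address instead of its own.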

----------

