Erich,
>>>> Call me stupid, but I am running a cascade of two Leaf routers and I 
>>>> would not even start to consider joining them. That said, I have been 
>>>> running them on the same host lately (VMware). That is because I've run 
>>>> out of old small sized boxes and everything I can get my hands on is 
>>>> hugely oversized for the job.
>>> Out of curiosity, why would you not run this functionality on a single
>>> box, but be prepared to tolerate the VMware overhead and network
>>> abstraction? But really, just out of curiosity.....
>> One large reason. Except for doing ISP connect, the outer box also 
>> functions as an ipsec/l2tp VPN router. When a remote user connects to 
>> one of the l2tp nodes, this dynamically adds a ppp interface. 
> 
> Oh, you are doing l2tp on the leaf box; I always delegate this to
> winblows. But surely you only accept those requests from the ipsec
> interface.

Naturally :)

But that leaves the problem of not being able to add non-existent 
interfaces to a zone, let alone define any rules for those interfaces. 
This means the l2tp users are confined to a tunnel with a dead end if 
I use the default DROP policy.

As far as VMware overhead is concerned, I've used a P1-66 up to a P4-700 and 
now it's on a quad-core together with some more or less publicly exposed 
services. I've never noticed any difference in internet speed, except 
for that one time I'd set up a honeypot out of interest. ;)

>> I have found no other way to handle this other than by setting the policy for 
>> iptables to ACCEPT. That introduces a security risk for everything I may 
>> have forgotten to catch in an earlier stage (the rules, or exceptions to 
>> policy).
>>
>>>> When my needs were smaller I did have ISP connect and TC on the same 
>>>> router, but the current cascaded setup appears to be a lot more stable.
>>> Can you elaborate on the stability problem? Do we have one?
>> I used to have frequent ISP connection resets, and for some reason I 
>> never managed to have it reconnect without human interaction on the box 
>> itself. Now I have less resets and it also reconnects automatically. 
> 
> Have you found a reason for this?

Probably some PPTP control signal that is being blocked by netfilter. 
But that's just a wild guess.

>> The only issue I have now is that at some times it starts to flood the logs 
>> with klips messages and I can only stop that by fully resetting the router.
> 
> This would point to an ipsec problem, wouldn't it?

Again I'd have to guess. Can't really pinpoint the origin. In any case, 
restarting only ipsec doesn't help. It would seem the part that's 
causing the problem stays resident, but I can't find it.

Gordon
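An added example, not Gordon's setup nor LEAF/Shorewall code from the thread: the dead-end problem above comes from defining rules per interface, and a ppp interface that pppd will create later cannot be referenced by name. iptables accepts a trailing "+" in -i/-o as a prefix wildcard, so a rule for "ppp+" matches ppp0, ppp1, ... before any of them exist, and the default policy can stay DROP instead of being opened to ACCEPT. Interface names (eth0 for the ISP side, eth1 for the LAN, ipsec0 for KLIPS) and the LAN range are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the leaf-user thread: keep netfilter's default
# policy at DROP and still pass traffic for ppp interfaces that l2tpd/pppd
# create on demand. "ppp+" is iptables' prefix wildcard, so the rules can be
# loaded while no pppN interface exists yet; no ACCEPT policy is needed.
# Interface names (eth0 ISP side, eth1 LAN, ipsec0 KLIPS) and the LAN
# network below are assumptions chosen for this example.

IPT="${IPT:-echo iptables}"          # dry-run by default; IPT=iptables applies
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IPSEC_IF="${IPSEC_IF:-ipsec0}"       # KLIPS hands decrypted packets to ipsecN
LAN_NET="${LAN_NET:-192.168.1.0/24}" # constructed sample LAN range

# Emits (dry-run) or applies the full rule set.
build_rules() {
    # Default deny on the chains that face the outside; nothing below
    # relaxes a policy to ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # IPsec itself: IKE, NAT-T and ESP arriving from the ISP side.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

    # L2TP control channel only after IPsec decryption, never on raw eth0
    # (the policy would drop it anyway; the explicit rule documents intent).
    $IPT -A INPUT -i "$IPSEC_IF" -p udp --dport 1701 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 1701 -j DROP

    # Rules for interfaces that do not exist yet: ppp+ covers every pppN.
    $IPT -A INPUT -i ppp+ -p udp --dport 53 -j ACCEPT      # DNS on the router
    $IPT -A FORWARD -i ppp+ -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o ppp+ -j ACCEPT
}

# Returns 0 when neither INPUT nor FORWARD ends up with an ACCEPT policy;
# meant for checking the rule set in dry-run mode before applying it.
default_deny_ok() {
    out=$( (IPT="echo iptables"; build_rules) )
    ! printf '%s\n' "$out" | grep -E -q -- '-P (INPUT|FORWARD) ACCEPT'
}

# Counts the rules that rely on the ppp+ wildcard (3 in this rule set).
ppp_wildcard_rules() {
    (IPT="echo iptables"; build_rules) | grep -c -- ' ppp+ '
}

if [ "${1:-}" = "--apply" ]; then
    (IPT=iptables; build_rules)
else
    build_rules     # print the commands so they can be reviewed first
fi
```

Run without arguments to see the generated iptables commands, then with --apply on the router. The two FORWARD rules are the ones that replace the ACCEPT policy: a user whose ppp interface appears later is matched by the wildcard, while anything else still hits DROP.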

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/