
2-way NAT on a VPN

Discussion in 'Tomato Firmware' started by rs232, Oct 18, 2011.

rs232, Network Guru Member

Hi all, I have a problem I'm trying to solve.

I have two sites: site 1 has one Tomato router, while site 2 has two Tomato routers.
As it is at the moment:

    Site 1
    Router A IP:

    Site 2
    Router B IP
    Router C IP

On site 2 the routers connect to the Internet using different ISPs. All the Internet connections have asymmetric speed (10Mb down, 1Mb up). As I already have a VPN set up between router A and router B, I wanted to enable a secondary VPN between router A and router C.

I actually did it already (TUN interface), but I'm having some trouble using the secondary link. Mine is more of a design question, by the way...

- I thought about having two default gateways set on site 2 with different metrics, but this will not work, as router B will always be preferred even if its WAN interface is down, so not good

- I thought of using RIP to publish the site 1 subnet on site 2... but the Tomato implementation of RIP is very basic and I was not able to make it work on a VPN interface

- I tried to use OSPF with Quagga (quagga.net); again, it works on the LAN but not on the VPN side

- A virtual IP between router B and C would be nice, but it is not possible as yet, AFAIK

- Finally I came to the conclusion that I could have secondary IP addresses on certain devices (e.g. the NAS) and route the primary IP via A-B and the secondary (for e.g. rsync replication) via A-C.

I can think of two ways to achieve this, but please feel free to contradict me:

1) A 2-way NAT where one virtual IP on site 1 ( points to a real IP on site 2 ( and the other way around (virtual -> real
Has anybody tried a 2-way NAT over a VPN on Tomato before? I predict a few extra lines of iptables due to the bridge interface in use...

2) Add a new secondary subnet on both sites, e.g.
    Site 1)
    Site 2)

Route these subnets using the A-C VPN, adding an alias on Tomato's br0 (e.g. br0:1 / br0:1

The second solution seems more straightforward to me, but I'm sure I'm missing something... Does adding a br0:1 alias involve any other step to enable the secondary VPN communication?

Thanks for letting me share my daily brain dump with you!
    rs232 :)
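Added example (not from the original post or from Tomato's own firmware scripts): a shell script that prints the router A side of both options above as iptables/ip commands, so the rules can be reviewed before being pasted into Tomato's firewall script. Every address and interface name is an assumption for illustration, since the post's IPs did not survive extraction: 192.168.1.0/24 is site 1's LAN, 192.168.2.50 is the NAS's real address at site 2, 10.100.1.50 is the virtual address site 1 hosts will use for it, tun12 is the A-C OpenVPN TUN interface, and 10.10.1.0/24 and 10.10.2.0/24 are the secondary subnets of option 2. Option 1 is a 1:1 NAT: DNAT in PREROUTING rewrites the virtual destination to the real host, SNAT in POSTROUTING rewrites the real host's source to the virtual address when it initiates toward site 1, and conntrack reverses each translation for the replies.

```shell
#!/bin/sh
# Added example: 1:1 ("two-way") NAT and secondary-subnet routing for one
# host across an OpenVPN TUN link on a Tomato/iptables router (router A).
# All addresses and interface names below are ASSUMPTIONS for illustration.

# Option 1: 1:1 NAT of one virtual IP (seen by site 1) to one real IP (site 2).
# Args: virtual_ip real_ip vpn_if lan_if. Prints the rules instead of running
# them so they can be reviewed and pasted into Administration > Scripts > Firewall.
nat_rules() {
    virtual="$1"; real="$2"; vpn="$3"; lan="$4"
    cat <<EOF
ip route add $real/32 dev $vpn
iptables -t nat -A PREROUTING -i $lan -d $virtual -j DNAT --to-destination $real
iptables -t nat -A POSTROUTING -o $lan -s $real -j SNAT --to-source $virtual
iptables -I FORWARD -i $lan -o $vpn -d $real -j ACCEPT
iptables -I FORWARD -i $vpn -o $lan -s $real -j ACCEPT
EOF
}

# Option 2: secondary subnet on br0 (alias) routed over the A-C tunnel.
# Args: local_alias_cidr remote_subnet vpn_if lan_if.
# The remote router (C) needs the mirror image: its own alias and a route to
# the site 1 secondary subnet via its TUN interface.
alias_rules() {
    alias_cidr="$1"; remote="$2"; vpn="$3"; lan="$4"
    cat <<EOF
ip addr add $alias_cidr dev $lan label $lan:1
ip route add $remote dev $vpn
iptables -I FORWARD -i $lan -o $vpn -d $remote -j ACCEPT
iptables -I FORWARD -i $vpn -o $lan -s $remote -j ACCEPT
EOF
}

# Stand-alone usage with the assumed values.
echo "# Option 1 (1:1 NAT) on router A:"
nat_rules 10.100.1.50 192.168.2.50 tun12 br0
echo "# Option 2 (secondary subnet) on router A:"
alias_rules 10.10.1.1/24 10.10.2.0/24 tun12 br0
```

Two caveats worth checking before relying on either option. For option 1, the virtual address must actually reach router A: if it is picked from site 1's own LAN subnet, hosts will ARP for it on the LAN and the router will never see the packet, so either choose it from a subnet that site 1 hosts route through router A (as above) or add it to br0 so the router answers ARP for it. For option 2, the LAN hosts that get a secondary address also need a route to the remote secondary subnet via the br0:1 address, and the TUN link must carry both secondary subnets (OpenVPN's route/iroute settings on the A-C tunnel), otherwise the kernel route on the router is not enough.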
