IP routes and iptables for GGSN/PGW

In order to seal off subscribers from each other in your network, but also be able to ping/ssh subscribers when administrating the YateUCN locally, the usage of iptables will help.

Depending on the settings of the tunnel, if the PDN tunnel has an explicit gateway (interface defined as x.x.x.x/nn/y.y.y.y) then it’s the gateway’s job to block access between subscribers.

If no explicit gateway is defined (interface defined as x.x.x.x/nn) you can use something like:

iptables -A FORWARD -i tun-pdn -o tun-pdn -j DROP

Unified LTE/GSM+GPRS core network, including SGSN, GGSN, GMSC, MME, SGW, PGW
See the product here ››

You will still be able to ping/ssh/etc from YateUCN as by default the local address selected towards subscribers will be x.x.x.x (owned by the tun-pdn interface itself).

Note that user plane packets will be routed by kernel’s “default” table, together with pretty much everything else.

When an explicit gateway is defined we install a policy routing rule separating user plane traffic:

tun_init_external=tun_config.sh “${tunnel}” “1400” “”

# ip rule show
0: from all lookup local
150: from lookup tun-pdn
32766: from all lookup main
32767: from all lookup default

# ip route show table tun-pdn
default via y.y.y.y dev enp0s31f6

# ip route show table local

broadcast dev tun-pdn proto kernel scope link src
local dev tun-pdn proto kernel scope host src
broadcast dev tun-pdn proto kernel scope link src

All user packets go to y.y.y.y, the only exception is which is routed by table “local” at highest priority.

Our solutions