Short version
I’m looking at doing away with all my bridges and wanting to go full routing but I’m at a loss. When creating a Route, you can only specify a single address or a range (which is defined by subnet, which is not ideal for closely spaced IPs). Is there a way you can predefine certain addresses the route can be applied to?
Longer version
I have multiple VPN connections settling on multiple bridges (my way of isolating certain segments of the network), but I would like to do away with the bridges so that broadcasts can be sent to specific points instead of being broadcast all over. I would imagine this not only being beneficial to “general” traffic but it might also help with the SNMP requests being sent every few minutes (LibreNMS).
There is no way to use a list of prefixes as a dst-address of a single route.
The usual approach is to use a dynamic routing protocol such as OSPF or BGP.
Another approach might be to use mangle rules (which can match on dst-address-list) to assign routing-mark values, and have just a default route for each routing-mark value, but it is just moving the problem somewhere else - instead of N routes via the same gateway, you will have a single route but N items in the address-list. With dynamic routing protocols, you’ll still have N routes but you won’t have to configure them manually.
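The address-list plus routing-mark approach described in that reply, written out as an added RouterOS v6 CLI example (this is not configuration from the original thread). The list name, mark name, host addresses and the tunnel next-hop 10.255.0.2 are placeholders; the unreachable fallback route is an extra safeguard added here, not something the reply mentions.

```routeros
# Added example in RouterOS v6 syntax; names and addresses are placeholders.
# The hosts to reach via the tunnel to site A. An address-list takes single
# hosts and arbitrary ranges, so closely spaced IPs need no subnet alignment.
/ip firewall address-list
add list=site-a-hosts address=10.20.0.5 comment="server A1"
add list=site-a-hosts address=10.20.0.9 comment="server A2"
add list=site-a-hosts address=10.20.0.20-10.20.0.23 comment="range, not a /30"

# Mark packets whose destination is in the list. prerouting only sees
# transit traffic; packets the router itself originates (its own SNMP or
# ping to those hosts) must be marked in chain=output as well.
/ip firewall mangle
add chain=prerouting dst-address-list=site-a-hosts \
    action=mark-routing new-routing-mark=to-site-a passthrough=no
add chain=output dst-address-list=site-a-hosts \
    action=mark-routing new-routing-mark=to-site-a passthrough=no

# One default route per mark. Marked packets are looked up in table
# "to-site-a"; all other packets keep using the main table as before.
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.0.2 routing-mark=to-site-a \
    check-gateway=ping distance=1 comment="site A via tunnel"
# If the tunnel route goes inactive, the lookup would otherwise fall back
# to the main table and send site A traffic out the normal default route
# in the clear. A higher-distance unreachable route in the same table
# keeps it on the router instead.
add dst-address=0.0.0.0/0 type=unreachable routing-mark=to-site-a \
    distance=2 comment="no fallback to main for site A"
```

On RouterOS v7 the table has to be declared first (`/routing table add name=to-site-a fib`) and the route uses `routing-table=to-site-a` instead of `routing-mark=`; the mangle rules are unchanged. Adding or removing a host is then a single address-list entry, which is the trade-off the reply describes: N list items rather than N routes.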
Routes are selected by netmask so the granularity is by increasing powers of 2, however it is possible to use routing marks and lookups in alternate routing tables in specific scenarios.
Unless you are using EoIP or BCP to create layer 2 (ethernet) VPN connections, broadcasts are irrelevant; they will not be transmitted over layer 3 (IP) VPN connections.
So I can basically set up OSPF and the router will learn which IPs are on which interfaces, and I can simply restrict access from one section to another with a firewall rule as I currently do (maybe using interface lists instead of bridges)?
tdw, I use OVPN connections, set for ethernet, and the connection gets attached to a bridge on both the local and remote side. Hence my assumption that they use broadcasting to get things done.
No. As you have a layer 2 network using OpenVPN TAP, it is a single broadcast domain and the usual IP-over-ethernet mechanisms apply, e.g. ARP to discover the MAC address associated with a particular IP address.
You could do something hacky with bridge filters to block broadcast/multicast as required, but it is something else to maintain / get wrong. Unless you particularly need ethernet access, e.g. proprietary non-IP protocols or discovery tools which only work within a local network / broadcast domain, it would be better to reorganise using IP VPNs.
Plain IPsec can be challenging if you haven’t deployed it before as you do not get interfaces for the tunnelled traffic; some people use IPsec-encapsulated GRE tunnels, or you can use L2TP/IPsec, which is reasonably straightforward to set up. There are also the less efficient SSTP and OpenVPN TUN protocols, which can both suffer from TCP-in-TCP meltdown.
The PPP-like protocols can have routes attached to the PPP secrets for the connection, so they are inserted into the routing table when the VPN client connects; both the PPP-like protocols and IP tunnels can be used with OSPF.
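The pieces that reply recommends, put together as an added RouterOS v6 CLI example (not configuration from anyone in the thread): an L2TP/IPsec server whose PPP secret carries a route, a GRE-over-IPsec tunnel with OSPF learning the networks behind it, and interface lists doing the segmentation the bridges used to do. Every name, address, key and the single SNMP target are placeholders; replace the pre-shared keys before use.

```routeros
# Added example in RouterOS v6 syntax; all names, keys and addresses are placeholders.

# 1. L2TP/IPsec for site B. The route in the secret is installed when the
#    client connects and removed when it drops, so nothing is hand-edited
#    under /ip route for this site.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="REPLACE-WITH-STRONG-PSK" default-profile=default
/ppp secret add name=site-b password="REPLACE-ME" service=l2tp \
    local-address=10.255.1.1 remote-address=10.255.1.2 \
    routes="192.168.20.0/24 10.255.1.2 1"
# Static binding gives the tunnel a fixed interface name for the lists below.
/interface l2tp-server add name=l2tp-site-b user=site-b

# 2. GRE inside IPsec to site C, with OSPF instead of static routes.
/interface gre add name=gre-site-c local-address=198.51.100.10 \
    remote-address=203.0.113.20 ipsec-secret="REPLACE-WITH-STRONG-PSK"
/ip address add address=10.255.2.1/30 interface=gre-site-c
/routing ospf instance set default router-id=10.255.2.1
/routing ospf network add network=10.255.2.0/30 area=backbone
/routing ospf interface add interface=gre-site-c network-type=point-to-point
# Advertise the local LAN without sending OSPF hellos onto it.
/routing ospf network add network=192.168.10.0/24 area=backbone
/routing ospf interface add interface=ether2-lan passive=yes

# 3. Segmentation by interface list rather than by bridge. Dynamic
#    interfaces still have to be members, hence the static L2TP binding.
/interface list add name=lan
/interface list add name=vpn-sites
/interface list member add list=lan interface=ether2-lan
/interface list member add list=vpn-sites interface=l2tp-site-b
/interface list member add list=vpn-sites interface=gre-site-c
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Only the monitoring host may poll SNMP at the remote sites.
add chain=forward in-interface-list=lan out-interface-list=vpn-sites \
    src-address=192.168.10.50 protocol=udp dst-port=161 action=accept \
    comment="LibreNMS SNMP to remote sites"
add chain=forward in-interface-list=vpn-sites out-interface-list=vpn-sites \
    action=drop comment="no site-to-site transit"
add chain=forward in-interface-list=vpn-sites out-interface-list=lan \
    action=drop comment="remote sites cannot initiate to LAN"
```

With this layout there is no broadcast domain spanning the tunnels, so the SNMP polls are the only traffic crossing them, and whether a given host is reachable is decided by the forward chain rather than by which bridge a port happens to be on. `/ip route print` should then show the site B route appear and disappear with the L2TP session and the site C networks marked as OSPF-learned.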