This happens because of router redundancy. Case in point: suppose
vampire is selected via IPv6 router discovery, but radius owns the
external tunnel. Then vampire will forward the packet over the
backbone to radius, which mustn't reject it.
(This isn't a security problem because the untrusted network isn't (by
definition) trusted very much for anything.
## House hosts.
defhost radius
hosttype router
- iface eth0 dmz unsafe safe default
- iface eth1 dmz unsafe safe default
+ iface eth0 dmz unsafe safe untrusted default
+ iface eth1 dmz unsafe safe untrusted default
iface eth2 safe
iface eth3 untrusted default
iface t6-he default
iface eth3 untrusted
defhost vampire
hosttype router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
+ iface eth0.0 dmz unsafe untrusted safe
+ iface eth0.1 dmz unsafe untrusted safe
iface eth0.2 safe
iface eth0.3 untrusted
iface dns0 iodine