I'm trying to set up a Linux router using Arch for my house.
The setup is pretty basic:
ISP --> Modem --> Arch Router doing NAT and DHCP Server --> Switch --> My local network
If I boot into my Arch install without anything configuring my interfaces at boot, I can do this:
****Manually set an ip on the lan0 interface and bring it up****
# ip address add dev lan0 192.168.0.1/24
# ip link set dev lan0 up
****Set up the wan0 interface using dhcp****
# dhcpcd wan0
****Tell iptables to enable NAT****
# iptables --table nat -A POSTROUTING -o wan0 -j MASQUERADE
****Tell kernel to do forwarding****
# echo 1 > /proc/sys/net/ipv4/ip_forward
****Start my preconfigured DHCP server, which works great****
# systemctl start dhcpd4
and everything works great. A client connected to the LAN interface can get an IP from the DHCP server, and can access the Internet without a problem.
What I want to do is have systemd-networkd configure my interfaces exactly the same way as I did it.
To do this, I do this:
****Configure wan0 interface using dhcp****
# vim /etc/systemd/network/wan.network
    [Match]
    Name=wan0
    [Network]
    DHCP=ipv4
    [DHCP]
    UseHostname=false
****Configure lan0 interface statically****
# vim /etc/systemd/network/lan.network
    [Match]
    Name=lan0
    [Address]
    Address=192.168.0.1/24
This results in both interfaces being configured at boot, but IP forwarding no longer works. Clients on the LAN interface can no longer access the Internet.
Note: Yes, I re-enabled /proc/sys/net/ipv4/ip_forward and the iptables masquerading rule.
I noticed in "man systemd.network" that the .network files can have the following 2 options:
IPForward=ipv4
    IPMasquerade=yes
A Google search reveals that these are fairly new additions to systemd, but not much on how exactly I should use them. I tried a few things, like adding IPForward=ipv4 to both the lan.network and wan.network files in the [Network] sections, and IPMasquerade=yes in the wan.network file in the [Network] section, but it didn't help. The clients still have problems accessing the Internet.
Anyone know what systemd is doing that's blocking ip forwarding? If I do masquerading with IPMasquerade, does that mean I no longer need the iptables rule that does it?
Last edited by tal (2015-05-31 16:43:18)
http://cgit.freedesktop.org/systemd/sys … 835011#n69
CHANGES WITH 220:
        [..]
        * Note that systemd-networkd manages the sysctl variable
          /proc/sys/net/ipv[46]/conf/*/forwarding for each interface
          it is configured for since v219. The variable controls IP
          forwarding, and is a per-interface alternative to the global
          /proc/sys/net/ipv[46]/ip_forward. This setting is
          configurable in the IPForward= option, which defaults to
          "no". This means if networkd is used for an interface it is
          no longer sufficient to set the global sysctl option to turn
          on IP forwarding! Instead, the .network file option
          IPForward= needs to be turned on! Note that the
          implementation of this behaviour was broken in v219 and has
          been fixed in v220.
Maybe you're seeing the broken behaviour, although this doesn't explain in what way it was broken exactly.
And you might not need to run the iptables command anymore if you set the IPMasquerade option.
> Maybe you're seeing the broken behaviour, although this doesn't explain in what way it was broken exactly.
> And you might not need to run the iptables command anymore if you set the IPMasquerade option.
Wow - I actually am running systemd 219. If this is the problem, it explains everything!
I'm going to see if I can upgrade systemd and try again - thanks!
I configured the router using the following settings under systemd 219:
****Configure wan0 interface using dhcp****
# vim /etc/systemd/network/wan.network
    [Match]
    Name=wan0
    [Network]
    DHCP=ipv4
    IPForward=ipv4
    [DHCP]
    UseHostname=false
****Configure lan0 interface statically****
# vim /etc/systemd/network/lan.network
    [Match]
    Name=lan0
    [Address]
    Address=192.168.0.1/24
    [Network]
    IPForward=ipv4
    IPMasquerade=yes
I rebooted the system, and the client had no Internet connectivity.
I then enabled the testing repo and upgraded systemd to 220, changing nothing else, rebooted the Arch router, and it works.
The problem is definitely the bug in 219. Thanks Raynman!
For anyone else messing with an Arch router trying to get the new systemd to work:
You are NOT required to turn on ip forwarding systemwide by modifying /proc/sys/net/ipv4/ip_forward, either manually, or by a file in /etc/sysctl.d/ (as I had been doing). Specifying IPForward=ipv4 in both .network files as I did above sets the following interface-specific files to "1", which is enough for ip forwarding:
/proc/sys/net/ipv4/conf/wan0/forwarding
/proc/sys/net/ipv4/conf/lan0/forwarding
You are also definitely NOT required to use the iptables masquerade rule anymore - setting IPMasquerade=yes on the LAN interface is enough for systemd to enable masquerading.
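The per-interface behaviour quoted from the systemd NEWS file earlier in the thread, and confirmed in the post above, fails silently: the global sysctl can read 1 while the interfaces networkd manages read 0, and the only symptom is that clients lose connectivity. The script below is an added example, not code from the thread or from systemd. It reads the per-interface forwarding knobs for each router interface and fails if any of them is off. The sysctl root is passed as a parameter, and make_fixture builds a constructed directory tree standing in for /proc/sys/net/ipv4, so the logic can be exercised without root; the interface names wan0 and lan0 are the thread's. Later systemd releases replaced IPForward= with IPv4Forwarding= and IPv6Forwarding=, but the sysctl files networkd writes are the same, so the check applies unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): verify that IPv4 forwarding is really on
# for each router interface.
#
# The kernel copies a write to net.ipv4.ip_forward into every
# conf/<iface>/forwarding, but systemd-networkd then writes its own value to
# conf/<iface>/forwarding for each link it configures (from IPForward=, which
# defaults to "no"). So the global knob can read 1 while wan0/lan0 read 0.
#
# Usage: sh check-forwarding.sh --live wan0 lan0
# The sysctl root is a parameter only so the check can be run against a
# constructed fixture tree without root (see make_fixture below).

check_forwarding() {
    root=$1; shift
    rc=0
    global=$(cat "$root/ip_forward" 2>/dev/null || echo "?")
    echo "global ip_forward=$global (informational; per-interface values decide)"
    for ifc in "$@"; do
        knob="$root/conf/$ifc/forwarding"
        if [ ! -r "$knob" ]; then
            echo "$ifc: missing $knob (interface absent or down)"
            rc=1
            continue
        fi
        val=$(cat "$knob")
        if [ "$val" = "1" ]; then
            echo "$ifc: forwarding=1 ok"
        else
            echo "$ifc: forwarding=$val NOT forwarding; set IPForward=ipv4 in its .network file"
            rc=1
        fi
    done
    return $rc
}

# Constructed test data, not real sysctl output: mirrors the thread's failure,
# where the global knob is 1 but networkd has left wan0 at 0.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf/wan0" "$dir/conf/lan0"
    echo 1 > "$dir/ip_forward"
    echo 0 > "$dir/conf/wan0/forwarding"
    echo 1 > "$dir/conf/lan0/forwarding"
    echo "$dir"
}

# Reading sysctls needs no privileges, so the live check works as any user.
if [ "${1:-}" = "--live" ]; then
    shift
    check_forwarding /proc/sys/net/ipv4 "$@"
fi
```

Run it after every systemd upgrade or .network change on the router; a non-zero exit means at least one interface will silently drop transit traffic regardless of what /etc/sysctl.d says.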
I would strongly advise against using networkd's IPMasquerade. According to [1], networkd will switch to using nftables for this functionality. When this switch happens you will be forced to change your configuration. You will need to either change back to using iptables directly for masquerading or migrate your router's entire firewall configuration to nftables. Otherwise your system will be left trying to use iptables and nftables simultaneously.
> Otherwise your system will be left trying to use iptables and nftables simultaneously.
Interesting. I don't think I heard about nftables until now. Maybe I'll try switching over to it - I don't have that many rules that I'd need to convert to the nftables syntax.
Even if I was to stick with iptables, would that just mean that systemd would automatically make a single nftables rule to do masquerading, which would have very little impact on any input, output or forward chain rules in iptables? I don't know for sure, but it doesn't sound like using both iptables and nftables at the same time (assuming that is possible at all) would be all that difficult in this case, since nftables would be configured by systemd automatically and iptables wouldn't need to worry about it.
I don't know for sure, but I think you are right in that nftables rules for masquerading (postrouting and prerouting hooks) would not affect iptables rules in the filter table. So if the configuration remains simple it may not be a problem.
> I don't know for sure, but I think you are right in that nftables rules for masquerading (postrouting and prerouting hooks) would not affect iptables rules in the filter table. So if the configuration remains simple it may not be a problem.
Interesting. I'll have to test that when I get around to it, and when systemd actually switches over to nftables.
Either way, thanks for posting about systemd and nftables - I didn't know that - definitely something to watch out for.
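The switch warned about a few posts up did happen: since systemd 245, IPMasquerade= is implemented with nftables, and networkd loads its NAT rules into a table of its own beside whatever the administrator has loaded. For a router that needs more than a masquerade rule, the cleaner arrangement, and the migration the reply above contemplates, is to drop IPMasquerade= from lan.network and carry NAT and the forward filter in one nftables ruleset. The script below is an added example, not configuration from the thread or from systemd: it emits and loads such a ruleset for the two-interface router discussed here. wan0, lan0 and 192.168.0.0/24 are the thread's values (overridable through the environment); the chain layout, the choice to route only LAN-originated flows, and the traffic permitted to the router itself are assumptions to adjust. Note that the rules shown in the thread consist of the masquerade rule alone, with no forward filter, so the router would pass any packet the WAN side delivered for a LAN address; the drop policy on the forward chain closes that. IPv6 is not handled, matching the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): one nftables ruleset that
# does NAT and stateful forward filtering for the router described above.
# Assumptions: interface names and LAN prefix below, IPv4 only, nothing exposed
# on the WAN side. Disable IPMasquerade= in lan.network before loading this,
# since "flush ruleset" would otherwise fight networkd's own NAT table.
set -u

WAN=${WAN:-wan0}
LAN=${LAN:-lan0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Emit the ruleset as text so it can be reviewed, diffed against
# "nft list ruleset", or tested without root.
router_ruleset() {
    cat <<EOF
flush ruleset

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # LAN clients may talk to the router itself (DHCP server, SSH, ...)
        iifname "$LAN" accept
        # WAN: ICMP, plus DHCP replies for dhcpcd on the WAN link
        iifname "$WAN" meta l4proto icmp accept
        iifname "$WAN" udp sport 67 udp dport 68 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only flows originating from the LAN prefix are routed to the WAN;
        # their replies come back through the established/related rule.
        iifname "$LAN" oifname "$WAN" ip saddr $LAN_NET accept
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Replaces both "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
        # and IPMasquerade=yes in lan.network.
        oifname "$WAN" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Parse only (no root needed); returns nft's exit status.
check_ruleset() {
    router_ruleset | nft -c -f -
}

# Parse, then load atomically. Requires root and the nft binary.
apply_ruleset() {
    check_ruleset && router_ruleset | nft -f -
}

# Usage: WAN=wan0 LAN=lan0 sh router-nft.sh apply   (or "check", or "show")
case "${1:-}" in
    show)  router_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
esac
```

To make it persistent on Arch, save the output of "show" to /etc/nftables.conf and enable nftables.service, and keep iptables out of the picture entirely; running both frameworks on the same hooks, as the thread worries, works only as long as nobody has to reason about the combined ordering.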