Two networks - one for LAN, second for INTERNET

waldauf · 2017-05-29 08:57:06

Hello,

I have two networks:
* wired - for company LAN (no Internet)
* wifi - for INTERNET

If I conncet to wifi I can get to the Internet. But after connect wire I can get only to company LAN but no to the Internet (wifi is still connected). Can I ask you for help - how to set to get to both net spaces - LAN and INTERNET?

# ip route
default via 10.88.14.1 dev enp0s31f6 proto static metric 20100  .................. company LAN
default via 192.168.43.1 dev wlp1s0 proto static metric 20600    .................. wifi Internet
10.88.14.0/24 dev enp0s31f6 proto kernel scope link src 10.88.14.115 metric 100 
192.168.43.0/24 dev wlp1s0 proto kernel scope link src 192.168.43.173 metric 600

Waldauf

brebs · 2017-05-29 09:17:16

Since the wired company LAN does not provide a route to the Internet, the "default via 10.88.14.1 dev enp0s31f6" entry should not exist.

waldauf · 2017-05-29 09:36:25

brebs wrote:

Since the wired company LAN does not provide a route to the Internet, the "default via 10.88.14.1 dev enp0s31f6" entry should not exist.

I tried to remove this route but then I can get to the Internet but not to the Company's site:

# ip route flush dev enp0s31f6

My route table:

# ip route                    
default via 192.168.43.1 dev wlp1s0 proto static metric 20600 
10.88.14.0/24 dev enp0s31f6 proto kernel scope link src 10.88.14.115 metric 100 
192.168.43.0/24 dev wlp1s0 proto kernel scope link src 192.168.43.173 metric 600

Last edited by waldauf (2017-05-29 09:37:12)

Lone_Wolf · 2017-05-29 11:14:44

try adding a route like this :

10.0.0.0/8 via 10.88.14.1 dev enp0s31f6

waldauf · 2017-05-29 13:52:11

Lone_Wolf wrote:

try adding a route like this :
10.0.0.0/8 via 10.88.14.1 dev enp0s31f6

Unfortunately didn't help.

ewaller · 2017-05-29 15:21:42

How are you identifying hosts on the company LAN? By hostname? Have you tried by IP? In other words, can you ping a known address on the LAN?
What are the contents of /etc/resolv.conf ?

waldauf · 2017-05-30 14:47:25

I'm identified by 802.1x security (PEAP) on LAN. I must type my user/passwd to get LAN IP.

Now, when I'm writing this, I'm connected to both - Wifi (internet) and LAN. Wifi is working but when I'm trying to get to LAN Web I got this error message in web browser:

This site can’t be reached

wiki.kb.cz’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

... so does that mean there is problem with DNS?

My resolv.conf with connecting to both sites:

cat /etc/resolv.conf
# Generated by resolvconf
search ds.kb.cz
nameserver 192.168.43.1 .... wifi DNS
nameserver 10.6.35.36
nameserver 10.6.67.36
nameserver 10.6.33.36
nameserver 10.6.65.36

Without LAN I have only wifi DNS in resolve.conf.

My route table now:

default via 192.168.43.1 dev wlp1s0 proto static metric 600 
default via 10.88.14.1 dev enp0s31f6 proto static metric 20100 
10.88.14.0/24 dev enp0s31f6 proto kernel scope link src 10.88.14.115 metric 100 
192.168.43.0/24 dev wlp1s0 proto kernel scope link src 192.168.43.173 metric 600

Last edited by waldauf (2017-06-01 13:09:15)

Lone_Wolf · 2017-05-31 20:04:06

please post output from :

drill wiki.kb.cz
drill @192.168.43.1 wiki.kb.cz
drill @10.6.35.36 wiki.kb.cz

drill is in package ldns.
NOTE: i'm assuming wiki.kb.cz is one of the sites you want to access through company lan

waldauf · 2017-06-01 13:13:19

@Lone_Wolf: You're right "wiki.kb.cz" is LAN site (I fixed resolv.conf in previous post). There are outputs from drill:

drill wiki.kb.cz

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 337
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; wiki.kb.cz.  IN      A

;; ANSWER SECTION:
wiki.kb.cz.     85489   IN      A       10.6.114.13

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.6.67.36
;; WHEN: Thu Jun  1 15:07:26 2017
;; MSG SIZE  rcvd: 44

drill @192.168.43.1 wiki.kb.cz

Error: error sending query: Could not send or receive, because of network error

drill @10.6.35.36 wiki.kb.cz

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4725
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; wiki.kb.cz.  IN      A

;; ANSWER SECTION:
wiki.kb.cz.     56227   IN      A       10.6.114.13

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.6.35.36
;; WHEN: Thu Jun  1 15:08:05 2017
;; MSG SIZE  rcvd: 44

Last edited by waldauf (2017-06-01 13:23:37)

waldauf · 2017-06-01 13:23:07

Next what I found out:

We have proxy server. But I think it is not problem with proxy server

My colleague has Ubuntu and he can work with Wifi and LAN without any additional configuration:

His /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.6.35.36
nameserver 10.6.67.36
nameserver 10.6.33.36
search ds.kb.cz

His ip route table:

default via 10.88.14.1 dev enp0s25  proto static  metric 100 
default via 10.3.72.1 dev wlp3s0  proto static  metric 600 
10.3.72.0/21 dev wlp3s0  proto kernel  scope link  src 10.3.77.151  metric 600 
10.6.10.153 via 10.88.14.1 dev enp0s25  proto dhcp  metric 100 
10.6.10.153 via 10.3.72.1 dev wlp3s0  proto dhcp  metric 600 
10.88.14.0/24 dev enp0s25  proto kernel  scope link  src 10.88.14.134  metric 100 
169.254.0.0/16 dev wlp3s0  scope link  metric 1000

His interfaces:

2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:21:cc:c8:0e:10 brd ff:ff:ff:ff:ff:ff
    inet 10.88.14.134/24 brd 10.88.14.255 scope global dynamic enp0s25
       valid_lft 684243sec preferred_lft 684243sec
    inet6 fe80::9eb7:79:e3f3:316b/64 scope link 
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 8c:70:5a:ea:13:18 brd ff:ff:ff:ff:ff:ff
    inet 10.3.77.151/21 brd 10.3.79.255 scope global dynamic wlp3s0
       valid_lft 4990sec preferred_lft 4990sec
    inet6 fe80::f1cf:a51d:b4ae:9960/64 scope link 
       valid_lft forever preferred_lft forever

Lone_Wolf · 2017-06-01 13:55:31

Your colleague uses a different wifi network then you.

the wifi network he connects with is 10.3.77.151/21 , you connect with 192.168.43.0/24 .

I could be wrong, but your wifi connection looks like it uses a consumer network (like most of us have at home) .
His wifi connection looks like it goes over the kind of guest network a company would setup for guests / employees.

Can you connect to the wifi network your colleague uses ?

waldauf · 2017-06-01 14:18:13

Yes my colleague uses company's WIFI which is weak in space I'm working. So that's why I'm using cell phone hotspot or USB 3G modem.

This is my configuration when I'm connected to company's WIFI. My interfaces:

2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b8:81:98:00:bc:c5 brd ff:ff:ff:ff:ff:ff
    inet 10.3.73.6/21 brd 10.3.79.255 scope global dynamic wlp1s0
       valid_lft 14134sec preferred_lft 14134sec
    inet6 fe80::6f3f:b74e:34ca:1ab8/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether c8:5b:76:07:5a:71 brd ff:ff:ff:ff:ff:ff
    inet 10.88.14.115/24 brd 10.88.14.255 scope global dynamic enp0s31f6
       valid_lft 691139sec preferred_lft 691139sec
    inet6 fe80::d3dd:d5ed:4136:cd3a/64 scope link 
       valid_lft forever preferred_lft foreve

Route table:

default via 10.88.14.1 dev enp0s31f6 proto static metric 20100 
default via 10.3.72.1 dev wlp1s0 proto static metric 20600 
10.3.72.0/21 dev wlp1s0 proto kernel scope link src 10.3.73.6 metric 600 
10.88.14.0/24 dev enp0s31f6 proto kernel scope link src 10.88.14.115 metric 100

And resolv.conf:

# Generated by resolvconf
search ds.kb.cz
nameserver 10.6.35.36
nameserver 10.6.67.36
nameserver 10.6.33.36
nameserver 10.6.65.36
nameserver 10.7.107.10

In my mind was born one question: Is it possible that LAN connection could block any other connections? In meaning - company doesn't want to use another connection (cell phone hotspot/3g modem) simultaneously with LAN....?

Lone_Wolf · 2017-06-01 14:47:37

They probably have setup their network so the nameservers only allow 2 things : company lan + everything else through company wifi network .

If it's indeed dns-based, ip-address based communication should still work .

In theory you might be able to use your personal wifi to ssh to a trusted machine and access internet that way.
Keep in mind that there's very likely a company policy forbidding that.

waldauf · 2017-06-01 14:54:57

I'm afraid the's the snag.... I have to find out how it is with network policy (it is little bit complicated, but that's my challenge).

@Lone_Wolf - thank you for your help!

Arch Linux

#1 2017-05-29 08:57:06

Two networks - one for LAN, second for INTERNET

#2 2017-05-29 09:17:16

Re: Two networks - one for LAN, second for INTERNET

#3 2017-05-29 09:36:25

Re: Two networks - one for LAN, second for INTERNET

#4 2017-05-29 11:14:44

Re: Two networks - one for LAN, second for INTERNET

#5 2017-05-29 13:52:11

Re: Two networks - one for LAN, second for INTERNET

#6 2017-05-29 15:21:42

Re: Two networks - one for LAN, second for INTERNET

#7 2017-05-30 14:47:25

Re: Two networks - one for LAN, second for INTERNET

#8 2017-05-31 20:04:06

Re: Two networks - one for LAN, second for INTERNET

#9 2017-06-01 13:13:19

Re: Two networks - one for LAN, second for INTERNET

#10 2017-06-01 13:23:07

Re: Two networks - one for LAN, second for INTERNET

#11 2017-06-01 13:55:31

Re: Two networks - one for LAN, second for INTERNET

#12 2017-06-01 14:18:13

Re: Two networks - one for LAN, second for INTERNET

#13 2017-06-01 14:47:37

Re: Two networks - one for LAN, second for INTERNET

#14 2017-06-01 14:54:57

Re: Two networks - one for LAN, second for INTERNET

Board footer