
#1 2021-09-18 13:56:05

Morta
Member
Registered: 2019-07-07
Posts: 655

Routing with two Gateway

I have a router at 192.168.11.1 and a server on eth1 with 192.168.11.162; behind the server is a laptop (enp2s0) which gets the IP 10.42.0.115 from the server's eth2 (10.42.0.1).
I forwarded the internet with iptables and forward=1 as in the Arch Wiki, but the router is not reachable from the laptop. Why? And how can I add a route to the laptop's interface so that I can reach all IPs in 192.168.11.0/24?


#2 2021-09-18 19:51:26

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Hi,

Internet ---------------- Router1 ---------------- Router/Server ---------------- Laptop
                                   192.168.11.0/24                10.42.0.0/16

Do you have this set up? (Network Mask might be wrong, but the solutions are still the same).

If so, the laptop should have a default route to Router/Server.
I believe Router1 does not know the route to 10.42.0.0/16.

You can either:
- Do NAT on Router/Server (from 10.42.0.0 to 192.168.11.0) using the nat table with iptables (simple and straightforward).
- Add a route on Router1 that uses Router/Server to reach 10.42.0.0/24 (if Router1 hosts a DHCP server, you might want to add this new route as an option so all DHCP clients can configure their routing tables accordingly).


#3 2021-10-05 09:08:56

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Yes, I have this setup.

I added a route on the server but nothing happened.

How do I show the iptables rules?


#4 2021-10-05 12:41:23

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Routing with two Gateway

10.0.0.0/8 and 192.168.0.0/16 are both private IP addresses.
Routers don't route between such networks by default.

Using NAT would lead to a double NAT mapping (one on Router1, a second on Router/Server), and those tend to create lots of issues.

The 2nd option mentioned by Koatao seems to give the most chance.

Routes need to be added/verified on both routers; please post the routing tables (ip route) for them.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#5 2021-10-05 15:11:35

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Lone_Wolf wrote:

10.0.0.0/8 and 192.168.0.0/16 are both private IP addresses.
Routers don't route between such networks by default.

Using NAT would lead to a double NAT mapping (one on Router1, a second on Router/Server), and those tend to create lots of issues.

The 2nd option mentioned by Koatao seems to give the most chance.

Routes need to be added/verified on both routers; please post the routing tables (ip route) for them.

I don't have SSH access to my Zyxel router.
I can only add routes over the web interface.

https://abload.de/img/a9c235d9-f502-4e9b-8bhyjyb.png

Routing Table IPv4 Webinterface Zyxel Router

Routing Table
Routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet.

The table below shows IPv4 and IPv6 routing information. The IPv4 subnet mask is ‘255.255.255.255’ for a host destination and ‘0.0.0.0’ for the default route. The gateway address is written as ‘*’(IPv4)/‘::’(IPv6) if none is set.

Destination: This indicates the destination IPv4 address or IPv6 address and prefix of this route.
Gateway: This indicates the IPv4 address or IPv6 address of the gateway that helps forward this route's traffic.
Subnet Mask: This indicates the destination subnet mask of the IPv4 route.
Flag: This indicates the route status.
U-Up: The route is up.
!-Reject: The route is blocked and will force a route lookup to fail.
G-Gateway: The route uses a gateway to forward traffic.
H-Host: The target of the route is a host.
R-Reinstate: The route is reinstated for dynamic routing.
D-Dynamic (redirect): The route is dynamically installed by a routing daemon or redirect.
M-Modified (redirect): The route is modified from a routing daemon or redirect.
Metric: The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the number, the lower the "cost".
Interface: This indicates the name of the interface through which the route is forwarded.
IPv4 Routing Table
Destination 	Gateway 	Subnet Mask 	Flag 	Metric 	Interface
0.0.0.0 	85.195.234.1 	0.0.0.0 	UG 	0 	eth5.3
85.195.234.0 	0.0.0.0 	255.255.255.0 	U 	0 	eth5.3
192.168.11.0 	0.0.0.0 	255.255.255.0 	U 	0 	br0
239.0.0.0 	0.0.0.0 	255.0.0.0 	U 	0 	br0

ip route on server/router for laptop

[morta@5erver data]$ ip route
default via 192.168.11.1 dev enp2s0 proto dhcp metric 101 
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev enp5s0 proto kernel scope link src 192.168.1.2 linkdown 
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 101 
192.168.68.0/24 dev wg0 proto kernel scope link src 192.168.68.1 
192.168.228.0/24 dev tun0 proto kernel scope link src 192.168.228.1 
[morta@5erver data]$ arp -a
? (10.42.0.114) at 80:6d:97:0d:ed:b9 [ether] on enp6s0
_gateway (192.168.11.1) at 50:e0:39:2e:d3:f3 [ether] on enp2s0
? (192.168.11.222) at 84:fd:d1:fd:30:36 [ether] on enp2s0
? (192.168.11.47) at e4:5f:01:41:ce:9b [ether] on enp2s0
? (192.168.11.139) at 80:6d:97:0d:ed:b9 [ether] on enp6s0
? (192.168.1.1) at 90:50:5a:55:46:38 [ether] PERM on enp5s0
? (192.168.11.139) at 84:fd:d1:fd:30:36 [ether] on enp2s0

Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code

Last edited by Slithery (2021-10-11 12:23:40)


#6 2021-10-06 03:38:35

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Hello,

As we mentioned before, you need to add a route to 10.42.0.0/24 via 10.42.0.1 (5erver) ON the Zyxel router.

Given the routing table of 5erver, the network architecture seems a bit more complex than what you told us. If adding the required route to the Zyxel router doesn't work, then do a tracepath from your laptop to 192.168.11.1 and dump the Netfilter filter and nat table configurations on 5erver:

laptop$ tracepath 192.168.11.1
5erver# iptables -nvL
5erver# iptables -t nat -nvL

(if iptables is used)
Moreover, you can capture network traffic on 5erver with CLI tools like tcpdump and tshark (wireshark-cli). By analysing the IP headers of packets coming from the laptop, you should be able to understand where the failure happens.

Last edited by Koatao (2021-10-06 04:06:49)


#7 2021-10-06 07:55:09

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

https://abload.de/img/1cf4c404-271d-4b1c-9i4khe.jpeg

10.42.0.115 is the IP of the laptop.

Sorry, it is 10.42.0.114; I corrected it on the router.

Is this correct?


Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code

Last edited by Slithery (2021-10-11 12:23:14)


#8 2021-10-06 09:07:07

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Hi, yes, it seems correct; you could have just used the whole network 10.42.0.0/24 as the destination IP too.

One way to find out if it is good is to test it. Can the laptop and the Zyxel router communicate with each other now?


#9 2021-10-06 15:53:17

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Koatao wrote:

Hi, yes, it seems correct; you could have just used the whole network 10.42.0.0/24 as the destination IP too.

One way to find out if it is good is to test it. Can the laptop and the Zyxel router communicate with each other now?

I can't enter the whole range, only one IP.

I will try again, but from the smartphone I can't ping
10.42.0.114 (laptop).


I can reach the local NAS and other stuff in the network, but there is no more internet on the laptop, only the local network; also I can't ping the router (192.168.11.1) or reach its web interface.

[morta@lapt0p ~]$ ping 192.168.11.1 (Router)
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
Von 192.168.11.222 icmp_seq=1 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=2 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=3 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=4 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=5 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=6 Zielhost nicht erreichbar
^C
--- 192.168.11.1 ping statistics ---
8 Pakete übertragen, 0 empfangen, +6 Fehler, 100% packet loss, time 7088ms
pipe 4
[morta@lapt0p ~]$ ping 10.42.0.1 (Gateway 2, Server)
PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
64 Bytes von 10.42.0.1: icmp_seq=1 ttl=64 Zeit=68.4 ms
64 Bytes von 10.42.0.1: icmp_seq=2 ttl=64 Zeit=0.404 ms
64 Bytes von 10.42.0.1: icmp_seq=3 ttl=64 Zeit=0.445 ms
^C
--- 10.42.0.1 ping statistics ---
3 Pakete übertragen, 3 empfangen, 0% packet loss, time 2024ms
rtt min/avg/max/mdev = 0.404/23.088/68.417/32.051 ms
[morta@lapt0p ~]$ ping 10.42.0.114 (Laptop)
PING 10.42.0.114 (10.42.0.114) 56(84) bytes of data.
64 Bytes von 10.42.0.114: icmp_seq=1 ttl=64 Zeit=0.060 ms
64 Bytes von 10.42.0.114: icmp_seq=2 ttl=64 Zeit=0.058 ms
64 Bytes von 10.42.0.114: icmp_seq=3 ttl=64 Zeit=0.138 ms
64 Bytes von 10.42.0.114: icmp_seq=4 ttl=64 Zeit=0.060 ms
^C
--- 10.42.0.114 ping statistics ---
4 Pakete übertragen, 4 empfangen, 0% packet loss, time 3049ms
rtt min/avg/max/mdev = 0.058/0.079/0.138/0.034 ms
[morta@lapt0p ~]$ ping 192.168.11.162 (Server)
PING 192.168.11.162 (192.168.11.162) 56(84) bytes of data.
64 Bytes von 192.168.11.162: icmp_seq=1 ttl=64 Zeit=0.353 ms
64 Bytes von 192.168.11.162: icmp_seq=2 ttl=64 Zeit=0.389 ms
64 Bytes von 192.168.11.162: icmp_seq=3 ttl=64 Zeit=0.394 ms
64 Bytes von 192.168.11.162: icmp_seq=4 ttl=64 Zeit=0.397 ms
64 Bytes von 192.168.11.162: icmp_seq=5 ttl=64 Zeit=0.315 ms
64 Bytes von 192.168.11.162: icmp_seq=6 ttl=64 Zeit=0.317 ms
64 Bytes von 192.168.11.162: icmp_seq=7 ttl=64 Zeit=0.399 ms
64 Bytes von 192.168.11.162: icmp_seq=8 ttl=64 Zeit=0.306 ms

Why? Do I have to adjust the iptables rules?

#!/bin/bash
#Delete old NetworkManager Connections
nmcli connection delete local
nmcli connection delete local-nas

#NetworkManager forward IPv4&IPv6 to Laptop
nmcli connection add type ethernet ifname enp6s0 ipv4.method shared con-name local
nmcli connection modify local ipv6.method shared
nmcli c mod enp2s0 ipv6.token ::deca:fbad:c0:ffee

#NetworkManager forward IPv4 to NAS
nmcli connection add type ethernet ifname enp5s0 ipv4.method shared con-name local-nas
nmcli connection modify local-nas ipv6.method shared

#Forward Internet to Laptop with Iptables
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
iptables -A FORWARD -i enp5s0 -o enp2s0 -j ACCEPT   # NAS interface is enp5s0 (the posted line had the typo enp5so)

Last edited by Morta (2021-10-06 16:27:59)


#10 2021-10-07 07:06:27

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Morta wrote:

I can’t enter the whole range only one ip.

Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on networking nor on Zyxel's router configuration.

Sharing a connection with NetworkManager (ipv4.method shared) on 5erver should work fine as it is. The last 5 lines of your script are redundant; you should remove them to avoid any collision with NetworkManager.
Something must be messed up on 5erver or the laptop.
Please print the outputs of the commands below:

laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolved
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# ss -ltunp

Besides, what device has the ip address 192.168.11.222? How is it connected to the rest of the infrastructure?

Last edited by Koatao (2021-10-07 07:07:01)


#11 2021-10-07 08:01:11

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Koatao wrote:
Morta wrote:

I can’t enter the whole range only one ip.

Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on networking nor on Zyxel's router configuration.

Sharing a connection with NetworkManager (ipv4.method shared) on 5erver should work fine as it is. The last 5 lines of your script are redundant; you should remove them to avoid any collision with NetworkManager.
Something must be messed up on 5erver or the laptop.
Please print the outputs of the commands below:

laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolved
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# ss -ltunp

Besides, what device has the ip address 192.168.11.222? How is it connected to the rest of the infrastructure?

192.168.11.222 is the laptop connected over Ethernet, but it has two IPs; 192.168.1.222 & 10.42.0.114 are wired. I disconnected WLAN when I did the connectivity test of the laptop over LAN.

Koatao wrote:

Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on networking nor on Zyxel's router configuration.

https://abload.de/img/zyxeli9jrb.png

I can't enter 0/24 instead of 114. Or did I misunderstand you?

LAPTOP

ip a

[morta@lapt0p ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
3: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.193.1/24 brd 192.168.193.255 scope global dynamic vmnet1
       valid_lft 1513sec preferred_lft 1288sec
    inet6 fe80::8820:5214:6066:f42f/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:1/64 scope link 
       valid_lft forever preferred_lft forever
4: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.130.1/24 brd 192.168.130.255 scope global dynamic vmnet8
       valid_lft 1513sec preferred_lft 1288sec
    inet6 fe80::cbf6:56e:9959:3067/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever
5: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 84:fd:d1:fd:30:36 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.139/24 brd 192.168.11.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 73914sec preferred_lft 73914sec
    inet6 2a02:168:a774:0:8506:5c61:51e4:5fa/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 4294967101sec preferred_lft 4294967101sec
    inet6 2a02:168:a774:0:d661:9368:8e60:8aff/64 scope global dynamic noprefixroute 
       valid_lft 4294960299sec preferred_lft 4294960299sec
    inet6 fe80::3793:476a:7e95:7656/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2f16:6517:4fb3:e987/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.222/32 scope global noprefixroute enp58s0u1u3c2
       valid_lft forever preferred_lft forever
    inet 10.42.0.114/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
       valid_lft 808sec preferred_lft 147sec
    inet6 fe80::dea0:8e28:3f7:6843/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::41d0:7fea:8405:d9cf/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

ip r

[morta@lapt0p ~]$ ip r
default via 192.168.11.1 dev wlp0s20f3 proto dhcp metric 600 
default via 192.168.11.1 dev wlp0s20f3 proto dhcp src 192.168.11.139 metric 3005 
192.168.11.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.11.139 metric 600 
192.168.11.1 dev enp58s0u1u3c2 proto static scope link metric 20100 
192.168.130.0/24 dev vmnet8 proto dhcp scope link src 192.168.130.1 metric 1004 
192.168.193.0/24 dev vmnet1 proto dhcp scope link src 192.168.193.1 metric 1003 
[morta@lapt0p ~]$ 

cat /etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search home

-------------------------

Server

[root@5erver system-connections]# ls
enp2s0.nmconnection  local-nas.nmconnection  local.nmconnection

cat local.nmconnection

[root@5erver system-connections]# cat local.nmconnection 
[connection]
id=local
uuid=2a6c0f4b-cda0-40d5-9992-60c849157688
type=ethernet
interface-name=enp6s0
permissions=

[ethernet]
mac-address-blacklist=

[ipv4]
dns-search=
method=shared

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=shared

ip a

[root@5erver system-connections]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c6 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c7 brd ff:ff:ff:ff:ff:ff
4: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0
       valid_lft forever preferred_lft forever
5: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c9 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b9fa:d7bf:6edd:7775/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
6: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:e7:ab:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0
       valid_lft 54590sec preferred_lft 54590sec
    inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute 
       valid_lft 4294962267sec preferred_lft 4294962267sec
    inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:96:3f:fd:30 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

ip r

[root@5erver system-connections]# ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102 
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 103 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102
[root@5erver system-connections]# iptables -nvL
Chain INPUT (policy ACCEPT 50M packets, 90G bytes)
 pkts bytes target     prot opt in     out     source               destination         
1156K  659M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 4766  285K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
 1162 67612 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:873
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:873
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:6680

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
49254   51M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 8006  495K ACCEPT     all  --  enp6s0 enp2s0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  enp5so enp2s0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 45M packets, 156G bytes)
 pkts bytes target     prot opt in     out     source               destination         
1156K  659M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
[root@5erver system-connections]# sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 128K packets, 8398K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 124K packets, 8142K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 47129 packets, 5059K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3960 packets, 245K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   376 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
43168 4813K MASQUERADE  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0   
 [root@5erver system-connections]# ss -ltunp
Netid       State        Recv-Q       Send-Q                  Local Address:Port               Peer Address:Port       Process                                                                                                                
udp         UNCONN       0            0                           10.42.0.1:53                      0.0.0.0:*           users:(("dnsmasq",pid=92561,fd=6))                                                                                    
udp         UNCONN       0            0                             0.0.0.0:67                      0.0.0.0:*           users:(("dnsmasq",pid=92561,fd=4))                                                                                    
udp         UNCONN       0            0                             0.0.0.0:5060                    0.0.0.0:*           users:(("OoklaServer",pid=1264,fd=9))                                                                                 
udp         UNCONN       0            0                             0.0.0.0:8080                    0.0.0.0:*           users:(("OoklaServer",pid=1264,fd=10))                                                                                
tcp         LISTEN       0            64                            0.0.0.0:8080                    0.0.0.0:*           users:(("OoklaServer",pid=1264,fd=6))                                                                                 
tcp         LISTEN       0            32                          10.42.0.1:53                      0.0.0.0:*           users:(("dnsmasq",pid=92561,fd=7))                                                                                    
tcp         LISTEN       0            128                           0.0.0.0:22                      0.0.0.0:*           users:(("sshd",pid=860,fd=3))                                                                                         
tcp         LISTEN       0            10                          127.0.0.1:9756                    0.0.0.0:*           users:(("pritunl",pid=799,fd=8))                                                                                      
tcp         LISTEN       0            5                             0.0.0.0:3551                    0.0.0.0:*           users:(("apcupsd",pid=1388,fd=5))                                                                                     
tcp         LISTEN       0            64                            0.0.0.0:5060                    0.0.0.0:*           users:(("OoklaServer",pid=1264,fd=4))                                                                                 
tcp         LISTEN       0            4096                        127.0.0.1:27017                   0.0.0.0:*           users:(("mongod",pid=1384,fd=12))                                                                                     
tcp         LISTEN       0            5                             0.0.0.0:873                     0.0.0.0:*           users:(("rsync",pid=855,fd=5))                                                                                        
tcp         LISTEN       0            80                            0.0.0.0:3306                    0.0.0.0:*           users:(("mariadbd",pid=891,fd=21))                                                                                    
tcp         LISTEN       0            511                                 *:80                            *:*           users:(("/usr/bin/httpd",pid=10241,fd=4),("/usr/bin/httpd",pid=6985,fd=4),("/usr/bin/httpd",pid=6984,fd=4),("/usr/bin/httpd",pid=6983,fd=4),("/usr/bin/httpd",pid=6982,fd=4),("/usr/bin/httpd",pid=6979,fd=4))
tcp         LISTEN       0            4096                                *:4243                          *:*           users:(("dockerd",pid=1382,fd=10))                                                                                    
tcp         LISTEN       0            32                                  *:21                            *:*           users:(("vsftpd",pid=1990,fd=3))                                                                                      
tcp         LISTEN       0            128                              [::]:22                         [::]:*           users:(("sshd",pid=860,fd=4))                                                                                         
tcp         LISTEN       0            4096                                *:3000                          *:*           users:(("grafana-server",pid=1158,fd=8))                                                                              
tcp         LISTEN       0            511                                 *:443                           *:*           users:(("/usr/bin/httpd",pid=10241,fd=6),("/usr/bin/httpd",pid=6985,fd=6),("/usr/bin/httpd",pid=6984,fd=6),("/usr/bin/httpd",pid=6983,fd=6),("/usr/bin/httpd",pid=6982,fd=6),("/usr/bin/httpd",pid=6979,fd=6))
tcp         LISTEN       0            4096                                *:444                           *:*           users:(("pritunl-web",pid=1711,fd=3))                                                                                 
tcp         LISTEN       0            4096                                *:9090                          *:*           users:(("prometheus",pid=1387,fd=8))                                                                                  
tcp         LISTEN       0            100                [::ffff:127.0.0.1]:5000                          *:*           users:(("rtorrent main",pid=872,fd=15))                                                                               
tcp         LISTEN       0            5                                [::]:873                        [::]:*           users:(("rsync",pid=855,fd=6))                                                                                        
tcp         LISTEN       0            80                               [::]:3306                       [::]:*           users:(("mariadbd",pid=891,fd=24))                                                                                    
tcp         LISTEN       0            4096                                *:9100                          *:*           users:(("prometheus-node",pid=1386,fd=3))                                                                             
tcp         LISTEN       0            4096                                *:55085                         *:*           users:(("rtorrent main",pid=872,fd=14))                                                                               
tcp         LISTEN       0            512                                 *:8686                          *:* 

Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code

Last edited by Slithery (2021-10-11 12:22:55)


#12 2021-10-07 08:43:01

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Routing with two Gateway

Morta wrote:
Koatao wrote:

Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.

https://abload.de/img/zyxeli9jrb.png

I can't enter 0/24 instead of 114. Or did i misunderstood you?

Check https://www.manualslib.com/products/Zyx … 65483.html , chapter 4

Last edited by Lone_Wolf (2021-10-07 08:43:32)




#13 2021-10-07 09:00:48

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Zyxel router:
My bad! I made a mistake telling you the route is 10.42.0.114 via 10.42.0.1; it is via 192.168.11.162 (the interface of 5erver on the same network as the Zyxel router).

Laptop:
It is already connected to the 192.168.11.0/24 network through wlp0s20f3 and enp58s0u1u3c2.
The routing table indicates it will try to reach 192.168.11.1 with enp58s0u1u3c2, and that default (internet, for example) is using 192.168.11.139, reached through wlp0s20f3.
enp58s0u1u3c2 is also connected to the 10.42.0.0/24 network but has no route configured for it.
So it is a mess. Was the output obtained directly after a reboot?

5erver:
the mess is on the firewall:
- filter table:
    - For each chain the policy is ACCEPT and there are no rules with a DROP or REJECT target in it. There is no filtering done at the moment.
    - If there were some filtering done (with a policy of DROP, or rules with a DROP or REJECT target at some point), you would be, networking-wise, locked out of your 5erver because you don't have any rule matching ESTABLISHED,RELATED traffic in the INPUT chain.
    - You also might need to allow your DHCP server and DNS server (dnsmasq) to be reached on enp6s0 (as NetworkManager will use it to set up the shared connection).
- nat table:
    - There is the same rule about 7 times, which shouldn't exist anyway. Why would you MASQUERADE in both directions?

If you use NetworkManager's shared connection feature, everything should be set up automatically (on Netfilter and dnsmasq).
If NetworkManager is correctly configured once, you don't have to run your script (with nmcli and iptables lines) multiple times after that.

Advice:
At some point, you will have to learn about networking, firewalls, iproute2 and Netfilter; otherwise, you will keep getting stuck with buggy stuff or worse, like getting hacked.
Start simple, understand what you do. After that, you can add some more complexity to it.

Last edited by Koatao (2021-10-07 09:02:39)

Offline

#14 2021-10-07 10:02:40

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Lone_Wolf wrote:
Morta wrote:
Koatao wrote:

Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.

https://abload.de/img/zyxeli9jrb.png

I can't enter 0/24 instead of 114. Or did I misunderstand you?

Check https://www.manualslib.com/products/Zyx … 65483.html , chapter 4

Either I'm blind or there is no way to route to a /24 subnet.

Offline

#15 2021-10-07 10:13:31

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Koatao wrote:

Zyxel router:
My bad! I made a mistake telling you the route is 10.42.0.114 via 10.42.0.1; it is via 192.168.11.162 (the interface of 5erver on the same network as the Zyxel router).

Laptop:
It is already connected to the 192.168.11.0/24 network through wlp0s20f3 and enp58s0u1u3c2.
The routing table indicates it will try to reach 192.168.11.1 through enp58s0u1u3c2, and that the default route (internet, for example) uses 192.168.11.139, reached through wlp0s20f3.
enp58s0u1u3c2 is also connected to the 10.42.0.0/24 network but has no route configured for it.
So it is a mess. Was the output obtained directly after a reboot?

5erver:
The mess is in the firewall:
- filter table:
    - For each chain the policy is ACCEPT and there are no rules with a DROP or REJECT target in it. No filtering is done at the moment.
    - If there were some filtering (a DROP policy, or rules with a DROP or REJECT target at some point), you would be locked out of your 5erver, networking-wise, because you don't have any rule matching ESTABLISHED,RELATED traffic in the INPUT chain.
    - You also might need to allow your DHCP server and DNS server (dnsmasq) to be reached on enp6s0 (as NetworkManager will use it to set up the shared connection).
- nat table:
    - The same rule is there something like 7 times, and it shouldn't exist anyway. Why would you MASQUERADE in both directions?

If you use NetworkManager's shared connection feature, everything should be set up automatically (on Netfilter and dnsmasq).
If NetworkManager is correctly configured once, you don't have to run your script (with nmcli and iptables lines) multiple times after that.

Advice:
At some point, you will have to learn about networking, firewalls, iproute2 and Netfilter; otherwise, you will keep getting stuck with buggy stuff, or worse, getting hacked.
Start simple, understand what you do. After that, you can add some more complexity to it.

Thanks for your time!

The firewall configuration on the server isn't finished.
The masquerade rules are there multiple times because I executed the rc.local script more than once, due to an error in the coreutils package.

I know the NM rules are persistent, but when I disconnect the docking station the laptop's reconnect fails, so I only had to re-execute the script.

I'm not very familiar with iptables, you're right.
The only thing is that a good firewall doesn't filter with only accept and drop.

I don't know why, but NM doesn't forward the internet connection to the laptop, so I studied the Arch wiki and forwarded the internet with iptables and the kernel.

You can consider the laptop's wireless connection obsolete. I only used it to reach the web interface of the router, and my goal is to not use it in the local network.

So I will give these steps a try:
- adjust the routing on the router
- delete all iptables rules on the server
- check whether NM provides internet and the local network from the server to the laptop
- set up a firewall for the server which deserves the name ;-)

Any thoughts?

Last edited by Morta (2021-10-07 10:14:00)

Offline

#16 2021-10-07 15:42:19

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

I still have no internet when I forward with NM... Does NM need iptables?

I also can't reach the router 192.168.11.1, but I can reach the other local devices....

What am I doing wrong?

- iptables off on the server
- NM works with internet, but sometimes it breaks up, like it's sleeping. How can I change that?

I did this to get the DNS from the router on the laptop:

[root@lapt0p dispatcher.d]# cat 20-reslov.sh 
#!/bin/sh
# NetworkManager dispatcher script: $1 is the interface, $2 the action
case "$2" in
    up)
        # resolv.conf needs "nameserver" lines; write both in one go,
        # since a second ">" would overwrite the first
        printf 'nameserver %s\nnameserver %s\n' 192.168.11.1 10.42.0.1 > /etc/resolv.conf
        ;;
esac

The NetworkManager of the laptop is working.... It disconnects every time.

Are you sure the routing of 10.42.0.114 via 192.168.11.162 is right?

Or is something else an error...

Is it that the laptop receives two IPv4 addresses, 10.42.0.114 and 192.168.11.222?

Last edited by Morta (2021-10-07 17:06:49)

Offline

#17 2021-10-08 01:18:47

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Problem is: we don't have any clue what your configuration currently is, since you rely on weird custom scripts (instead of relying on actual proven software and its configuration) and feed us «obsolete» or irrelevant information. Plus you continue to do stuff and modify other things, so whatever could have been true at some point in time may not be true now. Mix that with a partial understanding of most of what you did and you have a broken infrastructure.

Do 1 thing at a time and do it right (in a reliable way).
1st: reboot 5erver and laptop to get rid of any manual, non-permanent configuration you may have done (and forgot to undo). AND get rid (meaning make sure they don't run at boot time) of those broken scripts of yours.
2nd: Execute these commands right after the reboot.

laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolv.conf
laptop$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# cat /etc/resolv.conf
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

List of commands will be extended after we have an insight of what is running.
3rd: connect the Zyxel router and 5erver on the same network (that should be already done with Zyxel router with 192.168.11.1 IP address and 5erver with 192.168.11.162 on interface enp2s0).
4th: connect the laptop and 5erver on the same network, configure a DHCP server (like dnsmasq) on 5erver to serve the laptop.
5th: configure 5erver to route traffic between 192.168.11.0/24 and 10.42.0.0/24 (we will not use NetworkManager's shared feature).
6th: tests
7th: save config

Do 1st and 2nd. We will work from there.

find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

This command is to find which network manager or network-related services are running.

Last edited by Koatao (2021-10-08 01:22:19)

Offline
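What steps 3 to 7 of this plan end up as on 5erver, together with the two firewall points from post #13 (no ESTABLISHED,RELATED rule in INPUT, and the same MASQUERADE rule stacked seven times), as an added example that is not Koatao's or Morta's code. It generates a complete ruleset for iptables-restore, so loading it replaces the previous rules instead of appending to them, and it includes a small check that reports duplicated rules in `iptables -S` output. Interface names and subnets (enp2s0 toward the Zyxel router, enp6s0 toward the laptop, 10.42.0.0/24) are the ones from the thread; the set of allowed ports and the optional `nat` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# for a Linux host that routes between an uplink LAN and a second LAN.
# Interface names and subnets are the thread's; the allowed ports are an
# assumption.

# gen_rules UPLINK_IF LAN_IF LAN_NET [nat]
#   UPLINK_IF  interface toward the upstream router (thread: enp2s0)
#   LAN_IF     interface toward the laptop (thread: enp6s0, 10.42.0.1)
#   LAN_NET    the laptop's subnet (thread: 10.42.0.0/24)
#   nat        optional: masquerade LAN_NET behind UPLINK_IF, for the case
#              where the upstream router has no static route to LAN_NET
gen_rules() {
    uplink=$1; lan=$2; lan_net=$3; nat=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to this host's own traffic. Without this rule a DROP policy locks
# you out of the box, including the SSH session you loaded it from.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# DHCP and DNS for the laptop side (dnsmasq binds to $lan).
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# Management: SSH from both LANs. Anything else listening on 0.0.0.0 stays
# unreachable from the network unless it is added here.
-A INPUT -p tcp --dport 22 -j ACCEPT
# Plain routing between the two networks, both directions, no NAT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $uplink -s $lan_net -j ACCEPT
-A FORWARD -i $uplink -o $lan -d $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    # Exactly one MASQUERADE rule, on the uplink, and only when asked for.
    if [ "$nat" = nat ]; then
        echo "-A POSTROUTING -s $lan_net -o $uplink -j MASQUERADE"
    fi
    echo COMMIT
}

# dup_rules: read "iptables -S <chain>" output on stdin and print every rule
# that occurs more than once. Appending rules from a script that runs
# repeatedly produces exactly this (the thread's POSTROUTING chain had the
# same MASQUERADE rule 7 times).
dup_rules() {
    sort | uniq -d
}

# Usage on the router host, as root (the FORWARD chain sees no traffic at
# all unless forwarding is on):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_rules enp2s0 enp6s0 10.42.0.0/24 | iptables-restore
#   iptables-save > /etc/iptables/iptables.rules   # what Arch's iptables.service loads
#   iptables -t nat -S POSTROUTING | dup_rules     # prints nothing once rules are clean
# For hosts on 192.168.11.0/24 to reach the laptop without NAT, the upstream
# router (or each host) needs the static route 10.42.0.0/24 via 192.168.11.162.
```

Because iptables-restore replaces the filter and nat tables wholesale, running the script twice gives the same result as running it once, which is what the appended rc.local rules lacked. If NAT is needed at all it belongs on the uplink interface (the `nat` argument above), since that is where the laptop's source addresses have to be hidden from a router that knows nothing about 10.42.0.0/24. Two caveats that follow from this thread's own output: Docker installs its own FORWARD chains (DOCKER-USER, DOCKER-ISOLATION-STAGE-1/2) when it starts, so restart docker.service after loading a hand-written table, and NetworkManager's `method=shared` on enp6s0 adds its own NAT rule and dnsmasq instance, so, as step 5 says, that connection should be switched to a static address before a ruleset like this one is used.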

#18 2021-10-08 14:35:20

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Koatao wrote:

Problem is: we don't have any clue what your configuration currently is, since you rely on weird custom scripts (instead of relying on actual proven software and its configuration) and feed us «obsolete» or irrelevant information. Plus you continue to do stuff and modify other things, so whatever could have been true at some point in time may not be true now. Mix that with a partial understanding of most of what you did and you have a broken infrastructure.

Do 1 thing at a time and do it right (in a reliable way).
1st: reboot 5erver and laptop to get rid of any manual, non-permanent configuration you may have done (and forgot to undo). AND get rid (meaning make sure they don't run at boot time) of those broken scripts of yours.
2nd: Execute these commands right after the reboot.

laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolv.conf
laptop$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# cat /etc/resolv.conf
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

List of commands will be extended after we have an insight of what is running.
3rd: connect the Zyxel router and 5erver on the same network (that should be already done with Zyxel router with 192.168.11.1 IP address and 5erver with 192.168.11.162 on interface enp2s0).
4th: connect the laptop and 5erver on the same network, configure a DHCP server (like dnsmasq) on 5erver to serve the laptop.
5th: configure 5erver to route traffic between 192.168.11.0/24 and 10.42.0.0/24 (we will not use NetworkManager's shared feature).
6th: tests
7th: save config

Do 1st and 2nd. We will work from there.

find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

This command is to find which network manager or network-related services are running.

Ok. I will do this step by step tomorrow. Today i had a short trip in the hospital because of investigation of my stomach but all fine.

Offline

#19 2021-10-09 11:23:51

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

[root@5erver morta]# iptables -nvL
Chain INPUT (policy ACCEPT 24687 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
   35  2651 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
  143 12493 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
   31  2513 monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 616 packets, 163K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  616  163K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  616  163K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 18996 packets, 117M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
   35  4791 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
   99 13541 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
   27  8154 monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
  616  163K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  616  163K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain monitorix_IN_0 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_3 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_5 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_6 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_7 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_8 (2 references)
 pkts bytes target     prot opt in     out     source               destination      



[root@5erver morta]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 249 packets, 15740 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  140  8138 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 140 packets, 8138 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 89 packets, 9851 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 89 packets, 9851 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    1   328 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp6s0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0      

[root@5erver morta]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c6 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c7 brd ff:ff:ff:ff:ff:ff
4: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0
       valid_lft forever preferred_lft forever
5: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 04:d9:f5:bc:8f:c9 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::9412:6f17:f85e:4419/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
6: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:e7:ab:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0
       valid_lft 85926sec preferred_lft 85926sec
    inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute 
       valid_lft 4294966805sec preferred_lft 4294966805sec
    inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:99:41:22:ae brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
[root@5erver morta]# ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102 
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 101 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102 

[root@5erver morta]# cat /etc/NetworkManager/system-connections/local.nmconnection 
[connection]
id=local
uuid=f7de5869-bd60-4cfa-8eef-97ceb9f81f50
type=ethernet
interface-name=enp6s0
permissions=

[ethernet]
mac-address-blacklist=

[ipv4]
dns-search=
method=shared

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=shared

[proxy]


[root@5erver morta]# ss -ltunp
Netid       State        Recv-Q       Send-Q                  Local Address:Port               Peer Address:Port       Process                                                                                                                
udp         UNCONN       0            0                           10.42.0.1:53                      0.0.0.0:*           users:(("dnsmasq",pid=1606,fd=6))                                                                                     
udp         UNCONN       0            0                             0.0.0.0:67                      0.0.0.0:*           users:(("dnsmasq",pid=1606,fd=4))                                                                                     
udp         UNCONN       0            0                             0.0.0.0:5060                    0.0.0.0:*           users:(("OoklaServer",pid=1507,fd=9))                                                                                 
udp         UNCONN       0            0                             0.0.0.0:39521                   0.0.0.0:*           users:(("OoklaServer",pid=1507,fd=11))                                                                                
udp         UNCONN       0            0                             0.0.0.0:8080                    0.0.0.0:*           users:(("OoklaServer",pid=1507,fd=10))                                                                                
tcp         LISTEN       0            64                            0.0.0.0:5060                    0.0.0.0:*           users:(("OoklaServer",pid=1507,fd=4))                                                                                 
tcp         LISTEN       0            4096                        127.0.0.1:27017                   0.0.0.0:*           users:(("mongod",pid=1638,fd=12))                                                                                     
tcp         LISTEN       0            5                             0.0.0.0:873                     0.0.0.0:*           users:(("rsync",pid=1177,fd=5))                                                                                       
tcp         LISTEN       0            80                            0.0.0.0:3306                    0.0.0.0:*           users:(("mariadbd",pid=1207,fd=22))                                                                                   
tcp         LISTEN       0            64                            0.0.0.0:8080                    0.0.0.0:*           users:(("OoklaServer",pid=1507,fd=6))                                                                                 
tcp         LISTEN       0            32                          10.42.0.1:53                      0.0.0.0:*           users:(("dnsmasq",pid=1606,fd=7))                                                                                     
tcp         LISTEN       0            128                           0.0.0.0:22                      0.0.0.0:*           users:(("sshd",pid=1179,fd=3))                                                                                        
tcp         LISTEN       0            10                          127.0.0.1:9756                    0.0.0.0:*           users:(("pritunl",pid=1116,fd=9))                                                                                     
tcp         LISTEN       0            5                             0.0.0.0:3551                    0.0.0.0:*           users:(("apcupsd",pid=1642,fd=5))                                                                                     
tcp         LISTEN       0            4096                                *:9090                          *:*           users:(("prometheus",pid=1641,fd=3))                                                                                  
tcp         LISTEN       0            4096                                *:55077                         *:*           users:(("rtorrent main",pid=1184,fd=14))                                                                              
tcp         LISTEN       0            100                [::ffff:127.0.0.1]:5000                          *:*           users:(("rtorrent main",pid=1184,fd=15))                                                                              
tcp         LISTEN       0            5                                [::]:873                        [::]:*           users:(("rsync",pid=1177,fd=6))                                                                                       
tcp         LISTEN       0            80                               [::]:3306                       [::]:*           users:(("mariadbd",pid=1207,fd=38))                                                                                   
tcp         LISTEN       0            4096                                *:9100                          *:*           users:(("prometheus-node",pid=1640,fd=3))                                                                             
tcp         LISTEN       0            512                                 *:8686                          *:*           users:(("Lidarr",pid=1171,fd=233))                                                                                    
tcp         LISTEN       0            511                                 *:80                            *:*           users:(("/usr/bin/httpd",pid=1245,fd=4),("/usr/bin/httpd",pid=1244,fd=4),("/usr/bin/httpd",pid=1243,fd=4),("/usr/bin/httpd",pid=1240,fd=4),("/usr/bin/httpd",pid=1168,fd=4))
tcp         LISTEN       0            4096                                *:4243                          *:*           users:(("dockerd",pid=1636,fd=10))                                                                                    
tcp         LISTEN       0            32                                  *:21                            *:*           users:(("vsftpd",pid=2261,fd=3))                                                                                      
tcp         LISTEN       0            128                              [::]:22                         [::]:*           users:(("sshd",pid=1179,fd=4))                                                                                        
tcp         LISTEN       0            4096                                *:3000                          *:*           users:(("grafana-server",pid=1422,fd=8))                                                                              
tcp         LISTEN       0            511                                 *:443                           *:*           users:(("/usr/bin/httpd",pid=1245,fd=6),("/usr/bin/httpd",pid=1244,fd=6),("/usr/bin/httpd",pid=1243,fd=6),("/usr/bin/httpd",pid=1240,fd=6),("/usr/bin/httpd",pid=1168,fd=6))
tcp         LISTEN       0            4096                                *:444                           *:*           users:(("pritunl-web",pid=1977,fd=3)) 

[root@5erver morta]#  find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
apcupsd.service                          | multi-user.target.wants
certbot.service                          | multi-user.target.wants
certbot.timer                            | timers.target.wants
ckb-next-daemon.service                  | multi-user.target.wants
dbus-org.freedesktop.network1.service    | system
dbus-org.freedesktop.nm-dispatcher.service | system
dirmngr.socket                           | sockets.target.wants
docker.service                           | multi-user.target.wants
ethtool@enp2s0.service                   | multi-user.target.wants
getty@tty1.service                       | getty.target.wants
gpg-agent-browser.socket                 | sockets.target.wants
gpg-agent-extra.socket                   | sockets.target.wants
gpg-agent.socket                         | sockets.target.wants
gpg-agent-ssh.socket                     | sockets.target.wants
grafana.service                          | multi-user.target.wants
httpd.service                            | multi-user.target.wants
iptables.service                         | multi-user.target.wants
lidarr.service                           | multi-user.target.wants
mariadb.service                          | multi-user.target.wants
mongodb.service                          | multi-user.target.wants
monitorix.service                        | multi-user.target.wants
NetworkManager.service                   | multi-user.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
ookla.service                            | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
php-fpm7.service                         | multi-user.target.wants
php-fpm.service                          | multi-user.target.wants
pritunl.service                          | multi-user.target.wants
prometheus-node-exporter.service         | multi-user.target.wants
prometheus.service                       | multi-user.target.wants
rclone.service                           | multi-user.target.wants
remote-fs.target                         | multi-user.target.wants
rsyncd.service                           | multi-user.target.wants
rtorrent.service                         | multi-user.target.wants
sshd.service                             | multi-user.target.wants
systemd-networkd.service                 | multi-user.target.wants
systemd-networkd.socket                  | sockets.target.wants
systemd-networkd-wait-online.service     | network-online.target.wants
vsftpd.service                           | multi-user.target.wants

         

----------------------

[morta@lapt0p ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.193.1/24 brd 192.168.193.255 scope global dynamic vmnet1
       valid_lft 1478sec preferred_lft 1253sec
    inet6 fe80::8820:5214:6066:f42f/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:1/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
4: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.130.1/24 brd 192.168.130.255 scope global dynamic vmnet8
       valid_lft 1479sec preferred_lft 1254sec
    inet6 fe80::cbf6:56e:9959:3067/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever
5: wlp0s20f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 2e:47:25:fe:33:39 brd ff:ff:ff:ff:ff:ff permaddr 84:fd:d1:fd:30:36
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.114/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
       valid_lft 3418sec preferred_lft 2968sec

[morta@lapt0p ~]$ ip r
default via 10.42.0.1 dev enp58s0u1u3c2 proto dhcp src 10.42.0.114 metric 1006 
10.42.0.0/24 dev enp58s0u1u3c2 proto dhcp scope link src 10.42.0.114 metric 1006 
192.168.130.0/24 dev vmnet8 proto dhcp scope link src 192.168.130.1 metric 1004 
192.168.193.0/24 dev vmnet1 proto dhcp scope link src 192.168.193.1 metric 1002 

[morta@lapt0p ~]$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
acpid.service                            | multi-user.target.wants
avahi-daemon.service                     | multi-user.target.wants
avahi-daemon.socket                      | sockets.target.wants
bluetooth.service                        | bluetooth.target.wants
brscan-skey.service                      | multi-user.target.wants
ckb-next-daemon.service                  | multi-user.target.wants
cups.path                                | multi-user.target.wants
cups.service                             | printer.target.wants
cups.socket                              | sockets.target.wants
dbus-fi.w1.wpa_supplicant1.service       | system
dbus-org.bluez.service                   | system
dbus-org.freedesktop.Avahi.service       | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
dhcpcd.service                           | multi-user.target.wants
dirmngr.socket                           | sockets.target.wants
displaylink.service                      | graphical.target.wants
display-manager.service                  | system
getty@tty1.service                       | getty.target.wants
gpg-agent-browser.socket                 | sockets.target.wants
gpg-agent-extra.socket                   | sockets.target.wants
gpg-agent.socket                         | sockets.target.wants
gpg-agent-ssh.socket                     | sockets.target.wants
ip6tables.service                        | multi-user.target.wants
iptables.service                         | multi-user.target.wants
linux-modules-cleanup.service            | basic.target.wants
mopidy.service                           | multi-user.target.wants
NetworkManager.service                   | multi-user.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
nvman.service                            | bumblebeed.service.wants
nvman.service                            | graphical.target.wants
nvman.service                            | optimus-manager.service.wants
optimus-manager.service                  | graphical.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-media-session.service           | pipewire.service.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
pritunl-client.service                   | multi-user.target.wants
pulseaudio.socket                        | sockets.target.wants
rclone.service                           | multi-user.target.wants
remote-fs.target                         | multi-user.target.wants
rsyncd.service                           | multi-user.target.wants
smartd.service                           | multi-user.target.wants
sshd.service                             | multi-user.target.wants
systemd-resolved.service                 | multi-user.target.wants
systemd-timesyncd.service                | sysinit.target.wants
teamviewerd.service                      | multi-user.target.wants
tlp.service                              | multi-user.target.wants
vmware-networks.service                  | multi-user.target.wants
vmware-usbarbitrator.service             | multi-user.target.wants
vnstatd.service                          | system
vnstat.service                           | multi-user.target.wants
wpa_supplicant.service                   | multi-user.target.wants
xdg-user-dirs-update.service             | default.target.wants

I have no internet on my laptop over ethernet right now

Last edited by Morta (2021-10-09 11:26:01)

Offline

#20 2021-10-09 11:53:57

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Let's only focus on 5erver atm. We want it to run smoothly before setting up connectivity for the laptop.

Two things are wrong on 5erver:
1) You have two network managers running: systemd-networkd and NetworkManager. Pick one, disable the other (meaning any custom config will have to be ported from the disabled one to the active one).
2) The POSTROUTING chain of the nat table is automatically configured with 7 identical rules that I think are useless (why would you want NAT from anywhere to 10.42.0.0/24?). Remove those rules and find out what is creating them to prevent it from doing it again.

Once this is done, restart 5erver and run those commands: (we want to be sure everything is set up accordingly at this point)

# ip -o a
# ip r
# ls -l /etc/resolv.conf && cat /etc/resolv.conf

Offline

#21 2021-10-09 12:12:38

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

Koatao wrote:

Let's only focus on 5erver atm. We want it to run smoothly before setting up connectivity for the laptop.

Two things are wrong on 5erver:
1) You have two network managers running: systemd-networkd and NetworkManager. Pick one, disable the other (meaning any custom config will have to be ported from the disabled one to the active one).
2) The POSTROUTING chain of the nat table is automatically configured with 7 identical rules that I think are useless (why would you want NAT from anywhere to 10.42.0.0/24?). Remove those rules and find out what is creating them to prevent it from doing it again.

Once this is done, restart 5erver and run those commands: (we want to be sure everything is set up accordingly at this point)

# ip -o a
# ip r
# ls -l /etc/resolv.conf && cat /etc/resolv.conf

Ok. I will do later!

Have you a clue how I can find out what adds these POSTROUTING rules to iptables?

I had only the rc-local script as a startup service.

Monitorix, pritunl, docker and NM(?) can add rules, or do you see any other service that can add rules to iptables?

Last edited by Morta (2021-10-09 12:45:30)

Offline

#22 2021-10-09 14:19:41

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Morta wrote:

Have you a clue how I can find out what adds these POSTROUTING rules to iptables?

iptables.service is enabled according to the command output you gave:

$ cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

As you can see, it restores rules during boot; those rules are saved in /etc/iptables/iptables.rules.
Other than that, you can find info about Netfilter in the logs:
https://wiki.archlinux.org/title/Systemd/Journal
https://man.archlinux.org/man/dmesg.1
But it is not that easy to work your way through it and find what process created the rules.

There may be easier ways, but I don't know them.

Last edited by Koatao (2021-10-09 14:21:38)

Offline

#23 2021-10-09 14:22:21

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

I found in /etc/iptables/iptables.rules

Six times the POSTROUTING rule, so I deleted them!

[morta@5erver cadir]$ sudo systemctl disable systemd-networkd
Removed /etc/systemd/system/multi-user.target.wants/systemd-networkd.service.
Removed /etc/systemd/system/dbus-org.freedesktop.network1.service.
Removed /etc/systemd/system/sockets.target.wants/systemd-networkd.socket.
Removed /etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service
[morta@5erver cadir]$ cd /etc/systemd/network/
[morta@5erver network]$ ls
30-wired.conf  60-wired.conf  interfaces.txt
[morta@5erver network]$ cat 30-wired.conf 
[Match]
Name=enp2s0

[Network]
DHCP=yes
[morta@5erver network]$ cat 60-wired.conf 
[Match]
Name=eth3

[Network]
DHCP=no
[morta@5erver network]$ 

I don't have to port it, because DHCP is automatic and eth3 is not needed. So it should work without porting to NM.

I had a look at the nmconnection files and all used interfaces are configured.

Last edited by Morta (2021-10-09 14:49:06)

Offline
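The iptables.service unit shown above restores /etc/iptables/iptables.rules at boot, and the previous post found the same POSTROUTING rule saved six times. As an added example that is not from the thread, this script lists rules that appear more than once in an iptables-save style dump and emits a cleaned copy; the sample dump and its interface names are constructed.

```shell
# Print each duplicated rule with its table and how many times it appears.
# Reads an iptables-save style dump on stdin; rule lines start with "-A".
report_duplicate_rules() {
    awk '
        /^\*/ { table = $1; next }                  # "*nat", "*filter": current table
        /^-A/ { key = table " " $0
                if (++count[key] == 1) order[++n] = key }
        END   { for (i = 1; i <= n; i++)
                    if (count[order[i]] > 1)
                        printf "%d x %s\n", count[order[i]], order[i] }'
}

# Emit the dump with each rule kept only at its first occurrence in its table;
# table headers, chain policies and COMMIT lines pass through unchanged.
dedupe_rules() {
    awk '
        /^\*/ { table = $1; print; next }
        /^-A/ { if (seen[table " " $0]++) next }
        { print }'
}

# Constructed sample: the same MASQUERADE rule appended on every boot and saved
# back each time, as happens when a start-up script runs "iptables -t nat -A ..."
# unconditionally and the rules are then saved with iptables-save.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp2s0 -j MASQUERADE
-A POSTROUTING -o enp2s0 -j MASQUERADE
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT
COMMIT'

# Usage on the real file (take a backup first, then reload with iptables-restore):
#   report_duplicate_rules < /etc/iptables/iptables.rules
#   dedupe_rules < /etc/iptables/iptables.rules > /tmp/iptables.rules.new
```

Cleaning the saved file only removes the symptom; whatever appends the rule at boot will recreate the duplicates until it is made idempotent (for example by checking with `iptables -C` before `-A`).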

#24 2021-10-09 16:07:47

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Routing with two Gateway

[morta@5erver certs]$ ip -o a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
4: enp5s0    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0\       valid_lft forever preferred_lft forever
5: enp6s0    inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0\       valid_lft forever preferred_lft forever
5: enp6s0    inet6 fe80::9412:6f17:f85e:4419/64 scope link noprefixroute \       valid_lft forever preferred_lft forever
6: enp2s0    inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0\       valid_lft 86367sec preferred_lft 86367sec
6: enp2s0    inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute \       valid_lft 4294967244sec preferred_lft 4294967244sec
6: enp2s0    inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute \       valid_lft forever preferred_lft forever
7: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever
[morta@5erver certs]$ ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102 
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 101 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102 
[morta@5erver certs]$ ls -l /etc/resolv.conf && cat /etc/resolv.conf
-rw-r--r-- 1 root root 277  9. Oct 18:03 /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 77.109.128.2
nameserver 213.144.129.20
nameserver 2001:1620:2777:1::10
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2001:1620:2777:2::20

So that is the information that you wanted...

Offline

#25 2021-10-11 03:37:53

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: Routing with two Gateway

Okay, so now that everything is correctly set up on 5erver, we can try to make it a router.

3rd step is already done.

Let's connect the laptop to it.

What we want to do is to:
- Modify the NM connection named «local»:
removing ipv4.method=shared and manually setting up a static IP address for enp6s0 instead.

$ nmcli connection delete local
$ nmcli connection add con-name local ifname enp6s0 type ethernet ip4 10.42.0.1/24

- Set up a DHCP server:
https://wiki.archlinux.org/title/Networ … ation#DHCP
The server should listen on enp6s0, offer leases on the 10.42.0.0/24 network and use the DHCP options for gateway (option 3) and DNS server (option 6) to be passed on to the host.
https://www.incognito.com/tutorials/dhc … n-english/

- Configure Netfilter:
If the policy of the chain FORWARD of the table filter is DROP, you will have to create rules to route packets between each network. One way to do that:

# iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
# iptables -A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT

Don't forget to make sure 5erver can route packets:

# sysctl -w net.ipv4.ip_forward=1

https://wiki.archlinux.org/title/Sysctl

Once this is done, connect the laptop to the 5erver. On the laptop, the connection should be set up using DHCP, letting NetworkManager configure the gateway and DNS server(s) automatically.

Offline
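As an added example, not part of the thread, the following script checks the pieces the post above sets up on the router host (ip_forward, the static address on enp6s0, the default route via enp2s0, and the FORWARD rules) against command output. The sample outputs are constructed to mirror the 5erver values posted earlier; 10.42.0.1/24 as the LAN address and the two interface names are assumptions taken from those posts.

```shell
LAN_IF=enp6s0    # laptop side (assumed 10.42.0.1/24, as in the thread)
WAN_IF=enp2s0    # side facing the 192.168.11.1 router

# $1: value printed by "sysctl -n net.ipv4.ip_forward"
check_ip_forward() { [ "$1" = "1" ]; }

# $1: output of "ip -o a"; $2: interface; $3: expected address in CIDR form
check_addr() {
    printf '%s\n' "$1" | awk -v i="$2" -v c="$3" \
        '$2 == i && $3 == "inet" && $4 == c { ok = 1 } END { exit !ok }'
}

# $1: output of "ip r"; $2: interface the default route must leave through
check_default_route() {
    printf '%s\n' "$1" | awk -v i="$2" \
        '$1 == "default" && $2 == "via" && $5 == i { ok = 1 } END { exit !ok }'
}

# $1: output of "iptables -S FORWARD". Passes when the chain policy is ACCEPT
# or when both explicit accept rules from the post above are present.
check_forward_rules() {
    printf '%s\n' "$1" | grep -qx -- "-P FORWARD ACCEPT" && return 0
    printf '%s\n' "$1" | grep -qx -- "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" &&
    printf '%s\n' "$1" | grep -qx -- "-A FORWARD -i $WAN_IF -o $LAN_IF -j ACCEPT"
}

# $1..$4: ip_forward value, then the outputs of "ip -o a", "ip r", "iptables -S FORWARD".
# Prints each failed check; returns 0 only when every check passes.
router_ready() {
    rc=0
    check_ip_forward "$1"                  || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    check_addr "$2" "$LAN_IF" 10.42.0.1/24 || { echo "FAIL: $LAN_IF lacks 10.42.0.1/24"; rc=1; }
    check_default_route "$3" "$WAN_IF"     || { echo "FAIL: no default route via $WAN_IF"; rc=1; }
    check_forward_rules "$4"               || { echo "FAIL: FORWARD chain blocks $LAN_IF<->$WAN_IF"; rc=1; }
    return $rc
}

# Live check on the router itself (needs root for iptables):  router_live_check && echo ready
router_live_check() {
    router_ready "$(sysctl -n net.ipv4.ip_forward)" "$(ip -o a)" "$(ip r)" "$(iptables -S FORWARD)"
}

# Constructed sample outputs, modelled on the "ip -o a" / "ip r" posted for 5erver.
SAMPLE_IPA='5: enp6s0    inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0\       valid_lft forever preferred_lft forever
6: enp2s0    inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0\       valid_lft 86367sec preferred_lft 86367sec'
SAMPLE_IPR='default via 192.168.11.1 dev enp2s0 proto dhcp metric 102
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 101'
SAMPLE_FWD_OK='-P FORWARD DROP
-A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT'
```

A passing check only shows the router host itself is configured; whether replies from 192.168.11.0/24 find their way back to 10.42.0.0/24 still depends on the route or NAT choice discussed earlier in the thread.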

Powered by FluxBB