I have a router at 192.168.11.1 and a server on eth1 with 192.168.11.162; behind the server is a laptop (enp2s0) which gets an IP, 10.42.0.115, from eth2 (10.42.0.1) on the server.
I forwarded the internet with iptables and forward=1 like in the Arch Wiki, but the router is not reachable from the laptop. Why? And how can I add a route to the interface on the laptop so that I can reach all IPs in 192.168.11.0/24?
Hi,
Internet ---------------- Router1 ---------------- Router/Server ---------------- Laptop
192.168.11.0/24 10.42.0.0/16
Do you have this set up? (Network Mask might be wrong, but the solutions are still the same).
If so, the laptop should have a default route to Router/Server.
I believe Router1 does not know the route to 10.42.0.0/16.
You can either:
- Do a NAT with Router/Server (from 10.42.0.0 to 192.168.11.0) using NAT table with Iptables (simple and straightforward).
- Add a route to use Router/Server to reach 10.42.0.0/24 on Router1 (if Router1 hosts a DHCP server, you might want to add this new route as an option so all DHCP clients can configure their routing table accordingly).
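As an added example (not a script from any poster in this thread), the following POSIX shell code replays a longest-prefix-match route lookup on routing tables constructed from the addresses quoted in the thread: it shows why Router1 (the Zyxel) sends its reply to the laptop out of the default route until it has a route for 10.42.0.0/24 via 5erver's 192.168.11.162 address, and why a /32 host route only fixes one laptop address. The table contents and interface names come from the thread; the lookup code itself is an assumption, not the router's implementation.

```shell
#!/bin/sh
# Longest-prefix-match route lookup replayed on tables constructed from this
# thread's addresses. Added example; not a poster's script.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lookup TABLE DEST -> "GATEWAY IFACE" of the most specific matching route, or
# "unreachable". TABLE holds one route per line in the Zyxel web UI's column
# order: destination subnet_mask gateway interface (gateway 0.0.0.0 = on-link).
lookup() {
    dst=$(ip2int "$2")
    best_mask=-1
    best=unreachable
    while read -r net mask gw dev; do
        [ -n "$net" ] || continue
        m=$(ip2int "$mask")
        n=$(ip2int "$net")
        # A route matches when the masked destination equals the masked
        # network; among matches the longest mask (largest value) wins.
        if [ $(( dst & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$gw $dev"
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# Zyxel table as posted: a default route and directly connected networks only.
ZYXEL='0.0.0.0 0.0.0.0 85.195.234.1 eth5.3
85.195.234.0 255.255.255.0 0.0.0.0 eth5.3
192.168.11.0 255.255.255.0 0.0.0.0 br0
239.0.0.0 255.0.0.0 0.0.0.0 br0'

# What Morta entered in the web UI: a /32 host route for one laptop address.
ZYXEL_HOST="$ZYXEL
10.42.0.114 255.255.255.255 192.168.11.162 br0"

# What Koatao suggested: the whole laptop network via 5erver's enp2s0 address.
ZYXEL_NET="$ZYXEL
10.42.0.0 255.255.255.0 192.168.11.162 br0"

# 5erver's table reduced to the same four columns (from its ip route output).
SERVER='0.0.0.0 0.0.0.0 192.168.11.1 enp2s0
10.42.0.0 255.255.255.0 0.0.0.0 enp6s0
192.168.11.0 255.255.255.0 0.0.0.0 enp2s0'

echo "5erver forwards the laptop's request to 192.168.11.1 via: $(lookup "$SERVER" 192.168.11.1)"
echo "Zyxel sends the reply to 10.42.0.114 via (no route):       $(lookup "$ZYXEL" 10.42.0.114)"
echo "Zyxel sends the reply to 10.42.0.114 via (/32 route):      $(lookup "$ZYXEL_HOST" 10.42.0.114)"
echo "Zyxel sends a reply to 10.42.0.115 via (/32 route):        $(lookup "$ZYXEL_HOST" 10.42.0.115)"
echo "Zyxel sends a reply to 10.42.0.115 via (/24 route):        $(lookup "$ZYXEL_NET" 10.42.0.115)"
```

The first two lines of output are the failure in the thread: 5erver delivers the echo request on-link, but the Zyxel hands the reply to its ISP gateway because 10.42.0.114 matches nothing but 0.0.0.0/0.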
Yes, I have this setup.
I added a route on the server but nothing happened.
How does it show the iptables rules?
10.0.0.0/8 and 192.168.0.0/16 are both private IP address ranges.
Routers don't route between such networks by default.
Using NAT would lead to a double NAT mapping (one on router1, a 2nd on router/server) and those tend to create lots of issues.
The 2nd option mentioned by Koatao seems to give the most chance.
Routes need to be added/verified on both routers; please post routing tables (ip route) for them.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
10.0.0.0/8 and 192.168.0.0/16 are both private IP address ranges.
Routers don't route between such networks by default.
Using NAT would lead to a double NAT mapping (one on router1, a 2nd on router/server) and those tend to create lots of issues.
The 2nd option mentioned by Koatao seems to give the most chance.
Routes need to be added/verified on both routers; please post routing tables (ip route) for them.
I don't have SSH access to my Zyxel router.
I can only add routes over the web interface.
https://abload.de/img/a9c235d9-f502-4e9b-8bhyjyb.png
Routing Table IPv4 Webinterface Zyxel Router
Routing Table
Routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet.
The table below shows IPv4 and IPv6 routing information. The IPv4 subnet mask is ‘255.255.255.255’ for a host destination and ‘0.0.0.0’ for the default route. The gateway address is written as ‘*’(IPv4)/‘::’(IPv6) if none is set.
Destination: This indicates the destination IPv4 address or IPv6 address and prefix of this route.
Gateway: This indicates the IPv4 address or IPv6 address of the gateway that helps forward this route's traffic.
Subnet Mask: This indicates the destination subnet mask of the IPv4 route.
Flag: This indicates the route status.
U - Up: The route is up.
! - Reject: The route is blocked and will force a route lookup to fail.
G - Gateway: The route uses a gateway to forward traffic.
H - Host: The target of the route is a host.
R - Reinstate: The route is reinstated for dynamic routing.
D - Dynamic (redirect): The route is dynamically installed by a routing daemon or redirect.
M - Modified (redirect): The route is modified from a routing daemon or redirect.
Metric: The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the number, the lower the "cost".
Interface: This indicates the name of the interface through which the route is forwarded.
IPv4 Routing Table
Destination Gateway Subnet Mask Flag Metric Interface
0.0.0.0 85.195.234.1 0.0.0.0 UG 0 eth5.3
85.195.234.0 0.0.0.0 255.255.255.0 U 0 eth5.3
192.168.11.0 0.0.0.0 255.255.255.0 U 0 br0
239.0.0.0 0.0.0.0 255.0.0.0 U 0 br0
ip route on server/router for laptop
[morta@5erver data]$ ip route
default via 192.168.11.1 dev enp2s0 proto dhcp metric 101
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp5s0 proto kernel scope link src 192.168.1.2 linkdown
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 101
192.168.68.0/24 dev wg0 proto kernel scope link src 192.168.68.1
192.168.228.0/24 dev tun0 proto kernel scope link src 192.168.228.1
[morta@5erver data]$ arp -a
? (10.42.0.114) at 80:6d:97:0d:ed:b9 [ether] on enp6s0
_gateway (192.168.11.1) at 50:e0:39:2e:d3:f3 [ether] on enp2s0
? (192.168.11.222) at 84:fd:d1:fd:30:36 [ether] on enp2s0
? (192.168.11.47) at e4:5f:01:41:ce:9b [ether] on enp2s0
? (192.168.11.139) at 80:6d:97:0d:ed:b9 [ether] on enp6s0
? (192.168.1.1) at 90:50:5a:55:46:38 [ether] PERM on enp5s0
? (192.168.11.139) at 84:fd:d1:fd:30:36 [ether] on enp2s0
Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code
Last edited by Slithery (2021-10-11 12:23:40)
Hello,
As we mentioned before, you need to add a route to 10.42.0.0/24 via 10.42.0.1 (5erver) ON the Zyxel Router.
Given the routing table of 5erver, the network architecture seems a bit more complex than what you told us. If adding the required route to the Zyxel Router doesn't work, then do a tracepath from your laptop to 192.168.11.1 and drop the Netfilter filter and nat table configurations of 5erver here:
laptop$ tracepath 192.168.11.1
5erver# iptables -nvL
5erver# iptables -t nat -nvL
(If iptables is used)
Moreover, you can capture network traffic on 5erver with CLI tools like tcpdump and tshark (wireshark-cli). By analyzing the IP headers of packets coming from the laptop, you should be able to understand where the failure happens.
Last edited by Koatao (2021-10-06 04:06:49)
https://abload.de/img/1cf4c404-271d-4b1c-9i4khe.jpeg
10.42.0.115 is the IP of the laptop.
Sorry, 10.42.0.114; I corrected it on the router.
Is this correct?
Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code
Last edited by Slithery (2021-10-11 12:23:14)
Hi, yes, it seems correct; you could have just used the whole network 10.42.0.0/24 as destination IP too.
One way to find out if it is good is to test it. Can the laptop and the Zyxel router communicate with each other now?
Hi, yes, it seems correct; you could have just used the whole network 10.42.0.0/24 as destination IP too.
One way to find out if it is good is to test it. Can the laptop and the Zyxel router communicate with each other now?
I can't enter the whole range, only one IP.
I will try again, but from the smartphone I can't ping 10.42.0.114 (laptop).
I can reach the local NAS and other stuff in the network, but there is no more internet on the laptop, only the local network; also the router (192.168.11.1) I can't ping, nor reach its web interface.
[morta@lapt0p ~]$ ping 192.168.11.1 (Router)
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
Von 192.168.11.222 icmp_seq=1 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=2 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=3 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=4 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=5 Zielhost nicht erreichbar
Von 192.168.11.222 icmp_seq=6 Zielhost nicht erreichbar
^C
--- 192.168.11.1 ping statistics ---
8 Pakete übertragen, 0 empfangen, +6 Fehler, 100% packet loss, time 7088ms
pipe 4
[morta@lapt0p ~]$ ping 10.42.0.1 (Gateway 2, Server)
PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
64 Bytes von 10.42.0.1: icmp_seq=1 ttl=64 Zeit=68.4 ms
64 Bytes von 10.42.0.1: icmp_seq=2 ttl=64 Zeit=0.404 ms
c64 Bytes von 10.42.0.1: icmp_seq=3 ttl=64 Zeit=0.445 ms
^C
--- 10.42.0.1 ping statistics ---
3 Pakete übertragen, 3 empfangen, 0% packet loss, time 2024ms
rtt min/avg/max/mdev = 0.404/23.088/68.417/32.051 ms
[morta@lapt0p ~]$ ping 10.42.0.114 (Laptop)
PING 10.42.0.114 (10.42.0.114) 56(84) bytes of data.
64 Bytes von 10.42.0.114: icmp_seq=1 ttl=64 Zeit=0.060 ms
64 Bytes von 10.42.0.114: icmp_seq=2 ttl=64 Zeit=0.058 ms
64 Bytes von 10.42.0.114: icmp_seq=3 ttl=64 Zeit=0.138 ms
64 Bytes von 10.42.0.114: icmp_seq=4 ttl=64 Zeit=0.060 ms
^C
--- 10.42.0.114 ping statistics ---
4 Pakete übertragen, 4 empfangen, 0% packet loss, time 3049ms
rtt min/avg/max/mdev = 0.058/0.079/0.138/0.034 ms
[morta@lapt0p ~]$ ping 192.168.11.162 (Server)
PING 192.168.11.162 (192.168.11.162) 56(84) bytes of data.
64 Bytes von 192.168.11.162: icmp_seq=1 ttl=64 Zeit=0.353 ms
64 Bytes von 192.168.11.162: icmp_seq=2 ttl=64 Zeit=0.389 ms
64 Bytes von 192.168.11.162: icmp_seq=3 ttl=64 Zeit=0.394 ms
64 Bytes von 192.168.11.162: icmp_seq=4 ttl=64 Zeit=0.397 ms
64 Bytes von 192.168.11.162: icmp_seq=5 ttl=64 Zeit=0.315 ms
64 Bytes von 192.168.11.162: icmp_seq=6 ttl=64 Zeit=0.317 ms
64 Bytes von 192.168.11.162: icmp_seq=7 ttl=64 Zeit=0.399 ms
64 Bytes von 192.168.11.162: icmp_seq=8 ttl=64 Zeit=0.306 ms
Why? Do I have to adjust the iptables rules?
#!/bin/bash
# Delete old NetworkManager connections
nmcli connection delete local
nmcli connection delete local-nas
# NetworkManager forward IPv4 & IPv6 to laptop (shared connection on enp6s0)
nmcli connection add type ethernet ifname enp6s0 ipv4.method shared con-name local
nmcli connection modify local ipv6.method shared
nmcli c mod enp2s0 ipv6.token ::deca:fbad:c0:ffee
# NetworkManager forward IPv4 to NAS (shared connection on enp5s0)
nmcli connection add type ethernet ifname enp5s0 ipv4.method shared con-name local-nas
nmcli connection modify local-nas ipv6.method shared
# Forward internet to laptop with iptables
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
# NAS link: the interface name must be exactly enp5s0 (a misspelling such as enp5so gives a rule that never matches)
iptables -A FORWARD -i enp5s0 -o enp2s0 -j ACCEPT
Last edited by Morta (2021-10-06 16:27:59)
I can't enter the whole range, only one IP.
Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.
Sharing connection with NetworkManager (ipv4.method shared) on 5erver should work fine as it is. The last 5 lines of your script are redundant; you should remove them to avoid any collision with NetworkManager.
Something must be messed up in 5erver or laptop.
Please print the outputs of the commands below:
laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolved
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# ss -ltunp
Besides, what device has the ip address 192.168.11.222? How is it connected to the rest of the infrastructure?
Last edited by Koatao (2021-10-07 07:07:01)
Morta wrote: I can't enter the whole range, only one IP.
Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.
Sharing connection with NetworkManager (ipv4.method shared) on 5erver should work fine as it is. The last 5 lines of your script are redundant; you should remove them to avoid any collision with NetworkManager.
Something must be messed up in 5erver or laptop.
Please print the outputs of the commands below:
laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolved
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# ss -ltunp
Besides, what device has the IP address 192.168.11.222? How is it connected to the rest of the infrastructure?
192.168.11.222 is the laptop connected over Ethernet, but it has two IPs, 192.168.1.222 & 10.42.0.114, on the wired link. I disconnected WLAN when I did the connectivity test of the laptop over LAN.
Koatao wrote: Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.
https://abload.de/img/zyxeli9jrb.png
I can't enter 0/24 instead of 114. Or did I misunderstand you?
LAPTOP
ip a
[morta@lapt0p ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
3: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.193.1/24 brd 192.168.193.255 scope global dynamic vmnet1
valid_lft 1513sec preferred_lft 1288sec
inet6 fe80::8820:5214:6066:f42f/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:1/64 scope link
valid_lft forever preferred_lft forever
4: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.130.1/24 brd 192.168.130.255 scope global dynamic vmnet8
valid_lft 1513sec preferred_lft 1288sec
inet6 fe80::cbf6:56e:9959:3067/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
5: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 84:fd:d1:fd:30:36 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.139/24 brd 192.168.11.255 scope global dynamic noprefixroute wlp0s20f3
valid_lft 73914sec preferred_lft 73914sec
inet6 2a02:168:a774:0:8506:5c61:51e4:5fa/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 4294967101sec preferred_lft 4294967101sec
inet6 2a02:168:a774:0:d661:9368:8e60:8aff/64 scope global dynamic noprefixroute
valid_lft 4294960299sec preferred_lft 4294960299sec
inet6 fe80::3793:476a:7e95:7656/64 scope link noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::2f16:6517:4fb3:e987/64 scope link noprefixroute
valid_lft forever preferred_lft forever
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.222/32 scope global noprefixroute enp58s0u1u3c2
valid_lft forever preferred_lft forever
inet 10.42.0.114/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
valid_lft 808sec preferred_lft 147sec
inet6 fe80::dea0:8e28:3f7:6843/64 scope link noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::41d0:7fea:8405:d9cf/64 scope link noprefixroute
valid_lft forever preferred_lft forever
ip r
[morta@lapt0p ~]$ ip r
default via 192.168.11.1 dev wlp0s20f3 proto dhcp metric 600
default via 192.168.11.1 dev wlp0s20f3 proto dhcp src 192.168.11.139 metric 3005
192.168.11.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.11.139 metric 600
192.168.11.1 dev enp58s0u1u3c2 proto static scope link metric 20100
192.168.130.0/24 dev vmnet8 proto dhcp scope link src 192.168.130.1 metric 1004
192.168.193.0/24 dev vmnet1 proto dhcp scope link src 192.168.193.1 metric 1003
[morta@lapt0p ~]$
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search home
-------------------------
Server
[root@5erver system-connections]# ls
enp2s0.nmconnection local-nas.nmconnection local.nmconnection
cat local.nmconnection
[root@5erver system-connections]# cat local.nmconnection
[connection]
id=local
uuid=2a6c0f4b-cda0-40d5-9992-60c849157688
type=ethernet
interface-name=enp6s0
permissions=
[ethernet]
mac-address-blacklist=
[ipv4]
dns-search=
method=shared
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=shared
ip a
[root@5erver system-connections]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c6 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c7 brd ff:ff:ff:ff:ff:ff
4: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0
valid_lft forever preferred_lft forever
5: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 04:d9:f5:bc:8f:c9 brd ff:ff:ff:ff:ff:ff
inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0
valid_lft forever preferred_lft forever
inet6 fe80::b9fa:d7bf:6edd:7775/64 scope link noprefixroute
valid_lft forever preferred_lft forever
6: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:1b:21:e7:ab:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0
valid_lft 54590sec preferred_lft 54590sec
inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute
valid_lft 4294962267sec preferred_lft 4294962267sec
inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute
valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:96:3f:fd:30 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
ip r
[root@5erver system-connections]# ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 103
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102
[root@5erver system-connections]# iptables -nvL
Chain INPUT (policy ACCEPT 50M packets, 90G bytes)
pkts bytes target prot opt in out source destination
1156K 659M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4766 285K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
1162 67612 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:873
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6680
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
49254 51M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8006 495K ACCEPT all -- enp6s0 enp2s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp5so enp2s0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 45M packets, 156G bytes)
pkts bytes target prot opt in out source destination
1156K 659M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
[root@5erver system-connections]# sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 128K packets, 8398K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 124K packets, 8142K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 47129 packets, 5059K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3960 packets, 245K bytes)
pkts bytes target prot opt in out source destination
2 376 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
43168 4813K MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
[root@5erver system-connections]# ss -ltunp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=92561,fd=6))
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=92561,fd=4))
udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("OoklaServer",pid=1264,fd=9))
udp UNCONN 0 0 0.0.0.0:8080 0.0.0.0:* users:(("OoklaServer",pid=1264,fd=10))
tcp LISTEN 0 64 0.0.0.0:8080 0.0.0.0:* users:(("OoklaServer",pid=1264,fd=6))
tcp LISTEN 0 32 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=92561,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=860,fd=3))
tcp LISTEN 0 10 127.0.0.1:9756 0.0.0.0:* users:(("pritunl",pid=799,fd=8))
tcp LISTEN 0 5 0.0.0.0:3551 0.0.0.0:* users:(("apcupsd",pid=1388,fd=5))
tcp LISTEN 0 64 0.0.0.0:5060 0.0.0.0:* users:(("OoklaServer",pid=1264,fd=4))
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=1384,fd=12))
tcp LISTEN 0 5 0.0.0.0:873 0.0.0.0:* users:(("rsync",pid=855,fd=5))
tcp LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=891,fd=21))
tcp LISTEN 0 511 *:80 *:* users:(("/usr/bin/httpd",pid=10241,fd=4),("/usr/bin/httpd",pid=6985,fd=4),("/usr/bin/httpd",pid=6984,fd=4),("/usr/bin/httpd",pid=6983,fd=4),("/usr/bin/httpd",pid=6982,fd=4),("/usr/bin/httpd",pid=6979,fd=4))
tcp LISTEN 0 4096 *:4243 *:* users:(("dockerd",pid=1382,fd=10))
tcp LISTEN 0 32 *:21 *:* users:(("vsftpd",pid=1990,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=860,fd=4))
tcp LISTEN 0 4096 *:3000 *:* users:(("grafana-server",pid=1158,fd=8))
tcp LISTEN 0 511 *:443 *:* users:(("/usr/bin/httpd",pid=10241,fd=6),("/usr/bin/httpd",pid=6985,fd=6),("/usr/bin/httpd",pid=6984,fd=6),("/usr/bin/httpd",pid=6983,fd=6),("/usr/bin/httpd",pid=6982,fd=6),("/usr/bin/httpd",pid=6979,fd=6))
tcp LISTEN 0 4096 *:444 *:* users:(("pritunl-web",pid=1711,fd=3))
tcp LISTEN 0 4096 *:9090 *:* users:(("prometheus",pid=1387,fd=8))
tcp LISTEN 0 100 [::ffff:127.0.0.1]:5000 *:* users:(("rtorrent main",pid=872,fd=15))
tcp LISTEN 0 5 [::]:873 [::]:* users:(("rsync",pid=855,fd=6))
tcp LISTEN 0 80 [::]:3306 [::]:* users:(("mariadbd",pid=891,fd=24))
tcp LISTEN 0 4096 *:9100 *:* users:(("prometheus-node",pid=1386,fd=3))
tcp LISTEN 0 4096 *:55085 *:* users:(("rtorrent main",pid=872,fd=14))
tcp LISTEN 0 512 *:8686 *:*
Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code
Last edited by Slithery (2021-10-11 12:22:55)
Koatao wrote: Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.
https://abload.de/img/zyxeli9jrb.png
I can't enter 0/24 instead of 114. Or did I misunderstand you?
Check https://www.manualslib.com/products/Zyx … 65483.html, chapter 4
Last edited by Lone_Wolf (2021-10-07 08:43:32)
Zyxel router:
My bad! I made a mistake telling you the route is 10.42.0.114 via 10.42.0.1; it is via 192.168.11.162 (the interface of 5erver on the same network as the Zyxel Router).
Laptop:
It is already connected to the 192.168.11.0/24 network through wlp0s20f3 and enp58s0u1u3c2.
The routing table indicates it will try to reach 192.168.11.1 with enp58s0u1u3c2, and that default (internet for example) is using 192.168.11.139 reached through wlp0s20f3.
enp58s0u1u3c2 is also connected to the 10.42.0.0/24 network but has no route configured for it.
So it is a mess. Was the output obtained directly after a reboot?
5erver:
The mess is on the firewall:
- filter table:
- For each chain the policy is ACCEPT and there are no rules with a DROP or REJECT target in it. There is no filtering done at the moment.
- If there were some filtering done (with a policy of DROP, or rules with a DROP or REJECT target at some point), you would be, networking wise, locked out of your 5erver because you don't have any rule matching ESTABLISHED,RELATED traffic in the INPUT chain.
- You also might need to allow your DHCP server and DNS server (dnsmasq) to be reached on enp6s0 (as NetworkManager will use it to set up the shared connection).
- nat table:
- There is the same rule about 7 times, which shouldn't exist anyway. Why would you MASQUERADE in both ways?
If you use NetworkManager's shared connection feature, everything should be set up automatically (on Netfilter and dnsmasq).
If NetworkManager is correctly configured once, you don't have to run your script (with nmcli and iptables lines) multiple times after that.
Advice:
At some point, you will have to learn about networking, firewalls, iproute2 and Netfilter; otherwise, you will keep getting stuck with buggy stuff or worse, like getting hacked.
Start simple, understand what you do. After that, you can add some more complexity to it.
Last edited by Koatao (2021-10-07 09:02:39)
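As an added example, and not the script Morta posted, the following POSIX shell script is the kind of rewrite Koatao's review points at: an INPUT chain that accepts ESTABLISHED,RELATED traffic and dnsmasq's DHCP/DNS on enp6s0, a FORWARD chain for the laptop and NAS links, a single one-way MASQUERADE, and an add_rule helper that checks with iptables -C before appending, so re-running it (as the rc.local script was) cannot pile up duplicate rules. Interface names and the 80/443 service ports come from the thread; the default-deny policies, the SSH allow rule and the enp2s0-to-enp6s0 forward rule are assumptions.

```shell
#!/bin/sh
# Idempotent Netfilter setup for 5erver (added example, not Morta's script).
# Interfaces as in the thread: enp2s0 faces the Zyxel router (192.168.11.0/24),
# enp6s0 faces the laptop (10.42.0.0/24), enp5s0 faces the NAS.
IPT="${IPT:-iptables}"   # overridable so the rule logic can be exercised without root

# add_rule TABLE CHAIN MATCH... : append only when an identical rule is not
# already present (iptables -C exits 0 if it is). Re-running the script
# therefore never produces the seven stacked MASQUERADE rules seen in the thread.
add_rule() {
    _table=$1; _chain=$2; shift 2
    if "$IPT" -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$_table" -A "$_chain" "$@"
}

apply_rules() {
    # Default-deny for traffic to and through 5erver (assumption); OUTPUT stays open.
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP

    # INPUT: loopback first, then replies to connections 5erver opened itself.
    # Without this rule a DROP policy would lock you out, as Koatao notes.
    add_rule filter INPUT -i lo -j ACCEPT
    add_rule filter INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Services reachable from anywhere (SSH assumed; 80/443 are in the posted rules).
    add_rule filter INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    add_rule filter INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    add_rule filter INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # dnsmasq serves DHCP (67/udp) and DNS (53) to the laptop side only.
    add_rule filter INPUT -i enp6s0 -p udp --dport 67 -j ACCEPT
    add_rule filter INPUT -i enp6s0 -p udp --dport 53 -j ACCEPT
    add_rule filter INPUT -i enp6s0 -p tcp --dport 53 -j ACCEPT

    # FORWARD: laptop and NAS may open connections towards the Zyxel side; the
    # 192.168.11.0/24 side may reach the laptop (the smartphone ping in the
    # thread) once the Zyxel has its route; anything else only as a reply.
    add_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    add_rule filter FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
    add_rule filter FORWARD -i enp5s0 -o enp2s0 -j ACCEPT
    add_rule filter FORWARD -i enp2s0 -o enp6s0 -j ACCEPT

    # NAT in one direction only (towards the Zyxel side). With a route for
    # 10.42.0.0/24 via 192.168.11.162 on the Zyxel this is not needed for the
    # laptop, but internet access keeps working either way.
    add_rule nat POSTROUTING -o enp2s0 -j MASQUERADE
}

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# "sh 5erver-fw.sh apply" (as root) applies everything; sourcing only defines the functions.
if [ "${1:-}" = apply ]; then
    enable_forwarding
    apply_rules
fi
```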
Morta wrote: Koatao wrote: Of course you can. Use the IP network address (instead of the host address) and the correct network mask (24 bits). But this forum is neither a 101 course on Networking nor on Zyxel's router configuration.
https://abload.de/img/zyxeli9jrb.png
I can't enter 0/24 instead of 114. Or did I misunderstand you?
Check https://www.manualslib.com/products/Zyx … 65483.html, chapter 4
I'm blind, or else there is no way to route to a /24 subnet.
Zyxel router:
My bad! I made a mistake telling you the route is 10.42.0.114 via 10.42.0.1; it is via 192.168.11.162 (the interface of 5erver on the same network as the Zyxel Router).
Laptop:
It is already connected to the 192.168.11.0/24 network through wlp0s20f3 and enp58s0u1u3c2.
The routing table indicates it will try to reach 192.168.11.1 with enp58s0u1u3c2, and that default (internet for example) is using 192.168.11.139 reached through wlp0s20f3.
enp58s0u1u3c2 is also connected to the 10.42.0.0/24 network but has no route configured for it.
So it is a mess. Was the output obtained directly after a reboot?
5erver:
The mess is on the firewall:
- filter table:
- For each chain the policy is ACCEPT and there are no rules with a DROP or REJECT target in it. There is no filtering done at the moment.
- If there were some filtering done (with a policy of DROP, or rules with a DROP or REJECT target at some point), you would be, networking wise, locked out of your 5erver because you don't have any rule matching ESTABLISHED,RELATED traffic in the INPUT chain.
- You also might need to allow your DHCP server and DNS server (dnsmasq) to be reached on enp6s0 (as NetworkManager will use it to set up the shared connection).
- nat table:
- There is the same rule about 7 times, which shouldn't exist anyway. Why would you MASQUERADE in both ways?
If you use NetworkManager's shared connection feature, everything should be set up automatically (on Netfilter and dnsmasq).
If NetworkManager is correctly configured once, you don't have to run your script (with nmcli and iptables lines) multiple times after that.
Advice:
At some point, you will have to learn about networking, firewalls, iproute2 and Netfilter; otherwise, you will keep getting stuck with buggy stuff or worse, like getting hacked.
Start simple, understand what you do. After that, you can add some more complexity to it.
Thanks for your time!
The firewall isn't finished being configured on the server.
The masquerade rules are duplicated because I executed the rc.local script more than once, because of an error in the coreutils package.
I know the NM rules are persistent, but when I disconnect the docking station the reconnect of the laptop fails, so I had to re-execute the script.
I'm not very familiar with iptables, you're right.
The only thing is that a good firewall doesn't filter with only accept and drop.
So I don't know why, but NM doesn't forward the internet connection to the laptop, so I studied the Arch Wiki and forwarded the internet with iptables and the kernel.
The laptop wireless connection you can view as obsolete. I used it only to reach the web interface of the router, and my goal is to not use it in the local network.
So I will give it a try with these steps:
- adjust the routing on the router
- delete all iptables rules on the server
- check whether NM provides internet and the local network from the server to the laptop
- set up a firewall for the server which deserves the name ;-)
Any thoughts?
Last edited by Morta (2021-10-07 10:14:00)
I still have no internet when I forward with NM... Does NM need iptables?
I also can't reach the router 192.168.11.1, but the other local devices I can reach....
What am I doing wrong?
- iptables off on the server
- NM works with internet, but sometimes it breaks up, like sleeping. How can I change that?
I did this to get the DNS from the router on the laptop:
[root@lapt0p dispatcher.d]# cat 20-reslov.sh
#!/bin/sh
# NetworkManager dispatcher script: $1 is the interface name, $2 the action
case "$2" in
    up)
        # resolv.conf entries need the "nameserver" keyword, and the second
        # line must be appended (>>) or it overwrites the first one
        echo "nameserver 192.168.11.1" > /etc/resolv.conf
        echo "nameserver 10.42.0.1" >> /etc/resolv.conf
        ;;
esac
The NetworkManager of the laptop is working.... but disconnecting every time.
Are you sure the routing of 10.42.0.114 via 192.168.11.162 is right?
Or is something else the error...
That the laptop receives two IPv4 addresses? 10.42.0.114 and 192.168.11.222?
Last edited by Morta (2021-10-07 17:06:49)
Problem is: we don't have any clue what your configuration currently is, since you rely on weird custom scripts (instead of relying on actual proven software and its configuration) and feed us «obsolete» or not relevant information. Plus you continue to do stuff and modify other things, so whatever could have been true at some point in time may not be now. Mix that with a partial understanding of most of what you did and you have a broken infrastructure.
Do 1 thing at a time and do it right (in a reliable way).
1st: reboot 5erver and laptop to get rid of any manual, non-permanent configuration you may have done (and forgot to undo). AND get rid (meaning make sure they don't run at boot time) of those broken scripts of yours.
2nd: Execute these commands right after reboot.
laptop$ ip a
laptop$ ip r
laptop$ cat /etc/resolv.conf
laptop$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
5erver# cat /etc/NetworkManager/system-connections/local
5erver# ip a
5erver# ip r
5erver# cat /etc/resolv.conf
5erver# iptables -nvL
5erver# iptables -t nat -nvL
5erver# find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
List of commands will be extended after we have an insight of what is running.
3rd: connect the Zyxel router and 5erver on the same network (that should be already done with Zyxel router with 192.168.11.1 IP address and 5erver with 192.168.11.162 on interface enp2s0).
4th: connect the laptop and 5erver on the same network, configure a DHCP server (like dnsmasq) on 5erver to serve the laptop.
5th: configure 5erver to route traffic between 192.168.11.0/24 and 10.42.0.0/24 (we will not use NetworkManager's shared feature).
6th: tests
7th: save config
Do 1st and 2nd. We will work from there.
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
This command is to find which network manager or network related services are running.
Last edited by Koatao (2021-10-08 01:22:19)
Problem is: we don't have any clue of what is currently your configuration since you rely weird custom scripts (instead of relying on actual proven software and their configuration) and input us with «obsolete» or not relevant information. Plus you continue to do stuff and modified other things, so whatever could have been true at some point in time could not be now. Mixed that with a partial understand of most of what you did and you have a broken infrastructure.
Do 1 thing at a time and do it right (in a reliable way).
Ok. I will do this step by step tomorrow. Today I had a short trip to the hospital for an examination of my stomach, but all is fine.
Offline
[root@5erver morta]# iptables -nvL
Chain INPUT (policy ACCEPT 24687 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 monitorix_IN_8 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
35 2651 monitorix_IN_7 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_6 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_5 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
143 12493 monitorix_IN_3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
31 2513 monitorix_IN_2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 616 packets, 163K bytes)
pkts bytes target prot opt in out source destination
616 163K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
616 163K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 18996 packets, 117M bytes)
pkts bytes target prot opt in out source destination
0 0 monitorix_IN_8 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
35 4791 monitorix_IN_7 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_6 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_5 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
99 13541 monitorix_IN_3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
27 8154 monitorix_IN_2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
616 163K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
616 163K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain monitorix_IN_0 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_1 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_2 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_3 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_4 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_5 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_6 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_7 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_8 (2 references)
pkts bytes target prot opt in out source destination
[root@5erver morta]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 249 packets, 15740 bytes)
pkts bytes target prot opt in out source destination
140 8138 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 140 packets, 8138 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 89 packets, 9851 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 89 packets, 9851 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
1 328 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp6s0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
[root@5erver morta]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c6 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c7 brd ff:ff:ff:ff:ff:ff
4: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 04:d9:f5:bc:8f:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0
valid_lft forever preferred_lft forever
5: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 04:d9:f5:bc:8f:c9 brd ff:ff:ff:ff:ff:ff
inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0
valid_lft forever preferred_lft forever
inet6 fe80::9412:6f17:f85e:4419/64 scope link noprefixroute
valid_lft forever preferred_lft forever
6: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:1b:21:e7:ab:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0
valid_lft 85926sec preferred_lft 85926sec
inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute
valid_lft 4294966805sec preferred_lft 4294966805sec
inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute
valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:99:41:22:ae brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
[root@5erver morta]# ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102
[root@5erver morta]# cat /etc/NetworkManager/system-connections/local.nmconnection
[connection]
id=local
uuid=f7de5869-bd60-4cfa-8eef-97ceb9f81f50
type=ethernet
interface-name=enp6s0
permissions=
[ethernet]
mac-address-blacklist=
[ipv4]
dns-search=
method=shared
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=shared
[proxy]
[root@5erver morta]# ss -ltunp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1606,fd=6))
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=1606,fd=4))
udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("OoklaServer",pid=1507,fd=9))
udp UNCONN 0 0 0.0.0.0:39521 0.0.0.0:* users:(("OoklaServer",pid=1507,fd=11))
udp UNCONN 0 0 0.0.0.0:8080 0.0.0.0:* users:(("OoklaServer",pid=1507,fd=10))
tcp LISTEN 0 64 0.0.0.0:5060 0.0.0.0:* users:(("OoklaServer",pid=1507,fd=4))
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=1638,fd=12))
tcp LISTEN 0 5 0.0.0.0:873 0.0.0.0:* users:(("rsync",pid=1177,fd=5))
tcp LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=1207,fd=22))
tcp LISTEN 0 64 0.0.0.0:8080 0.0.0.0:* users:(("OoklaServer",pid=1507,fd=6))
tcp LISTEN 0 32 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1606,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1179,fd=3))
tcp LISTEN 0 10 127.0.0.1:9756 0.0.0.0:* users:(("pritunl",pid=1116,fd=9))
tcp LISTEN 0 5 0.0.0.0:3551 0.0.0.0:* users:(("apcupsd",pid=1642,fd=5))
tcp LISTEN 0 4096 *:9090 *:* users:(("prometheus",pid=1641,fd=3))
tcp LISTEN 0 4096 *:55077 *:* users:(("rtorrent main",pid=1184,fd=14))
tcp LISTEN 0 100 [::ffff:127.0.0.1]:5000 *:* users:(("rtorrent main",pid=1184,fd=15))
tcp LISTEN 0 5 [::]:873 [::]:* users:(("rsync",pid=1177,fd=6))
tcp LISTEN 0 80 [::]:3306 [::]:* users:(("mariadbd",pid=1207,fd=38))
tcp LISTEN 0 4096 *:9100 *:* users:(("prometheus-node",pid=1640,fd=3))
tcp LISTEN 0 512 *:8686 *:* users:(("Lidarr",pid=1171,fd=233))
tcp LISTEN 0 511 *:80 *:* users:(("/usr/bin/httpd",pid=1245,fd=4),("/usr/bin/httpd",pid=1244,fd=4),("/usr/bin/httpd",pid=1243,fd=4),("/usr/bin/httpd",pid=1240,fd=4),("/usr/bin/httpd",pid=1168,fd=4))
tcp LISTEN 0 4096 *:4243 *:* users:(("dockerd",pid=1636,fd=10))
tcp LISTEN 0 32 *:21 *:* users:(("vsftpd",pid=2261,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1179,fd=4))
tcp LISTEN 0 4096 *:3000 *:* users:(("grafana-server",pid=1422,fd=8))
tcp LISTEN 0 511 *:443 *:* users:(("/usr/bin/httpd",pid=1245,fd=6),("/usr/bin/httpd",pid=1244,fd=6),("/usr/bin/httpd",pid=1243,fd=6),("/usr/bin/httpd",pid=1240,fd=6),("/usr/bin/httpd",pid=1168,fd=6))
tcp LISTEN 0 4096 *:444 *:* users:(("pritunl-web",pid=1977,fd=3))
[root@5erver morta]# find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
apcupsd.service | multi-user.target.wants
certbot.service | multi-user.target.wants
certbot.timer | timers.target.wants
ckb-next-daemon.service | multi-user.target.wants
dbus-org.freedesktop.network1.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dirmngr.socket | sockets.target.wants
docker.service | multi-user.target.wants
ethtool@enp2s0.service | multi-user.target.wants
getty@tty1.service | getty.target.wants
gpg-agent-browser.socket | sockets.target.wants
gpg-agent-extra.socket | sockets.target.wants
gpg-agent.socket | sockets.target.wants
gpg-agent-ssh.socket | sockets.target.wants
grafana.service | multi-user.target.wants
httpd.service | multi-user.target.wants
iptables.service | multi-user.target.wants
lidarr.service | multi-user.target.wants
mariadb.service | multi-user.target.wants
mongodb.service | multi-user.target.wants
monitorix.service | multi-user.target.wants
NetworkManager.service | multi-user.target.wants
NetworkManager-wait-online.service | network-online.target.wants
ookla.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
php-fpm7.service | multi-user.target.wants
php-fpm.service | multi-user.target.wants
pritunl.service | multi-user.target.wants
prometheus-node-exporter.service | multi-user.target.wants
prometheus.service | multi-user.target.wants
rclone.service | multi-user.target.wants
remote-fs.target | multi-user.target.wants
rsyncd.service | multi-user.target.wants
rtorrent.service | multi-user.target.wants
sshd.service | multi-user.target.wants
systemd-networkd.service | multi-user.target.wants
systemd-networkd.socket | sockets.target.wants
systemd-networkd-wait-online.service | network-online.target.wants
vsftpd.service | multi-user.target.wants
----------------------
[morta@lapt0p ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.193.1/24 brd 192.168.193.255 scope global dynamic vmnet1
valid_lft 1478sec preferred_lft 1253sec
inet6 fe80::8820:5214:6066:f42f/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:1/64 scope link
valid_lft forever preferred_lft forever
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
4: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.130.1/24 brd 192.168.130.255 scope global dynamic vmnet8
valid_lft 1479sec preferred_lft 1254sec
inet6 fe80::cbf6:56e:9959:3067/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
5: wlp0s20f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 2e:47:25:fe:33:39 brd ff:ff:ff:ff:ff:ff permaddr 84:fd:d1:fd:30:36
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
inet 10.42.0.114/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
valid_lft 3418sec preferred_lft 2968sec
[morta@lapt0p ~]$ ip r
default via 10.42.0.1 dev enp58s0u1u3c2 proto dhcp src 10.42.0.114 metric 1006
10.42.0.0/24 dev enp58s0u1u3c2 proto dhcp scope link src 10.42.0.114 metric 1006
192.168.130.0/24 dev vmnet8 proto dhcp scope link src 192.168.130.1 metric 1004
192.168.193.0/24 dev vmnet1 proto dhcp scope link src 192.168.193.1 metric 1002
[morta@lapt0p ~]$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
acpid.service | multi-user.target.wants
avahi-daemon.service | multi-user.target.wants
avahi-daemon.socket | sockets.target.wants
bluetooth.service | bluetooth.target.wants
brscan-skey.service | multi-user.target.wants
ckb-next-daemon.service | multi-user.target.wants
cups.path | multi-user.target.wants
cups.service | printer.target.wants
cups.socket | sockets.target.wants
dbus-fi.w1.wpa_supplicant1.service | system
dbus-org.bluez.service | system
dbus-org.freedesktop.Avahi.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
dhcpcd.service | multi-user.target.wants
dirmngr.socket | sockets.target.wants
displaylink.service | graphical.target.wants
display-manager.service | system
getty@tty1.service | getty.target.wants
gpg-agent-browser.socket | sockets.target.wants
gpg-agent-extra.socket | sockets.target.wants
gpg-agent.socket | sockets.target.wants
gpg-agent-ssh.socket | sockets.target.wants
ip6tables.service | multi-user.target.wants
iptables.service | multi-user.target.wants
linux-modules-cleanup.service | basic.target.wants
mopidy.service | multi-user.target.wants
NetworkManager.service | multi-user.target.wants
NetworkManager-wait-online.service | network-online.target.wants
nvman.service | bumblebeed.service.wants
nvman.service | graphical.target.wants
nvman.service | optimus-manager.service.wants
optimus-manager.service | graphical.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-media-session.service | pipewire.service.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
pritunl-client.service | multi-user.target.wants
pulseaudio.socket | sockets.target.wants
rclone.service | multi-user.target.wants
remote-fs.target | multi-user.target.wants
rsyncd.service | multi-user.target.wants
smartd.service | multi-user.target.wants
sshd.service | multi-user.target.wants
systemd-resolved.service | multi-user.target.wants
systemd-timesyncd.service | sysinit.target.wants
teamviewerd.service | multi-user.target.wants
tlp.service | multi-user.target.wants
vmware-networks.service | multi-user.target.wants
vmware-usbarbitrator.service | multi-user.target.wants
vnstatd.service | system
vnstat.service | multi-user.target.wants
wpa_supplicant.service | multi-user.target.wants
xdg-user-dirs-update.service | default.target.wants
I have no internet on my laptop over Ethernet right now.
Last edited by Morta (2021-10-09 11:26:01)
Offline
Let's only focus on 5erver atm. We want it to run smooth before setting up connectivity for the laptop.
Two things are wrong on 5erver:
1) You have two network managers running: systemd-networkd and NetworkManager. Pick one, disable the other (meaning any custom config will have to be ported from the disabled one to the active one).
2) The POSTROUTING chain of the nat table is automatically configured with 7 identical rules I think are useless (why would you want NAT from anywhere to 10.42.0.0/24?). Remove those rules and find out what is creating them to prevent it from doing it again.
Once this is done, restart 5erver and run those commands: (we want to be sure everything is set up accordingly at this point)
# ip -o a
# ip r
# ls -l /etc/resolv.conf && cat /etc/resolv.conf
Offline
Ok. I will do later!
Do you have a clue how I can find out what adds these POSTROUTING rules to iptables?
I had only the rc-local script as a startup service.
Monitorix, pritunl, docker and NM(?) can add rules, or do you see any other service that can add rules to iptables?
Last edited by Morta (2021-10-09 12:45:30)
Offline
Do you have a clue how I can find out what adds these POSTROUTING rules to iptables?
iptables.service is enabled according to the command output you gave:
$ cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
As you can see, it restores rules during boot; those rules are saved in /etc/iptables/iptables.rules.
Other than that, you can find info about Netfilter in the logs:
https://wiki.archlinux.org/title/Systemd/Journal
https://man.archlinux.org/man/dmesg.1
But it is not that easy to work your way through it and find what process created the rules.
There may be easier ways, but I don't know them.
Last edited by Koatao (2021-10-09 14:21:38)
Offline
I found the POSTROUTING rule six times in /etc/iptables/iptables.rules, so I deleted it!
[morta@5erver cadir]$ sudo systemctl disable systemd-networkd
Removed /etc/systemd/system/multi-user.target.wants/systemd-networkd.service.
Removed /etc/systemd/system/dbus-org.freedesktop.network1.service.
Removed /etc/systemd/system/sockets.target.wants/systemd-networkd.socket.
Removed /etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service
[morta@5erver cadir]$ cd /etc/systemd/network/
[morta@5erver network]$ ls
30-wired.conf 60-wired.conf interfaces.txt
[morta@5erver network]$ cat 30-wired.conf
[Match]
Name=enp2s0
[Network]
DHCP=yes
[morta@5erver network]$ cat 60-wired.conf
[Match]
Name=eth3
[Network]
DHCP=no
[morta@5erver network]$
I don't have to port it, because DHCP is automatic and eth3 is not needed. So it should work without porting to NM.
I had a look at the nmconnection files and all used interfaces are configured.
Last edited by Morta (2021-10-09 14:49:06)
Offline
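An added check, not part of Morta's or Koatao's posts, for the situation above: a small shell helper that spots rules listed more than once in an iptables-restore style file (iptables-restore loads every copy, which is how the POSTROUTING chain ends up with several identical MASQUERADE rules). The file contents below are a constructed sample, not Morta's actual iptables.rules.

```shell
#!/bin/sh
# Added example (not from the thread): find rules that appear more than once in
# an iptables-restore style file such as /etc/iptables/iptables.rules, and write
# a de-duplicated copy. Only "-A ..." lines count as rules; comments, chain
# policy lines (":CHAIN ..."), table headers ("*nat") and COMMIT are left alone.

# Print each duplicated rule with its count: "<count> <rule>".
dup_rules() {
  grep -E '^-A ' "$1" | sort | uniq -cd | sed 's/^ *//'
}

# Number of distinct rules that occur more than once.
dup_count() {
  dup_rules "$1" | wc -l | tr -d ' '
}

# Copy of the file with every rule kept once, original order preserved.
# Non-rule lines (including the two COMMIT lines) are always kept.
dedup_rules() {
  awk '!/^-A / || !seen[$0]++' "$1"
}

# Constructed sample resembling the nat/filter sections discussed in the thread.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# Generated by iptables-save (constructed sample, not a real file)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp6s0 -j MASQUERADE
-A POSTROUTING -o enp6s0 -j MASQUERADE
-A POSTROUTING -o enp6s0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
COMMIT
EOF

# Usage: dup_rules "$SAMPLE_RULES"; dedup_rules "$SAMPLE_RULES" > cleaned.rules
```

Run `dup_rules /etc/iptables/iptables.rules` on the real file to see which rule is repeated and how often before editing it.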
[morta@5erver certs]$ ip -o a
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever
4: enp5s0 inet 192.168.1.2/24 brd 192.168.1.255 scope global enp5s0\ valid_lft forever preferred_lft forever
5: enp6s0 inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute enp6s0\ valid_lft forever preferred_lft forever
5: enp6s0 inet6 fe80::9412:6f17:f85e:4419/64 scope link noprefixroute \ valid_lft forever preferred_lft forever
6: enp2s0 inet 192.168.11.162/24 brd 192.168.11.255 scope global dynamic noprefixroute enp2s0\ valid_lft 86367sec preferred_lft 86367sec
6: enp2s0 inet6 2a02:168:a774:0:deca:fbad:c0:ffee/64 scope global dynamic noprefixroute \ valid_lft 4294967244sec preferred_lft 4294967244sec
6: enp2s0 inet6 fe80::21b:21ff:fee7:ab02/64 scope link noprefixroute \ valid_lft forever preferred_lft forever
7: docker0 inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\ valid_lft forever preferred_lft forever
[morta@5erver certs]$ ip r
default via 192.168.11.1 dev enp2s0 proto dhcp metric 102
10.42.0.0/24 dev enp6s0 proto kernel scope link src 10.42.0.1 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.162 metric 102
[morta@5erver certs]$ ls -l /etc/resolv.conf && cat /etc/resolv.conf
-rw-r--r-- 1 root root 277 9. Oct 18:03 /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 77.109.128.2
nameserver 213.144.129.20
nameserver 2001:1620:2777:1::10
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2001:1620:2777:2::20
So that is the information that you wanted...
Offline
Okay, so now that everything is correctly set up on 5erver, we can try to make it a router.
The 3rd step is already done.
Let's connect the laptop to it.
What we want to do is to:
- Modify the NM connection named «local».
Remove ipv4.method=shared and set up a static IP address for enp6s0 manually instead.
$ nmcli connection delete local
$ nmcli connection add con-name local ifname enp6s0 type ethernet ip4 10.42.0.1/24
- Set up a DHCP server:
https://wiki.archlinux.org/title/Networ … ation#DHCP
The server should listen on enp6s0, offer leases on the 10.42.0.0/24 network and use the DHCP options for gateway (option 3) and DNS server (option 6) to be passed on to the host.
https://www.incognito.com/tutorials/dhc … n-english/
- Configure Netfilter:
If the policy of the chain FORWARD of the table filter is DROP, you will have to create rules to route packets between each network. One way to do that:
# iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
# iptables -A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT
Don't forget to make sure 5erver can route packets:
# sysctl -w net.ipv4.ip_forward=1
https://wiki.archlinux.org/title/Sysctl
Once this is done, connect the laptop to the 5erver. On the laptop, the connection should be set up using DHCP and letting NetworkManager configure the gateway and DNS server(s) automatically.
Offline
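The plan above rendered as reviewable text, added here as an example and not Koatao's or Morta's own configuration. Interface names and addresses are taken from the thread; the DHCP lease range and the DROP policy on FORWARD (with explicit accept rules, as the post describes) are constructed choices.

```shell
#!/bin/sh
# Added example (not the thread's own config): render the pieces of the plan
# for 5erver so they can be checked before being applied.
# Assumed from the thread: enp2s0 faces 192.168.11.0/24, enp6s0 faces
# 10.42.0.0/24 with 10.42.0.1 on 5erver. Lease range is a constructed choice.
LAN_IF=enp6s0;  LAN_NET=10.42.0.0/24;    LAN_GW=10.42.0.1
WAN_IF=enp2s0;  WAN_NET=192.168.11.0/24

# nmcli commands replacing the "shared" connection with a static address.
nm_commands() {
  printf 'nmcli connection delete local\n'
  printf 'nmcli connection add con-name local ifname %s type ethernet ip4 %s/24\n' \
    "$LAN_IF" "$LAN_GW"
}

# dnsmasq.conf serving DHCP on the laptop side; option 3 (router) and
# option 6 (dns-server) both point at 5erver, which runs dnsmasq on 10.42.0.1.
dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
dhcp-range=10.42.0.100,10.42.0.200,12h
dhcp-option=option:router,$LAN_GW
dhcp-option=option:dns-server,$LAN_GW
EOF
}

# filter table in iptables-restore format: forward only between the two
# known networks, allow replies, drop everything else. No MASQUERADE: this is
# plain routing, so the Zyxel router needs a return route for 10.42.0.0/24
# via 192.168.11.162 (5erver's address on enp2s0).
iptables_filter() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -s $WAN_NET -d $LAN_NET -j ACCEPT
COMMIT
EOF
}

# sysctl.d fragment that makes ip_forward=1 persistent across reboots.
sysctl_conf() { printf 'net.ipv4.ip_forward = 1\n'; }

# Self-check: every -i/-o in the rendered FORWARD rules must be one of the two
# known interfaces. Returns 0 when no unexpected interface is referenced.
check_ifaces() {
  iptables_filter | grep -E '^-A' | grep -oE '(-i|-o) [a-z0-9]+' \
    | awk -v a="$LAN_IF" -v b="$WAN_IF" '$2 != a && $2 != b { bad=1 } END { exit bad }'
}

# Usage: nm_commands; dnsmasq_conf; iptables_filter; sysctl_conf; check_ifaces
```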