You are not logged in.

#1 2021-09-02 06:21:03

zanny
Member
From: Baltimore
Registered: 2012-10-05
Posts: 84
Website

Networkd and Firewalld as a gateway router

Decided to retire my old consumer router for an... old computer plus a bunch of extra pcie ethernet cards in a box and a wifi card. ATM I have interfaces eno1-4, enp3s0f0-1, and wlan0. External dhcp routing from the upstream gateway works fine on eno1. Everything else should be on a lan that routes through here to wan and each other.

#/etc/systemd/network/10-wan.network 
[Match]
Name=eno1

[Network]
DHCP=yes
IPMasquerade=both
#/etc/systemd/network/20-lan.network 
[Match]
Name=eno2 eno3 eno4 enp3s0f0 enp3s0f1 wlan0

[Network]
Address=192.168.128.1/24
DHCPServer=yes

I have forward and masquerade enabled in firewalld and eno1 is on the external zone while all other faces on a default-set internal zone with dhcp service enabled. IPMasquerade in the second file is turning it and IPForward on in sysctl and firewalld reports the same.

[root@gorre network]# firewall-cmd  --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno2
  sources: 
  services: dhcp dhcpv6 mdns minidlna nfs samba ssh wireguard
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

As it is connected devices get assigned a dynamic IP but cannot route anywhere. The server can ping and route to any of its clients. All the clients are using standard dhcp autoconnects. Here is an example of the nmcli on one machine:

enp13s0: connected to aquantia
        "Aquantia AQC107 NBase-T/IEEE 802.3bz"
        ethernet (atlantic), 70:85:C2:C7:BE:1C, hw, mtu 1500
        inet4 192.168.128.242/24
        route4 0.0.0.0/0
        route4 192.168.128.0/24
        inet6 fe80::6684:1f72:222a:c45b/64
        route6 fe80::/64

Some attempts to change subnets on another box using networkd:

Sep 01 23:48:21 fidchell systemd-networkd[493]: enp3s0: DHCPv4 address 192.168.128.224/24 via 192.168.128.1
Sep 01 23:40:52 fidchell systemd-networkd[493]: enp3s0: DHCP lease lost
Sep 01 22:40:52 fidchell systemd-networkd[493]: enp3s0: DHCPv4 address 192.168.3.224/24 via 192.168.3.1
Sep 01 22:40:48 fidchell systemd-networkd[493]: enp3s0: Gained carrier

What am I missing? DHCP negotiation happens but routing only goes one way, from server to client. Clients can ping their own assigned IPs but can't reach anything else. I thought it might be netfilter rules for routing but nat is on and attempting the manual tables referenced at https://wiki.archlinux.org/title/Systemd-networkd didn't fix this. I'm assuming its not at the nftables layer because this setup should at least be able to ping across the wire both ways at the least.

Edit: rebooted everything just to check and now clients and server can communicate. Pinging outside gets "packet filtered" on pings and destination host unreachable internally still, so the only change is that clients can now talk to the server. I also tried this setup with dnsmasq instead of networkd's dhcp server and nothing changed.

Last edited by zanny (2021-09-02 15:49:41)

Offline

#2 2021-10-03 23:41:50

zeno801101
Member
Registered: 2021-09-23
Posts: 3

Re: Networkd and Firewalld as a gateway router

I meet the same problem, I encountered it may be caused by the new kernel of 5.14

Offline

#3 2021-10-07 15:55:12

WaterWastage
Member
Registered: 2019-02-08
Posts: 2

Re: Networkd and Firewalld as a gateway router

I think it's Linux 5.14 or systemd 249 (249.4-2-arch), uh.. and this happens on AL ARM too (same versions).

Offline

#4 2021-10-07 19:12:55

pm3840
Member
Registered: 2013-12-16
Posts: 34

Re: Networkd and Firewalld as a gateway router

Get rid of this.

[Match]
Name=eno2 eno3 eno4 enp3s0f0 enp3s0f1 wlan0

[Network]
Address=192.168.128.1/24
DHCPServer=yes

Add a bridge interface here as master and use NICs above as members. (man systemd.netdev)
Enable DHCP and IPMasquerade for the bridge interface. (man systemd.network)

Last edited by pm3840 (2021-10-07 19:14:42)

Offline

#5 2021-10-07 20:28:32

pm3840
Member
Registered: 2013-12-16
Posts: 34

Re: Networkd and Firewalld as a gateway router

PS. not all wifi cards perfectly support being added to a bridge.

Offline

#6 2022-11-07 04:12:33

zanny
Member
From: Baltimore
Registered: 2012-10-05
Posts: 84
Website

Re: Networkd and Firewalld as a gateway router

Forgot to ever post the working setup:

You want a bridge.netdev:

[NetDev]
Name=br0
Kind=bridge

[Match]
Name=br0

A bridge.network:

[Match]
Name=br0

[Link]
RequiredForOnline=no

[Network]
Address=192.168.0.1/24
DHCPServer=yes
IPMasquerade=ipv4

And some .network file to match all the devices you want to be on the bridge and to get their ips from the dhcp server:

[Match]
Name=eno1 eno2 eno3 eno4

[Link]
RequiredForOnline=no

[Network]
Bridge=br0

Last edited by zanny (2022-11-07 04:13:16)

Offline

Board footer

Powered by FluxBB