
#26 2021-10-11 12:36:38

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

Koatao wrote:

Okay, so now that everything is correctly set up on 5erver, we can try to make it a router.

The 3rd step is already done.

Let's connect the laptop to it.

What we want to do is to:
- Modify the NM connection named «local»:
Remove ipv4.method=shared and set up a static IP address for enp6s0 manually instead.

$ nmcli connection delete local
$ nmcli connection add con-name local ifname enp6s0 type ethernet ip4 10.42.0.1/24

- Set up a DHCP server:
https://wiki.archlinux.org/title/Networ … ation#DHCP
The server should listen on enp6s0, offer leases on the 10.42.0.0/24 network and use the DHCP options for gateway (option 3) and DNS server (option 6) to be passed on to the host.
https://www.incognito.com/tutorials/dhc … n-english/

- Configure Netfilter:
If the policy of the chain FORWARD of the table filter is DROP, you will have to create rules to route packets between each network. One way to do that:

# iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
# iptables -A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT

Don't forget to make sure 5erver can route packets:

# sysctl -w net.ipv4.ip_forward=1

https://wiki.archlinux.org/title/Sysctl

Once this is done, connect the laptop to the 5erver. On the laptop, the connection should be set up using DHCP and letting NetworkManager configure the gateway and DNS server(s) automatically.

OK, I will do that on Wednesday. I'm on a short trip in the mountains.

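
The router set-up described above (static address on enp6s0, dnsmasq DHCP handing out options 3 and 6, FORWARD rules, ip_forward) as one script, an added example that is not code from the thread or from Koatao. It keeps the thread's names (5erver's LAN side enp6s0, uplink enp2s0, network 10.42.0.0/24); the script name `router.sh`, the `WITH_NAT` switch and the pre-flight `check_dnsmasq_conf` function are assumptions of this example. Two things it adds that a plain ACCEPT in both directions does not: the FORWARD rules are stateful, so hosts on the uplink side cannot open connections into 10.42.0.0/24, and it refuses a dnsmasq.conf that would also serve DHCP and DNS on the uplink interface. The masquerade rule is there only for the case where the upstream router cannot be given a route back to 10.42.0.0/24 via 5erver.

```shell
#!/bin/sh
# router.sh: added example, not code from the thread. Turns a two-NIC Linux box
# into a router for a LAN on enp6s0 with the uplink on enp2s0 (names from the
# thread). Nothing touches the system unless run as "router.sh apply" by root.
set -u

LAN_IF="${LAN_IF:-enp6s0}"
WAN_IF="${WAN_IF:-enp2s0}"
LAN_NET="${LAN_NET:-10.42.0.0/24}"
LAN_ADDR="${LAN_ADDR:-10.42.0.1/24}"

# The four dnsmasq settings the set-up relies on, as a constructed sample.
# 0.0.0.0 in a dhcp-option means "the address of the machine running dnsmasq".
sample_conf() {
    cat <<EOF
# listen on the LAN side only
interface=$LAN_IF
dhcp-range=${LAN_NET%.*/*}.2,${LAN_NET%.*/*}.254,12h
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0
EOF
}

# Lines of a dnsmasq.conf that actually take effect (comments and blanks dropped).
active_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Pre-flight check of a dnsmasq.conf: listen on the LAN interface, lease range
# inside LAN_NET, router and DNS options set, and no listening on the uplink,
# which would expose DHCP and DNS to the upstream LAN. Returns 1 on the first
# problem and names it on stdout.
check_dnsmasq_conf() {
    conf="$1"
    prefix="${LAN_NET%.*/*}"               # 10.42.0.0/24 -> 10.42.0
    for want in "interface=$LAN_IF" "dhcp-range=$prefix." \
                "dhcp-option=3,0.0.0.0" "dhcp-option=6,0.0.0.0"; do
        active_lines "$conf" | grep -q -- "^$want" || { echo "missing: $want"; return 1; }
    done
    if active_lines "$conf" | grep -q -- "^interface=$WAN_IF"; then
        echo "dnsmasq also listens on $WAN_IF"; return 1
    fi
    return 0
}

# Netfilter rules. Stateful, unlike a plain ACCEPT in both directions: the LAN
# may open connections through the uplink, the uplink side only gets replies.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Only needed when the upstream router cannot be given a static route back to
# LAN_NET via this host: then replies have no path unless the source is rewritten.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

apply() {
    nmcli connection delete local 2>/dev/null || true
    nmcli connection add con-name local ifname "$LAN_IF" type ethernet ip4 "$LAN_ADDR"
    check_dnsmasq_conf /etc/dnsmasq.conf || exit 1
    dnsmasq --test
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | sh -e
    if [ "${WITH_NAT:-0}" = 1 ]; then nat_rules | sh -e; fi
    systemctl restart dnsmasq
}

case "${1:-}" in
    apply) apply ;;
    rules) forward_rules
           if [ "${WITH_NAT:-0}" = 1 ]; then nat_rules; fi ;;
    *)     tmp=$(mktemp) && sample_conf > "$tmp" \
               && check_dnsmasq_conf "$tmp" && echo "sample conf OK"
           rm -f "${tmp:-}" ;;
esac
```

Run without arguments it only checks the constructed sample configuration; `sh router.sh rules` prints the iptables commands so they can be reviewed before `sudo sh router.sh apply` (with `WITH_NAT=1` when the masquerade fallback is needed) configures the host. Rules added this way do not survive a reboot; persist them with iptables-save or the distribution's iptables service.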

#27 2021-10-13 16:31:56

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

[morta@5erver ~]$ cat /etc/dnsmasq.conf
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv

# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec

# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS 
# record somewhere between the root and the domain does not exist. 
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned

# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMPP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k

# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
#resolv-file=

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers that are known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
#strict-order

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1

# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83

# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search

# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1

# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55

# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=enp6s0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk

# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24

# Same idea, but range rather than subnet
#domain=reserved.thekelleys.org.uk,192.168.3.100,192.168.3.200

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.42.0.2,10.42.0.254,12h

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks where we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h

# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150

# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h

# Specify a subnet which can't be used for dynamic address allocation,
# but is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static

# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing.
#dhcp-range=1234::2, 1234::500, 64, 12h

# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only 

# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
# hosts. Use the DHCPv4 lease to derive the name, network segment and 
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names

# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 48 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h

# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac

# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless

# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names

# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router 
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the 
# clients don't use SLAAC addresses.
#enable-ra

# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.

# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60

# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred

# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m

# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60

# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite

# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60

# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61

# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60

# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge

# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore

# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*

# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red

# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red

# Give a fixed IPv6 address and name to client with 
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 

# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known

# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux

# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts

# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*

# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers

# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4

# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3

# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5

# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]

# Send DHCPv6 option for nameservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]

# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h

# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m

# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m

# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0

# Set the NIS domain name to "welly"
#dhcp-option=40,welly

# Set the default time-to-live to 50
#dhcp-option=23,50

# Set the "all subnets are local" flag
#dhcp-option=27,1

# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100

# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1

# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0           # option ip-forwarding off
#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
#dhcp-option=46,8           # netbios node type

# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"

# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com

# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8

# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0

# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i

# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow it to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"

# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i

# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0

# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100

# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php

# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b         # priority code
#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
#dhcp-option=encap:175, 177, string   # bus-id
#dhcp-option=encap:175, 189, 1b       # BIOS drive code
#dhcp-option=encap:175, 190, user     # iSCSI username
#dhcp-option=encap:175, 191, pass     # iSCSI password

# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64

# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60

# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"

# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux

# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4

# Use bootserver on network, found by multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1

# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4

# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf


# Enable dnsmasq's built-in TFTP server
#enable-tftp

# Set the root directory for files available via TFTP.
#tftp-root=/var/ftpd

# Do not abort if the tftp-root is unavailable
#tftp-no-fail

# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be sent over the net.
#tftp-secure

# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize

# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net

# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3

# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name

# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150

# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative

# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is 
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit

# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo

# Set the cachesize here.
#cache-size=150

# If you want to disable negative caching, uncomment this.
#no-negcache

# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
#local-ttl=

# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11

# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0

# Change these lines if you want dnsmasq to serve MX records.

# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50

# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com

# Return an MX record pointing to the mx-target for all local
# machines.
#localmx

# Return an MX record pointing to itself for all local machines.
#selfmx

# Change the following lines if you want dnsmasq to serve SRV
# records.  These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertrand,bert

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries

# Log lots of extra information about DHCP transactions.
#log-dhcp

# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d

# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak

# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

Is this dnsmasq.conf correct?

Here is systemctl status dnsmasq:

[morta@5erver ~]$ systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-10-13 18:27:00 CEST; 5min ago
       Docs: man:dnsmasq(8)
    Process: 1834389 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
   Main PID: 1834390 (dnsmasq)
      Tasks: 1 (limit: 76905)
     Memory: 1.1M
        CPU: 25ms
     CGroup: /system.slice/dnsmasq.service
             └─1834390 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file

Oct 13 18:32:01 5erver dnsmasq[1834390]: using nameserver 2001:1620:2777:1::10#53
Oct 13 18:32:01 5erver dnsmasq[1834390]: using nameserver 2001:1620:2777:2::20#53
Oct 13 18:32:34 5erver dnsmasq[1834390]: reading /etc/resolv.conf
Oct 13 18:32:34 5erver dnsmasq[1834390]: using nameserver 77.109.128.2#53
Oct 13 18:32:34 5erver dnsmasq[1834390]: using nameserver 213.144.129.20#53
Oct 13 18:32:35 5erver dnsmasq[1834390]: reading /etc/resolv.conf
Oct 13 18:32:35 5erver dnsmasq[1834390]: using nameserver 77.109.128.2#53
Oct 13 18:32:35 5erver dnsmasq[1834390]: using nameserver 213.144.129.20#53
Oct 13 18:32:35 5erver dnsmasq[1834390]: using nameserver 2001:1620:2777:1::10#53
Oct 13 18:32:35 5erver dnsmasq[1834390]: using nameserver 2001:1620:2777:2::20#53

I added the two iptables rules and enabled forwarding of the traffic.

Do I have to add 192.168.11.1 (router) as DNS server in resolv.conf, and maybe 10.42.0.1 as well?

https://abload.de/img/iprljzc.png
https://abload.de/img/bildschirmfotovom2021mhk9f.png
This doesn't seem correct anymore on the router, and I have no internet on the laptop over Ethernet.



Mod Edit - Replaced oversized images with links.
CoC - Pasting pictures and code

Last edited by Slithery (2021-10-17 20:27:57)


#28 2021-10-16 07:52:25

Koatao
Member
Registered: 2018-08-30
Posts: 54

Re: Routing with two Gateway

Hello,

Seems like a decent conf to me.

Morta wrote:

Do I have to add 192.168.11.1 (router) as DNS server in resolv.conf, and maybe 10.42.0.1 as well?

It is a better idea to configure DNS options with DHCP on dnsmasq.

The route on the router doesn't have any gateway. Add 5erver as the gateway to the 10.42.0.0/24 network.

A good way to debug networking issues is ICMP with tracepath:

laptop$ tracepath 192.168.1.1


#29 2021-10-16 12:04:16

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

Koatao wrote:

Hello,

Seems like a decent conf to me.

Morta wrote:

Do I have to add 192.168.11.1 (router) as DNS server in resolv.conf, and maybe 10.42.0.1 as well?

It is a better idea to configure DNS options with DHCP on dnsmasq.

The route on the router doesn't have any gateway. Add 5erver as the gateway to the 10.42.0.0/24 network.

A good thing to debug networking issue is ICMP with tracepath:

laptop$ tracepath 192.168.1.1
[morta@lapt0p ~]$ tracepath 192.168.11.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.454ms 
 1:  _gateway                                              0.388ms 
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply
 7:  no reply
 8:  no reply

I can only add 192.168.1.162 as gateway to 10.42.0.1 (gateway for lapt0p). I can't add a whole /24 subnet, just one IP, on the router.

https://abload.de/img/routingpzjtl.png



Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code

Last edited by Slithery (2021-10-17 20:28:30)


#30 2021-10-17 20:26:09

Koatao
Member
Registered: 2018-08-30
Posts: 54

Re: Routing with two Gateway

I find it weird that you can set up RIP, which is a routing protocol, and cannot configure a static route to any network on it. ^^
Anyway, the destination IP should be the IP (10.42.0.18) of the laptop.

By the way, can you ping 192.168.1.162 from the laptop?

What is the firewall configuration on 5erver now?

# iptables -nvL
# iptables -t nat -nvL


#31 2021-10-18 11:56:44

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

[morta@lapt0p ~]$ tracepath 192.168.11.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.485ms 
 1:  _gateway                                              0.393ms 
 2:  no reply
 3:  no reply
^C
[morta@lapt0p ~]$ tracepath 192.168.11.162
 1?: [LOCALHOST]                      pmtu 1500
 1:  ^C
[morta@lapt0p ~]$ ping 192.168.11.162
PING 192.168.11.162 (192.168.11.162) 56(84) bytes of data.
64 bytes from 192.168.11.162: icmp_seq=1 ttl=64 time=0.242 ms
64 bytes from 192.168.11.162: icmp_seq=2 ttl=64 time=0.259 ms
^X64 bytes from 192.168.11.162: icmp_seq=3 ttl=64 time=0.237 ms
^C
--- 192.168.11.162 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.237/0.246/0.259/0.009 ms
[morta@lapt0p ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1022ms

[morta@lapt0p ~]$ 

Seems that NetworkManager doesn't provide internet to my laptop.

[morta@5erver ~]$ sudo  iptables -nvL
Chain INPUT (policy ACCEPT 364M packets, 596G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
 6437  511K monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
 131K   18M monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
8625K   22G monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
 3658  199K monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
73989   40M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
73989   40M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
21238 1478K ACCEPT     all  --  enp6s0 enp2s0  0.0.0.0/0            0.0.0.0/0           
  121 26411 ACCEPT     all  --  enp2s0 enp6s0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 321M packets, 1162G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
 6311  996K monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
 129K   24M monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
5794K  852M monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
 5376  474K monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
73989   40M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
73989   40M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain monitorix_IN_0 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_3 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_5 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_6 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_7 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_8 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
[morta@5erver ~]$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1464K packets, 92M bytes)
 pkts bytes target     prot opt in     out     source               destination         
1451K   91M DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1451K packets, 91M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 530K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 541K packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Seems that the iptables rules are not active and persistent. I will add them to /etc/rc.local, reboot and repost it.


#32 2021-10-18 12:05:42

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

[morta@5erver ~]$ cat /etc/rc.local
#!/bin/bash
#Delete old NetworkManager Connections
#nmcli connection delete local
#nmcli connection delete local-nas

#NetworkManager forward IPv4&IPv6 to Laptop
#nmcli connection add type ethernet ifname enp6s0 ipv4.method shared con-name local
#nmcli connection modify local ipv6.method shared
#nmcli c mod enp2s0 ipv6.token ::deca:fbad:c0:ffee

#NetworkManager forward IPv4 to NAS
#nmcli connection add type ethernet ifname enp5s0 ipv4.method shared con-name local-nas
#nmcli connection modify local-nas ipv6.method shared

#Forward Internet to Laptop with Iptables
sysctl net.ipv4.ip_forward=1
#iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
#iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
#iptables -A FORWARD -i enp5s0 -o enp2s0 -j ACCEPT

#Loopback for fastcg/php-fpm
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

#Iptables rules for speedtesting.it
#iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

#Iptables rules for rsync
#iptables -A INPUT -m state --state NEW -p tcp --dport 873 -j ACCEPT
#iptables -A INPUT -m state --state NEW -p udp --dport 873 -j ACCEPT

#Iptables ipv6 http & https
#ip6tables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
#ip6tables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

#Iptables rules for mopidy
#iptables -A INPUT -m state --state NEW -p tcp --dport 6680 -j ACCEPT
#ip6tables -A INPUT -m state --state NEW -p tcp --dport 6680 -j ACCEPT

#Docker ipv6
#ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE


#FORWARD rules currently active (laptop <-> upstream)
iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
iptables -A FORWARD -i enp2s0 -o enp6s0 -j ACCEPT


#Rights for Certbot Let's Encrypt folder
chgrp -R ssl-cert /etc/letsencrypt
chmod -R 2755 /etc/letsencrypt
[morta@5erver ~]$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 635 packets, 38157 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  635 38157 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 635 packets, 38157 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 185 packets, 22921 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 185 packets, 22921 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
[morta@5erver ~]$ sudo  iptables -nvL
Chain INPUT (policy ACCEPT 183K packets, 179M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
   82 10312 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
   46  3108 monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
  123 10792 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  enp6s0 enp2s0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  enp2s0 enp6s0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 190K packets, 725M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
   70 10828 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
   41  105K monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
  100 11888 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain monitorix_IN_0 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_3 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_5 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_6 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_7 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_8 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
[morta@5erver ~]$ 

Now they are live but no internet on my laptop.

[morta@lapt0p ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp0s20f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 7a:ba:c8:b7:6b:ad brd ff:ff:ff:ff:ff:ff permaddr 84:fd:d1:fd:30:36
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
4: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.193.1/24 brd 192.168.193.255 scope global dynamic vmnet1
       valid_lft 1703sec preferred_lft 1478sec
    inet6 fe80::8820:5214:6066:f42f/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:1/64 scope link 
       valid_lft forever preferred_lft forever
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.130.1/24 brd 192.168.130.255 scope global dynamic vmnet8
       valid_lft 1702sec preferred_lft 1477sec
    inet6 fe80::cbf6:56e:9959:3067/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.18/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
       valid_lft 43096sec preferred_lft 43096sec
    inet 10.42.0.17/24 brd 10.42.0.255 scope global secondary dynamic noprefixroute enp58s0u1u3c2
       valid_lft 43103sec preferred_lft 37703sec
    inet6 fe80::dea0:8e28:3f7:6843/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::41d0:7fea:8405:d9cf/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[morta@lapt0p ~]$ tracepath 192.168.11.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.457ms 
 1:  _gateway                                              0.464ms 
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
^C
[morta@lapt0p ~]$ ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
^C
--- 192.168.11.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6068ms

[morta@lapt0p ~]$

If I add the routing rule to my Zyxel router I can no longer ping 192.168.11.1.
Also, my laptop sometimes gets two IPv4 addresses, 10.42.0.17 and 10.42.0.18.
tracepath shows 192.168.11.1 as not reached and ping google.ch fails.

Last edited by Morta (2021-10-18 12:32:03)


#33 2021-10-18 18:40:08

Koatao
Member
Registered: 2018-08-30
Posts: 54

Re: Routing with two Gateway

Morta wrote:

Seems that the iptables rules are not active and persistent. I will add them to /etc/rc.local, reboot and repost it.

Don't; run it as a systemd service and save the rules you want in /etc/iptables/iptables.rules
https://wiki.archlinux.org/title/Iptabl … _and_usage

Morta wrote:

If I add the routing rule to my Zyxel router I can no longer ping 192.168.11.1.

You couldn't anyway? Or are you saying ping fails from 5erver to 192.168.11.1?

Morta wrote:

Also, my laptop sometimes gets two IPv4 addresses, 10.42.0.17 and 10.42.0.18.

Yeah, I forgot to mention that: you have two services setting up the network on the laptop, dhcpcd.service and NM. Disable the former.

Well, let's try something else then:
- Add NAT on 5erver for traffic going through enp2s0

# iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

That should get rid of the «configuration of static routing on the router» problem. But it also means 192.168.11.0/24 will be more of a DMZ-like network, meaning any device on 192.168.11.0/24 will not be able to start a new communication with any device behind 5erver (you can configure port forwarding with iptables afterward, though).


#34 2021-10-19 14:10:08

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

Koatao wrote:
Morta wrote:

Seems that the iptables rules are not active and persistent. I will add them to /etc/rc.local, reboot and repost it.

Don't; run it as a systemd service and save the rules you want in /etc/iptables/iptables.rules
https://wiki.archlinux.org/title/Iptabl … _and_usage

OK, I added all rules to iptables.rules with this command: sudo iptables-save -f /etc/iptables/iptables.rules

Morta wrote:

If I add the routing rule to my Zyxel router I can no longer ping 192.168.11.1.

You couldn't anyway? Or are you saying ping fails from 5erver to 192.168.11.1?

When I delete the routing rule in the router web UI I can ping 192.168.11.1; if I add a rule for the laptop, it doesn't work!

Morta wrote:

Also, my laptop sometimes gets two IPv4 addresses, 10.42.0.17 and 10.42.0.18.

Yeah, I forgot to mention that: you have two services setting up the network on the laptop, dhcpcd.service and NM. Disable the former.

[morta@lapt0p MP3]$ sudo systemctl disable dhcpcd.service
[sudo] password for morta:
Removed /etc/systemd/system/multi-user.target.wants/dhcpcd.service.
[morta@lapt0p MP3]$ sudo systemctl stop dhcpcd.service


Well, let's try something else then:
- Add NAT on 5erver for traffic going through enp2s0

# iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

That should get rid of the «configuration of static routing on the router» problem. But it also means 192.168.11.0/24 will be more of a DMZ-like network, meaning any device on 192.168.11.0/24 will not be able to start a new communication with any device behind 5erver (you can configure port forwarding with iptables afterward, though).

Should I not use these rules instead of your three iptables rules? This is how they are given in the Arch Wiki to forward internet!

iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT

Last edited by Morta (2021-10-19 19:34:43)

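Putting together Koatao's persistence advice (iptables.service loading /etc/iptables/iptables.rules), his MASQUERADE step, and the three Arch Wiki rules Morta quotes, as an added example that is not from the thread: the function below renders the complete ruleset in iptables-restore format, with the FORWARD policy set to DROP so that 192.168.11.0/24 really cannot open connections into 10.42.0.0/24 unless a port forward is listed explicitly. Interfaces enp6s0 (LAN) and enp2s0 (WAN) are the thread's; the optional port forward of TCP 22 to 10.42.0.18 is an assumed illustration of the "port forwarding afterward" Koatao mentions. The second function is a line count used as a sanity check on the rendered file.

```sh
#!/bin/sh
# Added example, not code from the thread: build the ruleset for 5erver as a
# NAT router in iptables-restore format, i.e. the content one would save to
# /etc/iptables/iptables.rules for iptables.service instead of rc.local.
# LAN=enp6s0 and WAN=enp2s0 follow the thread; the optional port forward
# (for example TCP 22 to 10.42.0.18) is an assumed example of letting one
# host on 192.168.11.0/24 reach a device behind the NAT.

# gen_router_rules LAN_IF WAN_IF [PROTO PORT DST_IP]
gen_router_rules() {
    lan=$1; wan=$2; proto=$3; port=$4; dst=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    if [ -n "$dst" ]; then
        # rewrite the destination of inbound WAN traffic for one published service
        printf '%s\n' "-A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $dst"
    fi
    # everything leaving through the WAN side gets 5erver's own address as
    # source, so the upstream router needs no static route for 10.42.0.0/24
    printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE" COMMIT
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to tracked connections may cross in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections are allowed only from the LAN towards the WAN;
# WAN -> LAN NEW falls through to the DROP policy (the DMZ-like behaviour)
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ -n "$dst" ]; then
        # the DNATed connection is still NEW when it reaches FORWARD, so it needs
        # its own accept; match the post-DNAT destination, not the public address
        printf '%s\n' "-A FORWARD -i $wan -o $lan -p $proto -d $dst --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo COMMIT
}

# rule_count: number of "-A" rule lines on stdin, a cheap sanity check on the
# rendered file before handing it to iptables-restore
rule_count() {
    grep -c '^-A '
}

# render the thread's router with the assumed SSH forward; redirect to
# /etc/iptables/iptables.rules on 5erver
gen_router_rules enp6s0 enp2s0 tcp 22 10.42.0.18
```

Check the file with `iptables-restore --test < /etc/iptables/iptables.rules` before enabling iptables.service. Loading it flushes the nat and filter tables, so Docker (which recreates its DOCKER-* chains and FORWARD hooks when dockerd starts) and monitorix must start after iptables.service, or the file must be loaded with `iptables-restore --noflush` so their chains survive. Note that net.ipv4.ip_forward=1 still has to be set separately, for example in a sysctl.d drop-in.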

#35 2021-10-21 21:48:31

Morta
Member
Registered: 2019-07-07
Posts: 96

Re: Routing with two Gateway

tracepath on the laptop

 tracepath 192.168.11.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                             62.836ms 
 1:  _gateway                                              0.463ms 
 2:  192.168.11.1                                          0.865ms reached
     Resume: pmtu 1500 hops 2 back 

ip a on the laptop

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 48:2a:e3:4c:13:ef brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether c2:73:fa:d7:11:cd brd ff:ff:ff:ff:ff:ff permaddr 84:fd:d1:fd:30:36
4: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.193.1/24 brd 192.168.193.255 scope global vmnet1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:1/64 scope link 
       valid_lft forever preferred_lft forever
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.130.1/24 brd 192.168.130.255 scope global vmnet8
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever
6: enp58s0u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 80:6d:97:0d:ed:b9 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.18/24 brd 10.42.0.255 scope global dynamic noprefixroute enp58s0u1u3c2
       valid_lft 42500sec preferred_lft 42500sec
    inet6 fe80::41d0:7fea:8405:d9cf/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Iptables on the server without NAT

sudo iptables -nvL
Chain INPUT (policy ACCEPT 588K packets, 622M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
  230 17593 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
  266 20843 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
  137 11837 monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
11649   19M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
11649   19M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
11143   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  506 72492 ACCEPT     all  --  enp6s0 enp2s0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 413K packets, 1272M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 monitorix_IN_8  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
  230 29105 monitorix_IN_7  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
  230 49602 monitorix_IN_3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
  136  295K monitorix_IN_2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_1  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
    0     0 monitorix_IN_0  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
11649   19M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
11649   19M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain monitorix_IN_0 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_3 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_5 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_6 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_7 (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain monitorix_IN_8 (2 references)
 pkts bytes target     prot opt in     out     source               destination  

Iptables on the server

sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1259 packets, 152K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  816 56829 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 817 packets, 57147 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 467 packets, 56803 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 70 packets, 4584 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
  846  121K MASQUERADE  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0 

Looks fine now, no?
Looks good with these three iptables rules...
Do you have a good guide for a stateful iptables firewall for a server?

How can I add IPv6 support from the internet router to the laptop?
I have an IPv6 but not these from the ISP..

Last edited by Morta (2021-10-22 05:58:23)

Offline

#36 2021-10-23 08:08:53

Koatao
Member
Registered: 2018-08-30
Posts: 54

Re: Routing with two Gateway

Well, tracepath is good, so yep, the laptop should be connected to the internet now.
The ESTABLISHED,RELATED kind of rule in the forward table is indeed a little bit better in the case of a NAT, but atm, due to the default policy, the FORWARD chain isn't filtering anything anyway.

I don't know of any «guide» to set up a firewall. A server is a generic term, it can do pretty much anything and the firewall configuration will depend on what it does. Anyhow, the basics are simple: block everything, only allow what you need and try not to lock yourself out (yes, it happens sometimes ^^).

What do you mean about IPv6 support? Linux supports it natively. I suggest you learn about IPv4 first before setting up IPv6.

If I have one remark to make, it is that 5erver shouldn't be a router and a public server. It is a single point of failure that can be hacked remotely. You will get in trouble at some point with that architecture. Invest in a proper router (beware of shitty cheap consumer-grade routers) or in another device you can turn into a router with Linux or BSD. Archlinux can be set up as a router, but there are distributions like OpenWRT or pfSense (for which you won't find any support here) that are more suited for networking and security purposes (a web interface is useful for day-to-day administration).

Last edited by Koatao (2021-10-23 08:18:56)

Offline
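As an added example (not the thread's own configuration) of the "block everything, only allow what you need" approach Koatao describes, applied to the two-interface layout in this thread: a stateful iptables script with default-deny INPUT and FORWARD policies. The interface names, LAN subnet and SSH port are assumptions taken from earlier posts; it only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not the thread's ruleset: stateful default-deny firewall for a
# two-interface router (WAN on enp2s0, LAN on enp6s0 serving 10.42.0.0/24).
# Interface names, subnet and SSH port are assumptions; IPT defaults to a dry
# run that prints each command. Run with IPT=iptables as root to apply.
WAN="${WAN:-enp2s0}"
LAN="${LAN:-enp6s0}"
LAN_NET="${LAN_NET:-10.42.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-echo iptables}"

fw_rules() {
    # Policies go to DROP before the chains are flushed, so there is no window
    # in which everything is accepted. Apply from a console, not over SSH,
    # until the rules below are in place (this is the "lock yourself out" case).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    # Loopback, plus replies to connections the router itself started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # What the LAN needs from the router: DHCP, DNS (dnsmasq) and ICMP.
    $IPT -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    # Administration from the LAN side only; SSH is not reachable on the WAN.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
    # Forwarding: new connections only LAN -> WAN; WAN -> LAN only for replies.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # NAT for the LAN; the thread already has an equivalent MASQUERADE on enp2s0,
    # so skip this line if that rule is still present.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Sanity check: number of rules that rely on conntrack state (expected: 2).
stateful_rule_count() {
    fw_rules | grep -c -- '--ctstate RELATED,ESTABLISHED'
}

fw_rules
```

Because the script flushes FORWARD, run it before Docker starts or restart Docker afterwards so it re-creates its own DOCKER chains; nothing here covers IPv6, which needs a separate ip6tables ruleset.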
