
#1 2024-03-04 16:27:44

planetmarshall
Member
Registered: 2023-09-07
Posts: 11

[solved] Setting up Conditional Forwarding with 2 network cards

I am using NetworkManager with systemd-resolved. I have two ethernet cards:

* enp5s0 is connected to a hardware VPN device so that I can access resources on a corporate network
* eno1 is connected to my home router

What I want to do is set up conditional forwarding so that I can access resources on the corporate network, but all other queries go through eno1.

By default, resolvectl returns the following:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google

Link 2 (enp5s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 10.88.16.1 10.72.235.65 8.8.8.8 1.1.1.1
        DNS Domain: corp.com

Link 3 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fd8b:e6ab:9552::1
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan

Note that the "DefaultRoute" flag is enabled on both connections. My understanding is that this means that any traffic not matching the search domains could be routed to either connection; it just depends on who gets there first. I have observed that when I enable the corporate connection (enp5s0) first, I cannot reach corporate resources; however, if I enable the home connection (eno1) first, then those resources are available, but sometimes other traffic is routed over the corporate network, and sometimes it isn't.

Obviously this behaviour is undesirable.

What I have tried: Disabling the "Default Route" flag on the corporate connection:

$ resolvectl
...
Link 2 (enp5s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 10.88.16.1 10.72.235.65 8.8.8.8 1.1.1.1
        DNS Domain: corp.com

Link 3 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fd8b:e6ab:9552::1
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan

I would have expected this to give me the behaviour I wanted, but although this means that default traffic goes over the home network, I can no longer access corporate resources at all. Why are domains ending in "corp.com" not being resolved? Is that not what the `ipv4.dns-search` setting is supposed to do?

What am I missing? I can use `dig` and `nmcli` etc to debug network behaviour and change various settings, but am unsure what to look for.

Any help appreciated.

Last edited by planetmarshall (2024-03-16 20:01:48)

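As an added example (not part of the thread), the following POSIX shell script models the per-link selection rule that systemd-resolved documents, applied to the resolvectl output quoted in the post: a query is sent to the link whose DNS domain is the longest suffix match of the name, and a name matching no domain goes to every link flagged +DefaultRoute (all of them are asked, and the first answer wins, which is the "who gets there first" behaviour described above). The sample text is reconstructed from the post, with the fallback server list shortened; the link names and domains (enp5s0/corp.com, eno1/lan) are the post's, the query names used in the comments are made up for illustration, and the second sample is the same output after the post's attempted fix (-DefaultRoute on enp5s0).

```shell
#!/bin/sh
# Added example: model systemd-resolved's per-link DNS routing over
# resolvectl output. Sample reconstructed from the forum post (constructed
# input; fallback server list shortened).
SAMPLE_RESOLVECTL='Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net

Link 2 (enp5s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 10.88.16.1 10.72.235.65 8.8.8.8 1.1.1.1
        DNS Domain: corp.com

Link 3 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fd8b:e6ab:9552::1
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan'

# Same output after the post's attempted fix: DefaultRoute cleared on enp5s0
# (derived from the sample above with sed, constructed for the example).
SAMPLE_NEVER_DEFAULT=$(printf '%s\n' "$SAMPLE_RESOLVECTL" \
    | sed '/^Link 2/,/^$/ s/+DefaultRoute/-DefaultRoute/')

# default_route_links OUTPUT: print every link carrying +DefaultRoute.
default_route_links() {
    printf '%s\n' "$1" | awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link) }
        link != "" && /Protocols:/ && /\+DefaultRoute/ { print link }
    '
}

# audit_default_route OUTPUT: return 1 (with a warning) when more than one
# link is a DNS default route, i.e. unqualified names may go to any of them.
audit_default_route() {
    links=$(default_route_links "$1")
    count=$(printf '%s\n' "$links" | grep -c . || true)
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count links carry +DefaultRoute; names outside any DNS domain go to all of them:"
        printf '  %s\n' $links
        return 1
    fi
    return 0
}

# dns_route_for OUTPUT NAME: print the link(s) a query for NAME is sent to.
# Longest matching DNS domain wins (a leading "~" marks a routing-only
# domain and is stripped); otherwise all +DefaultRoute links, in link order.
# The catch-all routing domain "~." is not modelled here.
dns_route_for() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link) }
        link != "" && /Protocols:/ && /\+DefaultRoute/ { order[++n] = link }
        link != "" && /DNS Domain:/ {
            for (i = 3; i <= NF; i++) { d = $i; sub(/^~/, "", d); dom[d] = link }
        }
        END {
            best = ""
            for (d in dom)
                if ((name == d || substr(name, length(name) - length(d)) == "." d) \
                    && length(d) > length(best))
                    best = d
            if (best != "") { print dom[best]; exit }
            for (i = 1; i <= n; i++) print order[i]
        }
    '
}

# Usage against the live system:
#   audit_default_route "$(resolvectl)"
#   dns_route_for "$(resolvectl)" host.corp.com
```

With the post's original state, `dns_route_for` sends vpn.corp.com to enp5s0 and printer.lan to eno1, but any other name to both links; after clearing DefaultRoute on enp5s0 the model still sends corp.com names to enp5s0, so the DNS routing rule alone does not explain corporate names failing there, which is why checking the IP routes (see the solution later in the thread) is the next step.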

#2 2024-03-04 16:50:02

yxcv
Member
Registered: 2024-02-13
Posts: 19

Re: [solved] Setting up Conditional Forwarding with 2 network cards

I strongly recommend reading baturin.org, then all of Kuznetsov's man ip, to get what is meant by default route.
I only know much less than nothing about the mysterious NetworkManager; I never needed it and never will use it in my life.


What you have inherited from your fathers,
earn it in order to possess it.


#3 2024-03-05 13:10:20

just4arch
Member
Registered: 2023-01-07
Posts: 84

Re: [solved] Setting up Conditional Forwarding with 2 network cards

You're looking for "policy-based routing", no idea how NM handles this though.
The idea is to have a second routing table with rules to use it for your VPN / corpo networks.


#4 2024-03-16 20:01:07

planetmarshall
Member
Registered: 2023-09-07
Posts: 11

Re: [solved] Setting up Conditional Forwarding with 2 network cards

Cracked it. I was on the right track but was missing the gateway information when adding a manual route. The steps I took were as follows:

1. Leave the primary connection (my home router) on its default settings, that is, it is the default route for all internet traffic
2. Set the secondary connection to not be the default. In the GUI this is done by clearing the checkbox "Use this connection only for resources on its network", or
   

   nmcli connection modify corporate ipv4.never-default=yes
   

3. Add the IP address of the corporate websites **together with the IP address of the corporate gateway**. This is unreliable in the GUI. The command line is
   

   nmcli connection modify corporate +ipv4.routes "<ip address of corporate resource> <ip address of gateway>"
   

Many thanks to everyone for their help, this may have seemed obvious but I'm pretty new at network admin.

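The three steps above, as an added example script that is not part of the thread: it applies the same nmcli settings to a NetworkManager profile and adds the DNS side of conditional forwarding, which the post does not show (a search domain prefixed with "~" is a routing-only domain, so with the systemd-resolved DNS plugin only queries under that domain are sent to the connection's DNS servers). The profile name "corporate", the gateway 10.88.16.1, the prefixes 10.88.0.0/16 and 10.72.235.0/24 and the domain corp.com are assumptions for illustration. With NM_DRY_RUN=1 the script prints the nmcli commands instead of running them, which is also how it is tested here.

```shell
#!/bin/sh
# Added example: configure a NetworkManager profile as a non-default
# connection with explicit routes and a routing-only DNS domain.
# Assumed names/addresses: profile "corporate", gateway 10.88.16.1,
# corporate prefixes 10.88.0.0/16 and 10.72.235.0/24, domain corp.com.
# NM_DRY_RUN=1 prints the commands instead of executing them.

# run CMD ARGS...: execute, or in dry-run mode print a copy-pasteable line
# (arguments containing spaces are double-quoted so the line can be re-run).
run() {
    if [ "${NM_DRY_RUN:-0}" = "1" ]; then
        line=""
        for arg in "$@"; do
            case $arg in
                *' '*) line="$line \"$arg\"" ;;
                *)     line="$line $arg" ;;
            esac
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}

# configure_split_connection CONN GATEWAY DOMAIN PREFIX...
configure_split_connection() {
    conn=$1
    gw=$2
    domain=$3
    shift 3
    # A route without a next hop is exactly the mistake the post describes,
    # so refuse to emit anything unless a gateway and at least one prefix
    # were given.
    if [ -z "$conn" ] || [ -z "$gw" ] || [ -z "$domain" ] || [ $# -eq 0 ]; then
        echo "usage: configure_split_connection CONN GATEWAY DOMAIN PREFIX..." >&2
        return 2
    fi

    # 1. Never install a default route from this profile: the home link keeps
    #    0.0.0.0/0, so only explicitly routed prefixes use the VPN device.
    run nmcli connection modify "$conn" ipv4.never-default yes

    # 2. One static route per corporate prefix, each with its next hop.
    #    ipv4.routes entries are "dest/prefix next-hop [metric]".
    for prefix in "$@"; do
        run nmcli connection modify "$conn" +ipv4.routes "$prefix $gw"
    done

    # 3. DNS conditional forwarding: "~DOMAIN" is a routing-only domain, so
    #    only queries under DOMAIN are sent to this profile's DNS servers.
    run nmcli connection modify "$conn" ipv4.dns-search "~$domain"

    # 4. Re-activate the profile so the changes take effect.
    run nmcli connection up "$conn"
}

# Checks to run afterwards on the live system (assumed device names):
#   ip route get 10.88.16.5     -> expected: "via 10.88.16.1 dev enp5s0"
#   ip route get 1.1.1.1        -> expected: "dev eno1"
#   resolvectl query host.corp.com
#   resolvectl                  -> enp5s0 should list "DNS Domain: ~corp.com"
#
# Usage: NM_DRY_RUN=1 ./split-corp.sh   (prints the commands), or
#   configure_split_connection corporate 10.88.16.1 corp.com 10.88.0.0/16 10.72.235.0/24
```

Run it once with NM_DRY_RUN=1 to review the commands, then without it; `nmcli connection up` re-reads the profile, and `ip route get` on a corporate address confirms the next hop is the corporate gateway rather than the home router.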


Powered by FluxBB