(Machine to act as a) Router

Linux Kernel, Network, and Services configuration.
ShedPaul
Posts: 15
Joined: 2010-05-09 21:49

(Machine to act as a) Router

#1 Post by ShedPaul »

Debian 12, two network interfaces.

eth0 is the access to the internet (on 192.168.0.1), and my home network is 192.168.1.0/24 on eth1

I'm just using /etc/network/interfaces which has:

auto eth1
iface eth1 inet static
address 192.168.1.1
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255

auto eth0
iface eth0 inet static
address 192.168.0.2
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1


So from this machine I can ping to the outside world from both ports, for example to 192.168.0.1 and to 192.168.1.8

but... if I try to ping 192.168.0.1 from 192.168.1.8, no routing is found.

And yes, I uncommented the 'net.ipv4ip_forward=1' in /etc/sysctl.conf

I know I must be missing something very obvious, but I just can't see it.

Is there anything else in sysctl.conf?
Last edited by ShedPaul on 2024-06-15 08:19, edited 1 time in total.

RedGreen925
Posts: 157
Joined: 2024-05-16 02:56
Has thanked: 1 time
Been thanked: 29 times

Re: Router

#2 Post by RedGreen925 »

ShedPaul wrote: 2024-06-14 22:34


So from this machine I can ping to the outside world from both ports, for example to 192.168.0.1 and to 192.168.1.8

but... if I try to ping 192.168.0.1 from 192.168.1.8, no routing is found.


I know I must be missing something very obvious, but I just can't see it.

Well, the obvious is that they are on separate networks, which will not be reachable due to that. Put them on the same network and they should be able to communicate with each other. Use either the 192.168.0.??? or the 192.168.1.??? for both the interfaces. If you plan on using the second interface to connect other machines to the internet via it, then what you do will make sense. Also, I see no mention of a firewall being used to shield the computer from being directly connected to the internet and allowing those ports that are open to be exposed to any port scanners out there doing what they do: scanning for open ports for machines to compromise if they can. Here is a search listing some articles you should read to configure this properly. I gave up on it ages ago and now just use a router and hubs for my home network. It simplifies the process to a pre-configured device that works well, in my experience with them, at a fraction of the power consumption of a dedicated machine doing it.

https://www.google.com/search?q=setting ... dm=14#ip=1

FreewheelinFrank
Global Moderator
Posts: 2360
Joined: 2010-06-07 16:59
Has thanked: 45 times
Been thanked: 257 times

Re: Router

#3 Post by FreewheelinFrank »

@ShedPaul

Welcome to the forum!

A more descriptive topic title would help both with members with knowledge of the issue being more likely to respond, and members with the same or similar issue being more likely to find your topic in the future.

Please could you edit your first post and make the title more descriptive. Thank you.

kopper
Posts: 143
Joined: 2016-09-30 14:30
Been thanked: 3 times

Re: Router

#4 Post by kopper »

If the host you are pinging from sits in the 192.168.1.0/24 network and you expect the 192.168.0.0/24 network to be reachable, via 192.168.1.1, the host must know where to send packets intended for 192.168.0.0/24. I.e. it must have a route defined for that network.

Assuming you don't have any other router configured on your pinging host, you must configure the host either to have:
  • 192.168.1.1 as default gateway, or
  • static route to 192.168.0.0/24 via 192.168.1.1.
Perhaps output of

Code: Select all

ip r
of the pinging host would be useful. Other than that, it is hard to comment on any network layout or e.g. firewall-related issues without more information.
Debian Trixie with sway
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

ShedPaul
Posts: 15
Joined: 2010-05-09 21:49

Re: (Machine to act as a) Router

#5 Post by ShedPaul »

ip r gives:

default via 192.168.0.1 dev eth0 onlink
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1

ShedPaul
Posts: 15
Joined: 2010-05-09 21:49

Re: (Machine to act as a) Router

#6 Post by ShedPaul »

A couple of people have commented about the different network definitions on the two ports. In that case how does a router to the internet ever work?

RedGreen925
Posts: 157
Joined: 2024-05-16 02:56
Has thanked: 1 time
Been thanked: 29 times

Re: (Machine to act as a) Router

#7 Post by RedGreen925 »

ShedPaul wrote: 2024-06-15 08:45 A couple of people have commented about the different network definitions on the two ports. In that case how does a router to the internet ever work?

NAT, or network address translation: a host machine with an IP on the same network segment as the machine(s) behind it translates the requests and forwards the packets along to the machine it has given their IP to. It is part of the IP forwarding you tried to use, with a firewall like iptables doing the connection routing and protecting the machine from being exploited. This is usually done with a DHCP server involved, which tells the client machines that it serves what their IP, gateway IP and DNS servers are, if it is not serving up the DNS itself. Then again, you would know some of this by now if you had read even one of the articles in the search I linked to. Oh, and the host machine acting as the router was assigned its settings by yet another machine doing exactly the same thing, the whole process repeated for as many layers of it as is required to get it done to connect to the outside world. Each step it goes through is one closer to communicating with the destination sought. The output of the traceroute command shows you the path your packets travel going through this process to connect to a website; here it shows nine hops, as they are called, to get to the 8.8.8.8 address (Google DNS server).

Code: Select all

zeus@9600k:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:99:63:13:53 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic noprefixroute eno1
       valid_lft 85938sec preferred_lft 85938sec
    inet6 fe80::9cba:25ed:2435:cf3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

zeus@9600k:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  asus.local (192.168.0.1)  0.475 ms  0.699 ms  0.866 ms
 2  192.168.2.1 (192.168.2.1)  2.714 ms  2.775 ms  2.755 ms
 3  10.178.218.5 (10.178.218.5)  5.908 ms  5.752 ms  5.818 ms
 4  ae21-84.cr02.drmo.ns.aliant.net (142.166.39.157)  5.902 ms  6.313 ms  6.760 ms
 5  hg-0-4-0-1-50.cr01.drmo.ns.aliant.net (142.166.218.65)  6.915 ms hg-0-4-0-0.cr01.hlfx.ns.aliant.net (142.166.211.73)  6.970 ms  6.764 ms
 6  hg-0-4-0-0.cr01.hlfx.ns.aliant.net (142.166.211.73)  6.957 ms  5.810 ms be19.bx02.nycm.ny.aliant.net (207.231.227.62)  23.394 ms
 7  74.125.119.154 (74.125.119.154)  24.686 ms be19.bx02.nycm.ny.aliant.net (207.231.227.62)  23.835 ms 74.125.119.154 (74.125.119.154)  24.104 ms
 8  * * 74.125.119.154 (74.125.119.154)  22.212 ms
 9  * dns.google (8.8.8.8)  22.653 ms *
Here it shows my router 192.168.0.1 as the first hop after leaving my machine 192.168.0.101. The asus.local in turn got its IP and default route from 192.168.2.1, the router of my ISP, which in turn got its IP from another private subnet machine with the IP of 10.178.218.5 at the other end of my fiber-optic connection. Then we get to the ISP's facilities with a publicly routable address of 142.166.39.157, and it bounces around for a few more of their machines, until 74.125.119.154 gets involved, one of Google's machines, where it gets passed along to the actual DNS server.

Code: Select all

zeus@9600k:~$ whois 74.125.119.154

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#


NetRange:       74.125.0.0 - 74.125.255.255
CIDR:           74.125.0.0/16
NetName:        GOOGLE
NetHandle:      NET-74-125-0-0-1
Parent:         NET74 (NET-74-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Google LLC (GOGL)
RegDate:        2007-03-13
Updated:        2012-02-24
Ref:            https://rdap.arin.net/registry/ip/74.125.0.0

snip....
The readings suggested is/are a basic requirement to doing what you wish to be done with the machine. Without an understanding of how all this works it will be useless trying to set it up as you have already discovered.

steve_v
df -h | grep > 20TiB
Posts: 1528
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 105 times
Been thanked: 255 times

Re: (Machine to act as a) Router

#8 Post by steve_v »

ShedPaul wrote: 2024-06-14 22:34 I know I must be missing something very obvious
A firewall rule to do the address mangling/masquerading (NAT) perhaps?
Examples of appropriate rules abound on the 'net, and this very forum.

How we got to 4 replies waffling about routes without anyone mentioning this fairly important piece of the puzzle I don't know.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
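
The pieces raised in posts #4 and #8, put together as an added example that is not part of any post in this thread: a forward chain that drops by default, masquerading on the internet-facing port, and a check of a LAN client's routing table. Interface names and subnets are the ones ShedPaul posted; the table and function names are made up for illustration, and the ruleset is nftables rather than anything the thread itself shows.

```shell
#!/bin/sh
# Added example (not from the thread). eth0/eth1 and the subnets come from
# ShedPaul's posts; table and function names are hypothetical.

# Print an nftables ruleset: forwarded traffic is dropped by default, the LAN
# may go out through the WAN port, replies may come back, and LAN source
# addresses are masqueraded on the way out.
render_router_ruleset() {
    wan=$1 lan=$2 lan_net=$3
    cat <<EOF
table inet router_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
    }
}
table ip router_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

# Read `ip r` output from a LAN client on stdin and print how it would reach
# the far network through the router: "static", "default", or "none"
# (exit status 1) when no route points at the router.
client_route_via() {
    router=$1 far_net=$2
    awk -v gw="$router" -v net="$far_net" '
        $2 == "via" && $3 == gw && $1 == net       { found = "static" }
        $2 == "via" && $3 == gw && $1 == "default" { if (!found) found = "default" }
        END { if (found) print found; else { print "none"; exit 1 } }'
}

# On the router, as root (not executed by this file):
#   sysctl -w net.ipv4.ip_forward=1
#   render_router_ruleset eth0 eth1 192.168.1.0/24 | nft -f -
# On the client (192.168.1.8 in the thread):
#   ip r | client_route_via 192.168.1.1 192.168.0.0/24
```

If ufw stays enabled on the router, its own forward policy (DEFAULT_FORWARD_POLICY in /etc/default/ufw, DROP by default) is evaluated as well, so forwarded packets must be allowed there too.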

ShedPaul
Posts: 15
Joined: 2010-05-09 21:49

Re: (Machine to act as a) Router

#9 Post by ShedPaul »

I am making progress, but slowly. I think it is in the firewalling, but even that doesn't make much sense. The box does have ufw, which by default allows icmp packets through. Indeed I can see the rules in the 'before' file allow this, and I certainly haven't added any rules of my own which affect pings. But disabling the firewall allows me to reach 192.168.0.2 (the port on the box which is destined for the internet), but not beyond, say the router at 192.168.0.1
I've struggled for too long with this, I'm going to grab my configuration files and do a fresh install - that is the only way to track this down without extra stuff, such as rather complex dhcpd, tftpd and other daemons.
I just wonder if there is a hardware issue, in the same way that bridging sometimes won't work. Interestingly this question does appear on a variety of forums for various distributions, usually without a clear resolution.
I know that I need to be careful with web searches referring to prehistoric distributions (prehistoric can mean 4 years old) because so much changes, and it is impossible to keep track of it all. I had a vague hope that this post might induce a "have you checked blah.blah.blah.conf? It's new since Deb 11" kind of reply.
I'll try to update, because I hate these posts that just fizzle out without a resolution.

maggiv8
Posts: 3
Joined: 2024-11-19 09:42
Location: Melbourne
Has thanked: 1 time

Re: (Machine to act as a) Router

#10 Post by maggiv8 »

Seems you are missing the corresponding entries in IPTables....please see viewtopic.php?t=160994
