iprouting with two nics

1. offizieller Beitrag

    Hi out there,


    i'm stuck to a routing issue and not familiar to iptable. I want to setup an extra LAN just for VDR-stuff in 192.168.22.0/24. These vdr-stuff needs to get access to internet - DNS is set to 192.168.2.254; DG is set to 192.168.22.11.


    What do i have to set OMV?
    eth0 192.168.2.11/255.255.255.0; DG 192.168.2.254; DNS 192.168.2.254
    eth1 192.168.22.11/255.255.255.0


    The router (192.168.2.254) has been set a static route: 192.168.22.0/24 -> 192.168.2.11


    Is firewall- oder routing-tab at \System\Network in webif useful for me?


    regards,
    Erik.

    • Offizieller Beitrag

    Hi there, iptables has nothing to do with routing, it can help to do some selective routing with marks and also help to masquerade packets so they can return.


    You're setup looks ok to me. The firewall tab is not very useful since it only allows rules on the INPUT/OUTPUT chain, whereas in you case you'll be using most likely using the FWD chain and NAT table. I see that you have a static route so maybe masquerade is not necessary.


    I'd recommend you to debug this use tcpdump in linux machines and wireshark in windows machines to inspect ping request/replies

    Hi subzero79,


    thx for taking time. I have not used tcpdump so far.


    Which one would help:

    Code
    tcpdump -nni eth1 host 192.168.22.20 > ~/tcpd_22.20_src.log


    Code
    tcpdump -nni eth1 icmp > ~/tcp_22.20_icmp.log


    regards.

    Auch das geht vorbei ...

    3 Mal editiert, zuletzt von Pfeifenraucher ()

    • Offizieller Beitrag

    yes, but you can also do it in real time for both nics, so you can see if packets are being fwd in between nics,


    tcpdump -nni any 'icmp' and start watching the output. There should be no ping movement until you start the ping, unless there is a openvpn client or other sw generating pings.


    or open two terminals with tcpdump one for each nic.

    Hi,
    you should not need any routing besides the one Default route to internet, because the 2 local networks are known to linux as they are directly attached.
    If you want internet connectivity for the vdr host, you must enable IP Forwarding in the linux kernel

    Code
    sysctl -w net.ipv4.ip_forward=1


    If you want to forbid access to 192.168.2.0/24 from vdr net, you need an iptables rule, otherwise it would also be routed.


    DNS is more challenging, if you want name resolutin depending on the subnet you need split dns. If you don't need you own zones, and just want internet dns,
    you can directly address the router, provider dns or maybe opendns, because of the default route the dns requests are also forwarded.
    But you can also install dnsmasq on omv which justs forwards the requests to internet.
    But remember, if you want to address the fritzbox you and have forbidden access to 192.168.2.0/24, you need to whitelist the FB IP in iptables.

    Hi Malefunk,


    this seems to be an interesting way. Ok, if it works, i have to edit /etc/sysctl.conf to save this entry for reboot.


    regards.

    Auch das geht vorbei ...

    Einmal editiert, zuletzt von Pfeifenraucher ()

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!

Benutzerkonto erstellen Anmelden