
I have trouble configuring a server that I own. It has Linux Ubuntu Server Edition 10.04 LTS as OS, two NICs (eth0 and eth1) and uses OpenVPN.

eth0 is connected to a switch which is connected to a 3G router (static ip: 192.168.0.254) and eth1 is sometimes connected to a (beforehand) unknown LAN and uses DHCP to acquire an IP address. Only one of those interfaces will have internet access at a time, i.e. if a cable is plugged in eth1, it is required that the 3G router is shut down*.

Ultimately, I would like all the traffic to go through the VPN using the interface that is connected to the internet but also all traffic to a specific IP address and port (let's say 192.168.45.1:8443) to use eth1, no matter what.

In the process of setting that up, I first concentrated on the 3G part, left eth1 unplugged and managed to use the VPN to communicate with other servers in the VPN over eth0.

/etc/network/interfaces looks like this:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.254

auto eth1
iface eth1 inet dhcp

Then, I plugged an ethernet cable in eth1, disabled the VPN and shut down the 3G router. The LAN to which eth1 is connected has a DHCP server (192.168.0.254) and happens to have the same ip range as the machines connected to eth0 (192.168.0.x). I can by no means guarantee that both subnets will be different in the future.

The server gets an IP (192.168.0.45) from the DHCP server but neither can I ping it nor see the server in the list of connected devices on the DHCP server interface.

After commenting out the gateway line in /etc/network/interfaces, I'm able to ping the DHCP server as well as any other server in the LAN but still not the other way around. Also, it only works if I specify the interface to use for pinging:

  • ping 192.168.0.254

    PING 192.168.0.254 (192.168.0.254) 56(84) bytes of data.
    From 192.168.0.100 icmp_seq=1 Destination Host Unreachable
    From 192.168.0.100 icmp_seq=3 Destination Host Unreachable
    From 192.168.0.100 icmp_seq=4 Destination Host Unreachable
    ^C
    --- 192.168.0.254 ping statistics ---
    6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5007ms, pipe 3
    
  • ping 192.168.0.254 -I eth1

    PING 192.168.0.254 (192.168.0.254) from 192.168.0.100 eth1: 56(84) bytes of data.
    64 bytes from 192.168.0.254: icmp_seq=1 ttl=255 time=0.738 ms
    64 bytes from 192.168.0.254: icmp_seq=2 ttl=255 time=0.832 ms
    64 bytes from 192.168.0.254: icmp_seq=3 ttl=255 time=0.809 ms
    64 bytes from 192.168.0.254: icmp_seq=4 ttl=255 time=0.795 ms
    
    --- 192.168.0.254 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2997ms
    rtt min/avg/max/mdev = 0.738/0.793/0.832/0.044 ms
    

I have no idea why it still says from 192.168.0.100 even when pinging on eth1 since it's not its address.

I've read about IP Policy Routing and it seemed to be the way I should head to achieve what I want in the end (among others, forcing traffic to and from a specific ip/port through eth1). If I understand correctly, what could make it impossible to ping the server from any other machine in the LAN is that it returns the whole traffic through eth0 in case it's the default route?

However, when looking at the output of route, it seems to me that the default route is on eth1?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.254   0.0.0.0         UG    100    0        0 eth1

I've read this post and the one linked in it and tried to adapt it in order to make all traffic that goes in eth0 go out eth0 and the same for eth1:

ip route add default dev eth0 table 3G
ip route add default dev eth1 table LAN
ip rule add fwmark 0x1 table 3G
ip rule add fwmark 0x2 table LAN
iptables -A OUTPUT -t mangle -o eth0 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 2

But that doesn't work and afterwards, I'm not able to ping the DHCP server anymore. I guess I've misunderstood how that works...

What should I do?

Also, I've left out the VPN part for now but I'm a bit concerned that it will not work as I candidly expected. How do routes and the VPN interact? I need to be sure that the route that forces all the traffic to and from a specific ip/route through eth1, cannot be resolved if eth1 is not connected.

Thank you very much in advance for your help. I would be very happy to provide any other information if needed. Please excuse me if the question was already answered somewhere else, I didn't find it (or if it's too basic).

*It would be even better if I could configure that all traffic, except to and from a subset of IP addresses, would go through eth1 if a cable is plugged in.

Edit:

eth0 is now on the subnet 10.13.37.0/255.255.255.248 and the server has 10.13.37.2 as ip.

All traffic now goes through the VPN but I would like that traffic to 192.168.45.1 (192.168.45.0/24 is the OpenVPN subnet) on port 443, while still being transported through the VPN, uses only eth1 (thus making it unreachable if no connectivity exists) and traffic to 192.168.45.1 on port 8443 use only eth0. Is that possible?

ip route add default dev eth0 table 3G
ip route add default dev eth1 table LAN
ip rule add fwmark 0x1 table 3G
ip rule add fwmark 0x2 table LAN
iptables -A OUTPUT -t mangle -o eth0 --dst 192.168.45.1 --dport 8443 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o eth1 --dst 192.168.45.1 --dport 443 -j MARK --set-mark 2

but using iptraf, I can see that when wget-ing something on either 443 or 8443, only eth1 is used.

Thanks!

ixM
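Worked example added here (it is not from the question or from any answer) of how the pieces described above fit together on a two-NIC host. Two things in the question's attempts are worth seeing in code. First, a rule marked with `-o ethX` in the mangle OUTPUT chain tests the interface chosen by the first routing decision, so it can only repeat the default route, never override it; that is why both wget runs end up on eth1. Second, packets to 192.168.45.1 enter the tunnel on tun0 and leave the box as UDP from the openvpn process to the server's real address; it is that outer packet whose route picks eth0 or eth1, so a mark on the inner port never reaches the physical link. The script therefore marks the VPN transport itself, gives each NIC its own table with a `from <address>` rule so replies leave on the NIC they arrived on, and puts an `unreachable` backstop in the table so the rule does not silently fall through to the other NIC when the cable is out. Addresses taken from the question: eth0 10.13.37.2/29 and the eth1 lease 192.168.0.45/24 via 192.168.0.254. The eth0 gateway 10.13.37.1, the VPN server 203.0.113.10:1194, and the table ids 101/102 are constructed placeholders. Without `APPLY=1` the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original question. Emits (or, with APPLY=1,
# executes) the policy-routing setup for the two-NIC host in the question.
# Placeholders (constructed, not from the question): eth0 gateway 10.13.37.1,
# VPN server 203.0.113.10 port 1194, table ids 101 and 102.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# "ip ... table 3G" is rejected unless the name maps to an id in rt_tables
# ("3G" is not a numeric id), so register the name first.
ensure_table() { # ensure_table <id> <name>
    if grep -qsE "^[0-9]+[[:space:]]+$2\$" "$RT_TABLES"; then return; fi
    if [ "${APPLY:-0}" = 1 ]; then echo "$1 $2" >> "$RT_TABLES"
    else printf "echo '%s %s' >> %s\n" "$1" "$2" "$RT_TABLES"; fi
}

# iface_table <table> <iface> <addr> <network> <gateway>
# One table per NIC plus a "from <addr>" rule: replies sent from that NIC's
# address go back out the same NIC, which is what lets the host answer pings
# on eth1 while eth0 owns the default route in the main table.
iface_table() {
    run ip route replace "$4" dev "$2" src "$3" table "$1"
    run ip route replace default via "$5" dev "$2" table "$1"
    # Backstop with a worse metric: when the link route disappears (cable out,
    # lease gone) the lookup ends here with "unreachable" instead of falling
    # through to the main table and quietly using the other NIC.
    run ip route replace unreachable default metric 1000 table "$1"
    run ip rule add from "$3" table "$1"
}

# pin_vpn <mark> <table> <iface> <server> <port>
# Mark OpenVPN's outer UDP packets by destination and port only (no "-o ethX",
# which would just restate the first routing decision) and send marked packets
# to the chosen NIC's table. The source address was already picked during the
# first routing pass, so rewrite it to the egress NIC's address; conntrack
# then maps the server's replies back.
pin_vpn() {
    run ip rule add fwmark "$1" table "$2"
    run iptables -t mangle -A OUTPUT -p udp -d "$4" --dport "$5" -j MARK --set-mark "$1"
    run iptables -t nat -A POSTROUTING -o "$3" -m mark --mark "$1" -j MASQUERADE
}

build_plan() {
    ensure_table 101 3G
    ensure_table 102 LAN
    iface_table 3G  eth0 10.13.37.2   10.13.37.0/29  10.13.37.1      # gateway: placeholder
    iface_table LAN eth1 192.168.0.45 192.168.0.0/24 192.168.0.254
    pin_vpn 2 LAN eth1 203.0.113.10 1194                             # VPN server: placeholder
}

build_plan
```

The eth1 values come from a DHCP lease, so on a real box `iface_table LAN ...` belongs in a dhclient exit hook (or an ifupdown post-up) that re-runs it with the lease's address and router; `ip rule add` is not idempotent, so delete or check for the rule before adding it again. Splitting port 443 and port 8443 of the same tunnel across the two NICs is not something marks can do, since both ride inside the same outer UDP flow; that needs two OpenVPN instances, each bound to its own NIC.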

1 Answer


Are you sure you plugged the right cable? It looks like you plugged the cable of the 192.168.0.x LAN into eth1, not eth0.

If not, have you tried to unplug BOTH cables and try to ping with only one cable plugged in? Like:

  • Unplug both
  • Plug the 3G cable to eth0 and ping 192.168.0.254
  • Unplug it again
  • Plug the lan cable to eth1
  • run: ifconfig eth1 down
  • run: ifconfig eth1 up
  • run: ifconfig eth1 and look the ip

BTW, CHANGE ONE LAN'S SETTINGS! If you can't change the eth1 LAN configuration, change the eth0 one with the 3G router, from 192.168.0.x to 192.168.1.x (for all computers in that LAN) or you'll ALWAYS have TROUBLES with the same IP LAN.

RedFoxy Darrest
  • Thanks! Changing the ip subnet of eth0 has effectively made the server be able to communicate with machines of both eth0 and eth1. But I'm still unable to achieve what I want regarding OpenVPN. See edit above. – ixM Jul 25 '12 at 15:54
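Added example (not part of the answer or the comment above) for the point the answer makes about two NICs on the same IP range: a small check, in plain sh, that computes each interface's network from its address and prefix length and reports any pair whose subnets overlap, so the clash is caught before it turns into the "Destination Host Unreachable" seen in the question. The interface list is constructed to mirror the question (eth0 and eth1 both on 192.168.0.0/24, plus a tun0 address in the OpenVPN subnet); the tun0 address 192.168.45.3 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread: detect overlapping IPv4 subnets
# on a host's interfaces using only POSIX sh arithmetic.

ip2int() { # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

network() { # <addr/prefix> -> "<network as integer> <mask as integer>"
    plen=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    echo "$(( $(ip2int "${1%/*}") & mask ))" "$mask"
}

overlap() { # overlap <a/pa> <b/pb>: succeeds when the two subnets share addresses
    set -- $(network "$1") $(network "$2")
    # Compare both network addresses under the shorter of the two masks (the
    # numerically smaller one); equal means one prefix contains the other.
    if [ "$2" -lt "$4" ]; then m=$2; else m=$4; fi
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

find_overlaps() { # stdin: one "<iface> <addr/prefix>" per line; prints clashing pairs
    list=$(cat)
    printf '%s\n' "$list" | while read -r if1 net1; do
        printf '%s\n' "$list" | while read -r if2 net2; do
            # visit each unordered pair once, by interface name order
            expr "$if1" \< "$if2" > /dev/null || continue
            if overlap "$net1" "$net2"; then
                echo "$if1 $net1 overlaps $if2 $net2"
            fi
        done
    done
}

# Constructed interface list mirroring the question; on a live host feed it
# from "ip -4 -o addr" instead. tun0's address is a placeholder.
printf '%s\n' 'eth0 192.168.0.100/24' 'eth1 192.168.0.45/24' 'tun0 192.168.45.3/24' | find_overlaps
```

With the question's original layout the script prints the eth0/eth1 pair; after the change to 10.13.37.0/29 on eth0 it prints nothing, which matches the comment above reporting that both sides became reachable.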