
At my company I was assigned to build a new network in which one Ubuntu server manages DHCP for three subnets, lets these subnets communicate with each other, and shares the public (Internet) connection with them. All of that over a single network card. DHCP is configured to listen on eth0, and the connection to the public network is handled over a virtual interface, eth0:1.

The configuration of /etc/network/interfaces looks like this:

#The local network interface
# NOTE(review): 10.0.1.1 with netmask 255.255.240.0 is 10.0.0.0/20, i.e. 10.0.0.0-10.0.15.255.
# That one prefix nests the 10.0.0.0/24 "public" alias below and also covers the 10.0.7.0/24
# and 10.0.8.0/21 client subnets, so from the server's point of view the printers and
# workstations are on-link, while from the clients' point of view (they get /24 and /21
# masks from DHCP) their router 10.0.1.1 is off-subnet and unreachable (answer, point 2).
# The answer's fix is one gateway address per client subnet on eth0, e.g. 10.0.7.1/24.
auto eth0
iface eth0 inet static  
 address 10.0.1.1  
 netmask 255.255.240.0  

#The public virtual network interface
# NOTE(review): eth0:1 is an IP alias on the same physical card, not a separate link, so the
# public side and the client subnets share one broadcast domain; only a second NIC gives
# real isolation between them (answer, point 1).
auto eth0:1  
iface eth0:1 inet static  
 address 10.0.0.3  
 netmask 255.255.255.0                  
 gateway 10.0.0.1               
 dns-nameservers 10.0.0.1

##IP-routing table
# NOTE(review): every prefix below is directly connected (or would be, once eth0 carries a
# gateway address in each client subnet), so these static routes add nothing (answer,
# point 3). Each prefix is also added twice; if the second `route add` for the same prefix
# fails with "File exists", ifup reports the failing `up` command as an error for eth0:1 —
# worth checking with `ifup -v eth0:1`. The `gw 10.0.1.1 dev eth0` form names the host's
# own address as next hop, which is a no-op at best.

# modem + sonicwall  
 up route add -net 10.0.0.0/24 gw 10.0.0.1 dev eth0:1  
  up route add -net 10.0.0.0/24 dev eth0:1

# servers  
 up route add -net 10.0.1.0/24 gw 10.0.1.1 dev eth0  
  up route add -net 10.0.1.0/24 dev eth0  

# printers
 up route add -net 10.0.7.0/24 gw 10.0.1.1 dev eth0  
  up route add -net 10.0.7.0/24 dev eth0

# workstations
 up route add -net 10.0.8.0/21 gw 10.0.1.1 dev eth0  
  up route add -net 10.0.8.0/21 dev eth0

/etc/dhcp/dhcpd.conf:

# Global Configuration
# NOTE(review): both global options point at 10.0.0.1 on the public /24. The per-subnet
# `option routers` below overrides the router, but DNS stays 10.0.0.1, so name resolution
# for every client depends on the server forwarding (and NATing) traffic to the public side.
authoritative;
option domain-name-servers      10.0.0.1;
option routers                  10.0.0.1;

# ----------------------------------------------------------
# Subnetting
# ----------------------------------------------------------
# NOTE(review): `XX:XX:XX:XX:XX:XX` are redacted placeholders, not valid `hardware ethernet`
# values; dhcpd will not parse them as written.
# Servers
shared-network wonder {
 subnet 10.0.1.0 netmask 255.255.255.0 {
  # NOTE(review): the dynamic range starts at 10.0.1.1, which is this server's own address
  # and the subnet's router, and ends at 10.0.1.255, the broadcast address. It also contains
  # the fixed-address hosts 10.0.1.2 and 10.0.1.3; a range that excludes the router, the
  # broadcast address and the reserved hosts (e.g. 10.0.1.10 10.0.1.254) avoids handing a
  # reserved or unusable address to another client.
  range                          10.0.1.1 10.0.1.255;
  option domain-name             "servers.wonder.land.com";
  option subnet-mask             255.255.255.0;
  option broadcast-address       10.0.1.255;
  option routers                 10.0.1.1;
  default-lease-time             86400;
  max-lease-time                 86400;

  host FILESERVER {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.1.2;
   option host-name             "FILESERVER";
  }

  host MAILSERVER {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.1.3;
   option host-name             "MAILSERVER";
  }
 }

 # Printers
 subnet 10.0.7.0 netmask 255.255.255.0 {
  # NOTE(review): `option routers 10.0.1.1` is outside 10.0.7.0/24, so printers cannot reach
  # their default gateway (answer, point 2); the server needs an address in this subnet,
  # e.g. 10.0.7.1, used here instead. The range again includes the broadcast address
  # 10.0.7.255 and the fixed address 10.0.7.1 of HP9500.
  range                          10.0.7.1 10.0.7.255;
  option domain-name             "printers.wonder.land.com";
  option subnet-mask             255.255.255.0;
  option broadcast-address       10.0.7.255;
  option routers                 10.0.1.1;
  default-lease-time             86400;
  max-lease-time                 86400;

  host HP9500 {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.7.1;
   # NOTE(review): host-name "HP5900" does not match the host declaration HP9500 — likely a typo.
   option host-name             "HP5900";
  }
 }

 # Workstations
 subnet 10.0.8.0 netmask 255.255.248.0 {
  # NOTE(review): for 10.0.8.0/21 (255.255.248.0) the broadcast address is 10.0.15.255, not
  # 10.0.8.255; clients given 10.0.8.255 will broadcast to a unicast address in their own
  # subnet. The range also ends on the true broadcast address 10.0.15.255 and contains the
  # fixed workstation addresses 10.0.8.1-10.0.8.4. As above, router 10.0.1.1 is outside
  # this subnet (answer, point 2).
  range                          10.0.8.1 10.0.15.255;
  option domain-name             "workstations.wonder.land.com";
  option subnet-mask             255.255.248.0;
  option broadcast-address       10.0.8.255;
  option routers                 10.0.1.1;
  default-lease-time             86400;
  max-lease-time                 86400;
  # NOTE(review): no `next-server` is given, so PXE clients are pointed at this DHCP server
  # for pxelinux.0 — confirm a TFTP service actually runs here.
  filename                       "pxelinux.0";

  # XXX
  host WSXXX001 {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.8.1;
   option host-name             "WSXXX001";
  }

  host WSXXX002 {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.8.2;
   option host-name             "WSXXX002";
  }

  host WSXXX003 {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.8.3;
   option host-name             "WSXXX003";
  }

  # YYY
  host WSYYY001 {
   hardware ethernet            XX:XX:XX:XX:XX:XX;
   fixed-address                10.0.8.4;           
   option host-name             "WSYYY001";
  }
 }
}

and, last but not least, the iptables rules in /etc/rc.local:

#Connection between Subnets
# NOTE(review): this script runs from /etc/rc.local and neither flushes existing rules (-F)
# nor sets chain policies (-P). Every run adds another copy of each rule, and the default
# ACCEPT policies of INPUT and FORWARD stay in force, so nothing here blocks traffic unless
# a REJECT rule below is actually reached.
# The -I rules end up at the head of FORWARD in reverse order. Because they are all ACCEPT
# the order is harmless, but with a single card public traffic also enters on eth0, so the
# `-d 10.0.1.0/24` / `-d 10.0.7.0/24` / `-d 10.0.8.0/21` accepts admit unsolicited traffic
# from the public side into every client subnet before any later block is consulted.
iptables -I FORWARD -i eth0 -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -d 10.0.0.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -s 10.0.1.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -d 10.0.1.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -s 10.0.7.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -d 10.0.7.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -s 10.0.8.0/21 -j ACCEPT
iptables -I FORWARD -i eth0 -o eth0 -d 10.0.8.0/21 -j ACCEPT

#Connection from local to public
# NOTE(review): netfilter matches on the real device name; an address alias such as eth0:1
# is not a separate interface to it, so as far as I can tell `-o eth0:1` here and `-i eth0:1`
# / `-o eth0:1` below never match. That fits the symptom in the question: the MASQUERADE
# rule never fires, so clients have no Internet access, and the public->local REJECT is inert.
iptables -A FORWARD -i eth0 -o eth0:1 -j ACCEPT

#Allow established connections
# NOTE(review): for the same reason `! -i eth0:1` is true for every packet, so this rule
# accepts NEW connections to the host from the public side as well. The intended policy
# becomes expressible once the public side has its own NIC (eth1, as the asker later did):
# set INPUT and FORWARD policy to DROP, accept ESTABLISHED,RELATED, accept NEW only with
# `-i eth0`, and masquerade with `-o eth1`. (`-m conntrack --ctstate` is the current
# spelling of `-m state --state`.)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0:1 -j ACCEPT
iptables -A FORWARD -i eth0:1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Block not established connections from public to local
iptables -A FORWARD -i eth0:1 -o eth0 -j REJECT

#Masquerade local network 
iptables -t nat -A POSTROUTING -o eth0:1 -j MASQUERADE

My problem is that the clients can't communicate between subnets, nor do they have a connection to the outside. I've been going through a lot of howtos, read other people's problems that were given a solution, and tried a lot this last week. From a Windows machine in the 10.0.8.X subnet I can ping every client up to the modem 10.0.0.1 but don't have a connection to the Internet. On the Ubuntu machines I can only ping within the same subnet. Now I'm at a point where I don't know how to proceed and need help to finish this project. I hope someone is able to point me in the right direction to get this whole network working.

KiSS



There are several problems with your configuration:

  1. You are using a single network interface. That will not provide any isolation between public and private subnets and might cause other problems. You should really add a second network interface if at all possible.
  2. You want to use several subnets but don't have gateway IP addresses for those subnets on your local network interface. For example, in the DHCP configuration for the subnet 10.0.7.0 with netmask 255.255.255.0 you specified router 10.0.1.1. That address is outside of the subnet, which means the clients on that subnet won't be able to reach the router. You should add a separate router IP for each of the subnets on the local interface – for example, 10.0.7.1: `up ip addr add 10.0.7.1/24 dev eth0` in the `iface eth0` section of /etc/network/interfaces.
  3. The routes you are adding in the up actions will then not be needed – the router will already know how to reach those subnets, as it will have an address in each of them.
  4. Do you have IP forwarding enabled? Check the output of `cat /proc/sys/net/ipv4/ip_forward` – it should show 1. If it doesn't, run `echo "1" > /proc/sys/net/ipv4/ip_forward` and set `net.ipv4.ip_forward=1` in /etc/sysctl.conf so the setting survives a reboot.

Hope that helps.

piit79
  • Thanks for the reply. I had to get a 2nd NIC, which I used as the gateway eth1 (subnet 10.0.0.0) to the router. For each subnet I configured a virtual interface eth0 (.1.0) / eth0:1 (.7.0) / eth0:2 (.8.0) and then used those as gateways in dhcpd.conf. The network works as intended now. It was my first time working on a non-private, non-Windows network and I'm just happy to be done with it. Although now I'm stuck with an NFS problem and LTSP for thin clients haha. ;'( – KiSS Sep 19 '15 at 12:34