So I have a Linux machine with 4 interfaces:
- enp1s0
- enp2s0
- enp3s0
- enp4s0
What I would like to do is have enp1s0 be the WAN interface and acquire its IP address, DNS and gateway via DHCP.
For the other three interfaces, I would like them to have:
- IP addresses on the same subnet
- Have all hosts on one LAN interface be able to see all the other hosts on the other LAN interfaces
- Run shorewall as a firewall
- Use dnsmasq
Here is what I've gotten so far:
    cat /etc/network/interfaces
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    source /etc/network/interfaces.d/*

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    # listed as #1
    # this is the wan interface
    auto enp1s0
    iface enp1s0 inet dhcp

    # listed as #2
    # this routes to upstairs
    auto enp3s0
    iface enp3s0 inet static
        address 192.168.47.254
        netmask 255.255.255.0
        network 192.168.47.0
        broadcast 192.168.47.255

    # listed as #4
    auto enp2s0
    iface enp2s0 inet static
        address 192.168.47.253
        netmask 255.255.255.0
        network 192.168.47.0
        broadcast 192.168.47.255

    # listed as #3
    auto enp4s0
    iface enp4s0 inet static
        address 192.168.47.252
        netmask 255.255.255.0
        network 192.168.47.0
        broadcast 192.168.47.255
    cat /etc/dnsmasq.conf
    interface=enp2s0
    interface=enp3s0
    interface=enp4s0
    listen-address=192.168.47.254  # Explicitly specify the address to listen on
    bind-interfaces                # Bind to the interface to make sure we aren't sending things elsewhere
    server=8.8.8.8                 # Forward DNS requests to Google DNS
    domain-needed                  # Don't forward short names
    bogus-priv                     # Never forward addresses in the non-routed address spaces.
    dhcp-range=192.168.47.100,192.168.47.250,12h  # Assign IP addresses between 192.168.47.100-250 with a 12 hour lease time
    log-dhcp
    log-queries
And here is a sample ip route table from one of the client machines:
    ip -one addr
    1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
    1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
    2: eth0    inet 192.168.46.5/24 brd 192.168.46.255 scope global eth0\       valid_lft forever preferred_lft forever
    2: eth0    inet6 fe80::82ee:73ff:fe5d:89d1/64 scope link \       valid_lft forever preferred_lft forever
    3: eth1    inet 192.168.47.244/24 brd 192.168.47.255 scope global eth1\       valid_lft forever preferred_lft forever
    3: eth1    inet6 fe80::82ee:73ff:fe5d:89d0/64 scope link \       valid_lft forever preferred_lft forever
    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.46.1    0.0.0.0         UG    0      0        0 eth0
    192.168.46.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
    192.168.47.0    0.0.0.0         255.255.255.0   U     1      0        0 eth1
What works so far:
- Machines on different interfaces get IP addresses that are correct
- Machines can either ping all of the interfaces on the router or they can't. I think this might depend on which machine most recently DHCP'ed in
- If I can ping from a client machine, other things work too e.g. ssh
- I've never gotten two client machines to ping each other
After a lot of reading, I've determined that I need either static routes, different subnets for each LAN interface, or bridging.
Ideally, I would like to be able to set permissions in shorewall based on the interface and still use one subnet for all the LAN interfaces.
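As an added example (not part of the question above), a small Python check that parses an ifupdown-style interfaces file and reports static interfaces whose addresses fall in the same subnet, which is the situation the three LAN interfaces above are in. The sample text is constructed to mirror the post's interfaces file; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the interfaces file in the question (not the real file).
SAMPLE = """\
iface enp1s0 inet dhcp
iface enp3s0 inet static
    address 192.168.47.254
    netmask 255.255.255.0
iface enp2s0 inet static
    address 192.168.47.253
    netmask 255.255.255.0
iface enp4s0 inet static
    address 192.168.47.252
    netmask 255.255.255.0
"""

def parse_static_ifaces(text):
    """Return {ifname: IPv4Interface} for every 'iface ... inet static' stanza."""
    stanzas, name = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments and blank lines
        if not words:
            continue
        if words[0] == "iface":
            # only static stanzas carry an address; any other method ends the stanza
            name = words[1] if len(words) >= 4 and words[3] == "static" else None
            if name:
                stanzas[name] = {}
        elif name and words[0] in ("address", "netmask") and len(words) > 1:
            stanzas[name][words[0]] = words[1]
    ifaces = {}
    for name, opts in stanzas.items():
        if "address" not in opts:
            continue
        addr = opts["address"]
        # 'address' may carry a prefix already (a.b.c.d/24); otherwise use 'netmask'
        spec = addr if "/" in addr else f"{addr}/{opts.get('netmask', '32')}"
        ifaces[name] = ipaddress.ip_interface(spec)
    return ifaces

def find_subnet_collisions(ifaces):
    """Return {network: [ifnames]} for every subnet shared by more than one
    interface; such interfaces need a bridge or distinct subnets to route."""
    by_net = defaultdict(list)
    for name, iface in sorted(ifaces.items()):
        by_net[iface.network].append(name)
    return {net: names for net, names in by_net.items() if len(names) > 1}
```

Run against the real file with `find_subnet_collisions(parse_static_ifaces(open("/etc/network/interfaces").read()))`; an empty result means every static interface sits in its own subnet.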