
We have been attempting to set up a Linux/BSD/etc box that can behave as both an internet gateway and as a router. I don't know how to articulate our situation very well, so please forgive me...

Currently we are using Vyatta with the following network interfaces (with masked IP addresses):

  • eth0 -> x.x.x.178/30 - WAN (upstream router: x.x.x.177)
    • vlan100 -> Attached to eth0
  • br100 -> y.y.y.1 - Bridges eth0.vlan100 and eth1
  • eth1 -> y.y.y.y/24 - Bridged with the WAN (x.x.x.178 is the upstream router for this subnet)
  • eth2 -> 10.10.0.1/16 - Private network, NAT through y.y.y.1

The problem is: when we set the NAT rule to route 10.10.0.0/16 traffic through br100 nothing gets routed. However, if we set the NAT rule to route through eth0, the traffic actually routes, but now it is sourced from the x.x.x.178 address instead of the y.y.y.1 address.

What am I doing wrong here? Any thoughts or suggestions would be helpful.


Current configuration (minus some fluff):

interfaces {
    bridge br100 {
        address y.y.y.1/24
    }
    ethernet eth0 {
        address x.x.x.178/30
        vif 100 {
            bridge-group {
                bridge br100
            }
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br100
        }
    }
    ethernet eth2 {
        address 10.10.0.1/16
    }
    loopback lo {
    }
}
services {
    nat {
        rule 1 {
            outbound-interface br100
            source {
                address 10.10.0.0/16
            }
            type masquerade
        }
    }
}
system {
    gateway-address x.x.x.177
}
miquella

3 Answers


The way that we were able to solve this was to change the NAT rule to an SNAT instead of a masquerade.

Futoque
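As an added example (not from the question or either answer), here is the NAT rule from the config above rendered as the iptables commands behind it: the masquerade form the asker started with, and the explicit SNAT form the accepted answer switched to, with a check that the SNAT address is actually configured on the outbound interface. The parser handles Vyatta's brace-delimited config; 203.0.113.1/24 is a constructed stand-in for the masked y.y.y.1/24.

```python
from ipaddress import ip_address, ip_network
# Constructed excerpt of the question's config; 203.0.113.1/24 stands in for the masked y.y.y.1/24.
VYATTA_CONFIG = """
interfaces {
    bridge br100 {
        address 203.0.113.1/24
    }
}
services {
    nat {
        rule 1 {
            outbound-interface br100
            source {
                address 10.10.0.0/16
            }
            type masquerade
        }
    }
}
"""

def parse_vyatta(text):
    """Parse Vyatta's brace-delimited config into nested dicts; leaf lines map key -> value."""
    root = node = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):          # open a nested block and attach it to the current one
            node[line[:-1].strip()] = child = {}
            stack.append(node)
            node = child
        elif line == "}":               # close the current block
            node = stack.pop()
        elif line:                      # leaf: "key value"
            key, _, value = line.partition(" ")
            node[key] = value
    return root

def render_nat_rule(config, name, snat_address=None):
    """iptables form of a Vyatta NAT rule: MASQUERADE, or SNAT to snat_address (which must be on the outbound interface)."""
    rule = config["services"]["nat"][name]
    out = rule["outbound-interface"]
    base = f"iptables -t nat -A POSTROUTING -s {rule['source']['address']} -o {out}"
    if snat_address is None:            # masquerade picks the interface's address per packet
        return f"{base} -j MASQUERADE"
    nets = [ip_network(s["address"], strict=False) for k, s in config["interfaces"].items()
            if k.endswith(" " + out) and "address" in s]
    if not any(ip_address(snat_address) in n for n in nets):
        raise ValueError(f"{snat_address} is not configured on {out}; replies would not return here")
    return f"{base} -j SNAT --to-source {snat_address}"
```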

On most distros, unless they are set up to serve as routers, they will default to the behavior of refusing to forward IP traffic. Generally I use a packetprotector (Linux running on an Asus home router) for such work. But you will want to check the settings in /etc/sysctl.conf.

Look for 'net.ipv4.ip_forward = '; if you wish to forward traffic, this value should be set to 1 (if not, then '0'). Changing the file here will have the change persist across reboots, and it will take effect when network services start.

haus
    very good point. This might be worth reading: http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ – BuildTheRobots Dec 31 '09 at 16:26
    Thank you for the suggestion! I always seem to forget that when I set up a Linux distro, but that is one of the things I checked this time. Vyatta is a firewall distro and it has IP forwarding on by default. – miquella Jan 01 '10 at 17:24

I would recommend you use pfSense.

It has a really nice Web-based interface.

Brad Gilbert
    Thank you for the suggestion, but pfSense is the last one we tried. The reason we're using Vyatta at all is because pfSense stopped routing our traffic... Don't know why, it worked fine for 2 weeks and then it just stopped routing. – miquella Jan 01 '10 at 17:28