-1
Hello fellow superusers,
Here is the topology of my lan: WAN - modem-router-firewall - Pi router-firewall - lan machines.
I use a test machine in the lan: bob.
I cannot access the internet sites from bob, I get "destination host unreachable".
Here are my routes:
routes on bob (anonymized):
default via pi-router-iface-inner-lan-eth0 dev eth0 src bob-ip metric 202
inner-lan/24 dev eth0 proto dhcp scope link src bob-ip metric 202
lan-beyond-pi-router (modem + pi-iface-eth1)/24 via pi-router-inner-lan-iface-eth0 dev eth0
routes on the pi router:
default via pi-router-inner-iface-eth0 dev eth0 src pi-router-inner-iface-eth0 metric 202
default via pi-router-outer-iface-eth1 dev eth1 src pi-router-outer-iface-eth1 metric 203
inner-lan/24 dev eth0 proto dhcp scope link src pi-router-inner-iface-eth0 metric 202
lan-beyond-pi-router/24 dev eth1 proto dhcp scope link src pi-router-outer-iface-eth1 metric 203
I use ufw for filters and nat. This is my own idea, not completely sure about it: as I cannot configure a via route on the modem, I enabled NAT on the "external" (eth1) interface of Pi router (interface on the modem side). Here is my ufw config:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# nat Table rules
*nat
:POSTROUTING ACCEPT - [0:0]
# Forward traffic from eth0 through eth1
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
# personal addition, not sure about it
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
COMMIT
Now, I can ping the modem from bob, but I cannot access the internet properly. Though internet DNS works.
When I try to connect to a WAN server I get: "destination host unreachable". I guess I have an issue in my config somewhere, or something is lacking.
Maybe I should configure something on the modem, I don't know. But, no, when I did the tests, I plugged the Pi router into a switch with both ifaces on the same switch, and at one point I was able to access the net; everything worked. After these tests, I plugged the Pi into its final location, next to the modem. Now, from machine bob to reach the WAN, the route goes through a switch, two CPLs, the pi router, the modem.
Thank you very much for your insights :-)
/cr!?ptal
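A consistency check over the two things a reviewer would compare in a setup like this: whether each MASQUERADE rule's -s subnet is actually a directly connected network on an interface other than its -o interface, and which interface the lowest-metric default route sends WAN traffic through. This is an added example, not code from the question or from ufw; the route and rule text is constructed sample input with placeholder addresses, not the asker's.

```shell
#!/bin/sh
# Constructed sample input standing in for `ip route` on the Pi router and the
# POSTROUTING lines of before.rules. Addresses are placeholders, not real ones.
PI_ROUTES='default via 10.0.1.1 dev eth0 src 10.0.1.1 metric 202
default via 192.168.0.254 dev eth1 src 192.168.0.10 metric 203
10.0.1.0/24 dev eth0 proto dhcp scope link src 10.0.1.1 metric 202
192.168.0.0/24 dev eth1 proto dhcp scope link src 192.168.0.10 metric 203'
NAT_RULES='-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE'

# Interface of the default route with the lowest metric: the one WAN-bound
# packets actually leave through when several default routes exist.
wan_iface() {
  printf '%s\n' "$1" | awk '$1=="default"{d="";m="";
    for(i=1;i<=NF;i++){if($i=="dev")d=$(i+1);if($i=="metric")m=$(i+1)}
    if(best==""||m+0<best+0){best=m;bd=d}} END{print bd}'
}

# For each MASQUERADE rule print "<src> <out> <verdict>" where the verdict is
# ok, NO_CONNECTED_ROUTE (no "scope link" route for -s) or OUT_IS_SRC_IFACE
# (-o is the very interface the -s subnet lives on, so nothing is forwarded).
check_masq() {
  routes=$1
  printf '%s\n' "$2" | while read -r line; do
    case $line in *MASQUERADE*) ;; *) continue ;; esac
    src=$(printf '%s' "$line" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
    out=$(printf '%s' "$line" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    dev=$(printf '%s\n' "$routes" | awk -v s="$src" \
      '$1==s && /scope link/{for(i=1;i<=NF;i++)if($i=="dev")print $(i+1)}')
    if [ -z "$dev" ]; then verdict=NO_CONNECTED_ROUTE
    elif [ "$dev" = "$out" ]; then verdict=OUT_IS_SRC_IFACE
    else verdict=ok; fi
    printf '%s %s %s\n' "$src" "$out" "$verdict"
  done
}

echo "WAN-bound traffic leaves via: $(wan_iface "$PI_ROUTES")"
check_masq "$PI_ROUTES" "$NAT_RULES"
```

With the sample above the first rule is flagged because 10.0.0.0/24 is not a connected subnet on the router, and the lowest-metric default route points out of the inner interface rather than the modem side; run it on the real `ip route` output and before.rules to see whether either applies.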
Your MASQUERADE rule applies to traffics from 10.0.0.0/24, while bob is in the subnet of 10.0.x.0/24, so is x 0? Seriously, stop "anonymizing" private IPs; while they are called "private IPs", it doesn't mean there's any privacy in them. Every household can use them. https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses – Tom Yan – 2019-11-16T03:05:03.310
Also, not sure if you have just been omitting routes on the pi or you simply didn't assign the address on eth1 with /24. You should have a subnet route (10.0.x.0/24) for bob on it. (Well, or you can just do /32 with bob as its peer; but I assume you will hook a switch to eth1 instead someday, so) – Tom Yan – 2019-11-16T03:12:38.857
thx for your reply https://superuser.com/users/554702/tom-yan. I have updated the question with new findings :-) – cr1ptal – 2019-11-17T12:07:41.093