Problem

Please check the picture here first, a visualization of my network plan.

Network plan diagram

I'm trying to add two networks on the same Ubuntu 18 server, one of them VLAN tagged. When I add the second network, internal users can't access this server via its public IP, but anyone outside can access it via the public IP without any problem.

What I want to do

  • I have a default network 192.168.10.0/24 and a VLAN 300 tagged network 192.168.30.0/24.
  • I want to add both 10.x and 30.x networks to one server, because I want it to access both networks.
  • This server must be able to access both 192.168.10.0/24 and 192.168.30.0/24 networks.
  • This server must be reachable from everywhere via its public IP.

Step by step what I do

  • All wifi users are connected to the 192.168.10.0/24 network.
  • All servers are using VLAN 300 network 192.168.30.0/24.
  • These servers are reachable via their public IPs from the internet. Internal wifi users can also access them via these public IPs.
  • When I add a second network to this Ubuntu server, users can't access the server via its public IP.

I tried many different things with netplan, and checked all the examples on netplan.io.

Here is my current simplest configuration:

network:
    ethernets:
        ens18: # this one is VLAN tagged on Proxmox, so it can get a 30.x IP.
            dhcp4: false
            addresses: [192.168.30.101/24]
            gateway4: 192.168.30.1
            routes:
              - to: 192.168.30.0/24
                via: 192.168.30.1
            nameservers:
                addresses: [1.1.1.1, 8.8.8.8]
        ens19:
            dhcp4: false
            addresses: [192.168.10.101/24]
            # gateway4: 192.168.10.1
            routes:
              - to: 192.168.10.0/24
                via: 192.168.10.1
            nameservers:
                addresses: [1.1.1.1, 8.8.8.8]
    version: 2

I also tried things using vlans:

network:
    ethernets:
        ens18:
            addresses: [192.168.10.101/24]
            # gateway4: 192.168.10.1
            routes:
              - to: 192.168.10.0/24
                via: 192.168.10.101
                table: 5
              - to: 0.0.0.0/0
                via: 192.168.10.1
                table: 5
            routing-policy:
              - to: 192.168.10.0/24
                table: 5
            nameservers:
              addresses: [1.1.1.1, 8.8.8.8]
    vlans:
        vlan30:
            id: 300
            link: ens18
            gateway4: 192.168.30.1
            addresses: [192.168.30.101/24]
            routes:
              - to: 192.168.30.0/24
                via: 192.168.30.101
                table: 6
              - to: 0.0.0.0/0
                via: 192.168.30.1
                table: 6
            routing-policy:
              - to: 192.168.30.0/24
                table: 6
            nameservers:
              addresses: [1.1.1.1, 8.8.8.8]
    version: 2
    renderer: networkd
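The symptom in the question (only internal users lose access via the public IP, and only once ens19 exists) is the classic asymmetric-routing pattern: a request from a 192.168.10.x client reaches the server through the firewall's NAT on the 30.x address, but the reply is routed by the main table straight out ens19 because 192.168.10.0/24 is now a directly connected network. The reply never passes back through the firewall, so its NAT state is never matched and the client sees a packet from 192.168.30.101 instead of the public IP. The following netplan configuration is an added example, not the poster's configuration or anything from netplan.io; it assumes the public IP is NATed by the firewall to 192.168.30.101 (the server's 30.x address), that ens18 is the VLAN 300 tagged leg as in the first attempt, and that ens19 is the untagged 10.x leg. The table number 30 and the rule priority 100 are arbitrary choices. Instead of the per-destination `to:` policies in the second attempt, it uses a source-based rule so that only the replies that would otherwise bypass the firewall are redirected:

```yaml
network:
    version: 2
    renderer: networkd
    ethernets:
        ens18:   # VLAN 300 tagged on the Proxmox side; holds the address the public IP is NATed to (assumption)
            dhcp4: false
            addresses: [192.168.30.101/24]
            gateway4: 192.168.30.1    # the only default route in the main table
            nameservers:
                addresses: [1.1.1.1, 8.8.8.8]
            routes:
              # Table 30 (arbitrary number) contains just a default route via the 30.x gateway.
              - to: 0.0.0.0/0
                via: 192.168.30.1
                table: 30
            routing-policy:
              # Packets sourced from the NATed address and destined for the 10.x network,
              # i.e. replies to connections that arrived via the public IP, are looked up in
              # table 30, so they return through the firewall instead of leaving via ens19.
              - from: 192.168.30.101/32
                to: 192.168.10.0/24
                table: 30
                priority: 100
        ens19:   # untagged 10.x leg; used only for traffic the server itself originates to 10.x
            dhcp4: false
            addresses: [192.168.10.101/24]
            # Deliberately no gateway4 and no explicit route to 192.168.10.0/24:
            # the connected route is created automatically from the address, and a second
            # default route in the main table would make the outbound path depend on metrics.
```

Apply it with `sudo netplan try` so a mistake rolls back automatically, then confirm the rule with `ip rule show` and `ip route show table 30`. `ip route get 192.168.10.50 from 192.168.30.101` should now report the 192.168.30.1 next hop on ens18, whereas `ip route get 192.168.10.50` (source selected automatically) still picks ens19 directly, so the server's own traffic to the 10.x network keeps its short path. The firewall must in turn permit and NAT the hairpinned flow from the internal network to the public IP; as the accepted answer below reports, that policy was the remaining piece in this case.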
  • If ens18 is on a vlan tagged port, you do not need to do any vlan configuration in netplan for this. The one thing I see that's incorrect in your first example is that you have listed a route to the local network via a gateway, which is wrong. You should not be declaring routes for your local networks, you only need the gateway4 to set a default route. I don't know if this will be enough to fix your networking problem or if we will need to investigate further after this change. – slangasek May 22 '20 at 16:23
  • @slangasek As you suggested, I deleted gateway4 in the first example. When I delete the default route, I can't connect to the internet, and 10.x network users still can't access this server.

    Also, in the first example ens18 was on a VLAN tagged port, but in the second example it was not on a VLAN tagged port. Don't let that confuse you; my point is that the problem occurs whenever I add a second network.

    – burakcalik May 22 '20 at 16:59
  • I did not suggest deleting gateway4. I suggested deleting the incorrect /local routes/ that you have added, and leaving gateway4 in place. – slangasek May 23 '20 at 00:52
  • @slangasek Oh yes, my mistake. Deleting the local routes that I added brings me back to where I started. So I tried this and this, but nothing changes. The server can still access 192.168.10.x, but anyone on 192.168.10.x can't access the server via its public IP. But when I remove the ens19 interface entirely, then everything works, but then the server can't access 192.168.10.x. Btw, you said to delete the incorrect routes, but that's my question: I don't know what is incorrect. – burakcalik May 24 '20 at 01:21

1 Answer

The problem was actually related to a policy rule on our FortiGate firewall, which I didn't mention in the original question. I used the Policy Lookup tool from the IPv4 Policy page to inspect the issue and modified it accordingly, and then it was solved.