
I'm running Ubuntu Server 22.04 with 2 NICs: one facing the ISP and one facing the local LAN. The box is intended to be a media server for the local LAN and the interface between the LAN and WAN.

The NICs:

  1. enp0s31f6 - DHCP-ing from ISP equipment with 192.168.1.65 and then out to WAN
  2. enp3s0 - static IP 192.168.126.10 and DHCP server for the rest of the LAN network on the 192.168.126.x network.

Goal would be that all devices get a 192.168.126.x address and then have traffic flow to the server 192.168.126.10/192.168.1.65 and then out to the internet.

The server CAN talk to the internet at large and can ping the static LAN IP 192.168.126.10 (itself), but cannot ping workstations on the 192.168.126.x network.

Workstations that have pulled a DHCP'ed 192.168.126.x address CAN ping the local network server address 192.168.126.10, but not ISP address 192.168.1.65. These workstations cannot access the internet.

Netplan config:

network:
  version: 2
  ethernets:
    enp0s31f6:
      dhcp4: true
      nameservers:
        addresses: [4.2.2.1,8.8.4.4]
      routes:
        - to: 192.168.1.0/24
          via: 192.168.1.1
      routing-policy:
        - from: 192.168.1.0/24
    enp3s0:
      addresses: [192.168.126.10/32]
      dhcp4: no
      nameservers:
        addresses: [4.2.2.1,8.8.4.4]
      routes:
        - to: 192.168.126.0/24
          via: 192.168.126.10
        - to: 192.168.1.0/24
          via: 192.168.126.10
      routing-policy:
        - from: 192.168.126.0/24

dhcpd.conf

authoritative;

server-identifier 192.168.126.10;
option domain-name "whatever.local";

shared-network dhcp-server {
  subnet 192.168.126.0 netmask 255.255.255.0 {
    option domain-name-servers 1.1.1.1, 8.8.4.4;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.126.255;   # was mistyped as 192.16.126.255 (outside the subnet)
    option routers 192.168.126.10;
    option domain-name "whatever.local";
    default-lease-time 14400;
    max-lease-time 20000;
    range 192.168.126.100 192.168.126.250;     # was mistyped as 192.168.216.100 (outside the subnet)
  }
}

The DHCP config was copied from an older CentOS box that had been working.

Workstation ipconfig /all results:

Connection specific DNS suffix : whatever.local
DHCP Enabled ................. : Yes
Autoconfiguration Enabled .... : Yes
IPv4 Address ................. : 192.168.126.127(Preferred)
Subnet Mask .................. : 255.255.255.0
Default Gateway .............. : 192.168.126.10
DHCP Server .................. : 192.168.126.10
DNS Server ................... : 1.1.1.1
                                 8.8.4.4

DHCP seems to be working, but I just can't seem to get workstation traffic to hit the WAN addresses. Workstations cannot ping Google.com but can access any 192.168.126.10 services (ssh, httpd, etc.).

Netplan is completely new to me and I am not a networking guru, nor am I convinced that this is the best setup. But I've been trying to mimic what had previously been working in CentOS.

ufw is disabled (for now)

/proc/sys/net/ipv4/ip_forward is 1

sysctl.conf has net.ipv4.ip_forward=1

I do not have any iptables rules.

Can anyone help me get traffic flowing between these two NICs or set me in a different direction to solve the local LAN to server to WAN issues I'm having?

Thanks in advance!

  • With iptables default policies of "ACCEPT" and your ISP equipment being your WAN-facing router/firewall, and you already have ip_forward set, then you should only need this: sudo iptables -t nat -A POSTROUTING -o enp0s31f6 -j SNAT --to 192.168.1.65. Not sure about your routing policies though. – Doug Smythies Jun 18 '22 at 21:16

2 Answers

0

The netmask on your static IP is wrong. You should be using a netmask of /24, not a netmask of /32 (host only).

Once you have corrected this, all of your routes and routing-policy entries are unnecessary and should be dropped.

For the machines behind your router to reach the Internet, one of two things must also be true: either the ISP equipment must have an entry telling it to route all traffic for the 192.168.126.x network to 192.168.1.65, or you just have NAT enabled on your router. Netplan currently does not support configuration of NAT, you would need to do this either with static iptables/nftables commands or through one of the various firewall frontend tools available in Ubuntu.

slangasek
  • I appreciate the clarification on the routes and -policy. I had added those while trying to figure out why traffic wasn't flowing. – TheKeeper Jun 19 '22 at 11:10
0

My problems ended up being with iptables rules and not with netplan or routing. A simple 1 line rule fixed the issues.

iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE

However, when I also added other standard rules found while Googling, traffic stopped flowing completely. Don't cut and paste multiple rules at once.

  • Based on your description of your network, I do not understand your answer. Shouldn't it be `-o enp0s31f6`? Using SNAT over MASQUERADE is recommended for static IP addresses, but MASQUERADE is O.K. – Doug Smythies Jun 19 '22 at 14:13
  • @DougSmythies - you are correct; in one of my many attempts to fix the problem, I ended up swapping the cables, meaning the previous LAN-facing NIC became the WAN-facing one and vice versa. I've updated my answer to reflect that change. – TheKeeper Jun 20 '22 at 14:54
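The two answers and Doug's comments boil down to three checks that can be modelled offline: does the LAN NIC's prefix length actually put the workstations on-link, is forwarding on, and is there a source-NAT rule on the WAN NIC (SNAT for a fixed address, MASQUERADE for a DHCP-assigned one). The script below is an added example written for this thread, not code posted by anyone in it; the interface names and addresses are the ones from the question, while `Iface`, `audit`, `nat_rule` and `dhcp_scope_findings` are this example's own names. The dhcpd scope it checks is a constructed one with a mistyped range start and broadcast address, to show how such a typo is caught.

```python
# Added example (not code from the question or answers): an offline sanity
# check for the two-NIC router in this thread. It models the points made in
# the answers and comments: (1) a /32 prefix on the LAN NIC gives the server
# no on-link route to the workstations, and (2) without source NAT on the WAN
# NIC, Internet replies have no path back to the LAN.
# Interface names and addresses come from the question; the class, field and
# function names are this example's own assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class Iface:
    name: str
    address: str           # CIDR as it would appear in netplan, e.g. "192.168.126.10/24"
    dhcp: bool = False     # address obtained by DHCP (may change over time)
    nat: bool = False      # a POSTROUTING source-NAT rule exists for this interface


def connected_route(iface: Iface) -> ipaddress.IPv4Network:
    """The on-link route the kernel derives from the address's prefix length."""
    return ipaddress.ip_interface(iface.address).network


def is_on_link(iface: Iface, host: str) -> bool:
    """True if `host` is reachable directly through `iface` (no gateway needed)."""
    return ipaddress.ip_address(host) in connected_route(iface)


def nat_rule(wan: Iface) -> str:
    """Source-NAT rule for the WAN side: MASQUERADE when the WAN address is
    DHCP-assigned (it re-reads the interface address), SNAT when it is fixed."""
    if wan.dhcp:
        return f"iptables -t nat -A POSTROUTING -o {wan.name} -j MASQUERADE"
    addr = ipaddress.ip_interface(wan.address).ip
    return f"iptables -t nat -A POSTROUTING -o {wan.name} -j SNAT --to-source {addr}"


def audit(lan: Iface, wan: Iface, client_ip: str, ip_forward: bool = True) -> list[str]:
    """Walk the path workstation -> server -> Internet and list what breaks it."""
    problems = []
    if not is_on_link(lan, client_ip):
        problems.append(
            f"{lan.name}: {client_ip} is outside the connected route "
            f"{connected_route(lan)} implied by {lan.address}; the server has "
            f"no route to the LAN (use the subnet's real prefix, e.g. /24)"
        )
    if not ip_forward:
        problems.append("net.ipv4.ip_forward=0: the server will not forward LAN packets")
    if not wan.nat:
        problems.append(
            f"no source NAT on {wan.name}: replies from the Internet have no "
            f"route back to {connected_route(lan)} (add: {nat_rule(wan)})"
        )
    return problems


def dhcp_scope_findings(subnet: str, range_start: str, range_end: str, broadcast: str) -> list[str]:
    """Catch dhcpd.conf typos that put the pool or broadcast address outside the subnet."""
    net = ipaddress.ip_network(subnet)
    out = []
    for label, value in (("range start", range_start), ("range end", range_end),
                         ("broadcast-address", broadcast)):
        if ipaddress.ip_address(value) not in net:
            out.append(f"{label} {value} is outside {net}")
    if ipaddress.ip_address(range_start) > ipaddress.ip_address(range_end):
        out.append(f"range start {range_start} is above range end {range_end}")
    return out


if __name__ == "__main__":
    lan_posted = Iface("enp3s0", "192.168.126.10/32")   # as in the question
    lan_fixed = Iface("enp3s0", "192.168.126.10/24")    # as the first answer advises
    wan = Iface("enp0s31f6", "192.168.1.65/24", dhcp=True)
    wan_nat = Iface(wan.name, wan.address, dhcp=True, nat=True)
    for p in audit(lan_posted, wan, "192.168.126.127"):
        print("posted config:", p)
    print("fixed config:", audit(lan_fixed, wan_nat, "192.168.126.127") or "no problems")
    # constructed scope with a mistyped range start and broadcast address
    for f in dhcp_scope_findings("192.168.126.0/24", "192.168.216.100",
                                 "192.168.126.250", "192.16.126.255"):
        print("dhcpd.conf:", f)
```

Run against the posted configuration it reports the /32 prefix and the missing NAT rule; with a /24 prefix and MASQUERADE on enp0s31f6 it reports nothing. The NAT rule it emits for a DHCP-assigned WAN address is exactly the one in the accepted answer; give the WAN interface a fixed address instead and it emits Doug's SNAT form.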