
Yes, I know, again and again ... but I don't see it; maybe someone sees my problem. I have to forward an internal office network (here 9.0.0.0/24), which is connected to eth1 (9.0.0.5), through the server with Internet access on 10.0.0.5.

Here is where I started:

/etc/network/interfaces

# INTERNET
auto eth0
iface eth0 inet static
    address 10.0.0.5
    # we've got only 5 IPs with Internet connection
    netmask 255.255.255.248
    # the gateway where we get our signal from
    gateway 10.0.0.1
    # DNS server (the ifupdown/resolvconf keyword is dns-nameservers)
    dns-nameservers 1.2.3.4

# OFFICE - DHCP server running on this iface handing out IPs of the network 9.0.0.0/24
auto eth1
iface eth1 inet static
    address 9.0.0.5
    netmask 255.255.255.0

route -n

target    Router     Genmask          Flags Metric Ref Use Iface
0.0.0.0   10.0.0.1   0.0.0.0          UG    0      0   0   eth0
9.0.0.0   0.0.0.0    255.255.255.0    U     0      0   0   eth1
10.0.0.0  0.0.0.0    255.255.255.248  U     0      0   0   eth0

Furthermore, there is a DHCP server running on eth1 with the setup

/etc/dhcp/dhcpd.conf

ddns-update-style none;

option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

### OUR OFFICE NETWORK
subnet 9.0.0.0 netmask 255.255.255.0 {
    range 9.0.0.10 9.0.0.252;
    option subnet-mask 255.255.255.0;
    option routers 10.0.0.5; # <- the server's eth1 IP here?
}

What am I missing?

EDIT: Found out how to add an image ;) I hope this helps understanding. My access ends at "My Server"...

derHugo
  • Don't you need to set up IP masquerading in iptables as well? – marosg Jan 30 '17 at 15:33
  • Is there anything that does not work? As you are on the server, you need no 'Router' to access the attached networks. So the configuration shown in your first call to route -n was correct and sufficient. The 0.0.0.0 in the Router column has nothing to do with the default route; it just says that there is no router, but a directly attached network. 'default route' means 0.0.0.0 in the target column! – ridgy Jan 30 '17 at 15:34
  • I believe that one problem you might be having is that your Office Network IPs are not set to private; they are public. That can cause DNS problems with routing to the internet. Private IPs start with either 10.x.x.x, 172.16.x.x or 192.168.x.x. See here: https://www.iplocation.net/public-vs-private-ip-address – Terrance Jan 30 '17 at 15:35
  • @ridgy oh ok, so I will remove those again.. well, what works right now is: DHCP, I get an IP configuration on the clients; I can access the server from the clients and back. But I can not ping anything further, for example the eth0 of the server or the gateway behind it ... – derHugo Jan 30 '17 at 15:41
  • @Terrance the private network starts with 192.168.x.x – derHugo Jan 30 '17 at 15:41
  • @user596137 I've read about NAT, but the main problem it throws up is that, since it is an office, we later also want VPN access, and everywhere it says that NAT works fine only in one direction... – derHugo Jan 30 '17 at 15:43
  • Why does your office network say subnet 9.0.0.0 netmask 255.255.255.0? That is not private. – Terrance Jan 30 '17 at 15:44
  • @Terrance I just used symbolic IP nets to make reading easier – derHugo Jan 30 '17 at 15:46
  • I found my first mistake! In the DHCP settings it said routers 9.0.0.1 but had to be routers 9.0.0.5 to match the server's IP :D Now I can also ping the NIC connected to the internet. But why don't I get any further from here? – derHugo Jan 30 '17 at 16:22
  • Does your router (at 10.0.0.1) know the route to the internal network? It needs a route to 9.0.0.0/24 via 10.0.0.5, otherwise it could not route the packets back. And I think option routers 10.0.0.5 in your DHCP config is a typo... – ridgy Jan 30 '17 at 17:26
  • No, the problem is that this "Gateway 10.0.0.1" is our connection to the internet, and I don't have access to it. The server at 10.0.0.5 is the DHCP server / router with the two NICs – derHugo Jan 30 '17 at 17:32
  • @ridgy the 10.0.0.5 in dhcp is not a typo, but maybe I've chosen the wrong IP here ... does it have to be the internal or external IP of the server? – derHugo Jan 30 '17 at 18:03

1 Answer

Thanks for the image, which makes things clearer.

First, as your clients are in network 9.0.0.0/24, they need to have a default router in the same subnet (they would not know how to reach another subnet), so the DHCP entry should read option routers 9.0.0.5 - the address of 'My Server' in that subnet.

Now they should send packets for any other network (except 9.0.0.0/24) to the address 9.0.0.5, in the hope that it knows how to route them.

As 'My Server' has a default route to 10.0.0.1, it will pass those packets to 'Gateway' if the destination is outside its directly attached networks. And hopefully 'Gateway' will pass them further, using NAT. Up to now it's OK.

When the target host (say 151.101.65.69) tries to respond, it sends the response to 'Gateway'; this one knows that the request came from, say, 9.0.0.10. But now there is a problem: 'Gateway' does not have a route to 9.0.0.0/24, and so again passes the packet to its default route (or maybe drops it, as your private network is not routed at all).

If you have no access to change the configuration of 'Gateway', there are two solutions:

  1. If 'Gateway' listens to any sort of routing information protocol on the inside, say RIP2, OSPF or BGP, 'My Server' should announce its routing information on the network. How to do that, see e.g. Dynamic Routing or How to Turn....
  2. If this does not work, your only chance is to use NAT on 'My Server' instead of routing. This is done by 'masquerading'; it is described in How to Turn... as well.
ridgy
  • Hi, sorry, I wasn't in the office till today.. Thanks a lot for your detailed answer! Yes, I guess since I can ping the "external" NIC from my office PC, the problem has to be in the Gateway as you described. So I will first try this Dynamic Routing thing. Is there some way to find out what the Gateway is listening to? Or will I have to try every option and hope? – derHugo Feb 03 '17 at 07:40
  • Hm, according to your second link about How to Turn... it says for Dynamic Routing: "Important: Don't forget to repeat the following setup for both routers." ... so since I have no access to the Gateway this means I can not use this method, can I? – derHugo Feb 03 '17 at 08:00
  • Hey, thanks to your explanation and the hint with NAT I finally got it! The clients have Internet via DHCP! Important question now: Is this setup via NAT and masquerading compatible with a firewall like shorewall? Since it is an office we need a very well configured firewall, and shorewall is the one I'm most used to. I did the iptables setup exactly the same as in This question; is this a recommendable setup? – derHugo Feb 03 '17 at 08:40
  • As I don't know shorewall, and am not very familiar with iptables, I can't help any further. Maybe ask a new question? – ridgy Feb 03 '17 at 09:41
  • Ok, thanks anyway!! I finally can work with it from now on ;) – derHugo Feb 03 '17 at 09:45
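The two points of the accepted answer, as an added example that is not code from the question, the answer or the comments above: a small POSIX sh script that (1) checks that the `option routers` value handed out by dhcpd lies inside the clients' own subnet, which is the check that would have flagged the `routers 10.0.0.5` line in the question, and (2) prints the standard Linux commands (ip_forward sysctl plus iptables MASQUERADE and FORWARD rules) that turn 'My Server' into a masquerading router, so 'Gateway' never needs a return route to 9.0.0.0/24. The interface names and addresses are the thread's symbolic values; the rules are printed for review rather than executed, and applying them needs root.

```shell
#!/bin/sh
# Added example, not part of the question or answer above.
#   check_dhcp_router: the check that would have caught the question's bug
#     (option routers 10.0.0.5 handed to 9.0.0.0/24 clients).
#   nat_rules: the masquerading setup on 'My Server' from the answer's
#     second option, printed for review instead of executed.
# Interface names and addresses are the thread's symbolic values (assumed);
# sysctl/iptables usage is standard Linux, nothing from the thread.

WAN_IF=eth0             # towards 'Gateway' (10.0.0.1), which has no route back to the office
LAN_IF=eth1             # towards the office, 9.0.0.5
LAN_NET=9.0.0.0
LAN_MASK=255.255.255.0
DHCP_ROUTER=9.0.0.5     # what 'option routers' in dhcpd.conf should say

# ip_to_int DOTTED-QUAD: print the address as a 32-bit integer
# (ip_to_int 9.0.0.5 -> 150994949)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: succeed iff ADDR lies inside NET/MASK
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(ip_to_int "$3")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_dhcp_router ROUTER NET MASK: clients can only use a default gateway
# they can ARP for, i.e. one inside their own subnet.
check_dhcp_router() {
    if in_subnet "$1" "$2" "$3"; then
        echo "ok: option routers $1 is inside $2/$3"
        return 0
    fi
    echo "bad: option routers $1 is outside $2/$3; clients cannot reach it" >&2
    return 1
}

# nat_rules WAN LAN NET MASK: print the commands that make this box a
# masquerading router. Replies return to the WAN address, so the upstream
# 'Gateway' never needs a route to NET/MASK. FORWARD defaults to DROP so
# only office-originated traffic and its replies are forwarded.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $1 -s $3/$4 -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $2 -o $1 -s $3/$4 -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Stand-alone usage: validate the DHCP gateway, then show the rules.
# Apply them as root with:  nat_rules eth0 eth1 9.0.0.0 255.255.255.0 | sh
check_dhcp_router "$DHCP_ROUTER" "$LAN_NET" "$LAN_MASK" &&
    nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$LAN_MASK"
```

The rules are deliberately only printed: review them, then pipe them to `sh` as root. To keep them across reboots, put `net.ipv4.ip_forward=1` in /etc/sysctl.conf and save the iptables rules with the distribution's persistence mechanism (e.g. the iptables-persistent package on Ubuntu), or express the same policy in shorewall's zone and masq configuration, which generates equivalent iptables rules.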