LinuxQuestions.org
Old 04-16-2020, 04:57 PM   #1
jplev22
Member
 
Registered: Dec 2003
Location: New Brunswick, Canada
Distribution: Debian 10 Buster
Posts: 85

Rep: Reputation: 16
Cannot ping second ethernet device


I am setting up an internal subnet on the second ethernet adapter of my server. The intent is to eventually route all that subnet's traffic through a tunnel.

However, I can't seem to get past the ethernet device.
(enp8s0=internal subnet eno1=subnet connected to wan)

Example:
Code:
$ ping -I enp8s0 192.168.190.20
PING 192.168.190.20 (192.168.190.20) from 192.168.192.1 enp8s0: 56(84) bytes of data.

--- 192.168.190.20 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 66ms
ip route:
Code:
default via 192.168.190.1 dev eno1 onlink 
192.168.190.0/24 dev eno1 proto kernel scope link src 192.168.190.20 
192.168.192.0/24 dev enp8s0 proto kernel scope link src 192.168.192.1
I also modified the iptables using:
Code:
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
$ sudo iptables -A FORWARD -i enp8s0 -o eno1 -j ACCEPT
Confirmed ip forward is enabled:
Code:
$ sudo cat /proc/sys/net/ipv4/ip_forward
1
Any clue? Thanks for any input.
 
Old 04-16-2020, 07:47 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,403
Blog Entries: 28

Rep: Reputation: 6166
What is the ip address you are pinging from?
 
Old 04-16-2020, 07:51 PM   #3
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,858

Rep: Reputation: 1151
Well this won't work, you're specifying the wrong interface (based on your routing table)
Code:
$ ping -I enp8s0 192.168.190.20
In any case, no need to specify the interface. Just do...
Code:
ping 192.168.190.20

Last edited by ferrari; 04-16-2020 at 07:52 PM.
 
Old 04-16-2020, 08:36 PM   #4
jplev22
Member
 
Registered: Dec 2003
Location: New Brunswick, Canada
Distribution: Debian 10 Buster
Posts: 85

Original Poster
Rep: Reputation: 16
@frankbell I am pinging from 192.168.192.1. (IP associated with enp8s0)

@ferrari I thought the "-I" flag meant ping from a specific device. Please correct my understanding if incorrect. Indeed ping 192.168.190.20 does work.

I do get the same negative result if I ping from a client on the 192.168.192.0/24 subnet.

Here's a ping & tcpdump for reference:

Code:
$ ping -I enp8s0 192.168.190.1
PING 192.168.190.1 (192.168.190.1) from 192.168.192.1 enp8s0: 56(84) bytes of data.
--- 192.168.190.1 ping statistics ---
438 packets transmitted, 0 received, 100% packet loss, time 909ms
Code:
$ sudo tcpdump -i enp8s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:29:28.690616 ARP, Request who-has _gateway tell JPStudy, length 28
22:29:29.714679 ARP, Request who-has _gateway tell JPStudy, length 28
22:29:30.197417 IP 192.168.192.29.39276 > _gateway.domain: 46423+ TXT? push.apple.com. (32)
22:29:30.197472 IP 192.168.192.29.39276 > dns.google.domain: 46423+ TXT? push.apple.com. (32)
22:29:30.197489 IP 192.168.192.29.39276 > dns.google.domain: 46423+ TXT? push.apple.com. (32)
22:29:30.738623 ARP, Request who-has _gateway tell JPStudy, length 28
22:29:31.762621 ARP, Request who-has _gateway tell JPStudy, length 28
Running tcpdump on eno1, there is not one 192.168.192.x that appears.
 
Old 04-17-2020, 12:52 AM   #5
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,858

Rep: Reputation: 1151
In this case only one interface (en01) can reach the target address. No routing is required, since the server is directly connected to the subnet belonging to the IP address of interest.

Last edited by ferrari; 04-17-2020 at 12:55 AM.
 
Old 04-17-2020, 12:59 AM   #6
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,858

Rep: Reputation: 1151
Quote:
@ferrari I thought the "-I" flag meant ping from a specific device.
No, it means interface. From 'man ping'...
Quote:
-I interface
interface is either an address, or an interface name. If interface is an address, it sets source address to specified interface address. If interface is an interface name, it sets source interface to specified interface. For IPv6, when doing ping to a link-local scope address, link specification (by the '%'-notation in destination, or by this option) is required.
It really only has relevance if there are two or more routes to a given IP address from a given device (usually a router). The source address will be that of the interface the packet is being sent from.
 
Old 04-17-2020, 11:10 AM   #7
jplev22
Member
 
Registered: Dec 2003
Location: New Brunswick, Canada
Distribution: Debian 10 Buster
Posts: 85

Original Poster
Rep: Reputation: 16
Thanks for the explanation.

Traffic is finally routed through my server:

NAT had to be set up in nftables:
Code:
nft add table nat
nft add chain nat post { type nat hook postrouting priority 0 \; }
nft add chain nat pre { type nat hook prerouting priority 0 \; }
# source-NAT traffic from the internal subnet as it leaves via the WAN-side interface
nft add rule nat post ip saddr 192.168.192.0/24 oif eno1 snat 192.168.190.20

Now my lan clients have access to the internet. Thanks for your input.

Reference: http://computer-outlines.over-blog.com/article-nftables-6-a-nftables-linux-internet-gateway-123294152.html
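
The NAT rule from the last post as a ruleset file, together with a forward chain that limits what the gateway relays (the first post's FORWARD rule plus a stateful return path). This is an added example, not part of the original posts; the file name, the table name "gateway", the default-drop policy and the counter rule are assumptions, while interface names and addresses are the ones from the thread.

```nftables
# /etc/nftables.d/gateway.nft   (hypothetical file name)
# enp8s0 = internal subnet 192.168.192.0/24
# eno1   = WAN-side subnet, server address 192.168.190.20

table ip nat {
    # Registered empty, as in the post.
    chain pre {
        type nat hook prerouting priority 0; policy accept;
    }

    chain post {
        type nat hook postrouting priority 0; policy accept;
        # Rewrite the source only for internal-subnet traffic leaving via eno1,
        # so traffic on other interfaces is left untouched.
        ip saddr 192.168.192.0/24 oif "eno1" snat to 192.168.190.20
    }
}

# Assumption: this table and its default-drop policy are additions.
table ip gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that the internal subnet opened.
        ct state established,related accept

        # New connections may only go from the internal subnet out to the WAN side,
        # and only with a source address that belongs to that subnet.
        iif "enp8s0" oif "eno1" ip saddr 192.168.192.0/24 accept

        # Everything else falls through to the drop policy; count it for review.
        counter comment "unmatched forwards, dropped by policy"
    }
}
```

Load it with `nft -f` and review the result with `nft list ruleset`; the counter shows how many forwarded packets matched neither accept rule.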
 
  

