How to route a network connection through another PC (no ICS, NAT)

udippel · 03-10-2012, 09:59 PM

I have tried in vain to route traffic from PC2 through PC1 to a WAN connection.

The setup is like this: PC2 is connected to PC1 (router) via Ethernet. This works perfectly well in both directions (10.10.10.0/24).
PC1 is perfectly well connected to the Internet, with name resolution and all; and I can browse all websites (it is a DHCP-client on the WAN).

I have set the IP_forward to "1" on PC1 (router):
$ cat /proc/sys/net/ipv4/ip_forward
1

Problem: I cannot ping any IP aside of PC1 from PC2. I can ping any IP from PC1 (the one connected to WAN) at that same moment.

Therefore it looks like a routing problem. Though when I look at netstat, it looks okay(?). Since the ping from PC2 finds PC1 alright: How do I teach PC1 to route the packages from its eth0 to the WAN interface?

fukawi1 · 03-11-2012, 03:24 AM

You haven't provided much useful information, but since you said the routes look right, one thing you haven't mentioned, is a masquerade firewall rule..

Assuming you are using iptables, on PC1 (the router)

Code:

 iptables -t nat -A POSTROUTING -o $wAN_IF -j MASQUERADE

Something like this would be required, to masquerade the LAN (PC2) traffic to the public ipaddress of the router (PC1).

udippel · 03-11-2012, 04:29 AM

Yes, I understand. Though I did not want to use NAT.
Maybe I need to give it a public IP then? That's also fine with me.

Which info is missing?
PC1 is a PC for the mobile broadband connection only. PC2 is my advanced firewall, DNS, DHCP and so forth for the internal network. But it doesn't support the G3-dongle.

elfenlied · 03-11-2012, 08:38 PM

Perhaps a simple network diagram would help?

Also unless you have a static IP address on your wireless broadband dongle and which also has a publicly routed subnet attached to it you won't be able to give your PC2 a public IP address. Additionally this also means since you PC2 isn't on a public routed subnet the only way you'll be able to have traffic come back to is if your gateway (PC1) NATs it's packets.

udippel · 03-11-2012, 09:14 PM

Of course, me stupid.
I ought not have overlooked the fact that PC2 needs an address. Which could either be RFC1918 - requiring NAT - or a public IP different from the one of the dongle.
I was just for the fun of it taken in by the idea that NAT and everything are done on PC2 in any case, so that I didn't want to do yet another NAT on PC1.
Though now I see my wrong ways. The problem is the 'outside' address of PC2. Can't be public through the dongle and can't be private without NAT.

My excuses for the noise,

Uwe