Linux - Networking
Following the instructions on this page http://blog.redbranch.net/2015/07/30...ivate-network/ I have configured a test environment which works EXCEPT when I connect my gateway PC to a VPN with OpenVpn. Here is the setup I have:
PC15 - the gateway PC has a wireless card wlp2s0 and a wired card p1p2.
wlp2s0 connects to my router at 192.168.0.1 and gets a DHCP reserved IP address 192.168.0.125.
p1p2 is manually configured to address 192.168.3.115 netmask 255.255.255.0 and no gateway (it is the gateway I believe)
p1p2 is plugged into a switch. PC16 is also plugged into the switch (NIC also called p1p2). Its wireless card is disabled.
PC16 p1p2 is manually configured to 192.168.3.116 netmask 255.255.255.0 and gateway 192.168.0.125 (PC15). I have also entered a DNS server 208.67.220.220 (Open DNS). I believe my testing showed that last step to be necessary although I have tweaked so many things so many times I am not sure. It is specified at the moment and things are working.
After completing the steps on the page linked above (adjusted for my NIC names and IP addresses) I can communicate between PC16 and PC15, I can browse the web from either PC as well.
However, when I activate a VPN on PC15 via Networkmanager-openvpn-gnome I can no longer access the Internet from PC16. PC15 works fine and gets the appropriate Internet IP address from the VPN. So close
- change the gateway of PC16 to 192.168.3.115 (which is PC15's wired NIC).
- enable forwarding on PC15 via /etc/sysctl.conf with this value 'net.ipv4.ip_forward = 1'
It would also be helpful if you can provide the routing table of PC16.
I think I need to buy a router and install DD-WRT. I spent 10 minutes this morning trying to get my test environment running - finally noticed that I had unplugged the power to the switch
I DO have the forward command in /etc/sysctl.conf on PC15 and I do have the gateway on PC16 set to 192.168.3.115. I must have transcribed an earlier attempt into my original post. My apologies.
Here are the route results for PC16
Code:
[root@taylor16 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.3.115 0.0.0.0 UG 100 0 0 p1p2
192.168.3.0 0.0.0.0 255.255.255.0 U 100 0 0 p1p2
PC15 without VPN
Code:
[root@taylor15 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlp2s0
172.16.38.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
192.168.0.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
192.168.3.0 0.0.0.0 255.255.255.0 U 100 0 0 p1p2
192.168.251.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
and after I invoke the VPN on PC15
Code:
[root@taylor15 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.21.94.1 0.0.0.0 UG 50 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlp2s0
64.145.79.16 192.168.0.1 255.255.255.255 UGH 600 0 0 wlp2s0
172.16.38.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
172.21.94.0 0.0.0.0 255.255.254.0 U 50 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
192.168.0.1 0.0.0.0 255.255.255.255 UH 600 0 0 wlp2s0
192.168.3.0 0.0.0.0 255.255.255.0 U 100 0 0 p1p2
192.168.251.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
vmnet8 is an artifact from VMWare Player which is installed. I do not think it is coming into play. Let me see if I remember how to uninstall it and I will see if it makes a difference.
The PC is totally hosed. I can only connect to ANYTHING via the wireless if I disable the manually configured wired connection. Let me see if I have a Clonezilla snapshot from before I installed VMWare. Otherwise I will reinstall CentOS and get a clean start.
It gets better and better. I restored a CentOS 7.3 image without VMWare on the router PC. I then enabled the WiFi adapter and configured it to connect to my hidden WiFi network. It seems to do so, gets an IP address from DHCP on my real router but it has no connectivity. The wired NIC is simply plugged into the switch - no DHCP for it to get an address from (it is set to automatically get an address, not manually configured). If I unplug the ethernet cable or disable the wired NIC the WiFi connection will begin to transmit data. When the wired connection is enabled and plugged into something the WiFi traffic stops.
If I was to put this PC/CentOS "router" into "production" I would in fact use a USB to Ethernet dongle in place of the WiFi - the PC is a Dell Inspiron 3050 Micro (sort of like an Intel NUC) and it has no room for an add-in NIC. However, a decent quality dongle would run about $20US or more and I can get a Linksys WRT54GL router which will run DD-WRT for $35US.
On the other hand my previous desktop has space for two NICs - might even have 2 installed. I may resurrect it and load CentOS 7 and give it a test. Not a practical solution as it draws about 170 Watts vs 6 Watts for the Micro. Not something I want on all the time.
I have posted a question on the DD-WRT forum regarding what happens when the VPN drops the connection. If I connect to the VPN from the command line and the connection drops, all traffic stops. If I connect from NetworkManager-openvpn and the VPN drops, NetworkManager will resume the connection in the clear so to speak - no VPN. Not cool. Hopefully I will get an answer on that and decide how I need to proceed.
Thanks again for your reply c0wb0y. I will post an update when I have determined my next steps.
My previous experiment was a sort of fiasco because 1) the switch I was using was on an old router and I failed to disable DHCP on the thing; 2) I had VMWare networking on the router PC; 3) The wired NIC seems to take priority over the WiFi NIC even if the wired NIC does not connect to anything which communicates anywhere. So... I built a fresh install of CentOS 7.3 on another PC which has two wired NICs. I followed as best I could the same steps as in the previous experiment. Here is what I can do:
PC15 (now just a member of my LAN) has WiFi disabled and the wired NIC manually set to address 192.168.7.115 mask 255.255.255.0 gateway 192.168.7.112 (on router PC12) DNS specified at 208.67.222.222,208.67.220.220
From PC15 I can ping the router PC12 at 192.168.7.112.
From PC15 I can ping other PCs on my 192.168.0 subnet.
From PC15 I can ping a DNS server 208.67.222.222
From PC12 - the router - I can ping PC15
From PC12 I can connect to the Internet (using the DNS specified on my real router)
And what I cannot do:
I cannot ping PC15 from other PCs on my 192.168.0 subnet
I cannot connect to the Internet with a web browser nor ping www.wral.com from PC15.
Below is a transcript of my activities step by step. I have looked over it until I am cross-eyed. I probably missed something simple (I hope). Suggestions please!
TIA,
Ken
Code:
PC12 (aka taylor12) started out with this configuration:
[root@taylor12 ken]# ifconfig
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.112 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::225:64ff:fee8:182c prefixlen 64 scopeid 0x20<link>
ether 00:25:64:e8:18:2c txqueuelen 1000 (Ethernet)
RX packets 6775 bytes 8206616 (7.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5127 bytes 527151 (514.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
enp6s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.7.112 netmask 255.255.255.0 broadcast 192.168.7.255
inet6 fe80::240:5ff:fe36:71c5 prefixlen 64 scopeid 0x20<link>
ether 00:40:05:36:71:c5 txqueuelen 1000 (Ethernet)
RX packets 11 bytes 888 (888.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 1722 (1.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@taylor12 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp5s0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.7.0 0.0.0.0 255.255.255.0 U 100 0 0 enp6s1
[root@taylor12 ken]# firewall-cmd --list-all-zones
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0 enp6s1
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
----------------------------------------------------------------------------------
iptables-save > savedrules.txt
----------------------------------------------------------------------------------
Here I start tweaking...
vim /etc/sysctl.conf
add the lines
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
#sysctl -w net.ipv4.ip_forward=1
192.168.0.0 enp5s0 move to external
192.168.7.0 enp6s1 move to internal
[root@taylor12 ken]# firewall-cmd --zone=internal --add-interface=enp5s0 --permanent
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@taylor12 ken]# firewall-cmd --zone=external --add-interface=enp6s1 --permanent
The interface is under control of NetworkManager, setting zone to 'external'.
success
[root@taylor12 ken]# firewall-cmd --complete-reload
[root@taylor12 ken]# firewall-cmd --list-all-zones
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
external (active)
target: default
icmp-block-inversion: no
interfaces: enp6s1
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@taylor12 ken]# iptables-save > savedrules1.txt
[root@taylor12 ken]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success
[root@taylor12 ken]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp5s0 -j MASQUERADE -s 192.168.7.0/24
success
[root@taylor12 ken]# firewall-cmd --complete-reload
[root@taylor12 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp5s0
0.0.0.0 192.168.0.112 0.0.0.0 UG 101 0 0 enp6s1
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.0.112 0.0.0.0 255.255.255.255 UH 100 0 0 enp6s1
192.168.7.0 0.0.0.0 255.255.255.0 U 100 0 0 enp6s1
From PC15 - the PC on the 192.168.7 subnet - while I CAN ping a PC on the 192.168.0. subnet I CANNOT ssh to that same PC. I can ssh to the 192.168.0 PC from PC12 - the router PC.
I do not THINK there is any firewall block of ssh. I have looked through the firewall settings on both machines and do not see anything. I have done some testing:
From PC12 (the "router") I can ssh to another PC on my 192.168.0 subnet.
From PC12 (the "router") I can ssh to PC15 at 192.168.7.115 but it is EXTREMELY slow to connect and authenticate. Interestingly the connection tells me "Last login ... from gateway".
From PC15 I can ssh to PC12 (the "router") Last login ... from taylor12 (the actual computer name of PC12)
From a pc at 192.168.0.120 I can ssh to PC12 (the "router")
Ken
p.s. As another test I unplugged the router PC from the real router and plugged the router PC into the DSL modem. It received an Internet IP address from my ISP on NIC enp5s0. It can connect to the Internet (e.g. Firefox) but PC15 still cannot. Seems my route is not routing
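To check a gateway like the PC12 transcript above mechanically rather than by eye, here is an added example (my own, not from the thread or from the linked blog post). It parses the two text formats the post already shows, `route -n` and `firewall-cmd --list-all-zones`, plus the `net.ipv4.ip_forward` sysctl line, takes the interface carrying the lowest-metric default route as the WAN side, and reports when that interface is not in the zone that has masquerade enabled (or when a non-WAN interface is). The sample inputs are copied from the transcript; `ZONES_FIXED` is a constructed variant with the two interfaces swapped so the same audit can be seen passing. Run on the transcript's values it reports that enp5s0 (default route) sits in `internal` with masquerade off while enp6s1 sits in the masquerading `external` zone, and that there are two default routes.

```python
"""Offline audit of a firewalld NAT gateway from 'route -n' and zone listings.

Added example, not code from the thread. Parses the command output formats
shown in the post and checks that the interface holding the default route is
the one being masqueraded. All inputs below are constructed/copied samples.
"""
import re

# Constructed sample: 'route -n' from the PC12 transcript after the tweaks.
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp5s0
0.0.0.0 192.168.0.112 0.0.0.0 UG 101 0 0 enp6s1
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.0.112 0.0.0.0 255.255.255.255 UH 100 0 0 enp6s1
192.168.7.0 0.0.0.0 255.255.255.0 U 100 0 0 enp6s1
"""

# Constructed sample: the two active zones from the PC12 transcript.
ZONES = """\
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
external (active)
target: default
icmp-block-inversion: no
interfaces: enp6s1
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
"""

# Constructed "fixed" listing: same zones with the two interfaces swapped
# (WAN enp5s0 in the masquerading zone, LAN enp6s1 in internal).
ZONES_FIXED = (ZONES.replace("interfaces: enp5s0", "interfaces: @WAN@")
                    .replace("interfaces: enp6s1", "interfaces: enp5s0")
                    .replace("interfaces: @WAN@", "interfaces: enp6s1"))

SYSCTL = "net.ipv4.ip_forward = 1\n"  # as added to /etc/sysctl.conf in the post


def parse_routes(text):
    """Return one dict per route line of 'route -n' output (header lines skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            continue
        routes.append({"dest": parts[0], "gw": parts[1], "mask": parts[2],
                       "flags": parts[3], "metric": int(parts[4]), "iface": parts[7]})
    return routes


def parse_zones(text):
    """Return {zone: {'interfaces': [...], 'masquerade': bool}} from --list-all-zones output.

    Zone header lines ('external (active)') carry no colon; attribute lines do,
    so the parser works whether or not the attribute indentation survived.
    """
    zones, current = {}, None
    for line in text.splitlines():
        if line.strip() and ":" not in line:
            current = line.split()[0]          # drop the '(active)' suffix
            zones[current] = {"interfaces": [], "masquerade": False}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "interfaces":
                zones[current]["interfaces"] = value.split()
            elif key == "masquerade":
                zones[current]["masquerade"] = (value == "yes")
    return zones


def parse_ip_forward(text):
    """True when a 'net.ipv4.ip_forward = 1' line is present."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", text)
    return m is not None and m.group(1) == "1"


def default_route_ifaces(routes):
    """Interfaces of all default routes, lowest metric (preferred) first."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and "G" in r["flags"]]
    return [r["iface"] for r in sorted(defaults, key=lambda r: r["metric"])]


def audit(route_text, zone_text, sysctl_text):
    """Return a list of finding strings; an empty list means the gateway looks sane."""
    findings = []
    zones = parse_zones(zone_text)
    if not parse_ip_forward(sysctl_text):
        findings.append("ip_forward is not enabled")
    defaults = default_route_ifaces(parse_routes(route_text))
    if not defaults:
        findings.append("no default route")
        return findings
    wan = defaults[0]                       # preferred default route = WAN side
    wan_zones = [z for z, v in zones.items() if wan in v["interfaces"]]
    if not wan_zones:
        findings.append(f"WAN interface {wan} is not assigned to any zone")
    for z in wan_zones:
        if not zones[z]["masquerade"]:
            findings.append(f"WAN interface {wan} is in zone '{z}' which has masquerade: no")
    for z, v in zones.items():
        if v["masquerade"]:
            for iface in v["interfaces"]:
                if iface != wan:
                    findings.append(f"non-WAN interface {iface} is in masquerading zone '{z}'")
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(defaults))
    return findings


if __name__ == "__main__":
    for label, zone_text in (("as posted", ZONES), ("interfaces swapped", ZONES_FIXED)):
        print(f"[{label}]")
        for f in audit(ROUTE_N, zone_text, SYSCTL) or ["no findings"]:
            print("  -", f)
```

On a live CentOS box the three inputs would come from `route -n`, `firewall-cmd --list-all-zones` and `sysctl net.ipv4.ip_forward`; the parsers only need the same text, so the findings list is the thing to look at before adding any `--direct` passthrough rules on top.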
I guess I should call them by my naming convention. I started it back when I first networked a couple of PCs. I don't recall what number that one was but I started my naming scheme retroactively with taylor01 representing my Osborne Executive (which was not networked although there was something for CP/M called the Trantor Web - never had one of them). I am currently at taylor20 - A Dell Precision T3620. PC15 is really taylor15 - a Dell Inspiron 3050 Micro (about the size of an Intel NUC) and PC12 is my previous main desktop a Dell Studio XPS 8000. I ran CentOS 6 on it for about 8 years.
My addressing scheme is similar. taylor15 is 192.168.0.115 on its wired NIC and 192.168.0.125 on the WiFi NIC. Now that I have taylor20 at 192.168.0.120 on its wired NIC I guess my numbering scheme may need some rework
My test environment is a little more complicated as I have only 1 Internet connection and so as not to disconnect the whole LAN from the net I am hanging the "router" PC taylor12 off of my Netgear router and building an ersatz LAN represented by taylor15 on the 192.168.7 subnet.
The "production" setup will probably be DSL Modem <--> taylor16 (another 3050 Micro) <--> gigabit switch <--> other PCs and servers using manually configured static IP addresses as they do not change often and saves the trouble of running a DHCP. taylor16 will access a VPN service using OpenVPN and share it with the rest of the LAN. Having the Netgear router in between the DSL modem and taylor16 will allow me to bypass the VPN from a WiFi notebook if needed for testing and the router might provide some firewall protection.
That is sort of the plan if I can get this "share the connection" thing figured out. Windoze could do it, Linux should be able to do it better
Recalling back in the Windoze XP days there was a wizard or similar thing to share an Internet connection. I don't think I ever used it as I had a router once I had enough of an Internet connection to share. (2 modems and 2 phone lines before that) Keeping this simple minded frame of mind... I did another search for "share Internet connection Linux" and I found an Ubuntu page which talked about a "Shared with other computers" method in Network Manager. I had seen that but as it did not let me specify what IP address I wanted to share or ANYTHING at all I had not tried it. Well... I restored my IP tables on taylor12 (the router PC) which I had saved before starting on this boondoggle. I then deleted the manual IP address and changed the LAN NIC enp6s1 from a manual setup to Shared...
After stopping/starting this interface an ifconfig revealed that it was assigned 10.42.0.1. On the LAN PC (taylor15) I changed the manually configured IP address to 10.42.0.115 mask 255.255.255.0 gateway 10.42.0.1. Both the router and LAN PCs can access the Internet. I invoked my OpenVPN script on the router PC and lo and behold it is now in Zurich. Checked the LAN PC and it is also in Zurich.
The only problems are:
1 - I have no idea what "Shared..." did
2 - I cannot change the IP address which is shared (again because I have no idea what happened)
3 - Now that I have something which works I may have to purchase a USB NIC for the Micro as it only has one Ethernet port and its WiFi NIC tends to take the day off when the Ethernet NIC is talking to ANYTHING. Of course I can return a $180US router which I was going to configure with DD-WRT.
4 - I have to assign manual IP addresses to 8 physical machines and a similar number of VMWare virtual machines and edit a bunch of hosts files.
5 - I STILL have no idea what happened.
Time to reconfigure my test environment and again try to use the Micro's WiFi as the Internet connection and the Ethernet NIC as the LAN.
Quote:
My addressing scheme is similar. taylor15 is 192.168.0.115 on its wired NIC and 192.168.0.125 on the WiFi NIC. Now that I have taylor20 at 192.168.0.120 on its wired NIC I guess my numbering scheme may need some rework
You should really keep both NICs on separate networks. The reason, I believe, one NIC is shutting down when you have both connected is that you are causing a routing loop and for protection one of the NICs is getting shut off.
Anytime you connect a device with 2 or more NICs to the same network you cause a routing loop and one of the interfaces will be turned off. Creating a different network and attaching one NIC to each will correct this problem.
I believe once we get your network straightened out everything else will fall into place.