LinuxQuestions.org

-   -   Linux box as a gateway/router (https://www.linuxquestions.org/questions/linux-networking-3/linux-box-as-a-gateway-router-318043/)

dooda5555 04-28-2005 08:05 AM

Linux box as a gateway/router
 
Hi, I decided to add a linux box between my DSL router/modem (GNET BB0060) and my Linksys router, to eventually act as a firewall. However, it seems that the packets that are coming from the Linksys router are not routing properly to my GNET modem. However, traffic that is initiated from the linux box makes its way to the router/modem without any issue, and routes to the Internet.

Here are some more details:

- 10.0.0.0 /30 between linux box and Linksys (linksys is 10.0.0.1 ... Linux box P2P is 10.0.0.2)

- 192.168.7.0 /24 between linux box and GNET router/modem (GNET is 192.168.7.1 .... Linux box is at 192.168.7.2)

++++

linux:~ # netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 * 255.255.255.252 U 0 0 0 eth0
192.168.7.0 * 255.255.255.0 U 0 0 0 eth1
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.7.1 0.0.0.0 UG 0 0 0 eth1

+++++

linux:~ # arp -a
? (192.168.7.1) at 00:30:EB:D6:4F:48 [ether] on eth1
? (10.0.0.1) at 00:06:25:9C:CB:7D [ether] on eth0

+++++

linux:~ # lspci

-- snip --
0000:00:09.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
0000:00:0b.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
-- snip --

++++++++++

Here's an example of how it doesn't work. From a Windows workstation that connects to the Linksys, I can ping the LAN IP of the linux box at IP 10.0.0.2, as well as the WAN IP of the linux box at IP 192.168.7.2. However, I cannot ping the LAN (inside interface) of the GNET router/modem at IP 192.168.7.1. However, like I said before, from the Linux box no problem:

linux:~ # ping 192.168.7.1
PING 192.168.7.1 (192.168.7.1) 56(84) bytes of data.
64 bytes from 192.168.7.1: icmp_seq=1 ttl=64 time=0.469 ms
64 bytes from 192.168.7.1: icmp_seq=2 ttl=64 time=0.406 ms
64 bytes from 192.168.7.1: icmp_seq=3 ttl=64 time=0.420 ms

--- 192.168.7.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.406/0.431/0.469/0.036 ms

+++++++++++

If you look at the routing table provided earlier, dynamic routing seems to have done its job properly, where traffic from the Linux box routes to gateway 192.168.7.1.

Any idea what's going on? Oh, by the way, linux box is Suse 9.1, haven't touched anything regarding firewall yet, just chose the basic installation of Suse 9.1.

cowanrl 04-28-2005 10:37 AM

Are you using NAT on the Linux box? If not, then your problem is probably that the GNET router has no route to the 10 network. When it receives the ping from 10.0.0.1, it will look for a route to the 10 network so it can send a response. Not finding a route to the 10 network, it most likely will send the reply to its default gateway, which should be pointing to your ISP. What it does with the packet really depends on the software running on the router, but it will not automatically forward the packet back through 192.168.7.2.
If your GNET router supports static routes, you could configure a static route on it that says "to reach the 10.0.0.0 network, send packets through 192.168.7.2". Many small DSL routers don't support static routes. Even if they do, some only support NAT on one subnet.
I have a small 3Com router at home. I tried to set up the same type of network you have, with a Linux box acting as a firewall between my home network and the 3Com router that connects to the Internet. I can configure a static route on the 3Com router so that it will respond to pings from machines on the home network on the other side of the Linux box. However, the 3Com router will only perform NAT on the subnet that is actually attached to its LAN interface, so I couldn't reach the Internet from the home network.

The solution I ended up with was to set up IP Masquerading on the Linux box. That way, any packet that reaches the 3Com router from my home network has a source IP address of the interface on the Linux box that connects to the 3Com router. Basically I was using double NAT. It worked OK but there was a slight performance hit on the network because each packet had to be translated twice.

If the GNET router doesn't support static routes or it will only allow NAT on one subnet, your easiest option will be to use IP Masquerading on the Linux box if you want to use it as a firewall.
Another option is to use proxy ARP. If you're not familiar with it, it's more complicated to set up than IP masquerading.

Added Later:
After re-reading your post, I see that you also have a Linksys router in the mix which could make things even more complicated. Is it a router/switch combo where you could use it as only a switch or does it have to work as a router?
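The reasoning in the reply above (the GNET has no return route for 10.0.0.0/30, so its echo reply follows the default route toward the ISP; a static route or masquerading on the Linux box fixes it) can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or from either poster. The routing tables are constructed from the addresses in the thread; the ISP next hop 203.0.113.1 (a TEST-NET-3 address), the interface names "lan"/"wan" on the GNET, and the assumption that the Linksys NATs the Windows workstation to 10.0.0.1 are mine.

```python
import ipaddress

# Constructed routing tables for the hops in the thread. Each entry is
# (prefix, next_hop or None when the prefix is directly attached, interface).
LINUX_BOX = [
    ("10.0.0.0/30", None, "eth0"),
    ("192.168.7.0/24", None, "eth1"),
    ("0.0.0.0/0", "192.168.7.1", "eth1"),
]
# GNET as shipped: only its own LAN plus a default route to the ISP.
# 203.0.113.1 is an assumed ISP next hop (TEST-NET-3), not from the thread.
GNET_DEFAULT = [
    ("192.168.7.0/24", None, "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),
]
# GNET after the suggested fix: "to reach 10.0.0.0/30, send via 192.168.7.2".
GNET_WITH_STATIC = GNET_DEFAULT + [("10.0.0.0/30", "192.168.7.2", "lan")]

# Interface addresses of the Linux box, used to pick the MASQUERADE source.
LINUX_IFACE_ADDR = {"eth0": "10.0.0.2", "eth1": "192.168.7.2"}


def lookup(table, dst):
    """Longest-prefix match. Returns (next_hop, iface); for a directly
    attached prefix the next hop is the destination itself. None = no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    return (gw if gw is not None else str(dst_ip), iface)


def gnet_reply_next_hop(gnet_table, request_src):
    """Where the GNET sends its echo reply for a request from request_src."""
    return lookup(gnet_table, request_src)


def masquerade(src, dst, table=LINUX_BOX, addrs=LINUX_IFACE_ADDR):
    """Model of `iptables -t nat -A POSTROUTING -j MASQUERADE` on the Linux
    box: the source address is rewritten to that of the egress interface.
    The real source `src` is only used by the caller; NAT hides it upstream."""
    hop = lookup(table, dst)
    if hop is None:
        return None
    return addrs[hop[1]]


def ping_from_lan(src, dst, gnet_table, nat):
    """Trace the reply for a LAN ping forwarded by the Linux box to the GNET.
    Returns the GNET interface used for the reply: 'lan' means it comes back
    toward the Linux box, 'wan' means it is lost toward the ISP."""
    seen_src = masquerade(src, dst) if nat else src
    hop = gnet_reply_next_hop(gnet_table, seen_src)
    return hop[1] if hop else None


if __name__ == "__main__":
    # Assumption: the Linksys NATs the Windows workstation to its WAN address 10.0.0.1.
    for nat in (False, True):
        for name, tbl in (("no static route", GNET_DEFAULT), ("static route", GNET_WITH_STATIC)):
            via = ping_from_lan("10.0.0.1", "192.168.7.1", tbl, nat)
            print(f"masquerade={nat!s:5} GNET {name:15} -> reply via {via}")
```

Only the "no static route, no masquerade" combination sends the reply out the WAN side, which is exactly the symptom in the first post; with either the static route or masquerading the reply is delivered on the GNET's LAN. The masquerade path additionally keeps the 10.0.0.0/30 addressing invisible to the modem, at the cost of the second translation the reply above mentions.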

dooda5555 04-29-2005 01:06 PM

Your suggestion to add a static route on the GNET, to announce network 10.0.0.0 /30 to forward to gateway 192.168.7.2, worked, thanks.

Ben
