-   Linux - Networking (
-   -   Linux routing problem (

sanctanox 02-06-2013 05:27 PM

Linux routing problem

I'm having a problem using Linux (CentOS 6.3) as a router that I've tried to outline below. Goal is that computers on LAN2 should be able to access the internet with the Linux server inline acting as the router between LAN2 & LAN1. I don't want to NAT LAN2 to a pool of addresses in LAN1, I just want to route through the Linux box and have the cable modem perform NAT through its outside interface.

Any help is appreciated as I've been banging my head on this for a while now.


Cable Modem    (default gw =
    | LAN1 =
Linux Router    (default gw = (forwarding enabled via sysctl)
    | LAN2 =
ComputerA      (default gw =

Routing table for Cable Modem: via
default via

Routing table for Linux Router (multiple tables):
(Main) dev outside proto kernel scope link src dev inside proto kernel scope link src
default via dev outside

(201) dev outside scope link dev inside scope link
default via dev inside

Rules for Linux Router:
0: from all lookup local
32765: from lookup 201
32766: from all lookup main
32767: from all lookup default

Routing table on ComputerA:
default via

ComputerA cannot access the internet.
ComputerA can ping as follows: yes yes yes no

What am I missing? Why can't ComputerA access the internet and/or ping an internet host that is known to respond to icmp (Google DNS)?

jschiwal 02-06-2013 07:40 PM

Is the cable modem performing NAT translation for the network, or merely routing traffic which it won't do on it's WAN interface since it's in a reserved private only address. In other words, does it only perform NAT translation for the network its LAN switch is on?
If that is the case, maybe treating the network as a the DMZ could trick the modem. to provide NAT if it allows a DMZ port configured on a separate private network.

You could configure the Linux router to masquarade addresses when the source is from a address and the destination isn't a local address. So you would only be doing, what you want to avoid doing, if the destination is on the Internet. You could NAT to a single address. This would be using double-nattng for the hosts on the network.

Another option could be to subnet the 172.20.101 network with the host addresses changed from the 192.168.220 network to the top subnet. The router's LAN interface would still have /24 scope encompassing both /25 subnets.

Good Luck.

sanctanox 02-08-2013 05:34 PM

Makes sense
That makes sense. I'll check out the DMZ idea you suggested, but I'm betting that will fail as well. I'll need to see if our provider can give us a simple modem/bridge rather than a modem/gateway and then perform all the translation on the server.

Thank you. I'll reply regarding whether-or-not the DMZ idea works after I test.

All times are GMT -5. The time now is 07:59 PM.