LinuxQuestions.org
Old 12-25-2023, 10:17 PM   #1
sockscap
LQ Newbie
 
Registered: Dec 2023
Posts: 2

Rep: Reputation: 0
Need help to make Linux act as router


The Linux to act as router has IP address: 192.168.1.83.

1. sudo ifconfig output:
Code:
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.83  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe46:2110  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:46:21:10  txqueuelen 1000  (Ethernet)
        RX packets 387  bytes 40493 (40.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 75  bytes 10075 (10.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
2. sudo route -n output:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens33
3. ping command shows that it can reach external host 192.168.86.1 successfully
Code:
PING 192.168.86.1 (192.168.86.1) 56(84) bytes of data.
64 bytes from 192.168.86.1: icmp_seq=1 ttl=63 time=7.34 ms
4. cat /proc/sys/net/ipv4/ip_forward returns 1, which means ip forwarding is enabled.

5. Add only one iptables rule.

Code:
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ens33 -j SNAT --to-source 192.168.1.83
6. sudo iptables -L -n output:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
7. sudo iptables -t nat -L -n output:

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       0.0.0.0/0            to:192.168.1.83


Now I configure a Windows PC with the following network settings (use IPv4 only):

IP address: 192.168.1.95
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.83

1. ipconfig /all output:
Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-8C-01-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.95(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.83
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
2. route print output:

Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.83     192.168.1.95    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.95    266
     192.168.1.95  255.255.255.255         On-link      192.168.1.95    266
    192.168.1.255  255.255.255.255         On-link      192.168.1.95    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.95    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.95    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.1.83  Default
===========================================================================
3. ping 192.168.1.83 works
Code:
Pinging 192.168.1.83 with 32 bytes of data:
Reply from 192.168.1.83: bytes=32 time<1ms TTL=64
4. However, it fails to ping 192.168.86.1

Code:
Pinging 192.168.86.1 with 32 bytes of data:
Request timed out.
Request timed out.
5. tracert 192.168.86.1 output:
Code:
Tracing route to 192.168.86.1 over a maximum of 30 hops

  1    <1 ms     *        1 ms  192.168.1.83
  2     *        *        *     Request timed out.
I've spent half a day on this but couldn't work it out. What am I missing? Any suggestions are appreciated.

Update: I changed the iptables rule to the one below, but it still doesn't work.

Code:
sudo iptables -t nat -A POSTROUTING -s 192.168.1.95/32 -o ens33 -j SNAT --to-source 192.168.1.83

Last edited by sockscap; 12-25-2023 at 11:38 PM.
 
Old 12-26-2023, 01:39 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,341

Rep: Reputation: Disabled
Is the packet flow supposed to be like this?
Code:
(192.168.1.95) -> (192.168.1.83) -> (192.168.1.1) -> (192.168.86.1)
If so, then you will have asymmetric routing, as the return path will look like this:
Code:
(192.168.86.1) -> (192.168.1.1) -> (192.168.1.95)
...because there's no reason why 192.168.1.1 would choose to use 192.168.1.83 as an intermediary when communicating with another host in the same (sub)network. The NAT command should function as a workaround for this, but as that didn't work either, there must be another issue here as well.

You should troubleshoot this with tcpdump. Running the command
Code:
sudo tcpdump -i ens33 host 192.168.1.95 and host 192.168.86.1
on your router as you attempt to ping 192.168.86.1 from 192.168.1.95 should show you which packets your router is sending and receiving. Post the results here.
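
An added example (not part of any post in this thread) for reading such a capture: it classifies the ICMP lines to tell apart "not forwarded", "forwarded without SNAT", and "SNAT working". It assumes a wider filter than the one above, because a packet rewritten by SNAT carries source 192.168.1.83 and no longer matches `host 192.168.1.95`; the function names, verdict words and sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify a tcpdump capture taken on the Linux router (ens33).
# Capture with:  sudo tcpdump -n -i ens33 icmp and host 192.168.86.1
CLIENT=192.168.1.95   # Windows PC (from the thread)
ROUTER=192.168.1.83   # Linux box doing SNAT (from the thread)
TARGET=192.168.86.1   # host being pinged (from the thread)

# Reads tcpdump -n text on stdin, prints one verdict word (hypothetical names).
classify_capture() {
  awk -v c="$CLIENT" -v r="$ROUTER" -v t="$TARGET" '
    $2 == "IP" && /ICMP echo/ {
      src = $3; dst = $5; sub(/:$/, "", dst)
      if (/echo request/ && dst == t && src == c) {
        req_client++
        # Same id/seq seen twice with the client source: the router sent the
        # packet back out of ens33 without rewriting the source address.
        if (match($0, /id [0-9]+, seq [0-9]+/)) {
          k = substr($0, RSTART, RLENGTH)
          if (++seen[k] > 1) dup = 1
        }
      }
      if (/echo request/ && dst == t && src == r) req_snat++   # after SNAT
      if (/echo reply/ && src == t && dst == r) rep_router++   # reply to SNAT address
      if (/echo reply/ && src == t && dst == c) rep_client++   # after reverse NAT
    }
    END {
      if (!req_client)                               print "no-request-seen"
      else if (req_snat && rep_router && rep_client) print "snat-ok"
      else if (req_snat && rep_router)               print "reply-not-forwarded-to-client"
      else if (req_snat)                             print "snat-applied-no-reply"
      else if (dup)                                  print "forwarded-without-snat"
      else                                           print "not-forwarded"
    }'
}

# Constructed sample (not from the thread): each request arrives and leaves unchanged.
sample_capture() {
  cat <<'EOF'
10:00:00.000100 IP 192.168.1.95 > 192.168.86.1: ICMP echo request, id 1, seq 7, length 40
10:00:00.000150 IP 192.168.1.95 > 192.168.86.1: ICMP echo request, id 1, seq 7, length 40
10:00:05.000100 IP 192.168.1.95 > 192.168.86.1: ICMP echo request, id 1, seq 8, length 40
10:00:05.000150 IP 192.168.1.95 > 192.168.86.1: ICMP echo request, id 1, seq 8, length 40
EOF
}

sample_capture | classify_capture   # prints: forwarded-without-snat
```

A "forwarded-without-snat" verdict matches the asymmetric return path described above: the reply goes from 192.168.1.1 straight to 192.168.1.95 and never passes through the Linux box.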
 
Old 12-26-2023, 02:23 AM   #3
sockscap
LQ Newbie
 
Registered: Dec 2023
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Ser Olmy
Is the packet flow supposed to be like this?
Code:
(192.168.1.95) -> (192.168.1.83) -> (192.168.1.1) -> (192.168.86.1)
Yes.

Quote:
Originally Posted by Ser Olmy
If so, then you will have asymmetric routing, as the return path will look like this:
Code:
(192.168.86.1) -> (192.168.1.1) -> (192.168.1.95)
...because there's no reason why 192.168.1.1 would choose to use 192.168.1.83 as an intermediary when communicating with another host in the same (sub)network. The NAT command should function as a workaround for this, but as that didn't work either, there must be another issue here as well.
The idea was, "sudo iptables -t nat -A POSTROUTING -s 192.168.1.95/32 -o ens33 -j SNAT --to-source 192.168.1.83" should make 192.168.1.1 believe it comes from 192.168.1.83 (thus hide 192.168.1.95).

Quote:
Originally Posted by Ser Olmy
You should troubleshoot this with tcpdump. Running the command
Code:
sudo tcpdump -i ens33 host 192.168.1.95 and host 192.168.86.1
on your router as you attempt to ping 192.168.86.1 from 192.168.1.95 should show you which packets your router is sending and receiving. Post the results here.
It's a bit too complicated (not easy to do tcpdump from the router).

This is part of the effort to set up a hacked Wii. My local LAN uses 192.168.1.0/24. Usually when I set up a hacked game console, I assign a static IP (e.g. 192.168.1.7) with subnet mask 255.255.0.0 and gateway 192.168.0.2 (non-existent host). That way, I can access the game console in the local LAN and ensure it cannot access the Internet for background upgrades or do something unexpected.

However, the Wii system is special: it has to go through the network connection check to make the setting effective. Otherwise it simply doesn't use the setting. The initial idea was to assign a second IP (192.168.0.2) on a Linux host to make the network connection check pass, but it doesn't work. During the test, I noticed the routing doesn't work with the primary IP address only. That's the simplified scenario you see in this post.

I was able to find a workaround to complete the Wii setup. I temporarily changed the router's LAN setting to IP Address: 192.168.0.2 & Subnet Mask: 255.255.252.0. With this setting, the Wii was able to pass the network connection check. After that I changed the router setting back to make sure the Wii can no longer access the Internet. Problem resolved.

Still, I'm curious why the routing doesn't work, but I understand this is an uncommon scenario (their IPs are all 192.168.1.x). Most likely it's related to that.
 
Old 01-02-2024, 01:04 PM   #4
MikeDeltaBrown
Member
 
Registered: Apr 2013
Location: Arlington, WA
Distribution: Slackware
Posts: 96

Rep: Reputation: 10
This is kind of confusing; you say you're setting this up to disallow the Wii from accessing the internet yet you are setting up a computer to direct the Wii's traffic to your internet router. If you don't want the Wii to send traffic "off-net" then don't configure a Gateway Address on the Wii. Simple.
 
  

