LinuxQuestions.org - Linux - Networking - Routing and ip_forward
(https://www.linuxquestions.org/questions/linux-networking-3/routing-and-ip_forward-562168/)

endfx 06-16-2007 12:05 AM

Routing and ip_forward
 
Hi,

I'm trying to turn my Ubuntu server into a router.
I have 2 subnets:

10.8.0.0/24
192.168.0.0/24

I have enabled ip_forwarding and have iptables set to accept all.

The router doesn't seem to work. A computer on each subnet can ping the gateway/router and the router
can ping the clients on each subnet. But I can't seem to ping from one subnet to another.

cat /proc/sys/net/ipv4/ip_forward returns 1 so I know ip_forwarding is enabled.

Does anybody have any ideas as to what I'm doing wrong?

Thanks.

jschiwal 06-16-2007 01:07 AM

When I used my laptop's wireless to give my desktop access to the internet (192.168.1.0/25 and 192.168.1.128/25 subnets), I needed to modprobe the ip_conntrack module before forwarding would work.

FMC 06-16-2007 10:41 AM

I believe that if you specify a route on the client machine, things might work:

On a PC that is on the 10.x.x.x network:
# route add -net 192.168.0.0/24 eth0

[]'s, FMC!

endfx 06-16-2007 11:05 PM

I've loaded ip_conntrack and my linux box still isn't routing.

Here is the routing table for the linux router:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

So tun0 is connected to the 10.8.0.0/24 subnet and eth1 is connected to the 192.168.0.0/24 subnet.


I think the client routing table is OK because when I ping from the 10.8.0.0 subnet to another subnet
and then run "tcpdump -i tun0" on the router, it sees the ping requests, but doesn't send out
the replies.

I must be missing something basic here because all the linux router guides say you should only have
to set up ip_forwarding for this to work.

Any ideas?

Thanks.

rossonieri#1 06-17-2007 08:37 AM

hi,

any firewall running?
how about the remote end? ip_forward running?

BotKeeper 06-17-2007 06:34 PM

Quote:

Originally Posted by endfx
I've loaded ip_conntrack and my linux box still isn't routing.

Here is the routing table for the linux router:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

So tun0 is connected to the 10.8.0.0/24 subnet and eth1 is connected to the 192.168.0.0/24 subnet.

I'm not sure why you have a tun0 device. It is not needed in this case.

Also, ip_conntrack applies only to internal traffic destined for the Internet that is masqueraded (NAT'ed). For one network to another "behind the firewall," you will not need to add any routes.

Maybe the NAT rules kick in before the route rules and attempt to direct the packet to the Internet.

Get this to work first without NAT. Then introduce NAT.

jschiwal 06-17-2007 07:00 PM

The tunnel device confused me as well.

I also shouldn't have assumed that you would have the routes set up.

What is on the 10.8. network? Are you routing between two subnets? If that is the case, you don't need to use NAT.
The devices on the 10.8. network should have your Linux router's 10.8. device as their default gateway.
The devices on the 192.168.0. network should have eth1's IP address (192.168.0.1) as their default gateway entry.

In my case, I had a Linksys wireless router and that provided the NAT translating. I used the laptop to forward internet traffic between the router and the desktop, which at the time didn't have a wireless card.

First set up the interfaces and routes for each network. Make sure that you can ping devices on both the 10.8 and 192.168.0 networks before proceeding.

Maybe you have a vpn tunnel set up to another network and that is what the route is doing, connecting two sites. Maybe more information on the two networks would be helpful. Also, enclose output of commands like route in a code block so that you don't lose alignment. Thanks.

endfx 06-17-2007 08:45 PM

Thanks a lot for everyone's input. I think I've found the problem, but haven't been able
to solve it yet (thanks to a cheapo dlink router used as a gateway on 192.168.0.0)

The reason for the tun0 device is that the linux router is actually an openvpn server.
I didn't mention it because I didn't want responses about openvpn not being set up properly,
because I'm pretty sure it is.

Anyway, I think I've found the problem but haven't solved it yet.

Basically the 192.168.0.0/24 is my home network and the 10.8.0.0/24 is the subnet I use for VPN clients.
On the 192.168.0.0/24 network I have a cheapo D-Link SOHO router for my default gateway/router (This is how I share
internet on my home network, 192.168.0.0/24). Now I have an openvpn server behind the dlink router.
I think the problem is that my openvpn server is not the default gateway for the 192.168.0.0/24 network. The dlink
router is.

So when I try to ping a 192.168.0.0 address from the 10.8.0.0 network, the ping request gets through to the 192.168.0.*
host but the 192.168.0.* host sends the reply to the dlink router because that is the default gateway for 192.168.0.0.

So I could either a) Add a route on all devices on the 192.168.0.0 network to route 10.8.0.0 to the vpn server (Huge
pain to do)

or
b) Add a route to the dlink router (the default gateway for 192.168.0.0). Problem is that the cheapo dlink router
doesn't let me modify the routing table so I can't test this method.

Long story short, the devices on the 192.168.0.0/24 network don't send packets destined for 10.8.0.0/24 to the correct gateway.

Thanks again for your responses.

jschiwal 06-17-2007 09:27 PM

Do you want the 192.168.0.0 network traffic to the internet to be routed through your linux router, or just use the router to route traffic between the vpn and the LAN. If it is the latter, then you need a route to the VPN. But it isn't the default route. The default gateway should be the IP of the dlink router.

Then you need a route to the vpn tunnel. This is another route but not the default route.

The other hosts on the lan will need a route to 10.8.0.0 with the gateway being the linux router's eth0 IP address.
Their default gateway will be the dlink's IP address.

You could alternately use the Linux router as the default gateway. Then you need a route to 192.168.0.0/24, a route to 10.8.0.0/24 and a default route to the dlink router. Then one of the other hosts on the LAN will use your Linux router for both 10.8.0.0/24 network traffic, and internet traffic, but the Linux router will use the 10.8.0.0/24 route instead of the default route for the 10.8.0.0/24 route.

By the way, if you name your networks in /etc/networks, then you can use symbolic names for the networks.

Code:

cat /etc/networks
#
# networks      This file describes a number of netname-to-address
#              mappings for the TCP/IP subsystem.  It is mostly
#              used at boot time, when no name servers are running.
#

loopback        127.0.0.0
link-local      169.254.0.0
jesnet          192.168.1.0

# End.

hpamd64:/home/jschiwal/Podcasts # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
jesnet          *               255.255.255.128 U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         linksys         0.0.0.0         UG    0      0        0 eth0

The linksys entry is from /etc/hosts.

Looking back at your original post, I guess what I am suggesting is similar to what you had, except that you should not have the 10.8.0.0/24 route being a default route. The default route is the one to use when none of the net or host routes match.
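To make the asymmetric-routing problem in the last two posts concrete, here is an added example (not from the thread) that parses the posted route table and applies the kernel's longest-prefix lookup to a constructed table for a 192.168.0.x LAN host, with and without the extra 10.8.0.0/24 route; the VPN server's eth1 address 192.168.0.50 and the VPN client 10.8.0.6 are assumptions.

```python
import ipaddress

# Constructed "route" output in the thread's layout. ROUTER_TABLE is the OpenVPN
# server's table as posted; LAN_HOST_TABLE is a hypothetical 192.168.0.x host whose
# only gateway is the D-Link router, which is the situation endfx describes.
ROUTER_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
"""
LAN_HOST_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
"""
VPN_SERVER_LAN_IP = "192.168.0.50"  # assumption: the OpenVPN server's eth1 address

def parse_routes(text):
    """Turn 'route' output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        dest = "0.0.0.0" if dest == "default" else dest
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: the most specific matching
    entry wins, so the 0.0.0.0/0 default only applies when nothing else fits."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return (gw or "direct", iface)

def lan_reply_next_hop(add_vpn_route=False):
    """Where a 192.168.0.x host sends its ping reply to VPN client 10.8.0.6.
    Without a 10.8.0.0/24 route it goes to the D-Link (192.168.0.1), which knows
    nothing about 10.8.0.0/24; with option a) from the thread it goes to the VPN server."""
    routes = parse_routes(LAN_HOST_TABLE)
    if add_vpn_route:
        routes.append((ipaddress.ip_network("10.8.0.0/24"), VPN_SERVER_LAN_IP, "eth0"))
    return lookup(routes, "10.8.0.6")
```

Running lookup() against ROUTER_TABLE shows the router itself is fine (10.8.0.6 goes out tun0 via 10.8.0.2); the failure is on the LAN hosts' side, exactly as the thread concludes.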

rossonieri#1 06-18-2007 06:56 AM

is this your home LAB? or your production?

if this is your home LAB then I assume you have plenty of time reading about terms such as site-to-site VPN, VPN Client, router, gateway etc.

how can you route vpn traffic on a single NIC vpn server?

HTH,

Cheers.

endfx 06-19-2007 08:28 PM

Quote:

Do you want the 192.168.0.0 network traffic to the internet to be routed through your linux router, or just use the router to route traffic between the vpn and the LAN. If it is the latter, then you need a route to the VPN. But it isn't the default route. The default gateway should be the IP of the dlink router.
I don't want the vpn server to be the default gateway. I want the dlink router to be the default gateway (for the 192.168 subnet).
I only want the vpn server to route between the 10.8 subnet and the 192.168 subnet.
I was hoping that I could add a route on the 192.168 default gateway (i.e. the dlink router) to the 10.8. network.
That way I wouldn't have to change any routes on my 192.168.0.0 hosts. Unfortunately, the dlink router doesn't
let me add or modify any routes.

Quote:

The other hosts on the lan will need a route to 10.8.0.0 with the gateway being the linux routers eth0 IP address.
Their default gateway will be the dlink's IP address.
I agree. But rather than giving them each a route to the 10.8 network via the openvpn server, I was hoping to just add
the route to the 192.168 default gateway (the dlink router). That way a host on 192.168 would route 10.8 addresses to the default
gateway (dlink router) which would then route to the vpn server rather than the internet.

Quote:

By the way, if you name your networks in /etc/networks, then you can use symbolic names for the networks.
That's really cool. I've never played with that file before. Thanks =)


Quote:

how can you route a vpn traffic on a single NIC vpn server?
rossonieri, openvpn uses tun/tap devices. These are like virtual NICs. I could route many more networks using tun or tap devices but only using
1 physical NIC.

