[SOLVED] Trying to use my Linux machine as an internal router to segment my lan

MonctonJohn · 06-01-2012, 11:35 AM

Here is a picture I did that represents my LANs (it was quick and dirty):
http://i.imgur.com/MqqIA.png

I would like all the clients in the 10.25.1.0 network to be able to access the Linux router for SMB and mysql (XBMC)

Also I would like all the 10.25.1.0 clients to be able to access the printer at 11.25.1.24.

Now for the 2nd LAN (11.25.1.0) I would like these clients to only be able to access each other and the internet, but not access anything in the 10.25.1.0 network and printer access is not necessary.

I'm using webmin to try to achieve this but I'm having some issues.

I have a static route set in the internet connected router to forward all requests for 11.25.1.0 to gateway 10.25.1.120.

iptables -L:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  10.25.1.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.25.1.0/24         BRN001BA96D3C8B.local 
ACCEPT     all  --  BRN001BA96D3C8B.local  10.25.1.0/24        
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L:

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  10.25.1.0/24         BRN001BA96D3C8B.local to:11.25.1.24 
           all  --  BRN001BA96D3C8B.local  10.25.1.0/24        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.25.1.0/24         BRN001BA96D3C8B.local to:10.25.1.100-10.25.1.254 
SNAT       all  --  BRN001BA96D3C8B.local  10.25.1.0/24        to:11.25.1.24 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  10.25.1.0/24         BRN001BA96D3C8B.local to:11.25.1.24 
DNAT       all  --  BRN001BA96D3C8B.local  10.25.1.0/24        to:10.25.1.100-10.25.1.254 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

So far I can ping from 10.25.1.145 to 10.25.1.120 but nothing else (no SMB which was working before). At the moment I don't have the 11.25.1.100 router connected as I'm just concerned with getting basic file sharing and printing working for the 10.25.1.0 network.

My question then is what's missing from this configuration to make it work?

MonctonJohn · 06-01-2012, 04:17 PM

Ok, so I changed the value from 0 to 1 in cd /proc/sys/net/ipv4/ip_forward and now I can ping from the 10.25.1.145 machine to the 11.25.1.24 printer

But I'm still stuck on getting services (SMB, mysql, printer discovery) to work from the 10.25.1.0 network.

MonctonJohn · 06-01-2012, 05:31 PM

Restarted smb and now I get shares

But still can't get from the windows machine to the printer to print, but I can ping it.

MonctonJohn · 06-01-2012, 08:48 PM

Finally, I had to Masquerade any traffic from 10.25.1.0 destined to the printer.

iptables -t nat -L:

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.25.1.0/24         11.25.1.24