I'm trying to get a Linux host to act as a router. It has two NICs, one is in the 192.168.4.0/24 subnet (192.168.4.1), the other is in the 192.168.5.0/24 subnet. I want hosts to be able to use 4.1 as their gateway...traffic goes in 4.1, then goes out 5.x...
I've tried getting IP forwarding to work and it's not wanting to cooperate. I think I'm missing something...I'm thinking I need a static route, but I'm not sure. The hosts (one Linux, one Windows) in question are VMs in VirtualBox that I'm using for some testing but can't quite get it all to work the way I want.
The Linux host has WAN connectivity. The Windows host can ping the Linux host (gateway), but the Windows host does NOT have WAN connectivity. The Linux host can NOT ping the Windows host but DOES have WAN connectivity...this is why I'm thinking it's a routing thing that I'm missing...
Thoughts? Perhaps there's an easier way to do this?
Bear in mind that by default IP forwarding is turned off on a standard Linux kernel. You need to enable it. This is covered in that article.
The steps might be slightly different if you're using a different distro.
Awesome. I'll check that out. Thanks!!
The distro is Kali. I want the traffic from the Windows machine going through the Kali machine so I can use Wireshark for some testing.
Quote:
Originally Posted by Ser Olmy
Exactly how have you configured the NICs for these VMs in VirtualBox?
I created a NAT Network and have both hosts joined to the NAT Network. This may not be the best way to do it but is the first that came to mind. Haven't tinkered with this part of it all yet.
Quote:
Originally Posted by rmp5s
I created a NAT Network and have both hosts joined to the NAT Network. This may not be the best way to do it but is the first that came to mind. Haven't tinkered with this part of it all yet.
You're right about that not being the optimal way to set this up. And you really should have your network topology up and running before you start configuring IP forwarding, NAT, and the like.
These would be my suggestions:
Have the NIC of the Windows VM connect to an "Internal Network".
In VirtualBox terminology, an "Internal Network" is an isolated network with no outside connections; think of it as a virtual switch. You can basically create as many of these as you like by simply typing in a name in the relevant Adapter tab on the "Settings > Network" page for the VM.
Make sure one of the Linux VM NICs is connected to the same "Internal Network" as the Windows VM. You should find the name you typed in previously available in the pulldown list.
The 2nd NIC of the Linux VM should either be connected to a NAT network, or bridged to whatever interface on the host that has Internet connectivity.
With this setup, you should be able to ping the Linux VM from the Windows VM. You may have to disable the Windows firewall for pings to work in the opposite direction.
If you've configured the Windows host to use the Linux VM as its gateway, you should also be able to ping the IP of the other interface (on the Linux VM) from the Windows VM, regardless of whether routing is working on the Linux VM or not.
Once you've got this up and running you can start configuring routing (and possibly NAT, if required).
Alright, I went through following the guide posted earlier and made the recommended changes in VirtualBox and it's still not wanting to work. I'm not sure where the disconnect is. Again, I really appreciate the assistance!! Thank you, everyone!
eth0 = VM Adapter 1, "NAT Network 1" - This is the NIC for the Windows host to use as its gateway.
IP: 192.168.4.1
Subnet: /24
Gateway: ?? (I actually don't know...I don't see it in ifconfig's output and the little "Network Connections" utility shows the gateway as "0.0.0.0"...so...??)
eth1 = VM Adapter 2, "NAT" - This is the WAN connection.
IP: 10.0.3.15
Subnet: /24
Gateway: ??
Linux host can ping WAN (1.1.1.1)
Windows host can NOT ping WAN
Linux host can NOT ping windows host (192.168.4.12)
Windows host CAN ping Linux host (192.168.4.1 NIC on Linux host, set as gateway in Windows host)
"ip route" output is as follows:
Code:
$ ip route
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.1
10.0.3.2 is VirtualBox's "NAT gateway". All that looks good to me. So...yea...I'm not sure why it's not working. It seems like a routing issue or something as I can only ping in one direction but, yup. Dunno. Ideas? Anything look out of place to any of you?
I thought I had it! lol I noticed the 10. via 192. route wasn't there! So I added it...still nothing. lol
Thought I had it...hahaha
"ip route" now reads:
Code:
$ ip route
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100
10.0.3.0/24 via 192.168.4.1 dev eth0
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.1
I did notice though, when I do a "ip route add 192.168.4.0/24 via 10.0.3.15", it tells me "file already exists"...I don't see that in there, though. That's kinda confusing...
And "route -n" shows...
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.3.2 0.0.0.0 UG 100 0 0 eth1
10.0.3.0 192.168.4.1 255.255.255.0 UG 0 0 0 eth0
10.0.3.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Does that look right to you all? Shouldn't the "Gateway" for the 192.168.4.0 network be 10.0.3.2?...and, isn't the 10.0.3.0 -> 192.168.4.1 entry kinda backwards? Hmmm...
Did some more tinkering with the routes and, while this looks to me like it should work, it's still not.
Code:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.3.2 0.0.0.0 UG 100 0 0 eth1
10.0.3.0 192.168.4.1 255.255.255.0 UG 0 0 0 eth0
10.0.3.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
192.168.4.0 10.0.3.15 255.255.255.0 UG 0 0 0 eth1
$ ip route
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100
10.0.3.0/24 via 192.168.4.1 dev eth0
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100
192.168.4.0/24 via 10.0.3.15 dev eth1
No, it does not. You don't seem to fully understand the concepts of networks and gateways.
Your Linux router has the IP addresses 192.168.4.1/24 and 10.0.3.15/24. It will be able to reach hosts on both networks with no further configuration.
It should also have a (default) gateway defined. Note: That's a gateway. Not two or three.
A gateway is what a host uses in order to reach hosts outside of the network(s) to which it is directly connected. In this case, that would be the virtual router created by VirtualBox, which has the address 10.0.3.2.
Quote:
Originally Posted by rmp5s
Shouldn't the "Gateway" for the 192.168.4.0 network be 10.0.3.2?
No, no, no.
The gateway for a host connected to network X must be a router that's also connected to network X. Think of it as a door providing an exit from a room: Obviously, the door must be fitted in one of the walls of that room; you can't leave room A using a door in room B. Likewise, the Windows host belonging to network 192.168.4.0/24 must have a gateway in that network.
You mentioned that you were able to ping from the Windows host to the Linux host (192.168.4.1). That means that part of the setup is fully working. The fact that the Windows host doesn't respond to pings is not all that important. If you try pinging from the Linux host and then run arp -an, you'll see that the Linux IP stack has indeed located the MAC address of the Windows PC's IP address.
If the Windows host has the correct gateway (192.168.4.1), you should also be able to ping 10.0.3.15 from Windows. However, you will NOT be able to ping 10.0.3.2, the reason being that the VirtualBox router has no idea how to reach the 192.168.4.0/24 network. In fact, it'll just forward the packet to the default gateway of the VirtualBox host.
AFAIK, there's no way to add a static route to the VirtualBox NAT router. Either you'll have to switch to using a bridged network adapter and configure a static route on your actual Internet router, or you must configure the Linux router to NAT all outgoing traffic behind 10.0.3.15.
Quote:
Originally Posted by Ser Olmy
AFAIK, there's no way to add a static route to the VirtualBox NAT router. Either you'll have to switch to using a bridged network adapter and configure a static route on your actual Internet router, or you must configure the Linux router to NAT all outgoing traffic behind 10.0.3.15.
Hmmm...very interesting. I can indeed ping the Linux machine from the Windows machine AND ping the gateway. The Windows machine isn't pointed at the VirtualBox router/switch, though. Can't add routes there but I didn't think that would matter. The Windows machine is statically assigned to a different subnet and uses the Linux VM as its gateway and the Windows machine CAN in fact ping both NICs. (Pretty sure I tried to ping the Linux host from the Windows host before and it didn't work. Is now though. So. Who knows. Whatever. lol)
I just can't get the Linux machine to forward the traffic from the Windows machine out to the WAN. With IP forwarding turned on as shown in the guide that was mentioned earlier, I would think the Windows host would be able to ping the WAN through the Linux host...I thought that was kinda the whole point of that guide. Looking at it again, though, it does only show the two hosts pinging each other...it doesn't mention WAN access for either of them. Hmmm...
So, as a change of tack, maybe I'll just spin up Untangle or pfSense in a VM and make both VMs their own virtual network.
The idea being, I require two things out of the Windows machine: It must be isolated and I must be able to log all inbound and outbound traffic. There are lots of ways to do this...really thought it'd be as easy as throwing a couple static routes in the Linux VM and pointing the Windows VM at it. Guess not.
Quote:
Originally Posted by rmp5s
I just can't get the Linux machine to forward the traffic from the Windows machine out to the WAN. With IP forwarding turned on as shown in the guide that was mentioned earlier, I would think the Windows host would be able to ping the WAN through the Linux host...
And it probably is able to reach the router on the WAN side, it's just that 10.0.3.2 doesn't know where to send the replies.
You can easily verify this. If your WAN interface is eth0, run tcpdump -i eth0 icmp and then ping a WAN address (or any external address) from the Windows VM. My guess is you'll see outgoing ICMP ping packets, but no replies.
Alright. Got stuff mostly working. Both the Windows host and the Linux host are on their own little network (ended up just using VirtualBox's "NAT Network", though I do think the previously mentioned "Internal Network" mode could work as well), they have WAN access, they can see each other and I think I can use VirtualBox's "promiscuous mode" to get the traffic from the Windows host.
Came across this and it works PERFECTLY now!! The Kali machine is acting as a router for the Windows machine! Now, to sniff all traffic to/from the Windows machine, all I have to do is crank up Wireshark on the Kali NIC it's connected to and that's it! Awesome!
If anyone comes across this thread in the future, I was so close but Masquerading was the last piece of the puzzle!
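The masquerading step that closed the thread, written out as an added example (not the guide's or any poster's code), together with a forward chain that drops everything the Windows VM is not explicitly allowed to do and logs each forwarded packet, which covers the "isolated and fully logged" requirement mentioned above. It assumes the addressing from the thread (eth0 = 192.168.4.1 on the VM network, eth1 = 10.0.3.15 on the VirtualBox NAT side) and that nftables is installed; applying it needs root.

```shell
#!/bin/sh
# Added example, not from the thread: make the Kali VM a masquerading router
# for the 192.168.4.0/24 VM network. Only the two connected routes plus the
# single default route via 10.0.3.2 are needed; no extra static routes.
set -eu

# Print the nftables ruleset for LAN interface, WAN interface and LAN prefix.
# Return traffic is matched by conntrack, so the VirtualBox NAT router never
# has to know about 192.168.4.0/24: it only ever sees 10.0.3.15.
router_ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
add table ip vmrouter
flush table ip vmrouter
table ip vmrouter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "$lan_if" oifname "$wan_if" ip saddr $lan_net log prefix "vmrouter-out: " accept
        log prefix "vmrouter-drop: "
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan_if" ip saddr $lan_net masquerade
    }
}
EOF
}

# Enable forwarding (off by default on a stock kernel), load the ruleset,
# then show what the kernel accepted. Verify afterwards with
# "tcpdump -i eth1 icmp" while pinging 1.1.1.1 from the Windows VM: the
# requests should now leave as 10.0.3.15 and the replies should come back.
apply_router() {
    sysctl -w net.ipv4.ip_forward=1
    router_ruleset "$@" | nft -f -
    nft list table ip vmrouter
}

# Default action is to print the ruleset; "apply" changes the running kernel.
case "${1:-print}" in
    apply) apply_router "${2:-eth0}" "${3:-eth1}" "${4:-192.168.4.0/24}" ;;
    *)     router_ruleset "${2:-eth0}" "${3:-eth1}" "${4:-192.168.4.0/24}" ;;
esac
```

Dropped packets show up in the kernel log with the vmrouter-drop prefix, so anything the Windows VM tries that is not plain LAN-to-WAN traffic is recorded even though it never gets out.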