How to only allow routing to IP range on particular interface?

Question

I have two interfaces eth0 (192.168.10.x) and wlan0 (172.16.30.x) on my device (Raspberry Pi, Raspbian GNU/Linux 10 (buster)).

Both networks have access to the internet, but I want my device to only use the eth0 for any IP ranges apart from the 172.16.30.x range which should only go via the wlan0.

(Why? I'm trying to segregate messages on IoT WiFi network from my "safe" one - please don't suggest a router solution, that's not possible for other reasons.)

So

172.16.30.x      -->  wlan0
everything else  -->  eth0

I also want the changes to persist after reboots.

I assumed that I should use the route command, but failed in understanding it.

I've tried the following in ufw and it blocks all packets (well, I'm testing with ping) on the wlan0 interface.

sudo ufw route allow out on wlan0 to 172.16.30.0/24
sudo ufw deny out on wlan0

Can someone help please?

EDIT

My routing table (ip route show) is

default via 192.168.10.1 dev eth0 src 192.168.10.50 metric 202
default via 172.16.30.1 dev wlan0 proto dhcp src 172.16.30.103 metric 303
169.254.0.0/16 dev vethd1130f6 scope link src 169.254.204.146 metric 208
172.16.30.0/24 dev wlan0 proto dhcp scope link src 172.16.30.103 metric 303
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.19.0.0/16 dev br-97b0ae2f260f7 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-17f0570004a4 proto kernel scope link src 172.20.0.1 linkdown
192.168.10.0/24 dev eth0 proto dhcp scope link src 192.168.10.50 metric 202

There's a whole lot of additional Docker networks there.

What is in your routing table, `ip route show`? – tater Nov 26 '20 at 05:45 — tater, Nov 26 '20 at 05:45

score 0 · Accepted Answer · answered Nov 26 '20 at 05:50

Assuming 172.16.30.0/24 is the subnet for your WiFi network and the gateway is 172.16.30.1, you could simply remove the default gateway for the interface using e.g.

sudo ip route delete default via 172.16.30.1 dev wlan0

If the 172.16.30.0/24 is on another subnet, and your WiFi is e.g. 192.168.1.0/24 with GW 192.168.1.1, you would need to remove the default gateway and add a static route:

sudo ip route delete default via 192.168.1.1 dev wlan0
sudo ip route add 172.16.30.0/24 via 192.168.1.1 dev wlan0

Do not try to do this by playing with the firewall rules alone: you will end up in situation where the computer still tries to use the route but it simply fails without trying to use the other interface instead.

That works, but now how do I persist the delete between reboots? I can't see how to delete routes with `man 5 interfaces` for example. — ItsBoffo, Nov 27 '20 at 06:04

How to only allow routing to IP range on particular interface?

1 Answers1