
My setup is a VM host with two network interfaces where I want to use one as private/internal and the other one as public (which will get a public address on the host), where all the NAT magic to the guest machines will happen.

Two interfaces means two gateways (one via eth0, 10.0.0.1 and the fake address on eth1, 2.0.0.1).

If I understood routing correctly, I have to set up a routing table for the 2.0.0.1 network with its own default gateway. Unfortunately the guests' traffic can't be routed unless I add a default gateway to the default table on the host. I want the host to use 10.0.0.1 as its default gateway, but I have no idea how to do that.

Details:

Specifically, I'd like to get rid of `default via 2.0.0.1 dev eth1` on the host, but if I remove it, the `tcpdump -i vbr0` doesn't look too good (trying to look up serverfault.com from a guest in the example below):

IP 192.168.10.2.32804 > 8.8.4.4.domain: 41116+ A? serverfault.com. (24)
IP 192.168.10.1 > 192.168.10.2: ICMP net 8.8.4.4 unreachable, length 60

Still, the guest is able to reach 192.168.10.1 (its gateway) and 2.0.0.1. Moreover, using 2.0.0.1 to lookup an address (that router has a DNS service as well) from the guest works, so local routing seems to work, "only" the default gateway part seems to be messed up somehow.

Shouldn't all traffic from the guest (or vbr0) use the default gateway 2.0.0.1, as defined in the routing table `public`?


Setup:

# ip route
default via 2.0.0.1 dev eth1
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.15
2.0.0.0/24 dev eth1  proto kernel  scope link  src 2.0.0.55
192.168.10.0/24 dev vbr0  proto kernel  scope link  src 192.168.10.1


# ip route show public
default via 2.0.0.1 dev eth1
2.0.0.0/24 dev eth1  scope link  src 2.0.0.55
192.168.10.0/24 dev vbr0  scope link  src 192.168.10.1


# ip rule
0:      from all lookup local
32761:  from 192.168.10.1 lookup public
32762:  from all to 192.168.10.1 lookup public
32763:  from all to 2.0.0.55 lookup public
32765:  from 2.0.0.55 lookup public
32766:  from all lookup main
32767:  from all lookup default


# iptables -vnL
Chain INPUT (policy ACCEPT 1222 packets, 91256 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   648 REJECT     all  --  *      *       0.0.0.0/0            2.0.0.55          reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 193 packets, 297K bytes)
 pkts bytes target     prot opt in     out     source               destination
  266 51860 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.10.0/24      ctstate NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1157 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination


# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 49 packets, 5494 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 DNAT       tcp  --  *      *       0.0.0.0/0            2.0.0.55          tcp dpt:80 to:192.168.10.2:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            2.0.0.55          tcp dpt:443 to:192.168.10.2:443
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            2.0.0.55          tcp dpt:22022 to:192.168.10.2:22

Chain INPUT (policy ACCEPT 24 packets, 3414 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 317 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 12 packets, 737 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   318 SNAT       all  --  *      *       192.168.10.2         0.0.0.0/0            to:2.0.0.55

Alex
    All other considerations aside, I **very strongly** advise you not to use real IP addresses (`2./24`) for a private network, unless you happen to control those IP addresses. It will cause you nothing but pain in the long run, and since you only want a `/24`, there are other RFC1918 reserved-private subnets from which it could be taken (`172.16/12`, for example). Or have I misunderstood what you meant when you described that address as a "*fake address*"? – MadHatter Dec 18 '13 at 12:03
  • @MadHatter: Yeah, with _fake address_ I meant: I used "2./24" in the output below to make it easier to type and distinguish from my private "10./24" and "192.168.10.0/24". Actually, as you might have guessed, I don't control that segment ;) – Alex Dec 18 '13 at 12:12
  • Are you saying you used `2./24` to represent real address space which you do control? – MadHatter Dec 18 '13 at 12:23
  • Exactly. To be more precise, the real one's a /29 segment provided by my ISP. – Alex Dec 18 '13 at 12:28
  • OK, I withdraw my comment. Sorry about that. – MadHatter Dec 18 '13 at 12:42
  • Absolutely not! You don't have to apologize for a completely valid objection! A client of mine decided it would be a good idea to use 199.?.?.0/24 for his internal network (for quite obscure reasons), which resulted in various severe problems with his cheap routers. – Alex Dec 19 '13 at 13:09
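The `ip rule` output above explains the ICMP "net unreachable": the only `from` selectors that point at table `public` are `from 192.168.10.1` and `from 2.0.0.55`, but a packet forwarded from the guest is routed while its source is still 192.168.10.2 (SNAT in `nat/POSTROUTING` happens after the routing decision), so it falls through to `main`, and once `main` has no default route the lookup fails. Adding a rule such as `ip rule add from 192.168.10.0/24 lookup public` (or `ip rule add iif vbr0 lookup public`) sends guest traffic to the `public` table, and `main` can then keep `default via 10.0.0.1 dev eth0` for the host itself. The following model of the Linux routing policy database (RPDB) is an added example, not code from the question or its comments; it reproduces the posted rules and tables, and the constant names, the `guest_rule` switch and the `main_default` parameter are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a small model of Linux policy routing, fed with the rules and
# tables from the question. Addresses and interface names are the posted ones.


@dataclass
class Route:
    prefix: str                        # destination prefix, e.g. "0.0.0.0/0"
    dev: str                           # output interface
    via: Optional[str] = None          # next hop; None for a connected route


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[str] = None          # "from" selector
    dst: Optional[str] = None          # "to" selector
    iif: Optional[str] = None          # "iif" selector

    def matches(self, src, dst, iif):
        return ((self.src is None or src in ipaddress.ip_network(self.src))
                and (self.dst is None or dst in ipaddress.ip_network(self.dst))
                and (self.iif is None or iif == self.iif))


def lookup_table(routes, dst):
    """Longest-prefix match inside one table, like the kernel's FIB lookup."""
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route(rules, tables, src, dst, iif):
    """Walk the RPDB: rules in ascending priority; the first table holding a
    matching route decides. If nothing matches the kernel answers ENETUNREACH,
    which a forwarding host reports as 'ICMP net unreachable' (the tcpdump line)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(src, dst, iif):
            hit = lookup_table(tables[rule.table], dst)
            if hit is not None:
                return (rule.table, hit.dev, hit.via)
    return None


def page_tables(main_default: Optional[Route] = None):
    """Tables as posted; main_default is the default route to place in 'main'
    (None reproduces the state after 'default via 2.0.0.1 dev eth1' is removed)."""
    main = [Route("10.0.0.0/24", "eth0"), Route("2.0.0.0/24", "eth1"),
            Route("192.168.10.0/24", "vbr0")]
    if main_default is not None:
        main.append(main_default)
    public = [Route("0.0.0.0/0", "eth1", "2.0.0.1"), Route("2.0.0.0/24", "eth1"),
              Route("192.168.10.0/24", "vbr0")]
    # 'local' holds the host's own addresses ('ip route show table local').
    local = [Route("10.0.0.15/32", "lo"), Route("2.0.0.55/32", "lo"),
             Route("192.168.10.1/32", "lo")]
    return {"local": local, "main": main, "public": public}


def page_rules(guest_rule: bool = False):
    """Rules as posted; guest_rule adds the selector the posted set lacks."""
    rules = [Rule(0, "local"),
             Rule(32761, "public", src="192.168.10.1/32"),
             Rule(32762, "public", dst="192.168.10.1/32"),
             Rule(32763, "public", dst="2.0.0.55/32"),
             Rule(32765, "public", src="2.0.0.55/32"),
             Rule(32766, "main")]
    if guest_rule:
        # Forwarded guest packets are routed with their 192.168.10.x source;
        # SNAT to 2.0.0.55 happens later, so 'from 2.0.0.55' never sees them.
        rules.append(Rule(32760, "public", src="192.168.10.0/24"))
    return rules


def scenarios():
    """Guest 192.168.10.2 and the host itself resolving via 8.8.4.4."""
    guest, host, dns = "192.168.10.2", "10.0.0.15", "8.8.4.4"
    posted = page_tables(Route("0.0.0.0/0", "eth1", "2.0.0.1"))
    fixed = page_tables(Route("0.0.0.0/0", "eth0", "10.0.0.1"))
    return {
        "posted":      route(page_rules(), posted, guest, dns, "vbr0"),
        "removed":     route(page_rules(), page_tables(), guest, dns, "vbr0"),
        "fixed_guest": route(page_rules(True), fixed, guest, dns, "vbr0"),
        "fixed_host":  route(page_rules(True), fixed, host, dns, "lo"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:12s} -> {decision}")
```

In the "removed" scenario the lookup returns `None`, exactly the state in the capture; with the extra `from 192.168.10.0/24` rule the guest is routed via table `public` to 2.0.0.1 on eth1 while the host's own traffic takes `main` to 10.0.0.1 on eth0. A locally generated packet is modelled with `iif="lo"`, which is also what `ip rule ... iif lo` matches on a real host.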

0 Answers