
I have a router with two nets

eth0: 192.168.1.0/24, default gateway is 192.168.1.1

eth2: 10.0.88.0/24, default gateway is 10.0.88.1

Both networks use gateway 192.168.2.1 to the Internet, which is connected to the router via a third interface. All servers from both nets that have one NIC each can ping any address properly.

I now need to set up a few Ubuntu servers with 2 NICs, one leg in each net (eno1 in 192.168.1.0 and eno4 in 10.0.88.0). Consequently I have used iproute2 and have the following config:

    ip route show
    default via 192.168.1.1 dev eno1 onlink
    10.0.88.0/24 dev eno4  proto kernel  scope link  src 10.0.88.11
    192.168.1.0/24 dev eno1  proto kernel  scope link  src 192.168.1.14

and

    ip route show table mng
    default via 10.0.88.1 dev eno4 
    10.0.88.0/24 dev eno4  scope link  src 10.0.88.11

The rules are set as follows:

    ip rule show
    0:  from all lookup local 
    32760:  from all to 10.0.88.11 lookup mng
    32761:  from 10.0.88.11 lookup mng 
    32762:  from all lookup main
    32763:  from all lookup default 

I have furthermore set my rp_filter to 1 for all networks/nics.

Now to the question: I can successfully ping the default gateways on both interfaces.

I can successfully ping my Internet gateway from the eno1 network:

    ping 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=0.572 ms
    (...)

but I can NOT ping the Internet gateway from the eno4 network:

    ping -I eno4 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) from 10.0.88.11 eno4: 56(84) bytes of data.
    From 10.0.88.11 icmp_seq=1 Destination Host Unreachable

This is also what the command confirms:

    ip neigh show
    (...)
    192.168.2.1 dev eno4  FAILED
    (...)

What do I need to configure so that eno4 can also reach my gateway to the Internet (and any other Internet address) via its default gateway?

Thank you very much in advance for any answer

Best regards

br

bringha
  • To confirm, can you ping both 192.168.1.1 and 10.0.88.1 from eno4? – Mark Riddell Aug 21 '16 at 11:58
  • For info, if you are wanting to turn rp_filter off, it should be set to 0. You would only need to do that however if you expected the ICMP replies to arrive on eno1 rather than eno4. – Mark Riddell Aug 21 '16 at 12:02
  • I think you also have to add `oif` and `iif` rules. `ip rule add oif eno4 table mng` and `ip rule add iif eno4 table mng`. Also ensure that the gateway with address `192.168.2.1` has a route to the `10.0.88.0/24` network. – Thomas Aug 21 '16 at 12:20
  • @MarkoPolo: No, I can only ping 10.0.88.1 as Gateway from eno4; this is as it is wanted – bringha Aug 21 '16 at 15:26
  • @MarkoPolo This was my suspicion too, but no evidence that ICMP packages are not coming back: Interestingly, eno4 sends an ARP request for 192.168.2.1 which is never answered instead of ICMP pings... – bringha Aug 21 '16 at 15:36
  • @Thomas Not sure that I understand you correctly: In my router 192.168.2.1 is the default gateway. What will oif and iif do? – bringha Aug 21 '16 at 15:37

1 Answer


There are two points to consider, as long as I got it right.

  1. Your main gateway at 192.168.2.1 needs to know how to access the 10.0.88.0/24 and 192.168.1.0/24 networks.
    This can be established either by using iptables and masquerading on the router with the two nets, or with plain routing tables.
    In case of masquerading, your gateway at 192.168.2.1 will only receive packets from the router (with the two nets) of the third interface (192.168.2.???) because addresses are rewritten and everything works well.
    If you are not using masquerading, then your gateway at 192.168.2.1 will get packets from 192.168.1.0/24 and 10.0.88.0/24 directly. If your gateway at 192.168.2.1 does not have routes to these subnets, then it will select the default route.
    So this depends on your configuration on the router with the two nets.

  2. On your Ubuntu servers, the `default via 10.0.88.1 dev eno4` entry in the `mng` table should be sufficient. Then you need to tell the routing rule to use `mng` for traffic that is received from the 10.0.88.0/24 subnet.

    ip rule add from 10.0.88.0/24 table mng
    

    Next, add a rule to use the mng table for anything that should leave eno4.

    ip rule add oif eno4 table mng
    
Thomas
  • Thanks Thomas!! The last rule with eno4 (I think this was meant with ens11) made the trick. It works now! – bringha Aug 21 '16 at 17:49
  • Ah, right. The `ens11` was the interface of my VM. Sorry for that. Updated the answer. – Thomas Aug 21 '16 at 17:51
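
The following is an added example, not part of the original question or answer: a simplified Python model of the Linux policy-routing lookup, fed with the tables and rules shown in the question, to show why `ping -I eno4` ended in an unanswered ARP request for 192.168.2.1 and why the `oif eno4` rule fixes it. The names `TABLES`, `RULES`, `OIF_RULE` and `resolve` are hypothetical, and the model assumes that a socket bound only to a device has no source address yet at lookup time and that Linux treats the destination as on-link when no route matches a bound device.

```python
import ipaddress

# Constructed from the `ip route show` / `ip rule show` output in the question.
TABLES = {
    "main": [("0.0.0.0/0", "eno1", "192.168.1.1"),
             ("10.0.88.0/24", "eno4", None),
             ("192.168.1.0/24", "eno1", None)],
    "mng": [("0.0.0.0/0", "eno4", "10.0.88.1"),
            ("10.0.88.0/24", "eno4", None)],
}
# (selector, table); the "local" and "default" tables are omitted (no effect here)
RULES = [({"to": "10.0.88.11/32"}, "mng"),
         ({"from": "10.0.88.11/32"}, "mng"),
         ({}, "main")]
OIF_RULE = ({"oif": "eno4"}, "mng")  # the answer's `ip rule add oif eno4 table mng`


def rule_matches(sel, src, dst, oif):
    # An unset source (socket bound only to a device) is 0.0.0.0 and so
    # does not match a `from 10.0.88.11` selector.
    ip = ipaddress.ip_address
    if "from" in sel and ip(src or "0.0.0.0") not in ipaddress.ip_network(sel["from"]):
        return False
    if "to" in sel and ip(dst) not in ipaddress.ip_network(sel["to"]):
        return False
    return sel.get("oif", oif) == oif


def table_lookup(table, dst, oif):
    # Longest-prefix match; with an oif set, routes via other devices are skipped.
    hits = [(ipaddress.ip_network(p), dev, via) for p, dev, via in TABLES[table]
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)
            and oif in (None, dev)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def resolve(rules, dst, src=None, oif=None):
    """Return (device, address the host will ARP for)."""
    for sel, table in rules:
        if rule_matches(sel, src, dst, oif):
            hit = table_lookup(table, dst, oif)
            if hit:
                return hit[1], hit[2] or dst
    # No route at all: with a bound device, Linux treats dst as on-link.
    if oif:
        return oif, dst
    raise LookupError("network unreachable")
```

`resolve(RULES, "192.168.2.1", oif="eno4")` returns `('eno4', '192.168.2.1')`, the neighbour entry that shows as FAILED in the question, while `resolve([OIF_RULE] + RULES, "192.168.2.1", oif="eno4")` returns `('eno4', '10.0.88.1')`.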