BOFFBOY Posted Wednesday at 12:44 PM

Hello fellow Linux gurus,

Seeking some assistance on this.

I have NIC1 on 192.168.100.1/24 network with gateway set as 192.168.100.254 < this can't be changed, with a few PCs connected to this.
And NIC2 on 10.10.10.1/24 with a few devices on this.

I want to be able to ping from PC1 connected to NIC1 on 192.168.100.100/24 to devices connected to NIC2 on 10.10.10.100/24.

Could someone advise on the route settings I need to configure to make this work please?

djurny Posted yesterday at 01:38 PM

Hi there,

Not sure if your question is complete, are both NIC1 and NIC2 in the same PC1? (NIC being network interface controller/card.)

If NIC1 and NIC2 are both in the same computing node, the routes should be there already, if the configuration is plain and not something funky.

Can you share the output of `ip a s` and `ip route`? Also, do you have any firewall enabled?

Gr,

BOFFBOY Posted yesterday at 01:50 PM Author (edited)

Hi there, the 2 NICs are on my RPi Armbian.

ip route output > modified it a bit to match but concept is below.

```
default via 10.10.10.254 dev enp4s0 proto static metric 100
169.254.0.0/16 dev enp4s0 scope link metric 1000
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.10 metric 101
10.10.10.10/24 dev enp4s0 proto kernel scope link src 10.10.10.2 metric 100
```

I have only PC1 connected to NIC1 with 192.168.100.101, GW - 192.168.100.254. This PC1 can NOT be changed.

Device1 on NIC2 10.10.10.100/24 < this has no gateway as it's only a slave device.

I need to reach Device1 on NIC2 from the PC1 on NIC1... how is this achieved?

I tried /etc/sysctl.conf `net.ipv4.ip_forward=1`, still missing something…

What I failed to mention is that I can only modify settings within the Linux box containing the 2 NICs. I need some sort of interlinking NIC1 on 192.168 to forward packets to 10.10 network…

Edited yesterday at 01:53 PM by BOFFBOY

djurny Posted 13 hours ago

Hi there,

The `net.ipv4.ip_forward=1` will make the packets coming in on NIC1 be routed/sent to NIC2 due to the destination fitting in the network, but the device on NIC2 will not know how to send return packets to 192.168.100.*/24 as it does not have any fitting directly connected networks. Usually you could use default gateway/route to point them back to the Pi, but you said you cannot configure that.

Try the following on the Pi:

```
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp4s0
```

That should enable NAT on NIC2, which will masquerade any packet sent from NIC2 with "source address" 10.10.10.*/24 which it does know how to talk to.

Btw, can you confirm the following was indeed the output of `ip route`:

```
10.10.10.10/24 dev enp4s0 proto kernel scope link src 10.10.10.2 metric 100
```

One would expect 10.10.10.0/24 as network instead of 10.10.10.10/24.

Groetjes,

BOFFBOY Posted 12 hours ago Author (edited)

Hi all. Thank you all for helping on this.

I have created a diagram. - Armbian not rocky.

The red box is what I CAN NOT change - no access.

I do have access to the Linux box - so I want to be able to ping from PC 1 to Device 1 on 10.10.10.2.

Device 1 - do have access to it and configure whatever it needs.

Edited 12 hours ago by BOFFBOY

djurny Posted 12 hours ago

Hi there,

Ah that diagram changes things a little. You would need to add a route to PC1, so that it knows to send packets for device 1 via 'rocky linux'.

```
sudo route add -net 10.10.10.0/24 gateway 192.168.100.101
```

That will make sure packets with destination 10.10.10.0/24 will be sent to 'rocky linux'.

Then on 'rocky linux' the forwarding should handle forwarding those packages from NIC1 to NIC2. You will have NIC2 masquerade outgoing packets as 10.10.10.1 instead of the real source address 192.168.100.102, so 'device 1' will respond to 10.10.10.1 instead of 192.168.100.102 - as 'device 1' has no default route.

Then on 'device 1', packets will arrive from "masqueraded" NIC2 10.10.10.1 and it should respond accordingly.

Then on 'rocky linux' responses from 'device 1' will be received on NIC2, conntrack will know where the packet originally came from and send stuff back to 'PC1'.

This should work, but this is a little messy 🙂

Do ping back here!

Groetjes,

BOFFBOY Posted 12 hours ago Author

```
root@rpi4b:~# sudo route add -net 10.10.10.0/24 gateway 192.168.100.101
sudo: route: command not found
root@rpi4b:~#
```

Do I need to add dev eth0 or enp4s0?

BOFFBOY Posted 12 hours ago Author (edited)

I have also installed firewalld, any ports or routing I should allow? e.g.:

```
sudo firewall-cmd --zone=public --add-masquerade
```

?

Edited 12 hours ago by BOFFBOY

djurny Posted 11 hours ago

Hi there,

Not sure about the syntax of `firewall-cmd`, but you should only masquerade on the NIC connected to the 10.10.10.0/24 network, as masquerading does have some performance impact to/from that NIC. Seems you need to check which `zones` are defined and create a `zone` to only cover NIC2 on 'rocky linux'.

For the `route` command, you can use the "new" `ip route` way:

```
# type on PC1
sudo ip route add 10.10.10.0/24 via 192.168.100.101
```

This will tell PC1 to throw packets that are destined to reach the 10.10.10.0/24 network towards 'rocky linux''s NIC1.

> any ports or routing i should allow ?

No, masquerading is done on the destination address of the IP packet, it will not change any source/destination port number. Masquerade here uses NAT, port is not translated.

Groetjes,

BOFFBOY Posted 11 hours ago Author (edited)

Arhhh still no good. PC1 still can NOT ping 10.10.10.2

```
root@rpi4b:~# ip route show
default via 192.168.100.254 dev eth0 proto static metric 101
10.10.10.0/24 dev enp4s0 proto kernel scope link src 10.10.10.1 metric 100
169.254.0.0/16 dev enp4s0 scope link metric 1000
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.101 metric 101
root@rpi4b:~#
```

Anything needed for `net.ipv4.ip_forward=1`?

Note: NIC2 and Device 1 have no gateway... don't think it matters, right?

Edited 11 hours ago by BOFFBOY

djurny Posted 11 hours ago

Hi there,

Ah so PC1 is windows based? You need to set the route to 'rocky linux' on that box. Some googling shows you can add a route on windows: https://www.howtogeek.com/22/adding-a-tcpip-route-to-the-windows-routing-table/. I do not have any Windows PCs around to test this out though.

Is your goal to only ping 'device 1'? I presume that you have other things in mind than just pinging 'device 1'?

Another route you can try is to connect from PC1 to a specific port on 'rocky linux' and then have that port traffic forwarded/NATed to 'device 1'. Have not done that myself ever, but let's see.

Groetjes,

djurny Posted 10 hours ago

Hi there,

To make it more clear:

1. On PC1: [As administrator] Add a route/hop via 'rocky linux' for packets destined for 10.10.10.0/24
   https://www.howtogeek.com/22/adding-a-tcpip-route-to-the-windows-routing-table/

   ```
   route ADD 10.10.10.0 MASK 255.255.255.0 192.168.100.101
   ```

2. On 'rocky linux' Raspberry Pi:

   Enable IPv4 forwarding:

   ```
   sudo sysctl -w net.ipv4.ip_forward=1
   ```

   Add masquerading for NIC2 (10.10.10.1):

   ```
   sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp4s0
   ```

   Or use the firewall-cmd thing, which you posted:

   ```
   sudo firewall-cmd --zone=public --add-masquerade
   ```

Then try to ping 'device 1' from PC1 once more. The traceroute should show nexthop to be 'rocky linux' for any IP address in the range 10.10.10.0/24 if you configured the route/hop on PC1 correctly.

Groetjes,

BOFFBOY Posted 4 hours ago Author

Hi djurny,

Appreciate your replies and assistance.

Regarding #1 - I can not add any routes on this Windows machine - it's managed by others, I only have user access with only limited access.

Points for #2 - tried those, no luck.

I was thinking, what if I was to change NIC2 to be within the same subnet as NIC1 - will this work?

Or am I really missing something in terms of static routing on the Linux box...?

djurny Posted 2 hours ago

Hi there,

In this setup with these networks you specified, it is really PC1 - or the gateway/router in the red box - that needs to know where to send packets to for 10.10.10.0/24. This is usually done by a static route on the gateway/router, or by adding a hop in the routing on PC1. If neither knows where packets for 10.10.10.0/24 need to go to, they will be forwarded to the default route of firstly PC1 (which is the gateway) and on the gateway/router's default route.

If you can change neither, you will need to think about more exotic solutions, like setting up an ssh tunnel from PC1 and using rocky linux as a jumphost. Or, as you also imply, perhaps bridging 192.168.100.0/24 with 10.10.10.0/24, which (I think) will mean changing 10.10.10.0/24 to a subnet of 192.168.100.0/24.

What are your options/abilities in PC1 here? What can you change and what not? Do you have administrator rights for example? Can you run/install cygwin or any windows flavor of ssh for example? What is the WAN side of the gateway/router? The internets or some other network?

What can also work is to put 'device 1' in that network, if all you need is to ping it.

Groetjes,

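Added example, not part of the thread: a small Python model of the route lookups described in the post above and in the earlier masquerade reply, showing where the echo request or its reply is lost in each configuration. The route tables are constructed from addresses quoted in the thread; PC1 at 192.168.100.100, the interface labels `lan` and `nic`, and the function names are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, dev), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via or "direct", dev)
    return None if best is None else best[1:]

# Constructed route tables, built from the addresses quoted in the thread.
PI_NIC1, PI_NIC2 = "192.168.100.101", "10.10.10.1"
PC1 = [("192.168.100.0/24", None, "lan"),
       ("0.0.0.0/0", "192.168.100.254", "lan")]            # only a default gateway
PC1_WITH_ROUTE = PC1 + [("10.10.10.0/24", PI_NIC1, "lan")]  # static route via the Pi
PI = [("192.168.100.0/24", None, "eth0"),
      ("10.10.10.0/24", None, "enp4s0"),
      ("0.0.0.0/0", "192.168.100.254", "eth0")]
DEVICE1 = [("10.10.10.0/24", None, "nic")]                  # no gateway configured

def trace_ping(pc1_routes, masquerade, src="192.168.100.100", dst="10.10.10.2"):
    """Follow an echo request and its reply; return where the exchange ends."""
    hop = lookup(pc1_routes, dst)
    if hop is None or hop[0] != PI_NIC1:
        return "request never reaches the Pi"
    # With ip_forward=1 the Pi forwards out of the interface that owns dst.
    if lookup(PI, dst) != ("direct", "enp4s0"):
        return "Pi cannot forward to device 1"
    # MASQUERADE on enp4s0 rewrites the source to the Pi's NIC2 address.
    seen_src = PI_NIC2 if masquerade else src
    if lookup(DEVICE1, seen_src) is None:
        return "device 1 has no route for the reply"
    return "reply delivered"  # conntrack on the Pi undoes the NAT for PC1

if __name__ == "__main__":
    cases = [("default gateway only, NAT on", PC1, True),
             ("static route, NAT off", PC1_WITH_ROUTE, False),
             ("static route, NAT on", PC1_WITH_ROUTE, True)]
    for name, routes, nat in cases:
        print(f"{name}: {trace_ping(routes, nat)}")
```

The first case is the one the thread is stuck on: forwarding and masquerading on the Pi are never exercised because PC1 hands the packet to 192.168.100.254.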
BOFFBOY Posted 2 hours ago Author

Nothing I can change on PC1 - also PC1 could be a master device with pre-defined IP settings beyond my control, hence I'm using PC1 as an example.

I have altered the diagram a bit, however the IP settings for PC1 can NOT be adjusted... does this allow any further options we can think of?

djurny Posted 1 hour ago

Hi there,

You could try to change 10.10.10.0/24 to 192.168.100.0 but this can cause IP overlap if you do not have control over the 192.168.100.0/24 network. If NIC1 and NIC2 are part of the same network, you will have to make sure that all traffic to the default gateway will exit via NIC1, `ip route` should show the device it will use.

I do not have any experience with setting up bridge networks, perhaps someone else can help with that - using bridge containing both NIC1 and NIC2 might be the easiest way, but you will have to fix/work the IP address overlap it will create. (link: https://www.baeldung.com/linux/bridging-network-interfaces)

Hope that helps,

Groetjes,

djurny Posted 1 hour ago

Not to forget this: What is your endgoal here? You just want to ping 'device 1' from PC1? Or you want to connect to 'device 1' from PC1 using some protocol?

Gr,

BOFFBOY Posted 8 minutes ago Author (edited)

Endgoal is Device 1 is reachable from PC1 - with PC1 settings all can NOT be changed and ideally Device1 on completely different subnet...

Edited 7 minutes ago by BOFFBOY