CentOS 7 as a router (almost)

Issues related to configuring your network
taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

CentOS 7 as a router (almost)

Post by taylorkh » 2017/03/16 18:02:32

I am attempting to configure a PC with 2 NICs to sit between my router and my LAN for the purposes of running/sharing a VPN connection to the Internet. Yes, I could get a router with DD-WRT or Open WRT but I already have the PC and based on prior experience a cheap DD-WRT router will bog down with heavy traffic and I do not want to spend a lot of $$$ for a high powered wireless router as I only have one wireless device. Here is my test configuration. The PCs are running CentOS 7.3.

Internet <---> router <---> PC12 (gets reserved IP address 192.168.0.112 from router on NIC enp5s0)
PC12 (manual IP 192.168.7.112 mask 255.255.255 on NIC enp6s1) <---> switch <---> PC15 (manual IP 192.168.7.115 mask 255.255.255 gateway 192.168.7.112)

I am attempting to follow the instructions here http://blog.redbranch.net/2015/07/30...ivate-network/ with adjustments for my addresses and NIC names.

What I can do:

From PC15 I can ping the router PC12 at 192.168.7.112.

From PC15 I can ping other PCs on my 192.168.0 subnet.

From PC15 I can ping a DNS server 208.67.222.222

From PC12 - the router - I can ping PC15

From PC12 I can connect to the Internet (using the DNS specified on my real router)

And what I cannot do:

I cannot ping PC15 from other PCs on my 192.168.0 subnet

I cannot connect to the Internet with a web browser nor ping http://www.wral.com from PC15.

Below is a transcript of my activities step by step. I have looked over it until I am cross eyed. I probably missed something simple (I hope). Suggestions please!

TIA,

Ken

Code:

PC12 (aka taylor12) started out with this configuration:

[root@taylor12 ken]# ifconfig
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.112  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::225:64ff:fee8:182c  prefixlen 64  scopeid 0x20<link>
        ether 00:25:64:e8:18:2c  txqueuelen 1000  (Ethernet)
        RX packets 6775  bytes 8206616 (7.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5127  bytes 527151 (514.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

enp6s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.112  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::240:5ff:fe36:71c5  prefixlen 64  scopeid 0x20<link>
        ether 00:40:05:36:71:c5  txqueuelen 1000  (Ethernet)
        RX packets 11  bytes 888 (888.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 1722 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@taylor12 ken]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp5s0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp5s0
192.168.7.0     0.0.0.0         255.255.255.0   U     100    0        0 enp6s1

[root@taylor12 ken]# firewall-cmd --list-all-zones
work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0 enp6s1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
----------------------------------------------------------------------------------
iptables-save > savedrules.txt 
----------------------------------------------------------------------------------
Here I start tweaking...

vim /etc/sysctl.conf

add the lines

	# Controls IP packet forwarding
	net.ipv4.ip_forward = 1

#sysctl -w net.ipv4.ip_forward=1

192.168.0.0 enp5s0 move to external
192.168.7.0 enp6s1 move to internal

[root@taylor12 ken]# firewall-cmd --zone=internal --add-interface=enp5s0 --permanent
The interface is under control of NetworkManager, setting zone to 'internal'.
success

[root@taylor12 ken]# firewall-cmd --zone=external --add-interface=enp6s1 --permanent
The interface is under control of NetworkManager, setting zone to 'external'.
success

[root@taylor12 ken]# firewall-cmd --complete-reload

[root@taylor12 ken]# firewall-cmd --list-all-zones

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp5s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s1
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

[root@taylor12 ken]# iptables-save > savedrules1.txt 

[root@taylor12 ken]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success

[root@taylor12 ken]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp5s0 -j MASQUERADE -s 192.168.7.0/24
success

[root@taylor12 ken]# firewall-cmd --complete-reload

[root@taylor12 ken]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp5s0
0.0.0.0         192.168.0.112   0.0.0.0         UG    101    0        0 enp6s1
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp5s0
192.168.0.112   0.0.0.0         255.255.255.255 UH    100    0        0 enp6s1
192.168.7.0     0.0.0.0         255.255.255.0   U     100    0        0 enp6s1

jabuzzard
Posts: 30
Joined: 2008/09/18 12:35:09

Re: CentOS 7 as a router (almost)

Post by jabuzzard » 2017/04/06 22:44:29

You have ended up with two default routes on PC12 which is not a good thing, expect all sorts of wacky routing problems in your setup.

Getting PC12 to masquerade/NAT PC15 to the wider internet will never allow you to ping PC15 from anything on the other network, as you don't detail any firewall rules that would enable that to happen. I can't think of the right rule off the top of my head because you want stuff from PC15 to pass through to the 192.168.0.0/24 network unmasqueraded, but that destined for the internet to be masqueraded.

This would be the start, aka get PC12 to forward packets from the 192.168.0.0/24 network to the 192.168.7.0/24 network.

Code:

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i  enp5s0 -o enp6s1 -j ACCEPT

The reverse rule is more complicated if at all possible and you are on your own. However what the point would be escapes me. Why have two networks if you want them to talk to each other?

Anyway a decent router and switch with VLANs makes more sense to me. There are some very cheap Ubiquiti routers that will handle more traffic than a 1Gbps link can shift, and a 16-port 1Gbps switch with VLAN support is also remarkably cheap these days.
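The two things that went wrong in the first post's transcript (the WAN NIC ended up in 'internal' and the LAN NIC in the masquerading 'external' zone, and a second default route appeared, as jabuzzard points out) can be caught by a quick check. The script below is an added example, not code from either poster: it parses constructed, trimmed copies of the "route -n" and "firewall-cmd --list-all-zones" output shown above, and assumes the layout a two-NIC router wants (WAN interface in the masquerading zone, LAN interface in a non-masquerading one, exactly one default route); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for a two-NIC
# firewalld router, run over constructed copies of "route -n" and
# "firewall-cmd --list-all-zones" output (on a real box pass the live output).
# Constructed sample: PC12's state after the zone moves in the first post
# (WAN enp5s0 landed in 'internal', LAN enp6s1 in 'external', two defaults).
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp5s0
0.0.0.0         192.168.0.112   0.0.0.0         UG    101    0        0 enp6s1
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp5s0
192.168.7.0     0.0.0.0         255.255.255.0   U     100    0        0 enp6s1'
ZONES='internal (active)
  interfaces: enp5s0
  masquerade: no

external (active)
  interfaces: enp6s1
  masquerade: yes'
# Number of default routes in a "route -n" dump; anything but one is a problem.
count_default_routes() {
    printf '%s\n' "$1" | awk '$1=="0.0.0.0" && $3=="0.0.0.0" {n++} END {print n+0}'
}

# Zone whose "interfaces:" line lists $2 in zone dump $1 (empty if unassigned).
zone_of_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[a-zA-Z0-9_-]+( \(active\))?$/ {zone=$1}
        /^  interfaces:/ {for (i=2;i<=NF;i++) if ($i==ifc) print zone}'
}

# Masquerade flag ("yes"/"no") of zone $2 in zone dump $1.
zone_masquerade() {
    printf '%s\n' "$1" | awk -v z="$2" '
        /^[a-zA-Z0-9_-]+( \(active\))?$/ {zone=$1}
        /^  masquerade:/ && zone==z {print $2}'
}

# check_router ROUTES ZONES WAN LAN: prints OK or each problem; returns 1 on problems.
check_router() {
    rc=0
    [ "$(count_default_routes "$1")" -eq 1 ] || { echo "PROBLEM: expected exactly one default route"; rc=1; }
    wz=$(zone_of_iface "$2" "$3"); lz=$(zone_of_iface "$2" "$4")
    [ "$(zone_masquerade "$2" "$wz")" = yes ] || { echo "PROBLEM: WAN $3 in zone '$wz', which does not masquerade"; rc=1; }
    [ "$(zone_masquerade "$2" "$lz")" = no ] || { echo "PROBLEM: LAN $4 in masquerading zone '$lz'"; rc=1; }
    [ "$rc" -eq 0 ] && echo OK
    return $rc
}
check_router "$ROUTES" "$ZONES" enp5s0 enp6s1 || status=$?
```

Against the sample it reports all three problems; against a box where enp5s0 sits in 'external' and enp6s1 in 'internal' with a single default route it prints OK.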

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: CentOS 7 as a router (almost)

Post by taylorkh » 2017/04/06 23:18:22

Thanks jabuzzard

I apologize for not sticking a fork in this thread. This attempt is dead. I took another run at the problem and set one of the NICs to "Shared with other computers" in Network Manager. That automagically configured everything, set the shared NIC to 10.42.0.1 and everything works. I even have a DHCP server set up on my "router" PC and direct all of my LAN traffic through the PC into a VPN tunnel. No DNS leaks and no IPv6 leaks (so far).

Ken
