Internet <---> router <---> PC12 (gets reserved IP address 192.168.0.112 from router on NIC enp5s0)
PC12 (manual IP 192.168.7.112 mask 255.255.255.0 on NIC enp6s1) <---> switch <---> PC15 (manual IP 192.168.7.115 mask 255.255.255.0 gateway 192.168.7.112)
I am attempting to follow the instructions here http://blog.redbranch.net/2015/07/30...ivate-network/ with adjustments for my addresses and NIC names.
What I can do:
From PC15 I can ping the router PC12 at 192.168.7.112.
From PC15 I can ping other PCs on my 192.168.0 subnet.
From PC15 I can ping a DNS server 208.67.222.222
From PC12 - the router - I can ping PC15
From PC12 I can connect to the Internet (using the DNS specified on my real router)
And what I cannot do:
I cannot ping PC15 from other PCs on my 192.168.0 subnet. (On re-reading, this is expected as configured: those PCs presumably use 192.168.0.1 as their default gateway, as PC12 does, and 192.168.0.1 has no route to 192.168.7.0/24. Reaching PC15 from 192.168.0.x needs a static route for 192.168.7.0/24 via 192.168.0.112 on the real router or on each PC, or a forward-port on PC12 for the specific service.)
I cannot connect to the Internet with a web browser, nor ping www.wral.com by name, from PC15 (ping takes a hostname, not a URL). Since pinging 208.67.222.222 by address from PC15 works, this looks like a name-resolution problem rather than routing: check that PC15 actually has a DNS server configured (e.g. 208.67.222.222 in /etc/resolv.conf or its NetworkManager profile) and that nslookup www.wral.com succeeds from PC15.
Below is a transcript of my activities step by step. I have looked over it until I am cross eyed. I probably missed something simple (I hope). Suggestions please!
TIA,
Ken
PC12 (aka taylor12) started out with this configuration:
[root@taylor12 ken]# ifconfig
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.112 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::225:64ff:fee8:182c prefixlen 64 scopeid 0x20<link>
ether 00:25:64:e8:18:2c txqueuelen 1000 (Ethernet)
RX packets 6775 bytes 8206616 (7.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5127 bytes 527151 (514.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
enp6s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.7.112 netmask 255.255.255.0 broadcast 192.168.7.255
inet6 fe80::240:5ff:fe36:71c5 prefixlen 64 scopeid 0x20<link>
ether 00:40:05:36:71:c5 txqueuelen 1000 (Ethernet)
RX packets 11 bytes 888 (888.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 1722 (1.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@taylor12 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp5s0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.7.0 0.0.0.0 255.255.255.0 U 100 0 0 enp6s1
[root@taylor12 ken]# firewall-cmd --list-all-zones
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0 enp6s1
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
----------------------------------------------------------------------------------
iptables-save > savedrules.txt
----------------------------------------------------------------------------------
Here I start tweaking...
vim /etc/sysctl.conf
add the lines
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
#sysctl -w net.ipv4.ip_forward=1
(Editing sysctl.conf only takes effect at boot or after sysctl -p; the sysctl -w line is shown commented out here, so run sysctl net.ipv4.ip_forward and confirm it prints 1 before testing. The pings from PC15 through PC12 listed above suggest forwarding is in fact on.)
192.168.0.0 enp5s0 move to external
192.168.7.0 enp6s1 move to internal
[root@taylor12 ken]# firewall-cmd --zone=internal --add-interface=enp5s0 --permanent
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@taylor12 ken]# firewall-cmd --zone=external --add-interface=enp6s1 --permanent
The interface is under control of NetworkManager, setting zone to 'external'.
success
NOTE (on re-reading): the two commands above are the reverse of the plan stated just before them. enp5s0 (192.168.0.x, the side facing the real router and the Internet) ended up in 'internal', and enp6s1 (192.168.7.x, the private LAN behind PC12) ended up in 'external'. That puts the zone masquerade on the private-LAN interface and exposes the internal zone's services (mdns, samba-client, ssh) toward the upstream network instead of toward the private LAN. The intended commands are:
firewall-cmd --zone=external --change-interface=enp5s0 --permanent
firewall-cmd --zone=internal --change-interface=enp6s1 --permanent
firewall-cmd --reload
(--change-interface moves the interface out of whatever zone it is currently in.) Then confirm with firewall-cmd --get-active-zones that external lists enp5s0 and internal lists enp6s1.
[root@taylor12 ken]# firewall-cmd --complete-reload
[root@taylor12 ken]# firewall-cmd --list-all-zones
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
external (active)
target: default
icmp-block-inversion: no
interfaces: enp6s1
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@taylor12 ken]# iptables-save > savedrules1.txt
[root@taylor12 ken]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success
[root@taylor12 ken]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp5s0 -j MASQUERADE -s 192.168.7.0/24
success
NOTE (on re-reading): the warning confirms masquerade was already enabled in 'external' (it was "masquerade: yes" in the very first --list-all-zones); the question is which interface is in that zone, not whether masquerade is on. The direct --passthrough rule hand-inserts a MASQUERADE rule for 192.168.7.0/24 traffic leaving enp5s0, which is exactly what the external zone does by itself once enp5s0 is the interface in 'external', so it is redundant and better removed (firewall-cmd --permanent --direct --remove-passthrough with the identical arguments). Direct/passthrough rules live outside firewalld's zone model and do not show up in --list-all-zones, so they are the first place to look when observed behaviour does not match the zone listing.
[root@taylor12 ken]# firewall-cmd --complete-reload
[root@taylor12 ken]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp5s0
0.0.0.0 192.168.0.112 0.0.0.0 UG 101 0 0 enp6s1
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.0.112 0.0.0.0 255.255.255.255 UH 100 0 0 enp6s1
192.168.7.0 0.0.0.0 255.255.255.0 U 100 0 0 enp6s1
NOTE (on re-reading): compared with the first route -n, two routes have appeared that should not exist: a second default route via 192.168.0.112 on enp6s1, and a /32 host route to 192.168.0.112 on enp6s1. 192.168.0.112 is PC12's own address on enp5s0, so it cannot be a next hop reachable through enp6s1; this looks like a gateway of 192.168.0.112 was entered in the NetworkManager profile for enp6s1 (check with nmcli connection show <enp6s1 profile> | grep ipv4.gateway). The inner interface of a router needs no gateway at all; clear it (nmcli connection modify <profile> ipv4.gateway "" and re-activate the connection) so the only default route is via 192.168.0.1 on enp5s0. With metric 101 the bogus route is not chosen while enp5s0 is up, but it would silently take over if enp5s0 went down.