Linux – Routing via gateway to another subnet


Unfortunately I have very little practice with routing in Linux, and I was also not able to phrase my issue properly for a search.

So I will explain the issue here. In the picture below you see the topology of my network. The goal is that the client device with the IP 10.0.0.50 can access the target device with the IP 192.168.0.1.

Picture of the network topology

Setting the proper route on the client device is not my goal, because there may be multiple client devices with the need to access 192.168.0.1. Since I do not have access to all of the clients, it is not the goal to configure them individually to achieve this.

So far I tried setting a route on the gateway 10.0.0.1 with route add -net 192.168.0.0/25 gw 10.0.0.99. The gateway is (should be) properly configured to forward the packets, because I use it as the gateway for the whole network to access the internet. So iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE is set, as well as IP forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward. route shows the following output on the gateway:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         123.123.123.1   0.0.0.0         UG    202    0        0 eth0
10.0.0.0        *               255.255.255.128 U     0      0        0 br0
123.123.123.2   *               255.255.255.252 U     0      0        0 eth0
192.168.0.0     10.0.0.99       255.255.255.128 UG    0      0        0 br0

The configuration on the server 10.0.0.99 includes the iptables rules for masquerading and IP forwarding as well. route shows the following output on the server:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         tower           0.0.0.0         UG    204    0        0 br0
default         192.168.0.1     0.0.0.0         UG    303    0        0 wlan0
10.0.0.0        *               255.255.255.128 U     0      0        0 br0
192.168.0.0     *               255.255.255.128 U     0      0        0 wlan0

With the setup explained above I can ping 192.168.0.1 from the server as well as from the gateway, but the clients are not able to. A traceroute to test what is happening gets stuck at the gateway 10.0.0.1 and does not progress any further.

I have also tried setting iptables -A POSTROUTING -t nat -o br0 -j MASQUERADE on the gateway as well to check if that is the issue, but that rule did not help, so I removed it again.

What am I missing here? Please help me out. Thank you very much!

Best Answer

  1. If you use Linux, stop using ifconfig and route. Use ip (man ip and read the iproute tutorials).
  2. Set up the route on the internet gateway: ip route add 192.168.0.0/25 via 10.0.0.99
  3. Disable the redirects: sysctl -w net.ipv4.conf.br0.send_redirects=0
  4. Check the routing with the command ip route get 192.168.0.1 from 10.0.0.50 iif br0. The output should look like:
     192.168.0.1 from 10.0.0.50 via 10.0.0.99 dev br0
         cache iif br0
  5. Optionally add the SNAT/MASQUERADE rule to make the replies pass through the internet gateway, not directly from the server to the client:
     iptables -t nat -A POSTROUTING \
              -o br0 \
              --src 10.0.0.0/24 --dst 192.168.0.0/25 \
              -j SNAT --to 10.0.0.1
  6. Enable forwarding on the server: sysctl -w net.ipv4.ip_forward=1
  7. The above steps are enough in most cases. Optionally, if the target has another default gateway (not through the server), you can add a route on the target (ip route add 10.0.0.0/24 via 192.168.0.X, where 192.168.0.X is the address of the server in the 192.168.0.0/25 subnet) or set up NAT on the server itself (iptables -t nat -A POSTROUTING -o wlan0 --src 10.0.0.0/24 --dst 192.168.0.1 -j MASQUERADE).
  8. Check connectivity:
    • on the gateway, ping the server and the target.
    • on the server, ping the gateway and the target.
    • use tcpdump to troubleshoot future issues.
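To see why the optional SNAT step in the answer matters, here is an added example (not part of the question or the answer) that replays the routing tables from the page with a longest-prefix-match lookup and traces the forward and reply paths hop by hop. It assumes the client's default gateway is 10.0.0.1 and that the target's default route points at the server's wlan0 address, written as the constructed placeholder 192.168.0.2.

```python
import ipaddress

# Routing tables: gateway and server entries transcribed from the question;
# the client and target entries are constructed assumptions (not shown on the page).
# Each entry is (prefix, next hop) with next hop None for a directly connected network.
# The server's preferred default (metric 204, "tower") is taken to be the gateway 10.0.0.1.
TABLES = {
    "10.0.0.50": [("0.0.0.0/0", "10.0.0.1")],                       # client (assumed)
    "10.0.0.1": [("10.0.0.0/25", None), ("192.168.0.0/25", "10.0.0.99"),
                 ("0.0.0.0/0", "123.123.123.1")],                   # gateway
    "10.0.0.99": [("10.0.0.0/25", None), ("192.168.0.0/25", None),
                  ("0.0.0.0/0", "10.0.0.1")],                       # server
    "192.168.0.1": [("192.168.0.0/25", None), ("0.0.0.0/0", "192.168.0.2")],  # target (assumed)
}
# 192.168.0.2 is a constructed placeholder for the server's wlan0 address: same box as 10.0.0.99.
ALIASES = {"192.168.0.2": "10.0.0.99"}


def next_hop(node, dst):
    """Longest-prefix match in node's table; returns the next hop, or dst itself if connected."""
    best = None
    for prefix, via in TABLES[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1] or dst


def trace(src, dst, max_hops=8):
    """Return the list of nodes a packet from src traverses to reach dst."""
    path, node = [src], src
    while node != dst and len(path) < max_hops:
        hop = next_hop(node, dst)
        node = ALIASES.get(hop, hop)
        path.append(node)
    return path


def round_trip(client, target, snat_at_gateway):
    """Forward path and reply path; with SNAT the reply is addressed to the gateway, which de-NATs it."""
    fwd = trace(client, target)
    back = trace(target, "10.0.0.1" if snat_at_gateway else client)
    if snat_at_gateway:
        back += trace("10.0.0.1", client)[1:]
    return fwd, back


def is_symmetric(fwd, back):
    """True when the reply retraces the forward path, i.e. a stateful gateway sees both directions."""
    return back[::-1] == fwd
```

Without SNAT the reply goes server to client directly and bypasses the gateway, so connection tracking on the gateway sees only half of each flow and the gateway emits ICMP redirects; with SNAT both directions traverse 10.0.0.1.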