There are two problems with this setup:
- The hosts on LAN1 know nothing about the LAN2 segment. When you ping a host on LAN1 (let's call it host1) from SRV-02, the packet will be routed through SRV-01 and will reach host1. However, host1 will send the reply to it's default gateway (ISP router) as it doesn't have a specific route to LAN2. (The ISP router will either a) also send it to it's default gateway as it also doesn't know about LAN2, or b) drop the packet as it comes from an unknown source not it's local LAN.)
- When trying to reach WAN from LAN2, the packets will be routed through SRV-02 to ISP router where two situations are possible:
- The router will not NAT translate the packet as the source of the packet (LAN2) is not it's local LAN (this is the more probable situation), or
- The router will NAT translate the packet and send it to the Internet. However, when the reply comes and the destination is translated back to the LAN2 address, the packet will not be delivered as the ISP router doesn't have a route for that network. The packet will be sent incorrectly to the default gateway (ISP).
These issues could be fixed by adding a static route to LAN2 to ISP router and adding a source NAT configuration for LAN2 on SRV-01. However, that is not possible due to no admin access to the ISP router.
There are two solutions that get around it:
A. Make SRV-01 a full router for LAN1 and LAN2 hosts
- Add another network adapter to SRV-01 (making it 3 in total)
- Change the topology as follows:
.
WAN -> ISP router -> LAN1 -> SRV-01 +-> LAN3 (for hosts originally in LAN1)
+-> LAN2 -> SRV-02
Basically, we're making SRV-01 a router for both LAN segments.
- This will require moving hosts originally in LAN1 to a new subnet LAN3 - let's say we use
10.0.1.0/24
- The network configuration of SRV-01 will need to be changed as follows:
/etc/network/interfaces:
# LAN1 - to ISP router
auto eth0
iface eth0 inet dhcp
# we can even use dhcp as the IP address is not really important
# - there are no more hosts on LAN1 apart from ISP router and SRV-01
# LAN3 - for hosts originally in LAN1
iface eth1
address 10.0.1.1
netmask 255.255.255.0
# LAN2
iface eth2
address 10.0.2.1
netmask 255.255.255.0
iptables rules to make WAN access work:
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE
Alternatively, if you choose to keep the static IP address on SRV-01 on eth0 the rules could be changed (although MASQUERADE
would still work):
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j SNAT --to-source 192.168.5.8
- DHCP will need to be configured on SRV-01 on eth1 (LAN3, for hosts originally on LAN1), and possibly on eth2 (LAN2) as well if required. (In both cases the gateway will be the local address of eth1 or eth2 respectively, but that goes without saying :)
This will make communication possible between LAN3 and LAN2 (via SRV-01 which is the default gateway for both). WAN access will also work from both LAN3 and LAN2 thanks to the double source NAT.
B. Make SRV-01 a DHCP server for LAN1
This approach is not as clean as above but is slightly simpler. It assumes you are able to disable DHCP on ISP router
- Disable DHCP on ISP router
- Set up DHCP for LAN1 on SRV-01 and make SRV-01 (192.168.5.8) the default gateway for LAN1
- Set up source NAT translation for LAN2 on SRV-01 so that the WAN access works from LAN2:
.
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -d 192.168.5.4 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 ! -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.8
The first line enables SNAT so that LAN2 hosts can access the ISP router itself and the second line disables SNAT for LAN2-LAN1 access.
Again, this approach is not as clean as the one above as there are two routers in the same subnet (SRV-01, ISP router). When I used this approach myself I noticed my second router (SRV-01 in this scenario) would send ICMP redirects to the ISP router as it would see that the client (host on LAN1) and the upstream router (ISP router) are on the same LAN. This might not be desired as network policies implemented on SRV-01 could be circumvented.
Hope that helps.
Best Answer
The easiest way to achieve this is to give white (public) IPs to VMs via bridging (not proxy-arp). You will still be able to firewall traffic for all VMs on the host, because netfilter in Linux supports checking bridge traffic with iptables rules.
In this case the config will probably look like this:
You have to put VM which should appear on eth0 into vmbr0, the VM which should appear on eth1 into vmbr1, and everything else is going to vmbr2, any traffic from that network will be masqueraded. Note vmbr1 doesn't have any IP address, it doesn't need any, because the sole purpose of that bridge is to link eth1 and VM virtual interface. All host communication is done via vmbr0.
I don't know why you added 'pointtopoint' keyword for eth0. I retained it in the vmbr0; still I think this is a mistake and it is not needed. You have BMA network on eth0 with mask /25, it has 128 addresses (126 usable), so 'pointtopoint' (which means you have only one peer) looks wrong there. I also disabled stp in all bridges. There isn't much use of it, because you will not bridge any interfaces which are connected elsewhere.
In any case, tcpdump is your best friend.
You can set up proxy-arp instead of bridging first VM (which appear on eth0). I think this will make things less robust and I suggest you not going this way.
From your description I deduce your host should only have one IP address, and that address should be seen on eth0, so eth1 will be unnumbered in the host (shouldn't have any address), only VM address will appear there. I don't know, if it is possible to set up proxy-arp and routing in Linux on unnumbered interface (the one without any IP address), so to clarify this part I need to do some investigation on my own.