
[Image: Network structure]

I have a device DEV1 which should communicate with device DEV3, however in the middle there is DEV2.

My understanding is that I need to use IP Forwarding in DEV2 and edit route tables on DEV1 and DEV3.

For DEV2 I have enabled IP Forwarding:

-> sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1

I can't set up the rest of the things. What should I do to get this to work?

Oleksii
  • Is there any way to make the two routers talk to each other directly? If not, do you control the two routers in between? – MariusMatutiae Jan 21 '20 at 08:27
  • No. I don't have access to them – Oleksii Jan 21 '20 at 08:28
  • Do the two routers allow all communications to pass? Normal routers are set up so that they have an inner side and an outer side, and communications originating on the inside for the outside are allowed, while the reverse is not. In other words, can you talk from DEV1 to DEV2 and vice versa, and from DEV2 to DEV3 and vice versa? – MariusMatutiae Jan 21 '20 at 08:37
  • Yes, DEV2 can communicate with DEV1 and DEV3 – Oleksii Jan 21 '20 at 08:40

1 Answer

Given that the two routers allow all connections to pass from either side the simplest thing is to add new IP addresses to the two interfaces of DEV2. We do this so that DEV2 can easily distinguish between packets meant for it, and packets meant to go through:

ip addr add 192.168.2.3/24 dev INTERFACE2
ip addr add 10.12.0.218/24 dev INTERFACE3

(substitute the real interface names for INTERFACE2/3, and make sure that these addresses are not taken; to do so just ping -c 3 192.168.2.3 for instance and see whether you get any reply. Also, I guessed the two masks are /24; if not, please adjust accordingly). Now anything for 192.168.2.3 and 10.12.0.218 is for DEV1/3, while anything for 192.168.2.1-10.12.0.217 is for DEV2.

Now we forward anything arriving on the two new addresses:

iptables -A FORWARD -j ACCEPT
iptables -A PREROUTING -t nat -d 192.168.2.3 -j DNAT --to 10.10.3.154
iptables -A PREROUTING -t nat -d 10.12.0.218 -j DNAT --to 192.168.2.2
iptables -t nat -A POSTROUTING -j MASQUERADE

The first rule allows packets to migrate from one interface to the other (the setting net.ipv4.ip_forward = 1 is necessary but not sufficient); the last rule rewrites all packet headers as if coming from the outgoing interface so that replies are again routed through DEV2; the two rules in between rewrite the packet headers so that packets are sent from DEV1 to DEV3 (rule n.2) and from DEV3 to DEV1 (rule n.3).

The advantage of this setup is that it is clean: all protocols, and all ports are routed simultaneously, without any need to add unnecessary complications.

CAVEAT: interface1 on DEV1 and interface2 on DEV2 belong to the same subnet, which is strange since you say that the two are separated by a router: by definition, a router joins two distinct subnets. So, either router1 is not a router, or, if it is, there is an error in its configuration since it is surrounded by the same networks on both sides. I have assumed the former, not the latter.

MariusMatutiae
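Added example, not part of the answer above: a small Python model of what the four iptables rules do to a packet crossing DEV2 (PREROUTING DNAT on the alias addresses, FORWARD, POSTROUTING MASQUERADE, and the conntrack reverse mapping that lets replies find their way back). The addresses are the ones used in the answer (DEV3's 10.10.3.154 is taken from rule 2); the conntrack table is a simplification that keys on addresses and ports only.

```python
from dataclasses import dataclass, replace

# Addresses from the answer. DEV2 keeps its original addresses for its own
# traffic and gets one alias per side that is reserved for forwarded traffic.
DEV2_LAN, DEV2_WAN = "192.168.2.1", "10.12.0.217"     # DEV2's own addresses
ALIAS_LAN, ALIAS_WAN = "192.168.2.3", "10.12.0.218"   # aliases added with ip addr add
DEV1, DEV3 = "192.168.2.2", "10.10.3.154"

# Rules 2 and 3: PREROUTING -t nat ... -j DNAT --to <real destination>
DNAT = {ALIAS_LAN: DEV3, ALIAS_WAN: DEV1}


def egress_addr(dst):
    """Primary address of the interface the routing table picks for dst (assumed /24 nets)."""
    return DEV2_LAN if dst.startswith("192.168.2.") else DEV2_WAN


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


# Simplified conntrack: reply tuple as seen on the wire -> packet to emit toward the originator
conntrack = {}


def handle(p):
    """One packet arriving at DEV2; returns it as it leaves, or None if DEV2 keeps it."""
    key = (p.src, p.dst, p.sport, p.dport)
    if key in conntrack:                      # reply to a tracked flow: undo both NATs at once
        return conntrack[key]
    if p.dst in DNAT:                         # rules 2/3 fire only for the alias addresses...
        out = replace(p, dst=DNAT[p.dst])
    elif p.dst in (DEV2_LAN, DEV2_WAN):       # ...so DEV2's own addresses stay local (INPUT)
        return None
    else:
        out = p                               # anything else is forwarded untouched by DNAT
    # Rule 1 (FORWARD -j ACCEPT) lets everything cross; in production narrow it with
    # -s/-d/-p so only the intended DEV1<->DEV3 flows are allowed through.
    # Rule 4 (MASQUERADE): the far side only ever sees DEV2's egress address, never DEV1's.
    out = replace(out, src=egress_addr(out.dst))
    reply_key = (out.dst, out.src, out.dport, out.sport)
    conntrack[reply_key] = Pkt(p.dst, p.src, p.dport, p.sport)
    return out
```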
  • Probably router is not a router... Between DEV1 and DEV2 there is an LTE network simulator which is working as a base station of mobile operator. I am not sure how to interpret this device. Thanks a lot for your reply. – Oleksii Jan 21 '20 at 10:06
  • Could you please explain how two IP addresses ((192.168.2.3 and 192.168.2.1) or (10.12.0.217 and 10.12.0.218)) co-exist together on one device? – Oleksii Jan 21 '20 at 10:22
  • @Алекс it is really standard Linux lore: search for linux two ip addresses on one nic with Google, you will see lots of references. You could also have multiple addresses belonging to disjoint subnets. Basically, the reason for this is that an IP address identifies a connection, while a MAC address identifies a device. A device can have many simultaneous connections! – MariusMatutiae Jan 21 '20 at 11:35
  • Everything works perfectly. I have one more question. Is it possible to specify via which IP address a data packet will be routed? In the current setup each interface has 2 IP addresses and I would like to use them to decouple data from the default interfaces. When I send something to 192.168.2.3 the data is forwarded to 10.12.0.217, but I would like to see it on 10.12.0.218 and vice versa. – Oleksii Jan 23 '20 at 15:32
  • @Алекс Sorry for replying so late, for some reason I did not see your question. Yes, it is possible, it is called policy or source routing. It is too long to describe in a comment, but you will find an excellent introduction here, https://unix.stackexchange.com/a/22794/49626 – MariusMatutiae Apr 27 '20 at 08:33