A network device with multiple IP addresses can be configured as a router.
The following commands set up a router under Linux.
# echo 1 > /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.conf.all.forwarding=1
To make the setting permanent:
sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
On the LAN2 client, the router needs to be configured as the default gateway:
sudo ip route add default via 192.168.20.1
# route add default gw 192.168.20.1 eth1
On LAN1 clients that need to access LAN2 (or on the LAN1 default gateway):
ip route add 10.0.2.0/24 via 192.168.0.2
To make the change permanent, add the route to the dhcpcd hook:
/lib/dhcpcd/dhcpcd-hooks/40-route
ip route add 10.0.2.0/24 via 192.168.0.2
By default, Linux will route all traffic between those two interfaces.
But whenever more restrictive netfilter rules are in place, specific rules must be added to allow connections across subnets.
We can also increase security by restricting the data going across the bridge.
To restrict forwarding to traffic between LAN1 and LAN2:
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
iptables -P FORWARD DROP
Note: with the DROP policy, this also prevents all external traffic (for example Internet access via LAN1) from reaching LAN2.
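As an added example (not part of the original notes), the script below turns the restriction above into a stateful ruleset: instead of two unconditional ACCEPT rules, only LAN1 hosts may open connections to LAN2, and LAN2 only gets the replies back, tracked by conntrack. It assumes eth0 is LAN1 (192.168.10.0/24) and eth1 is LAN2 (192.168.20.0/24), matching the `ifconfig eth1 192.168.20.1` line further down; swap the arguments if your wiring differs.

```shell
#!/bin/sh
# Added example, not from the original notes: build a stateful FORWARD ruleset
# for the two-LAN router above. Interface/subnet assignment is assumed.
# DRY_RUN=1 (default) only prints the iptables commands; DRY_RUN=0 applies
# them (run as root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_rules LAN1_IF LAN1_NET LAN2_IF LAN2_NET
# Unlike two unconditional ACCEPT rules, only LAN1 hosts may open connections
# to LAN2; LAN2 only gets the replies back, tracked by conntrack.
forward_rules() {
    lan1_if=$1; lan1_net=$2; lan2_if=$3; lan2_net=$4
    run iptables -P FORWARD DROP              # default: forward nothing
    run iptables -F FORWARD                   # start from an empty chain
    # replies to connections already accepted, in either direction
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new connections only from LAN1 addresses on LAN1_IF to LAN2 addresses on LAN2_IF
    run iptables -A FORWARD -i "$lan1_if" -o "$lan2_if" \
        -s "$lan1_net" -d "$lan2_net" -m conntrack --ctstate NEW -j ACCEPT
    # rate-limited log of everything that falls through to the DROP policy
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
}

# assumed topology: eth0 = LAN1 192.168.10.0/24, eth1 = LAN2 192.168.20.0/24
forward_rules eth0 192.168.10.0/24 eth1 192.168.20.0/24
```

LAN2 still has no path to the Internet with this policy; a separate ACCEPT rule towards the uplink interface would be needed for that.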
If a single IP address must be shared by all LAN2 devices, NAT can be used:
ifconfig eth1 192.168.20.1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PPPoE server setup (RP-PPPoE is built from source; build-essential and ppp are prerequisites):
# sudo apt-get install build-essential ppp
# Install RP-PPPOE
cd ~/tmp
wget https://www.roaringpenguin.com/files/download/rp-pppoe-3.12.tar.gz
tar xvzf rp-pppoe-*.tar.gz
cd rp-pppoe-*/src/
./configure
make
sudo make install
cd -
rm -rf rp-pppoe-*
Client                                 PPP Server                               Gateway
lan: 192.168.1.x       192.168.20.2    192.168.20.1        192.168.10.210       192.168.10.100
user: brcm-test      <------------->   ppp0                eth0      <-------->  DNS ...
pswd: brcm-password
The PPPoE server is set up via its configuration file:
/etc/ppp/pppoe-server-options
require-pap
require-chap
login
# login
lcp-echo-interval 10
lcp-echo-failure 2
mru 1452
mtu 1452
ms-dns 192.168.10.100
netmask 255.255.255.0
defaultroute
# noipdefault
# usepeerdns
# debug
dump
PPP clients (name, password and IP address) are defined in the pppd secrets file:
/etc/ppp/chap-secrets
"username" * "" # "username" * "" "brcm-test" * "brcm-password" 192.168.20.80
# start PPPoE server
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo pppoe-server -I eno1 -C brcm-pppoe-server -S brcm-pppoe -L 192.168.20.1 -R 192.168.20.2
# Stop PPPoE server
killall pppoe-server pppd
echo 0 > /proc/sys/net/ipv4/ip_forward
# if not done automatically
sudo route add -net 192.168.20.0/24 gw 192.168.20.80 ppp0
# enable debug in pppoe-server-options, then check the log
cat /var/log/syslog
# To ping LAN/WAN systems on the gw router
route add -net 192.168.20.0/24 gw 192.168.10.210
iptables -t nat -A POSTROUTING -o eth0.1 -j MASQUERADE
# Dump local traffic
sudo tcpdump -i eno1 "pppoed or pppoes"
Proxy ARP allows bridging an Ethernet LAN to a WiFi station (STA):
sudo apt-get install parprouted dhcp-helper avahi-daemon
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
ip link set wlan0 promisc on
ip ro add 192.168.0.111/32 dev eth0
dhcp:
sudo vi /etc/sysctl.conf
net.ipv4.ip_forward=1
more /etc/systemd/network/99-default.link
vim.tiny /etc/default/dhcp-helper
vim.tiny /etc/avahi/avahi-daemon.conf
22-Feb-2020