Welcome to the Linux Foundation Forum!

Debian Stretch and 2 different networks

Hello, guys! How are you?

I'm facing a problem. I have 2 networks (192.168.1.0/24 and 192.168.2.0/24) and what happens is this: in the 1st network (192.168.1.0/24) there's a gateway (192.168.1.1) to the Internet, and the 2nd network needs to pass through the 1st network to reach the Internet.
To connect both networks, I have 2 servers (Debian "Stretch" 9.6.0) working as MASTER and SLAVE, and the idea is to use them as the gateway for the 2nd network, like this:

[INTERNET] --- [1st GATEWAY] --- [192.168.1.0/24] --- [2nd GATEWAY (Servers MASTER/SLAVE: Debian)] --- [192.168.2.0/24]
Both servers use enp0s3 to connect to 192.168.1.0/24 and enp0s8 to connect to 192.168.2.0/24, and they work as DNS and DHCP for 192.168.2.0/24.

I tried to add a default route to 192.168.1.1 (my 1st gateway) like this:

route add 192.168.1.1/32 dev enp0s8   # interface connected to my 2nd network

route add default gw 192.168.1.1

But when I try to install Debian on a client in 192.168.2.0/24, during network auto-detection it says there is no default route to the Internet. When I proceed with the installation (pointing to the server 192.168.2.1), the installer tries to set a repository mirror but fails, saying it wasn't possible to get that mirror, either because the network (repository) is unreachable or because the repository is broken/offline.
About the Windows client: when I set the Primary and Secondary DNS, instead of using 192.168.2.1 and 192.168.2.2 as my DNS for 192.168.2.0/24, I need to set 192.168.1.1 as Primary DNS.

My network interfaces are set like this:

cat /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# Interface on the 1st network (192.168.1.0/24): the only one with a gateway
auto enp0s3
iface enp0s3 inet static
    address 192.168.1.181   # 2nd server: 192.168.1.182
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

# Interface on the 2nd network (192.168.2.0/24)
auto enp0s8
iface enp0s8 inet static
    address 192.168.2.1     # 2nd server: 192.168.2.2
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255
    #gateway 192.168.2.1

Also, my DHCP is set like this (with failover setting):

cat /etc/dhcp/dhcpd.conf

# Master server // The slave server is almost the same, except for a few details that make it work as the FAILOVER server

authoritative;
ddns-update-style interim;
option domain-name "mynetwork.local";
option domain-name-servers ns1.mynetwork.local, ns2.mynetwork.local, 192.168.2.1, 192.168.2.2;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

failover peer "DHCP-FAILOVER" {
    primary;                  # the slave's copy declares "secondary;"
    address 192.168.2.1;
    port 647;
    peer address 192.168.2.2;
    peer port 647;

    max-response-delay 30;
    max-unacked-updates 10;

    load balance max seconds 3;
    mclt 1800;
    split 128;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
    # Both gateways are handed out as routers and as DNS for the clients
    option routers 192.168.2.1, 192.168.2.2;
    option subnet-mask 255.255.255.0;
    option domain-name "mynetwork.local";
    option domain-name-servers 192.168.2.1, 192.168.2.2;

    option netbios-dd-server 192.168.2.1, 192.168.2.2;
    option netbios-name-servers 192.168.2.1, 192.168.2.2;
    option netbios-node-type 8;

    option nis-domain "mynetwork.local";
    option nis-servers 192.168.2.1, 192.168.2.2;
    option nisplus-domain "mynetwork.local";
    option nisplus-servers 192.168.2.1, 192.168.2.2;

    option ntp-servers 192.168.2.1, 192.168.2.2;

    option time-offset -18000;

    # The address pool is shared between the two peers through the failover relation
    pool {
        failover peer "DHCP-FAILOVER";
        range 192.168.2.3 192.168.2.254;
    }
}

And, finally, my firewall script is this:

#!/bin/bash

modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_MASQUERADE
modprobe ip_tables
modprobe nf_conntrack
modprobe nf_conntrack_ipv4
modprobe nf_nat
modprobe nf_tables
modprobe nf_tables_ipv4
modprobe nft_masq
modprobe nft_masq_ipv4
modprobe nft_nat
modprobe nft_redir
modprobe nft_redir_ipv4

# Flush every table, then set the default policies: drop inbound and forwarded
# traffic unless a rule below accepts it, allow everything the box itself sends
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

EXTERNAL_NETWORK=192.168.1.0   # My 1st network
EXTERNAL_INTERFACE=enp0s3      # Interface connected to 192.168.1.0/24
INTERNAL_NETWORK=192.168.2.0   # My 2nd network
INTERNAL_INTERFACE=enp0s8      # Interface connected to 192.168.2.0/24

# Getting the hostname to set the variable "SRV_IP_ADDR"
[[ $(hostname) = master ]] && SRV_IP_ADDR=192.168.2.1 || SRV_IP_ADDR=192.168.2.2

# Enable routing between the interfaces and source-NAT everything that leaves through enp0s3
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Every packet arriving on enp0s3, and every packet forwarded in from it, is accepted
iptables -A INPUT -i $EXTERNAL_INTERFACE -j ACCEPT # Interface enp0s3
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -j ACCEPT

# Replies belonging to connections conntrack already knows about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accepting SSH connections
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 1024 -j ACCEPT
iptables -A INPUT -s $EXTERNAL_NETWORK/24 -p tcp --dport 1024 -j ACCEPT

# If a packet goes to the Internet (external network), it must return to the internal network
iptables -A FORWARD -d $INTERNAL_NETWORK/24 -p tcp -j ACCEPT
iptables -A FORWARD -s $INTERNAL_NETWORK/24 -p tcp -j ACCEPT

# Accepting WWW, WWWS, DHCP and DNS connections/queries
iptables -A FORWARD -s $SRV_IP_ADDR -m multiport -p tcp --dport 80,443 -j ACCEPT
iptables -A FORWARD -d $SRV_IP_ADDR -m multiport -p tcp --sport 80,443 -j ACCEPT

# These 2 lines below are for TCP
iptables -A FORWARD -s $INTERNAL_NETWORK/24 -m multiport -p tcp --dport 53,67 -j ACCEPT
iptables -A FORWARD -d $INTERNAL_NETWORK/24 -m multiport -p tcp --sport 53,67 -j ACCEPT

# These 2 lines below are for UDP
iptables -A FORWARD -s $INTERNAL_NETWORK/24 -m multiport -p udp --dport 53,67 -j ACCEPT
iptables -A FORWARD -d $INTERNAL_NETWORK/24 -m multiport -p udp --sport 53,67 -j ACCEPT

# Note: the port 53/67 rules above all sit in the FORWARD chain; no INPUT rule mentions
# $INTERNAL_INTERFACE, so packets addressed to the server itself on enp0s8 fall through
# to the INPUT DROP policy

What do I need to do to make my servers work as the gateway and Primary/Secondary DNS for 192.168.2.0/24?
And how do I set a default route from 192.168.2.0/24 ---> 192.168.1.0/24?

Thank you for your attention.
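As an added example (this is not the poster's script and not a configuration from the thread), here is how a two-interface Debian gateway for the topology above can be expressed as one iptables-restore ruleset: the box's own services are accepted on the internal interface, forwarding is allowed only from internal to external, and MASQUERADE is applied on the upstream side. It assumes the interface names, subnets and the custom SSH port 1024 from the post, that the DHCP failover peers talk over TCP 647 on their 192.168.2.x addresses as in the dhcpd.conf above, that the box also answers NTP (the `ntp-servers` option points at it), and that the default route is the one /etc/network/interfaces already installs via enp0s3 (gateway 192.168.1.1), with no host route to 192.168.1.1 pointing out the internal interface. The function names `gen_ruleset`, `apply_ruleset` and `count_ext_accepts` are mine.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumed topology (hypothetical, taken from the post):
#   EXT_IF enp0s3 on 192.168.1.0/24, upstream gateway 192.168.1.1
#   INT_IF enp0s8 on 192.168.2.0/24, this box is 192.168.2.1 or 192.168.2.2
#   SSH listens on TCP 1024, as in the original script.
EXT_IF=enp0s3
EXT_NET=192.168.1.0/24
INT_IF=enp0s8
INT_NET=192.168.2.0/24
SSH_PORT=1024

# Print the whole ruleset in iptables-save format. One text blob can be
# reviewed, diffed and loaded atomically instead of built up rule by rule.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT only the internal subnet, and only when it leaves upstream.
-A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services this box offers to the internal subnet: DNS (53), DHCP (67), NTP (123).
# Without these the INPUT DROP policy discards the clients' queries to the box.
-A INPUT -i $INT_IF -p udp -m multiport --dports 53,67,123 -j ACCEPT
-A INPUT -i $INT_IF -p tcp --dport 53 -j ACCEPT
# DHCP failover peer traffic between the two gateways (TCP 647, internal addresses).
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 647 -j ACCEPT
-A INPUT -i $INT_IF -p icmp --icmp-type echo-request -j ACCEPT
# Management from the upstream LAN only, on the custom SSH port.
-A INPUT -i $EXT_IF -s $EXT_NET -p tcp --dport $SSH_PORT -j ACCEPT
# Forwarding: internal clients may open connections outward; the replies come
# back through the conntrack rule. Nothing unsolicited is forwarded ext -> int.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
COMMIT
EOF
}

# Apply atomically: enable forwarding, then load the complete ruleset.
# iptables-restore validates the whole file before committing, so a typo
# leaves the previous rules in place instead of half-built chains.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

# Self-check: number of INPUT rules that accept unsolicited traffic arriving
# on the upstream interface. Expected to be exactly one (the SSH rule).
count_ext_accepts() {
    gen_ruleset | grep -c -- "^-A INPUT -i $EXT_IF .* -j ACCEPT"
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review, or with `apply` as root to load it. The nat rule is restricted to `-s 192.168.2.0/24` so that only the internal subnet is masqueraded, and the only thing accepted unsolicited on enp0s3 is SSH from the upstream LAN; make `ip_forward` persistent through /etc/sysctl.d/ rather than relying on the script having run.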
