Welcome to the Linux Foundation Forum!

Debian as gateway for subnet/2nd network

Hello, guys! How are you?

I'm facing a problem. I have 2 networks (192.168.1.0/24 and 192.168.2.0/24) and what happen is this: in the 1st network (192.168.1.0/24) there's a gateway (192.168.1.1) to the Internet, and the 2nd network needs to pass through the 1st network to reach Internet.
To connect both networks, I have 2 servers (Debian "Stretch" 9.6.0) working as MASTER and SLAVE, and the idea is to use them as gateway for the 2nd network, like this:

[INTERNET] --- [1st GATEWAY] --- [192.168.1.0/24] --- [2nd GATEWAY (Servers MASTER/SLAVE: Debian)] --- [192.168.2.0/24]
Both servers are using enp0s3 to connect to 192.168.1.0/24 and enp0s8 to connect to 192.168.2.0/24, and they are working as DNS and DHCP for 192.168.2.0/24

I tried to add a default route to 192.168.1.1 (my 1st gateway) like this:
route add 192.168.1.1/32 dev enp0s8 (interface connected to my 2nd network)
route add default gw 192.168.1.1

But when I try to install Debian in a client on 192.168.2.0/24, during the network auto detection, it says there's no default route to Internet. When I proceed the installation (pointing to the server 192.168.2.1) the installer tries to set a repository mirror but it fails, saying that it wasn't possible to get that mirror, either because the network (repository) is unreachable or because the repository is broken/offline.
About Windows client, when I am setting Primary and Secondary DNS, instead of use 192.168.2.1 and 192.168.2.2 as my DNS for 192.168.2.0/24, I need to set 192.168.1.1 as Primary DNS.

My network interfaces are set like this:

FILE: /etc/network/interfaces

  1. source /etc/network/interfaces.d/*
  2.  
  3. auto lo
  4. iface lo inet loopback
  5.  
  6. auto enp0s3
  7. iface enp0s3 inet static
  8. network 192.168.1.0
  9. gateway 192.168.1.1
  10. broadcast 192.168.1.255
  11. netmask 255.255.255.0
  12. address 192.168.1.181 // 2nd server: address 192.168.1.182
  13.  
  14. auto enp0s8
  15. iface enp0s8 inet static
  16. network 192.168.2.0
  17. broadcast 192.168.2.255
  18. netmask 255.255.255.0
  19. address 192.168.2.1 // 2nd server: address 192.168.2.2

Also, my DHCP is set like this (with failover setting):
cat /etc/dhcp/dhcpd.conf
// This is the Master Server, while the Slave Server is almost equal, except few details to make it work as FAILOVER server

  1. authoritative;
  2. ddns-update-style interim;
  3. option domain-name "mynetwork.local";
  4. option domain-name-servers ns1.mynetwork.local, ns2.mynetwork.local, 192.168.2.1, 192.168.2.2;
  5. default-lease-time 600;
  6. max-lease-time 7200;
  7. log-facility local7;
  8.  
  9. failover peer "DHCP-FAILOVER" {
  10. primary;
  11. address 192.168.2.1;
  12. port 647;
  13.  
  14. peer address 192.168.2.2;
  15. peer port 647;
  16. max-response-delay 30;
  17. max-unacked-updates 10;
  18. load balance max seconds 3;
  19. mclt 1800;
  20. split 128;
  21. }
  22.  
  23. subnet 192.168.2.0 netmask 255.255.255.0 {
  24. option routers 192.168.2.1, 192.168.2.2;
  25. option subnet-mask 255.255.255.0;
  26. option domain-name "mynetwork.local";
  27. option domain-name-servers 192.168.2.1, 192.168.2.2;
  28.  
  29. option netbios-dd-server 192.168.2.1, 192.168.2.2;
  30. option netbios-name-servers 192.168.2.1, 192.168.2.2;
  31. option netbios-node-type 8;
  32. option nis-domain "mynetwork.local";
  33. option nis-servers 192.168.2.1, 192.168.2.2;
  34. option nisplus-domain "mynetwork.local";
  35. option nisplus-servers 192.168.2.1, 192.168.2.2;
  36. option ntp-servers 192.168.2.1, 192.168.2.2;
  37. option time-offset -18000;
  38. pool {
  39. failover peer "DHCP-FAILOVER";
  40. range 192.168.2.3 192.168.2.254;
  41. }
  42. }

And, finally, my firewall script is this:

  1. #!/bin/bash
  2.  
  3. modprobe iptable_nat
  4. modprobe iptable_filter
  5. modprobe iptable_mangle
  6. modprobe ipt_MASQUERADE
  7. modprobe ip_tables
  8. modprobe nf_conntrack
  9. modprobe nf_conntrack_ipv4
  10. modprobe nf_nat
  11. modprobe nf_tables
  12. modprobe nf_tables_ipv4
  13. modprobe nft_masq
  14. modprobe nft_masq_ipv4
  15. modprobe nft_nat
  16. modprobe nft_redir
  17. modprobe nft_redir_ipv4
  18.  
  19. iptables -t filter -F
  20. iptables -t mangle -F
  21. iptables -t nat -F
  22.  
  23. iptables -P INPUT DROP
  24. iptables -P FORWARD DROP
  25. iptables -P OUTPUT ACCEPT
  26.  
  27. EXTERNAL_NETWORK=192.168.1.0 # My 1st network
  28. EXTERNAL_INTERFACE=enp0s3 # Interface connected to 192.168.1.0/24
  29. INTERNAL_NETWORK=192.168.2.0 # My 2nd network
  30. INTERNAL_INTERFACE=enp0s8 # Interface connected to 192.168.2.0/24
  31.  
  32. [[ $(hostname) = master ]] && SRV_IP_ADDR=192.168.2.1 || SRV_IP_ADDR=192.168.2.2
  33.  
  34. echo 1 > /proc/sys/net/ipv4/ip_forward
  35. iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
  36.  
  37. iptables -A INPUT -i lo -j ACCEPT
  38. iptables -A OUTPUT -o lo -j ACCEPT
  39. iptables -A INPUT -i $EXTERNAL_INTERFACE -j ACCEPT # Interface enp0s3
  40. iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j ACCEPT
  41. iptables -A FORWARD -i $EXTERNAL_INTERFACE -j ACCEPT
  42.  
  43. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  44. iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  45. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  46.  
  47. // SSH Connections
  48. iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 1024 -j ACCEPT
  49. iptables -A INPUT -s $EXTERNAL_NETWORK/24 -p tcp --dport 1024 -j ACCEPT
  50.  
  51. //If a package goes to the internet (external network), it must return to the internal network
  52. iptables -A FORWARD -d $INTERNAL_NETWORK/24 -p tcp -j ACCEPT
  53. iptables -A FORWARD -s $INTERNAL_NETWORK/24 -p tcp -j ACCEPT
  54. // Accepting WWW, WWWS, DHCP and DNS connections/queries
  55. iptables -A FORWARD -s $SRV_IP_ADDR -m multiport -p tcp --dport 80,443 -j ACCEPT
  56. iptables -A FORWARD -d $SRV_IP_ADDR -m multiport -p tcp --sport 80,443 -j ACCEPT
  57. // These 2 lines bellow are for TCP
  58. iptables -A FORWARD -s $INTERNAL_NETWORK/24 -m multiport -p tcp --dport 53,67 -j ACCEPT
  59. iptables -A FORWARD -d $INTERNAL_NETWORK/24 -m multiport -p tcp --sport 53,67 -j ACCEPT
  60. // These 2 lines bellow are for UDP
  61. iptables -A FORWARD -s $INTERNAL_NETWORK/24 -m multiport -p udp --dport 53,67 -j ACCEPT
  62. iptables -A FORWARD -d $INTERNAL_NETWORK/24 -m multiport -p udp --sport 53,67 -j ACCEPT

What do I need to do to make my servers work as gateway / Primary-Secondary DNS for 192.168.2.0/24?
And how do I set a default route from 192.168.2.0/24 ---> 192.168.1.0/24?

Thank you for your attention.

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Categories

Upcoming Training