Score:1

Linux ipv4 forwarding not working as expected


I want to use my Raspberry Pi as an intermediate router to access other LANs. Something like the following.

──────────────────────vpn 10.1.4.x─┐
                                   │
router 10.1.1.1────────────pi4b 10.1.1.42─────────>pc 10.1.1.43
      │
      ├───────────────────────────────────────────>tv
      │
      ├───────────────────────────────────────────>ps5
      │
      └───────────────────────────────────────────>etc...

So I enabled IPv4 forwarding in the pi4b kernel.

net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 1

On the Pi there is a default route to the router (10.1.1.1), and the PC has its default route set to the Pi (10.1.1.42). I don't have access to the router's routing tables, but I assume nothing special. It's a Redmi AX6; SSH is not available.

But then I cannot access internet on my pc.

magrathea:~ jeffwhen$ traceroute 223.5.5.5
traceroute to 223.5.5.5 (223.5.5.5), 64 hops max, 52 byte packets
 1  * pi4b (10.1.1.42)  2.248 ms *
 2  xiaoqiang (10.1.1.1)  2.292 ms  1.317 ms  1.258 ms
 3  * * *
 4  * * *

What did I do wrong? Any help would be appreciated.


Another piece of info which might be helpful: after adding masquerade in nat POSTROUTING chain, I can access internet on my pc. I think this means the pc does send everything through my raspberry pi. But why is masquerading necessary?

vidarlo:
What is the routing table on the PC? What is the routing table on the Pi? What is the routing table on your router?
Jeffwhen:
@vidarlo The PC has a default route to the Pi, and the Pi has a default route to the router. I can't access the router's routing table.
vidarlo:
Does the Pi have two interfaces?
Jeffwhen:
@vidarlo Not yet.
Jeffwhen:
My plan is to connect to the office VPN on the Pi, then NAT certain traffic to the VPN link by masquerading. But I haven't started those configurations. I figure I have to be able to access the internet via my router first.
Score:1

When your Pi gets a packet that is not handled directly, it probably issues an ICMP route redirect, telling your PC to use 10.1.1.1 directly. This however doesn't work very well; it's a security risk, so many modern operating systems ignore them.

The proper solution is one of two:

  • Have one router per subnet
  • Have a route explicitly declared on the client.

One router per subnet

Configure the network between your Pi and your PC to a different subnet than the rest of your LAN, e.g. 10.1.2.0/24. Your Pi will then have a default route with gw 10.1.1.1, and 10.1.4.0/24 with some gateway.

Any machines behind the Pi will simply have 10.1.2.0/24 with Pi as gateway.

Declare route on client

Configure your Pi to have an IP in the 10.1.1.0/24 subnet. Do not set it as the default gateway on any PCs; they should all have 10.1.1.1.

Add a route to 10.1.4.0/24 via the Pi. On Windows this can be done with

route ADD 10.1.4.0 MASK 255.255.255.0 10.1.1.42 

Use route -p ADD... to persist the route across reboots.
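As an added example (not code from the original question or answer): a small Python model of the Linux forwarding decision that the answer relies on, run over the three layouts discussed. The rule it implements is the kernel's (net/ipv4/route.c): a forwarded packet is marked for an ICMP redirect only when it leaves by the interface it arrived on, send_redirects is enabled for that interface, and the sender's address is on-link with the next hop. That is exactly the hairpin of the flat layout in the question, and neither of the two fixes produces it. Interface names (eth0, eth1, tun0, en0), the second Pi interface, the tunnel address and all PC addresses other than 10.1.1.43 are assumptions.

```python
"""Model of the Linux forwarding decision behind the two fixes above.

Added example, not code from the original question or answer. Interface
names (eth0, eth1, tun0, en0), the tunnel address and the PC addresses
other than 10.1.1.43 are assumptions. The redirect rule mirrors
net/ipv4/route.c: a forwarded packet is flagged IPSKB_DOREDIRECT only when
it leaves on the interface it arrived on, send_redirects is on, and the
sender is on-link with the next hop; ip_forward() then sends ICMP type 5.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_network


@dataclass
class Host:
    name: str
    ifaces: dict                                # ifname -> IPv4Interface
    routes: list = field(default_factory=list)  # (IPv4Network, gateway|None, ifname)
    send_redirects: bool = True                 # net.ipv4.conf.<if>.send_redirects

    def lookup(self, dst: IPv4Address):
        """Longest-prefix match over the routing table (the FIB lookup)."""
        best = None
        for net, gw, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifname)
        return best

    def onlink(self, ifname: str, a: IPv4Address, b: IPv4Address) -> bool:
        """inet_addr_onlink(): an address configured on ifname covers both a and b."""
        net = self.ifaces[ifname].network
        return a in net and b in net

    def forward(self, in_if: str, src: IPv4Address, dst: IPv4Address):
        """Forward a packet received on in_if; returns (out_if, nexthop, redirect)."""
        hit = self.lookup(dst)
        if hit is None:
            return None, None, False            # no route: ICMP unreachable instead
        _net, gw, out_if = hit
        nexthop = gw if gw is not None else dst  # directly connected: next hop is dst
        # __mkroute_input(): redirect only when the packet hairpins out the same
        # interface and the sender could have reached the next hop itself.
        redirect = (out_if == in_if and self.send_redirects
                    and self.onlink(out_if, src, nexthop))
        return out_if, str(nexthop), redirect


def make_pi(extra_ifaces=None, extra_routes=None, send_redirects=True) -> Host:
    """The Pi from the question: 10.1.1.42/24 on eth0, default route via 10.1.1.1."""
    ifaces = {"eth0": IPv4Interface("10.1.1.42/24")}
    ifaces.update(extra_ifaces or {})
    routes = [(ip_network("10.1.1.0/24"), None, "eth0"),
              (ip_network("0.0.0.0/0"), ip_address("10.1.1.1"), "eth0")]
    routes += extra_routes or []
    return Host("pi4b", ifaces, routes, send_redirects)


def scenario_flat(send_redirects=True):
    """Original layout: PC 10.1.1.43 uses the Pi (same /24) as its default gateway."""
    pi = make_pi(send_redirects=send_redirects)
    return pi.forward("eth0", ip_address("10.1.1.43"), ip_address("223.5.5.5"))


def scenario_separate_subnet():
    """One router per subnet: PC 10.1.2.10 (assumed) behind an assumed second
    Pi interface eth1 = 10.1.2.1/24. Only the outbound hop is modelled."""
    pi = make_pi({"eth1": IPv4Interface("10.1.2.1/24")},
                 [(ip_network("10.1.2.0/24"), None, "eth1")])
    return pi.forward("eth1", ip_address("10.1.2.10"), ip_address("223.5.5.5"))


def scenario_client_route():
    """Route on the client: PC keeps 10.1.1.1 as default and sends 10.1.4.0/24
    via the Pi, which forwards it into the VPN tunnel (assumed tun0, 10.1.4.2/24)."""
    pi = make_pi({"tun0": IPv4Interface("10.1.4.2/24")},
                 [(ip_network("10.1.4.0/24"), None, "tun0")])
    pc = Host("pc", {"en0": IPv4Interface("10.1.1.43/24")},
              [(ip_network("10.1.1.0/24"), None, "en0"),
               (ip_network("10.1.4.0/24"), ip_address("10.1.1.42"), "en0"),
               (ip_network("0.0.0.0/0"), ip_address("10.1.1.1"), "en0")])

    def first_hop(d):
        gw = pc.lookup(d)[1]
        return str(d if gw is None else gw)

    hops = {str(d): first_hop(d)
            for d in (ip_address("223.5.5.5"), ip_address("10.1.4.7"))}
    return hops, pi.forward("eth0", ip_address("10.1.1.43"), ip_address("10.1.4.7"))


if __name__ == "__main__":
    print("flat LAN, Pi as gateway:    ", scenario_flat())
    print("flat LAN, send_redirects=0: ", scenario_flat(send_redirects=False))
    print("separate downstream subnet: ", scenario_separate_subnet())
    print("client route to 10.1.4.0/24:", scenario_client_route())
```

Run it with python3 to print the four results: only the flat layout yields redirect=True, and turning send_redirects off merely stops the redirect while the hairpin forwarding remains. One caveat the separate-subnet option needs in practice: the model covers only the outbound hop. Replies from 10.1.1.1 to 10.1.2.0/24 need a route back via 10.1.1.42 on that router, and on a router you cannot configure (as in the question) the Pi has to masquerade the downstream subnet instead.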

Jeffwhen:
This is very detailed. Thank you. So I tried to capture the ICMP redirect in wireshark using expression `icmp.type == 5`. But I couldn't get any. Why is that?
vidarlo:
I'll admit it's a bit of a shot from the hip, based on experience ;)