I'm attempting to configure my server, but it's proving to be impossible. Thus, you are my last hope!
To provide some context, my virtual server (Ubuntu 22.04 Server LTS) has 3 network devices connected to different networks:
- ens160 (Internet)
- ens192 (service)
- ens224 (management)
In my company, it is mandatory to separate the management service from the web service on my internal network. Therefore, I need to route the incoming traffic accordingly.
As far as I know, netplan cannot achieve this as it is based on static routing. That's why I'm trying to accomplish it with PBR (iptables), but I'm not succeeding!
Here are the steps I have taken:
- `iptables -t mangle -A PREROUTING -i ens192 -j MARK --set-mark 1`
- `iptables -t mangle -A PREROUTING -i ens224 -j MARK --set-mark 2`
- Add tables in `/etc/iproute2/rt_tables`:
  - `201 ens192_table`
  - `202 ens224_table`
- `ip route add 10.10.0.0/16 dev ens192 table ens192_table`
- `ip route add 10.10.0.0/16 dev ens224 table ens224_table`
- `ip rule add fwmark 1 table ens192_table`
- `ip rule add fwmark 2 table ens224_table`
- uncomment `net.ipv4.ip_forward=1` in `/etc/sysctl.conf`
- `sudo sysctl -p`
- Netplan:

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: no
      addresses: [172.16.0.4/24]
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search: []
      routes:
        - to: 0.0.0.0/0
          via: 172.16.0.1
    ens192:
      dhcp4: no
      addresses: [172.16.1.4/24]
      routes:
        - to: 10.10.0.0/16
          via: 172.16.1.1
    ens224:
      dhcp4: no
      addresses: [172.16.2.4/16]
      routes:
        - to: 10.10.0.0/16
          via: 172.16.2.1
```
The local and perimeter firewalls are working perfectly.
Here's the issue I'm facing: When I ping from the IP 10.10.5.20 to the IP 172.16.1.4, the traffic goes back through ens192 (OK). However, when I ping from the IP 10.10.5.20 to the IP 172.16.2.4, the traffic also goes back through ens192 (Not OK). It should be going back through ens224.
Finally, my question is:
Is it possible to achieve what I'm trying to do?
Thank you for your assistance.
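Added illustration, not part of the original post: a small Python model of how Linux evaluates `ip rule` priorities and per-table longest-prefix lookups, applied to the setup described above. The rule list and route tables are constructed to mirror the post; the entry order in `main` and the extra source-address rule `FROM_RULE` are assumptions, and `fwmark=0` models a locally generated echo reply, which never passes mangle PREROUTING and therefore never receives a MARK.

```python
import ipaddress

# Constructed to mirror the question: (priority, selectors, table). Linux walks
# rules in ascending priority; the first match whose table has a route wins.
RULES = [
    (0, {}, "local"),
    (32764, {"fwmark": 1}, "ens192_table"),
    (32765, {"fwmark": 2}, "ens224_table"),
    (32766, {}, "main"),
]
# Constructed tables as (prefix, egress device). The entry order in "main" is an
# assumption (ens192 route installed first), consistent with what the post reports.
TABLES = {
    "local": [],
    "ens192_table": [("10.10.0.0/16", "ens192")],
    "ens224_table": [("10.10.0.0/16", "ens224")],
    "main": [("10.10.0.0/16", "ens192"), ("10.10.0.0/16", "ens224"),
             ("0.0.0.0/0", "ens160")],
}
# Assumed extra rule for comparison: pick the table by source address instead.
FROM_RULE = (100, {"from": "172.16.2.4/32"}, "ens224_table")

def rule_matches(selectors, src, fwmark):
    """True when every selector on the rule matches the packet."""
    if selectors.get("fwmark", fwmark) != fwmark:
        return False
    if "from" in selectors and src not in ipaddress.ip_network(selectors["from"]):
        return False
    return True

def lookup_table(table, dst):
    """Longest-prefix match; among equal prefixes the first entry wins."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress_device(src, dst, fwmark=0, rules=RULES):
    """Device a packet leaves on. fwmark=0 models a locally generated echo reply:
    it never traverses mangle PREROUTING, so the MARK rules never see it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selectors, table in sorted(rules, key=lambda r: r[0]):
        if rule_matches(selectors, src, fwmark):
            dev = lookup_table(table, dst)
            if dev is not None:  # a table with no matching route falls through
                return dev
    return None
```

Calling `egress_device("172.16.2.4", "10.10.5.20")` returns `ens192`, reproducing the observed behaviour, while the same call with `rules=RULES + [FROM_RULE]` returns `ens224`.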