How to forward traffic across two Ethernet cards

Tags: network-interface, networking, routing

I'm having a hard time figuring out how to set this up right. I can barely formulate a google query that explains it, so I'll try to do my best.

I have a Ubuntu PC with two NIC cards.

eth0 (192.168.1.0) goes to the main default gateway and out to the internet, and
eth1 (192.168.176.0) goes to a network switch with a bunch of IP cams connected to it.

I've enabled IP forwarding and iptables rules and hosts on the router PC. Hosts inside the eth1 network can reach the internet and can reach other hosts on the eth0 network. So this is good.

What I'm trying to do now, is get hosts inside the eth0 network to be able to access the hosts inside the eth1 network.

The computers are on eth0 network but the network cameras are on eth1 network. A single computer with two NIC cards acts as the bridge. Ultimately I want the computers on eth0 to be able to see the IP cameras on eth1.

Trying to map it out:
hosts on 192.168.1.1 should be able to see hosts on 192.168.176.1 but can't.

hosts on 192.168.176.1 CAN see hosts on 192.168.1.1 (these hosts can also get out to the internet). So all good here.

So far I have these IP rules and these have allowed the eth1 network to get out.

iptables --table nat --append POSTROUTING --out-interface enp1s0 -j MASQUERADE
iptables --append FORWARD --in-interface enp3s0 -j ACCEPT

I guess my question is: how can the eth0 network get to hosts in the eth1 network?

Do I have to add routes on the individual computers that want to access the eth1 network?

Do I need to set up forwarding between the eth0 & eth1 interfaces on the router PC?

Here's my current add route command, /etc/network/interfaces and iptables rules:

(On macOS:)
sudo route -n add -net 192.168.176.0/24 192.168.1.1

(on two-NIC PC) /etc/network/interfaces:

# primary interface enp1s0
auto enp1s0
iface enp1s0 inet static
    address 192.168.1.12
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1
    dns-nameservers 8.8.4.4 8.8.8.8

# secondary interface enp3s0
auto enp3s0
iface enp3s0 inet static
    address 192.168.176.1
    netmask 255.255.255.0
    broadcast 192.168.176.255
    network 192.168.176.0

(on two-NIC PC) iptables rules:

iptables -t filter -A FORWARD -i enp1s0 -o enp3s0 -j ACCEPT
iptables -t filter -A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

Best Answer

Your issue is mainly the route configuration of the hosts. I assume your current setup is as follows:

  • enp1s0 interface has ip address 192.168.1.1/24
  • enp3s0 interface has ip address 192.168.176.1/24

For hosts on the two IP networks to communicate, they need a dedicated entry in their routing table.

  1. The hosts on 192.168.1.0/24 that need to access the IP camera need to know that 192.168.1.1 is the router for 192.168.176.0/24.
  2. The hosts on 192.168.176.0/24 need a route to 192.168.1.0/24.

Now I assume that the static/DHCP configuration for the IP cameras is to route default traffic through 192.168.176.1, so they know where to send packets for the PCs. But the PCs on 192.168.1.0/24 have only one default entry, the internet router. So any packet to 192.168.176.0/24 gets sent there and is lost.

You can either

  • configure your DHCP router on 192.168.1.0/24 to advertise a static route to 192.168.176.0/24 via 192.168.1.1 with the "classless static route" option
  • add manually 192.168.1.1 as a gateway to 192.168.176.0/24 on the PCs

You will also need to flush your iptables rules. The POSTROUTING rule will mess up the routing and the FORWARD rule is useless (unless you have a DROP policy).

iptables -t nat -F POSTROUTING
iptables -F FORWARD

Your cameras could see the PCs because they were configured with a default gateway of 192.168.176.1 and the nat POSTROUTING entry. For example, if IP camera 192.168.176.10 sends a packet to PC 192.168.1.20, the packet will first be sent to 192.168.176.1 (enp3s0), the default gateway. The Ubuntu PC will forward the packet to enp1s0, rewriting the sender's address as its own, 192.168.1.1. When 192.168.1.20 replies, it sends the packet back to the substituted address, 192.168.1.1. When the Ubuntu PC receives it, it knows it is a reply to the IP camera 192.168.176.10. So it rewrites the destination address to 192.168.176.10 and forwards it through enp3s0.

Now you don't want to mess up packets with NAT; you just need IP routing. In the preceding example, the PC sees the camera IP address as 192.168.1.1, as it was substituted by the Ubuntu PC. Once you have set correct routes,

  • in a connection initiated by the PC to the camera, the PC will see the camera IP address as 192.168.176.10.
  • in a connection initiated by the camera to the PC, the PC will still see the camera IP address as 192.168.1.1 (NAT'ed address)

For simple IP devices, the second is unlikely to matter, but it could lead to buggy behaviour, for example if you had a managed switch and wanted to use SNMP traps. You should delete the iptables -t nat -A POSTROUTING -j MASQUERADE rule.

One issue that will arise: Do you want your IP cameras to access the internet? If not, I would include an iptables FORWARD route to deny packets from 192.168.176.0/24 going anywhere except 192.168.1.0/24. If you wish to grant access, you will need to configure your router with a static route to 192.168.176.0/24.
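The router-side changes the answer describes (forwarding on, MASQUERADE gone, cameras confined to the LAN) together with the per-PC route, as an added example that is not part of the original question or answer. It assumes the answer's addresses (enp1s0 = 192.168.1.1/24, enp3s0 = 192.168.176.1/24); the interfaces file posted in the question actually gives the Ubuntu box 192.168.1.12, so set ROUTER_LAN_IP to whatever the LAN side really is. By default it only prints the commands (a dry run); set IPT=iptables and SYSCTL=sysctl and run it as root to apply them. The conntrack match, the LOG/DROP pair, and the `client_route` helper are this example's own choices, not something the answer specifies.

```shell
#!/bin/sh
# Added example: router-side setup for the two-NIC Ubuntu box plus the
# client-side static route. Not code from the original post.
# Assumed layout (from the answer; adjust to match your interfaces file):
#   enp1s0 = 192.168.1.1/24    LAN side, PCs live here
#   enp3s0 = 192.168.176.1/24  camera side
# Dry run by default: IPT and SYSCTL expand to "echo ..." so nothing is
# changed until you export IPT=iptables SYSCTL=sysctl and run as root.
set -eu

LAN_IF=enp1s0
LAN_NET=192.168.1.0/24
CAM_IF=enp3s0
CAM_NET=192.168.176.0/24
ROUTER_LAN_IP=192.168.1.1
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

# 1. The kernel must forward between interfaces at all. Put the same
#    setting in /etc/sysctl.d/ to keep it across reboots.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# 2. Remove the MASQUERADE rule and the old ACCEPT rules: routing between
#    two private subnets needs no address rewriting, and with MASQUERADE the
#    PCs would keep seeing every camera as the router's own address.
flush_nat() {
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
}

# 3. Default-deny FORWARD chain. LAN hosts may open connections to the
#    cameras, cameras may open connections to the LAN, replies are matched
#    by conntrack. Anything else the cameras send (i.e. toward the
#    internet) is logged and dropped, which is the "deny except
#    192.168.1.0/24" rule the answer suggests.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$CAM_IF" -s "$LAN_NET" -d "$CAM_NET" -j ACCEPT
    $IPT -A FORWARD -i "$CAM_IF" -o "$LAN_IF" -s "$CAM_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$CAM_IF" -j LOG --log-prefix "cam-fwd-drop: "
    $IPT -A FORWARD -i "$CAM_IF" -j DROP
}

# 4. Route each LAN PC needs so that 192.168.176.0/24 goes to the Ubuntu
#    box instead of the internet router. Prints the command for one OS
#    (the DHCP classless-static-route option is the alternative).
client_route() {
    case "$1" in
        linux)   echo "ip route add $CAM_NET via $ROUTER_LAN_IP" ;;
        macos)   echo "route -n add -net $CAM_NET $ROUTER_LAN_IP" ;;
        # Windows wants a dotted mask rather than CIDR notation.
        windows) echo "route ADD 192.168.176.0 MASK 255.255.255.0 $ROUTER_LAN_IP" ;;
        *)       echo "unknown OS: $1" >&2; return 1 ;;
    esac
}

# Apply (or, in dry-run mode, print) the whole router-side sequence.
configure_router() {
    enable_forwarding
    flush_nat
    forward_rules
}
```

Because the policy is DROP here, the explicit ACCEPT rules are no longer "useless" as they were under the original ACCEPT policy; they are what lets the two segments talk. The rules do not survive a reboot on their own; save them with `iptables-save` / netfilter-persistent (or your distribution's equivalent). If the cameras are ever meant to reach the internet, the LOG/DROP pair has to go and, as the answer says, the internet router needs its own static route back to 192.168.176.0/24 via the Ubuntu box.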
