Linux – Ubuntu Linux Router: Set outbound NAT on 2 interfaces


I'm setting up a router using Ubuntu 12.04. I need my router to route between our internet modem and my client's network, for which we're given one IP address.

The box has 3 interfaces:

  1. eth0 – port to client's network. Configured using static IP.
  2. eth1 – our LAN. Configured as static IP 192.168.1.1 and serving DHCP/DNS.
  3. eth2 – uplink to 3G router modem. Configured as DHCP client.

My /etc/network/interfaces looks like:

# The primary network interface
auto eth2
iface eth2 inet dhcp

# LAN point to our client's network
auto eth0
iface eth0 inet static
address 10.198.250.171
#gateway 10.198.0.4
netmask 255.255.0.0
network 10.198.0.0
broadcast 10.198.255.255
hwaddress ether 00:1E:EC:72:ED:92

# eth1 acts as our LAN's router IP
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255

I've configured eth1 to serve as DHCP and configured NAT from my LAN to internet as follows in /etc/rc.local:

# IP forwarding script from our LAN to internet
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth2 -j MASQUERADE

In order to access my client's LAN (which is a private class A network), I've configured a static route as follows:

up route add -net 10.0.0.0/8 gw 10.198.250.171 dev eth0

Thus far, I can ping and access my client's LAN from the router itself, but from any of my LAN clients, I cannot get the router to route to my client's LAN.

Can anybody advise what else I need to do? Do I need to set outbound NAT for both eth0 and eth2?

Any advice much appreciated.

Best Answer

The problem lies in getting a response from the client LAN I think, and so yes you need to use NAT to the client-LAN as well.

Let me explain:

Nodes on your LAN have your gateway as their default gateway.

Thus any traffic from them, be it to the client network (10.0.0.0/8) or the wider world (0.0.0.0/8) goes to it.

Traffic to the wider world is then NAT'd onto the Internet.

Traffic to the client's LAN is forwarded as is (I'm assuming here forwarding is working which the NAT working indicates it is).

So a packet from a node on your internal LAN, let us say its IP is 192.168.1.200, goes to your gateway and is forwarded to the client LAN. However, its source address is still 192.168.1.200.

The client machine receives this and tries to reply, to 192.168.1.200.

Unless the client LAN machines have routes set for 192.168.1.0/24, or their default gateway is able to forward the packets to your gateway, they will not be able to route.

With NAT enabled at the gateway, the source address 192.168.1.200 is NAT'd to your client-LAN gateway address, which client LAN nodes can respond to, where it will be re-addressed by your gateway and returned.
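To make the answer's reasoning concrete, the following is an added Python model of the router (not code from the question or the answer): longest-prefix routing over the three interfaces from the question, a MASQUERADE rule set keyed by egress interface, and a client-LAN host that, as the answer assumes, has a route for 10.0.0.0/8 but none for 192.168.1.0/24. The client host 10.198.3.7, the LAN host 192.168.1.200 and the eth2 address 203.0.113.10 are constructed sample values.

```python
import ipaddress

# Constructed routing table for the router in the question:
# (prefix, egress interface, router's own address on that interface).
ROUTES = [
    ("192.168.1.0/24", "eth1", "192.168.1.1"),
    ("10.0.0.0/8", "eth0", "10.198.250.171"),
    ("0.0.0.0/0", "eth2", "203.0.113.10"),  # eth2 address is a constructed sample
]


def egress(dst: str):
    """Longest-prefix match: return (interface, router address) for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, own in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, own)
    return best[1], best[2]


def forward(src: str, dst: str, masq_ifaces):
    """Forward one packet. MASQUERADE rewrites the source to the router's address
    on the egress interface only if that interface has a rule, i.e. the effect of
    'iptables -t nat -A POSTROUTING -o <iface> -j MASQUERADE'."""
    iface, own = egress(dst)
    new_src = own if iface in masq_ifaces else src
    return iface, new_src


def client_can_reply(reply_dst: str, client_routes=("10.0.0.0/8",)):
    """A client-LAN node can only answer if the reply destination matches one of
    its routes; by default (assumption from the answer) it knows 10.0.0.0/8 only."""
    addr = ipaddress.ip_address(reply_dst)
    return any(addr in ipaddress.ip_network(r) for r in client_routes)


def lan_to_client_works(masq_ifaces):
    """True if a LAN host can reach a client-LAN host AND get a reply back."""
    iface, src_seen = forward("192.168.1.200", "10.198.3.7", masq_ifaces)
    return iface == "eth0" and client_can_reply(src_seen)


if __name__ == "__main__":
    print("NAT on eth2 only:", lan_to_client_works({"eth2"}))  # False
    print("NAT on eth0 and eth2:", lan_to_client_works({"eth0", "eth2"}))  # True
```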
