Two Outfacing IP and Two Internal Networks

[JordanI]

Hey everyone, I am working on a school project and I am a little stuck. I spent all day yesterday searching for tutorials and could not find anything that worked.

My setup is:
I have two internal networks, 10.0.01/24 and 10.0.1.1/24
10.0.0.1 shares the same IP as the interface xxx.xxx.xxx.xxx (and works)
10.0.1.1 should have another IP yyy.yyy.yyy.yyy

I have gone through probably 100 configurations at this point, using different IPtables rules.

I can easily get yyy.yyy.yyy.yyy pingable and use it on the host, it is on another subnet.


Here is my config:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
        address  199.83.xxx.xxx
        netmask  255.255.255.0
        gateway  199.83.xxx.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  208.68.yyy.yyy
        netmask  255.255.255.0
        bridge_ports eno2
        bridge_stp off
        bridge_fd 0


auto vmbr172
iface vmbr172 inet static
        address  10.0.0.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE


auto vmbr63
iface vmbr63 inet static
        address  10.0.1.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.0.1.1/24' -o vmbr1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.1.1/24' -o vmbr1 -j MASQUERADE

 

[Richard]

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
        address  199.83.xxx.xxx
        netmask  255.255.255.0
        gateway  199.83.xxx.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  208.68.yyy.yyy
        netmask  255.255.255.0
        bridge_ports eno2
        bridge_stp off
        bridge_fd 0


auto vmbr172
iface vmbr172 inet static
        address  10.0.0.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE


auto vmbr63
iface vmbr63 inet static
        address  10.0.1.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.0.1.1/24' -o vmbr1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.1.1/24' -o vmbr1 -j MASQUERADE

Since the default router is at xxx.xxx.xxx.xxx for all outgoing connection this network (where vmbr0 is connected to) will be used, regardless where you come from. In case of a connection originated in 10.0.1.0/24 not NAT will be made: sends packets via vmbr0, but they are not NATed (according to iptables nat at vmbr0 works only for 10.0.0.0/24 sources).


Possible solutions:

- source based routing, saying 10.0.1.0/24 sources have to be routed to yyy.yyy.yyy.yyy via vmbr1
or
- eliminate restriction "-s 10.0.0.1/24" in iptables, all traffic will be routed to xxx.xxx.xxx.xxx via vmbr0