How can I forward traffic across two Ethernet cards?

I'm having a hard time figuring out how to set this up right. I can barely formulate a Google query that explains it, so I'll try to do my best.
I have an Ubuntu PC with two NIC cards.
eth0 (192.168.1.0) goes to the main default gateway and out to the internet, and
eth1 (192.168.176.0) goes to a network switch with a bunch of IP cams connected to it.
I've enabled IP forwarding and iptables rules and hosts on the router PC. Hosts inside the eth1 network can reach the internet and can reach other hosts on the eth0 network. So this is good.
What I'm trying to do now is get hosts inside the eth0 network to be able to access the hosts inside the eth1 network.
The computers are on the eth0 network but the network cameras are on the eth1 network. A single computer with two NIC cards acts as the bridge. Ultimately I want the computers on eth0 to be able to see the IP cameras on eth1.
Trying to map it out:
hosts on 192.168.1.1 should be able to see hosts on 192.168.176.1 but can't.
hosts on 192.168.176.1 CAN see hosts on 192.168.1.1 (these hosts can also get out to the internet). So all good here.
So far I have these IP rules and these have allowed the eth1 network to get out.
iptables --table nat --append POSTROUTING --out-interface enp1s0 -j MASQUERADE
iptables --append FORWARD --in-interface enp3s0 -j ACCEPT
I guess my question is: how can the eth0 network get to hosts in the eth1 network?
Do I have to add routes on the individual computers that want to access the eth1 network?
Do I need to set up forwarding between the eth0 & eth1 interfaces on the router PC?
Here's my current add route command, /etc/network/interfaces and iptables rules:
(On macOS:)
sudo route -n add -net 192.168.176.0/24 192.168.1.1
(On the two-NIC PC) /etc/network/interfaces:
# primary interface enp1s0
auto enp1s0
iface enp1s0 inet static
address 192.168.1.12
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
dns-nameservers 8.8.4.4 8.8.8.8
# secondary interface enp3s0
auto enp3s0
iface enp3s0 inet static
address 192.168.176.1
netmask 255.255.255.0
broadcast 192.168.176.255
network 192.168.176.0
(On the two-NIC PC) iptables rules:
iptables -t filter -A FORWARD -i enp1s0 -o enp3s0 -j ACCEPT
iptables -t filter -A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
networking routing network-interface
asked Dec 7 '17 at 20:13 by Mike
edited Dec 8 '17 at 2:49 by G-Man
2 Answers
Your issue is mainly the route configuration of the hosts. I assume your current setup is as follows:
- enp1s0 interface has IP address 192.168.1.1/24
- enp3s0 interface has IP address 192.168.176.1/24
For hosts on the two IP networks to communicate, they need a dedicated entry in their routing table.
- The hosts on 192.168.1.0/24 that need to access the IP cameras need to know that 192.168.1.1 is the router for 192.168.176.0/24.
- The hosts on 192.168.176.0/24 need a route to 192.168.1.0/24.
Now I assume that the static/DHCP configuration for the IP cameras is to route default traffic through 192.168.176.1, so they know where to send packets for the PCs. But the PCs on 192.168.1.0/24 have only one default entry, the internet router. So any packet to 192.168.176.0/24 gets sent there and lost.
You can either
- configure your DHCP router on 192.168.1.0/24 to advertise a static route to 192.168.176.0/24 via 192.168.1.1 with the "classless static route" option, or
- manually add 192.168.1.1 as a gateway to 192.168.176.0/24 on the PCs.
You will also need to flush your iptables rules. The POSTROUTING rule will mess up the routing and the FORWARD rule is useless (unless you have a DROP policy).
iptables -t nat -F POSTROUTING
iptables -F FORWARD
Your cameras could see the PCs because they were configured with a default gateway of 192.168.176.1 and the nat POSTROUTING entry. For example, if IP camera 192.168.176.10 sends a packet to PC 192.168.1.20, the packet will first be sent to 192.168.176.1 (enp3s0), the default gateway. The Ubuntu PC will forward the packet to enp1s0, rewriting the sender's address as its own, 192.168.1.1. When 192.168.1.20 replies to the packet, it sends it back to the substituted address, 192.168.1.1. When the Ubuntu PC receives it, it knows it is a reply to the IP camera 192.168.176.10. So it rewrites the destination address to 192.168.176.10 and forwards it through enp3s0.
Now you don't want to mess with the packets using NAT, you just need IP routing. In the preceding example, the PC sees the camera IP address as 192.168.1.1, as it was substituted by the Ubuntu PC. Once you have set correct routes,
- in a connection initiated by the PC to the camera, the PC will see the camera IP address as 192.168.176.10.
- in a connection initiated by the camera to the PC, the PC will still see the camera IP address as 192.168.1.1 (NAT'ed address).
For simple IP devices, the second is unlikely to matter. But it could lead to buggy behaviour, for example if you had a managed switch and you wanted to use SNMP traps. You should delete the iptables -t nat -A POSTROUTING -j MASQUERADE rule.
One issue that will arise: do you want your IP cameras to access the internet? If not, I would include an iptables FORWARD route to deny packets from 192.168.176.0/24 going anywhere except 192.168.1.0/24. If you wish to grant access, you will need to configure your router with a static route to 192.168.176.0/24.
answered Dec 7 '17 at 21:43 by jaem
edited Dec 9 '17 at 10:34
I tried to explain in more detail why the NAT rule should be discarded - bottom of the post.
– jaem Dec 9 '17 at 10:38
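As an added example (not code from the question or from jaem's answer), the following sh script turns the answer's advice into a ruleset for the two-NIC Ubuntu PC: plain routing instead of the catch-all MASQUERADE, a default-deny FORWARD chain so the cameras can only reach 192.168.1.0/24 unless you opt in, and the one route each PC needs. Interface names and addresses are taken from the /etc/network/interfaces file in the question, where enp1s0 is 192.168.1.12; the answer assumes enp1s0 is 192.168.1.1, but in the posted configuration 192.168.1.1 is the internet router, so the PCs' route must point at 192.168.1.12. The optional camera-to-internet masquerade limited to non-LAN destinations is my own variant rather than the answer's static-route approach, and the variable names and the APPLY / ALLOW_CAMERA_INTERNET switches are my own.

```shell
#!/bin/sh
# Added example for the two-NIC router PC (not from the question or answers).
# Addresses and interface names come from the posted /etc/network/interfaces.
LAN_IF="enp1s0"                 # PC side
CAM_IF="enp3s0"                 # camera side
LAN_NET="192.168.1.0/24"
CAM_NET="192.168.176.0/24"
ROUTER_LAN_IP="192.168.1.12"    # enp1s0 address; 192.168.1.1 is the internet router
ALLOW_CAMERA_INTERNET="${ALLOW_CAMERA_INTERNET:-no}"   # assumption: deny by default

# Print the commands for the router PC, one per line (nothing is executed here).
router_rules() {
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"   # persist via /etc/sysctl.conf
    # Remove the blanket 'POSTROUTING -j MASQUERADE' that hides camera addresses,
    # and start the FORWARD chain from a default-deny policy.
    printf '%s\n' "iptables -t nat -F POSTROUTING"
    printf '%s\n' "iptables -F FORWARD"
    printf '%s\n' "iptables -P FORWARD DROP"
    # Replies to flows that were already allowed pass in both directions.
    printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # PCs may open connections to the cameras (routed, addresses unchanged).
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $CAM_IF -s $LAN_NET -d $CAM_NET -j ACCEPT"
    # Cameras may open connections to the PC subnet only.
    printf '%s\n' "iptables -A FORWARD -i $CAM_IF -o $LAN_IF -s $CAM_NET -d $LAN_NET -j ACCEPT"
    if [ "$ALLOW_CAMERA_INTERNET" = "yes" ]; then
        # Variant: camera traffic to non-LAN destinations is masqueraded as the
        # router's LAN address, so the internet router needs no return route.
        printf '%s\n' "iptables -A FORWARD -i $CAM_IF -o $LAN_IF -s $CAM_NET ! -d $LAN_NET -j ACCEPT"
        printf '%s\n' "iptables -t nat -A POSTROUTING -o $LAN_IF -s $CAM_NET ! -d $LAN_NET -j MASQUERADE"
    fi
}

# The route every PC on 192.168.1.0/24 needs (Linux form).
pc_route() {
    printf '%s\n' "ip route add $CAM_NET via $ROUTER_LAN_IP"
}

# Number of commands in the router set; a quick sanity check for the test below.
rule_count() {
    router_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-no}" = "yes" ]; then
    router_rules | sh -e        # apply for real; requires root
else
    router_rules                # dry run: show what would be executed
    pc_route
fi
```

By default the script only prints the commands; run it with APPLY=yes as root to execute them on the router PC. On the Mac in the question the equivalent of pc_route is `sudo route -n add -net 192.168.176.0/24 192.168.1.12`. If the LAN's DHCP server is dnsmasq, the "classless static route" option the answer mentions can be handed out with `dhcp-option=option:classless-static-route,192.168.176.0/24,192.168.1.12` (my assumption about the deployment, not something the page states). The unsolicited-reply caveat from the answer still holds: with NAT gone, a camera that opens a connection to a PC shows its real 192.168.176.x address, which is what you want for logs and access control.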
edited Dec 7 '17 at 22:14
answered Dec 7 '17 at 21:22
jc__
1,308416
mmmmm, I should have read your question better.
– jc__
Dec 7 '17 at 21:59
Thanks, your message helped me a lot with understanding, but I am not quite there yet. To make it easier I've copied my current /etc/networking/interfaces, iptables and route add commands. I still haven't been able to get it to work, but I think I'm close.
– Mike
Dec 7 '17 at 22:10
I edited my original question to show the routing command I'm adding to my mac, the network/interfaces file and iptables for the router PC. Currently when I ping anything on the eth1/176 network it says network unreachable.
– Mike
Dec 7 '17 at 22:19
I must go now and will not be back until tomorrow, but I think you are almost there. Just add a route on your default gateway for the 'other' subnet because all traffic will go through it (default gateway).
– jc__
Dec 7 '17 at 22:23
I hope it's okay to delete the answer and change it...
– jc__
Dec 7 '17 at 22:24
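As an added illustration (not part of the question or jc__'s answer), a small Python model of the routing tables and FORWARD rules discussed in this thread, tracing a packet hop by hop to show why the main-to-cameras direction fails until both of the answer's changes (the route on the default gateway and the opposite FORWARD rule on the bridge) are in place. The gateway's interface names, the bridge's enp3s0 address 192.168.176.1 and a FORWARD policy of DROP on the bridge are assumptions.

```python
import ipaddress

# Constructed model of the question's network (not from the page): "mac" on the
# main LAN, "gateway" 192.168.1.1, the two-NIC "bridge" PC (192.168.1.12 on enp1s0;
# 192.168.176.1 on enp3s0 is an assumption) and the camera subnet 192.168.176.0/24.
# A route entry is (prefix, next_hop or None when on-link, interface).
MAC = [("192.168.1.0/24", None, "en0"), ("0.0.0.0/0", "192.168.1.1", "en0")]
GATEWAY = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "isp", "wan")]
BRIDGE = [("192.168.1.0/24", None, "enp1s0"), ("192.168.176.0/24", None, "enp3s0"),
          ("0.0.0.0/0", "192.168.1.1", "enp1s0")]
CAMERA = [("192.168.176.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.176.1", "eth0")]
OWNER = {"192.168.1.1": "gateway", "192.168.1.12": "bridge", "192.168.176.1": "bridge"}
# The answer's two fixes: a route on the default gateway pointing at the bridge,
# and a FORWARD rule on the bridge accepting packets that arrive on enp1s0
# (the model assumes the bridge's FORWARD chain policy is DROP).
GATEWAY_FIXED = GATEWAY + [("192.168.176.0/24", "192.168.1.12", "lan")]
FWD_BEFORE = {"bridge": {"enp3s0"}}            # iptables FORWARD -i enp3s0 -j ACCEPT
FWD_AFTER = {"bridge": {"enp3s0", "enp1s0"}}   # plus the opposite rule

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, dev) or None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])

def trace(tables, fwd, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns the hosts traversed plus a final
    verdict (delivered, dropped by FORWARD, no route, or left the LAN)."""
    path, cur, arrived_on = [src], src, None
    for _ in range(max_hops):
        allowed = fwd.get(cur)                 # None: host forwards from any interface
        if cur != src and allowed is not None and arrived_on not in allowed:
            return path + [f"{cur}: dropped by FORWARD (in {arrived_on})"]
        route = lookup(tables[cur], dst)
        if route is None:
            return path + [f"{cur}: no route to {dst}"]
        via, dev = route
        if via is None:                        # destination is on-link: delivered
            return path + [f"delivered via {cur}:{dev}"]
        nxt = OWNER.get(via)
        if nxt is None:                        # e.g. the ISP: outside the model
            return path + [f"{cur}: sent to {via}, leaves the LAN"]
        arrived_on = lookup(tables[nxt], via)[1]  # interface holding the next-hop address
        path.append(nxt); cur = nxt
    return path + ["hop limit exceeded"]
```

Running trace from "camera" with FWD_BEFORE shows the already-working direction (camera, bridge, delivered via enp1s0), while "mac" to a camera address only reaches "delivered via bridge:enp3s0" with GATEWAY_FIXED and FWD_AFTER together.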