Connecting TO Multiple Networks With Ubuntu/Debian

So I had an issue today with my main lab server

I have multiple subnets in my lab some that can reach the  Internet some are strictly internal

I have an Ubuntu server that  I want to connect to 2 subnets one is connected to my fast Gigabit network while the other is connected to my slow 10/100 network but I want to make sure that the internet traffic goes out my internet firewall.

My server has 2 NIC’s  I ran into a reverse path filtering roadblock! GRR reverse path verify is a great security feature but it can be messy  to deal with

Here is how I solved my problem

First here is my interfaces config

 

# Managment
auto enp3s0
iface enp3s0 inet static
network 192.168.1.0
address 192.168.1.2
gateway 192.168.1.254
netmask 255.255.255.0
dns-nameservers 208.67.222.222

###Payload
auto enp1s5
iface enp1s5 inet static
network 192.168.2.0
address 192.168.2.2
netmask 255.255.255.0
dns-nameservers 208.67.222.222
post-up route add -net 192.168.2.0/24 gw 192.168.2.254

Here is what my routing table looks like

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 enp3s0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s5
192.168.2.0 192.168.2.254 255.255.255.0 UG 10 0 0 enp1s5

 

I first added a post-up directive under the payload interface to install a route after the interface comes up during a reboot also note that only 1 of the nic’s has a gateway configured.

with the above setup, I had an issue with SSH to 192.168.1.2 from the 192.168.2.0/24 network  because my traffic from the 2.0 network would get dropped because the server is doing a reverse check

I was able to resolve this by

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp3s0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp1s5/rp_filter

This will disable reverse path verify which in my case fixed my issue!

 

Hope this helps!

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.