
First of all, I've searched the internet and tried many methods. I still couldn't work this out.

I want my RPi to sit between an end-point and a router, and eventually be a kind of firewall, so that all the traffic will be transferred from/to the router to/from the end-point.

Therefore I think bridging the internet from the router to the end-point will be a solution.

The setup is:

                 10.0.0.138   10.0.0.12
internet <--> Router <-------------> RPi <--------------> end-point
                                      169.254.25.136   169.254.25.25

The Pi's eth0 is wired to the router, and the Pi's eth1 is wired to the endpoint.

In this setup, my Pi has an internet connection, but my end-point doesn't, which seems logical.

What can I do in order to bridge the connection? By the way, my IPs are static (through dhcpcd.conf, do I need to change it in /etc/network/interfaces also?)

My IPs are:

router- ip: 10.0.0.138
|
Rpi- eth0(to router): 10.0.0.12
default gateway: 10.0.0.138

Rpi- eth1(to end-point): 169.254.25.136
default gateway: 10.0.0.12
|
Endpoint - ip: 169.254.25.25
default gateway: 169.254.25.136

edit - Routing is what I need, not bridging.

Ingo
Matan Hasan
  • This is honestly more of a [Unix SE](https://unix.stackexchange.com) type question. Search "Linux Ethernet bridging" in your [favourite search engine](https://startpage.com) in order to make this work. Note that the `169.254.0.0/16` address is a local, non-connectible [RFC 3927](https://www.ietf.org/rfc/rfc3927.txt) IP address, so that'll never connect anywhere but the local Layer-2 network, unless you've got the infrastructure to ensure it will (very, very unlikely). – stevieb Apr 02 '18 at 22:47
  • Your question is too general, but one thing is clear. You **CAN NOT** use a [Link-local address](https://en.wikipedia.org/wiki/Link-local_address) which is not routable. – Milliways Apr 03 '18 at 01:35
  • I think you should not go for bridging but for routing. Just a tip as this allows more control over what happens. Just my 50 ct. – Christian Wolf Apr 03 '18 at 09:54
  • Thank you guys! @stevieb ok, I read about it, and I changed the IP. I will search for "Linux Ethernet Routing" – Matan Hasan Apr 03 '18 at 18:04
  • @Milliways I need my Rpi to be like a firewall, to monitor my traffic (i.e. if the user wants to enter a website, I will decide if he can). – Matan Hasan Apr 03 '18 at 18:04
  • @ChristianWolf ok, so that's what i need.. do you know of a way to do it? – Matan Hasan Apr 03 '18 at 18:05
  • If I'm following this right... On a *BSD system you'd want to turn on IP Forwarding in the kernel, I assume there is probably something similar in the Linux kernel. – dlu Apr 03 '18 at 22:44
  • Please edit the topic, because you want routing, not bridging. Bridging works on the ethernet frame level and handles MAC addresses. – Janka Apr 04 '18 at 14:00
  • @MatanHasan You got already one answer that should help you quite much. If you got it running, please mark the answer as solution. If not, please show us your problems and tell your issues. – Christian Wolf Apr 04 '18 at 16:34
  • @ChristianWolf see my comment to Ingo: I set ip_forwarding to 1, but still nothing on the end-point. – Matan Hasan Apr 05 '18 at 14:00


You are building a router with a firewall. It does not make sense to give two default routes. The default route is the route that packets are sent to whose IP addresses do not belong to local networks. If the router does not know where to send an IP address it will send it to the next hop on the network with the IP address of the default route. If you have two default routes, where should the router send unknown IP addresses to?

You should only set up one default route on the raspi, to your internet router, in your example to 10.0.0.138. But how do the packets get from network 169.254.25.0/24 to the internet? The packets have to pass from eth1 to eth0 and back. To enable this you have to turn on IP forwarding as @dlu already commented. There are several ways to do it. I don't know what configuration you are using. You can enable it directly in the kernel with:

rpi3 ~$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Or you can uncomment it in /etc/sysctl.conf and reboot:

rpi3 ~$ grep -B 1 'ipv4.ip_forward' /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

Or with systemd-networkd you can add IPForward=yes to the [Network] section in one of your /etc/systemd/network/eth*.network files.

Your internet router 10.0.0.138 does not know where to send packets for network 169.254.25.0/24. We have to tell it with a static route. On most internet routers I know you can set a static route, but how to do that varies from model to model. It's up to you to find that out. On a Raspberry Pi it would look like this (don't set it on your Raspi router!):

~$ sudo ip route add 169.254.25.0/24 via 10.0.0.12 dev ethX

That means: "send all packets belonging to network 169.254.25.0/24 (destination network) to the next router 10.0.0.12 (gateway). It knows where to go on."

Summary of Raspberry Pi settings
Settings on RPi (router):

rpi3 ~$ ip addr   # stripped to relevant settings
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.0.12/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 169.254.25.136/24 brd 169.254.25.255 scope global eth1
rpi3 ~$ ip route
default via 10.0.0.138 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.12
169.254.25.0/24 dev eth1 proto kernel scope link src 169.254.25.136

Settings on end-point:

end-point ~$ ip addr   # stripped to relevant settings
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 169.254.25.25/24 brd 169.254.25.255 scope global eth0
end-point ~$ ip route
default via 169.254.25.136 dev eth0 proto static
169.254.25.0/24 dev eth0 proto kernel scope link src 169.254.25.25

Troubleshooting
IP forwarding works without iptables. iptables as a firewall only restricts communication, so for troubleshooting make sure iptables is completely transparent. If you have some rules there then save them (out of scope here) before flushing [1]:

rpi3 ~$ sudo -Es
rpi3 ~# iptables --policy INPUT ACCEPT
rpi3 ~# iptables --policy FORWARD ACCEPT
rpi3 ~# iptables --policy OUTPUT ACCEPT
rpi3 ~# iptables --table nat --flush
rpi3 ~# iptables --table mangle --flush
rpi3 ~# iptables --table raw --flush
rpi3 ~# iptables --flush
rpi3 ~# iptables --delete-chain
rpi3 ~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
rpi3 ~# exit
rpi3 ~$

Check if ip_forward is set to 1:

rpi3 ~$ cat /proc/sys/net/ipv4/ip_forward
1

From your end-point you should be able to ping your raspi on this side. This should always work. If not, you have a general problem with your connection, e.g. a broken ethernet wire, a loosely plugged-in ethernet cable, wrong drivers for your interfaces or something else.

end-point ~$ ping -nc1 169.254.25.136
PING 169.254.25.136 (169.254.25.136) 56(84) bytes of data.
64 bytes from 169.254.25.136: icmp_seq=1 ttl=64 time=0.663 ms
[...]

Then you should see the other side (forwarding the ip) of the raspi and your internet router:

end-point ~$ ping -nc1 10.0.0.12
PING 10.0.0.12 (10.0.0.12) 56(84) bytes of data.
64 bytes from 10.0.0.12: icmp_seq=1 ttl=64 time=0.663 ms
[...]
end-point ~$ ping -nc1 10.0.0.138
PING 10.0.0.138 (10.0.0.138) 56(84) bytes of data.
64 bytes from 10.0.0.138: icmp_seq=1 ttl=64 time=0.663 ms
[...]

And you should get responses out from the internet, e.g. from the google nameserver. First try from the raspi then from the end-point:

rpi3 ~$ ping -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]
end-point ~$ ping -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]

And it should take the default routes on your network, hop by hop (look at the first two responses):

end-point ~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  169.254.25.136  0.504 ms  0.580 ms  0.642 ms
 2  10.0.0.138  0.504 ms  0.580 ms  0.642 ms
 3  62.155.246.85  9.556 ms  9.493 ms  11.073 ms
 4  217.239.51.58  13.707 ms  14.051 ms  15.524 ms
 5  80.156.160.118  15.655 ms  17.208 ms  17.144 ms
 6  * * *
 7  216.239.48.42  18.655 ms 72.14.233.46  20.237 ms  21.819 ms
 8  108.170.238.245  19.712 ms 108.170.233.39  13.247 ms 216.239.59.113  13.366 ms
 9  8.8.8.8  13.926 ms  12.564 ms  12.596 ms
references:
[1]: best way to clear all iptables rules

Ingo
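An added audit script (example code written for this page, not part of the question or of Ingo's answer) that checks routing-table text for the two faults the answer identifies: more than one default route, and a default gateway that is not on the link of the interface it is bound to (the asker's `default via 10.0.0.138 dev eth1`). It assumes the `ip -4 route` output format shown above; the script name route_audit.sh is hypothetical.

```shell
#!/bin/sh
# route_audit.sh (hypothetical name): audit a Linux router's IPv4 routing table
# for (a) more than one default route and (b) a default gateway that is not
# inside the "scope link" prefix of its interface. Input: text of `ip -4 route`.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 lies inside CIDR prefix $2 (e.g. 10.0.0.0/24).
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Read routing-table text from stdin, print one FAIL line per finding and
# return the number of findings (0 means the table is clean).
audit_routes() {
  table=$(cat); findings=0
  n=$(printf '%s\n' "$table" | grep -c '^default ' || true)
  if [ "$n" -ne 1 ]; then
    echo "FAIL: expected exactly one default route, found $n"
    findings=$((findings + 1))
  fi
  # For every "default via GW dev DEV" line, GW must fall inside the
  # connected ("scope link") prefix the kernel installed for DEV.
  while read -r _kw _via gw _devkw dev _rest; do
    [ -z "$gw" ] && continue
    prefix=$(printf '%s\n' "$table" | awk -v d="$dev" \
      '$2 == "dev" && $3 == d && /scope link/ && index($1, "/") { print $1; exit }')
    if [ -z "$prefix" ] || ! in_subnet "$gw" "$prefix"; then
      echo "FAIL: default via $gw on $dev, but $dev has no on-link prefix containing it"
      findings=$((findings + 1))
    fi
  done <<EOF
$(printf '%s\n' "$table" | grep '^default via' || true)
EOF
  return $findings
}

# Live run on this host: `sh route_audit.sh live` (no output means clean).
if [ "${1:-}" = "live" ]; then
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "FAIL: ip_forward is not 1"
  ip -4 route | audit_routes
fi
```

Run against the asker's table with two default routes it reports both faults; against the table in the answer's summary it reports nothing.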
  • Thank you for responding. Yes, my problem is with the packet transfer from `eth0` to `eth1` and back. I did `ip_forwarding = 1` (uncommented in `sysctl.conf`); I still got nothing on my end-point. Do I need to consider iptables maybe? – Matan Hasan Apr 05 '18 at 13:22
  • @MatanHasan I don't know what configuration you are using. I use [`systemd-networkd` instead of `networking`](https://raspberrypi.stackexchange.com/a/78788/79866). But I have updated my answer with some generic troubleshooting hints. – Ingo Apr 05 '18 at 20:49
  • Just one more thing to check if the rpi can reach the internet, e.g. 8.8.8.8. please tell us if this helped you. – Christian Wolf Apr 06 '18 at 06:25
  • @Ingo I followed your troubleshooting. `ip_forward` is set to 1, my `ip route` looks a little different. I have `default via 10.0.0.138 dev eth0 metric 202` and `default via 10.0.0.138 dev eth1 metric 204`. Then I pinged `169.154.25.136` from my end-point, and got an echo back, but I couldn't ping the other side of the Rpi (`10.0.0.12`), saying `destination host unreachable`. Also for `8.8.8.8`. I think I'm working with `networking` - should I replace it? – Matan Hasan Apr 07 '18 at 19:08
  • @MatanHasan Please delete `default via 10.0.0.138 dev eth1`. There **must** be only **one** default route! And `eth1` belongs to network `169.154.25.0/24`, not to network `10.0.0.0/24`, so there can never be a destination to the next hop `10.0.0.138`. – Ingo Apr 07 '18 at 19:49
  • @MatanHasan And we should try to get it to work with `networking`. We should not screw on two places. – Ingo Apr 07 '18 at 20:00
  • Ok, now I have only one default route. I've got a ping to `10.0.0.12` from the end-point, which is great, but I still got no ping from `8.8.8.8`. Also, my internet on the Rpi is working fine. I think maybe it's something in my IPv4 settings on my endpoint. `ip- 169.254.25.25` and `gateway - 169.254.25.136`; should I also insert the gateway as DNS server? – Matan Hasan Apr 07 '18 at 21:51
  • @MatanHasan That is a big step forward. `ip forwarding` is working. Routing on your end-point seems to be ok. Otherwise you wouldn't be able to ping `10.0.0.12`. Can you ping the router `10.0.0.138`? Can you ping `8.8.8.8` from the raspi? What does `traceroute` say? And no, don't add any DNS issues. We first must get responses on the IP level. – Ingo Apr 08 '18 at 17:13
  • @Ingo I can't ping either `10.0.0.138` or `8.8.8.8` from my end-point. I can ping both `10.0.0.138` and `8.8.8.8` from my Rpi. `tracert 8.8.8.8` from the end-point says 1 hop to reach `169.254.25.136` and from then on it's `request timed out` – Matan Hasan Apr 08 '18 at 17:32
  • @MatanHasan OK, I forgot that we have two routers. Your internet router does not know where to send packets for 169.254.25.0/24. There we have to set a static route. I will update my answer next. – Ingo Apr 09 '18 at 02:00
  • @Ingo ok, I've tried to add a static route to my Rpi, but when I do so, suddenly I've got no ping even to `169.254.25.136`, so it made it worse. I'm trying to figure out what I'm doing wrong here. In addition, I added a `static route` in my router with: `destination - 169.254.25.0` and `gateway 10.0.0.138`, but something doesn't seem right here. – Matan Hasan Apr 09 '18 at 21:09
  • @MatanHasan Please NO static route on the RPi! Its setup was OK before. Static route only on your internet router. `destination - 169.254.25.0` is OK (`netmask 255.255.255.0`). But gateway must be `10.0.0.12`. – Ingo Apr 10 '18 at 07:06
  • @Ingo I made it! thank you very much!! and now for my second part of my project :) – Matan Hasan Apr 10 '18 at 18:01
  • @MatanHasan I'm pleased to help you :) I would like to use this question as reference for making a raspi a router. So for this and to finalize the question can you please accept the answer? Thank you for your assistance. – Ingo Apr 10 '18 at 18:34