Igor S, 2016-03-28 16:43:52
linux

How to give access to the Internet from a different subnet?

Hello!
There is a task: to give access to certain resources through a remote server (so that they go to Yandex as usual, and to Google through a server in Belgium), plus connect the remote server to the local office.
We have a server in the data center, on which several VMs are deployed. The server has a physical interface with Internet access (masquerade) and a local virtual bridge virbr1 (172.16.18.1/24) to which the VM interfaces are added (standard libvirt practice).
SoftEther VPN is installed on the server.
It has two hubs (local for connecting from the office, and vpn for connecting users)
A tap bridge was created for the local hub and added to virbr1. When a user connects to this hub and assigns himself an IP from 172.16.18.0/24, he gets access to the virtual LAN through virbr1, and if you run

route add -host 213.180.193.3 gw 172.16.18.1 (ip yandex.ru)

then Yandex is reached through the remote server.
To connect the two hubs, we create a virtual router with the following parameters:
>routeriflist router
IP Address |Subnet Mask  |Virtual Hub Name
-----------+-------------+----------------
172.16.18.3|255.255.255.0|local
172.16.20.1|255.255.254.0|vpn

>routertablelist router
Network Address|Subnet Mask  |Gateway Address|Metric
---------------+-------------+---------------+------
0.0.0.0        |0.0.0.0      |172.16.18.1    |    10
172.16.20.0    |255.255.254.0|172.16.20.1    |    10

Also, for the vpn hub NAT was disabled and DHCP was enabled (to activate it you need to enable SecureNAT, which has IP 172.16.21.250/23) in order to hand out IPs to users and "push" routes (since only certain resources need to be routed). As a result, the client sees the virtual LAN and the client is visible from it, but when I try to access the Internet, I get Destination Port Unreachable.
routes on the server:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x    0.0.0.0         UG    100    0        0 enp1s0f0
y.y.y.y    0.0.0.0         255.255.255.248 U     100    0        0 enp1s0f0
172.16.18.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr1
172.16.20.0     172.16.18.3     255.255.254.0   UG    0      0        0 virbr1

routes on the client:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.4.1      0.0.0.0         UG    202    0        0 enp2s0
213.180.193.3    172.16.20.1     255.255.255.255 UGH   203    0        0 vpn_vpn0
172.16.4.0      0.0.0.0         255.255.255.0   U     202    0        0 enp2s0
172.16.18.0     172.16.20.1     255.255.255.0   UG    203    0        0 vpn_vpn0
172.16.20.0     0.0.0.0         255.255.254.0   U     203    0        0 vpn_vpn0

172.16.4.0/24 is the internal LAN.
Tell me what I could have missed: why is there no access to the server's external interface?

2 answers
Igor S, 2016-03-30
@xarek1986

The problem turned out to be FirewallD. Because of the specifics of how it works (or my own clumsiness), access to the external interface was allowed only from the 172.16.18.0/24 network, as evidenced by the rules

-A FORWARD -d 172.16.18.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 172.16.18.0/24 -i eth1 -o eth0 -j ACCEPT

At the same time, when I tried to add the direct rules
ipv4 filter FORWARD 0 -i eth0 -o eth1 -d 172.16.4.0/24 -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o eth0 -s 172.16.4.0/24 -j ACCEPT

they did not work (for some reason).
It only worked after manual intervention, which is not very good, although not yet critical:
iptables -I FORWARD 1 -d 172.16.4.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD 1 -s 172.16.4.0/24 -o eth0 -i eth1 -j ACCEPT

In general, thanks to the invaluable contribution of Alexander Karabanov, we managed to understand what the problem was.
For myself, I wrote a script that sets the necessary routes and adds the above rules.
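To see why the firewalld rules above let 172.16.18.0/24 out but dropped the office traffic, here is a small first-match simulation of the FORWARD chain quoted in this answer (an added example, not the poster's script). It assumes eth0 is the external interface and eth1 the side the bridged/VPN traffic arrives on; any source outside the listed subnets, such as the 172.16.20.0/23 pool, still falls through to whatever ends the real chain.

```python
import ipaddress
import shlex
# Added example: first-match simulation of the FORWARD chain from the thread.
# Only -s/-d/-i/-o/-j are modelled. Interface roles are an assumption:
# eth0 = external uplink, eth1 = side where the bridged/VPN traffic arrives.

def parse_rule(tokens):
    """Tokens of one iptables(-save) line -> match dict."""
    rule = {"src": None, "dst": None, "in": None, "out": None, "target": None}
    it = iter(tokens)
    for tok in it:
        if tok in ("-s", "-d"):
            rule["src" if tok == "-s" else "dst"] = ipaddress.ip_network(next(it), strict=False)
        elif tok in ("-i", "-o", "-j"):
            rule[{"-i": "in", "-o": "out", "-j": "target"}[tok]] = next(it)
    return rule

def build_chain(lines):
    """Apply -A (append) and -I <chain> [pos] (insert) in the order given."""
    chain = []
    for line in lines:
        tokens = shlex.split(line)
        if tokens[0] == "-I":
            pos = int(tokens[2]) if len(tokens) > 2 and tokens[2].isdigit() else 1
            chain.insert(pos - 1, parse_rule(tokens))
        else:
            chain.append(parse_rule(tokens))
    return chain

def forward_verdict(chain, src, dst, in_if, out_if, fallthrough="REJECT"):
    """First rule whose every given match fits decides; 'fallthrough' stands
    in for the reject rule/policy that ends the real chain (not shown here)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if (r["src"] is None or src in r["src"]) and (r["dst"] is None or dst in r["dst"]) \
                and r["in"] in (None, in_if) and r["out"] in (None, out_if):
            return r["target"]
    return fallthrough

# Rules quoted in the answer (before the fix) and the two inserted by hand.
BEFORE = ["-A FORWARD -d 172.16.18.0/24 -i eth0 -o eth1 -j ACCEPT",
          "-A FORWARD -s 172.16.18.0/24 -i eth1 -o eth0 -j ACCEPT"]
FIX = ["-I FORWARD 1 -d 172.16.4.0/24 -i eth0 -o eth1 -j ACCEPT",
       "-I FORWARD 1 -s 172.16.4.0/24 -o eth0 -i eth1 -j ACCEPT"]

if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", BEFORE + FIX)):
        for s in ("172.16.18.50", "172.16.4.10", "172.16.20.5"):
            print(label, s, forward_verdict(build_chain(lines), s, "213.180.193.3", "eth1", "eth0"))
```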

vvs-ts9, 2016-03-30
@vvs-ts9

I do not really understand the picture, because the question is: where are the subnet routes "out"?
