Home firewall/router: no internet access using firewalld and NetworkManager

Hello all,

I have a simple network. I have several computers on my home network. These computers need ssh, nfs, internet, and not much else. I have a mini computer with two ethernet interfaces and I have spent the last two weeks trying to get my fw/router to allow the network to reach the internet and have had no success. Can anyone help? I have redone the rules many times starting from scratch at least a dozen times.

You should provide more information about what the issue here is. Your “mini computer” is the one with Rocky Linux installed on it? You are attempting to have other computers with Rocky Linux installed on them connect to the Internet through your “mini computer” with an unspecified operating system on it? Something else altogether?

How are you attempting to map your internal network? Do you require, for example, dhcp, and, if so, have you set up a dhcp server on your network somewhere? Is it working? Does it assign network addresses within the expected range and is the gateway setting what you think it should be?

That’s just one example, of course. Another is how you set up firewalld on both the router and the client computers, and what happens that is different from what you expect to happen.

Etc.

There’s a lot of stuff that may not be working as expected or possibly not set up at all, but based on the information you provided there’s no way to know.

Hi,

Thanks for the quick response. All of my computers are running Rocky Linux 9.7 except the laptop running Rocky Linux 10.1, which connects via AP. I have been setting the firewall up with “public” as my WAN connection and “internal” for my network.

Which still doesn’t answer any of the questions.

Assuming that your “mini computer” has a direct connection to the Internet (does it?) can it actually connect to the Internet? Assuming that your “mini computer” is intended to be used as a router (is that correct?) and that this is the computer that you’re having trouble with (is it?) can you connect to the “mini computer” from any of your other computers?

Do your other computers that you are attempting to connect with have a network address? Is it correct/within the right network, is the subnet mask correct?

You really need to give more details about what you’re doing and how you’re doing it and what actually happens and how that differs from what you expect to or want to see happen. Remember, we can’t see what you’re doing and there’s no way for us to know what you’re trying unless you tell us.

Hi Frank,

The mini computer (firewall/router) connects to the internet just fine with firewalld disabled. All computers on the network have static IP addresses and can talk with one another quite well and can ssh into the firewall/router. The two NICs are assigned to WAN and LAN using nmtui.

Hi Frank,

You ask what the problem is that I am trying to solve. As I explained in the OP, my network (LAN) cannot connect to the internet. I want my network (LAN) to be able to access the internet.

I guess that’s a start, but you’re still being awfully vague about what exactly is failing here.

Let’s start here.

The firewall/router can connect to the Internet with firewalld disabled. Can it connect to the Internet with firewalld enabled?

What routing tables have you set up on the firewall/router to pass the traffic between the Internet and your internal network?

On the many times that I have gone through the firewall configuration I have started with firewalld uninstalled. With no firewalld installed the firewall/router connects to the internet. The firewall/router is also available to the network via ping and ssh. After installing firewalld the same is true. Binding the WAN interface to the “public” zone and the LAN interface to the “internal” network, the computers on the network can all communicate with the firewall/router and each other, and the firewall/router can connect to the internet. This is true with firewalld started and enabled.

As far as the routing tables, I have followed dozens of website how-tos for the setup. None of the how-tos has resulted in success.

With firewalld installed, started and enabled and firewalld reset to defaults, both network interfaces are bound to zone=public.

I am creating numerous typos. It’s time for me to go to bed and pursue this tomorrow.

cat /proc/sys/net/ipv4/ip_forward

If the answer is 0:

cat <<'EOF' > /etc/sysctl.d/99-forward.conf
net.ipv4.ip_forward = 1
EOF

Apply now:
sysctl -p /etc/sysctl.d/99-forward.conf

And check the internet connection again.

With firewalld, you can also configure it like I did in this post and it will do everything correctly as well.

Since all your computers are behind the mini pc they are NAT’ed from the internet which means unless routing is enabled as per @Xino’s post or by configuring firewalld to NAT the packets, then they won’t be able to get to the internet.

The link inserted doesn’t format well, but when you visit the post you’ll see it correctly formatted and the steps required to configure firewalld.

When I sshed into the firewall/router I was able to reach (by ping) the internet and my network. I then followed @Xino’s instructions, exactly, and the firewall/router is unable to reach the internet. I can ping the computers on the network.

I need to correct my previous post. After following @Xino’s instructions, the firewall/router is able to reach BOTH the internet and the internal network (by ping), and the internal network (LAN) has no internet access. The LAN computers are able to communicate with one another.

The net.ipv4.ip_forward = 1 enables forwarding in the kernel. Without it the kernel will not route traffic through (in from one interface, out from another). It will not even try.

However, the firewall has to allow the routing too, and there must also be SNAT (masquerade) so that traffic is actually allowed and that replies will find their way back. For those you should do what @iwalker said.

Masquerade and forwarding are both enabled.

Here’s a list of all my zones:

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject

public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 lo
sources:
services: cockpit dhcpv6-client dns http https ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Log-on to router

Enter command => ip r

Post result

Enter command => ip ru

Post result

$ ip r
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 100
default via 192.168.99.1 dev enp2s0 proto static metric 101
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 metric 30
192.168.12.0/24 dev enp1s0 proto kernel scope link src 192.168.12.184 metric 100
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 101
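The three prerequisites named earlier in the thread (net.ipv4.ip_forward = 1, forward: yes on the zones, and masquerade on the interface that carries the default route), turned into a check that reads text in the shape of the zone listing and the `ip r` output posted above. This is an added example, not code from the thread or from firewalld; the zone names, interface names and addresses are copied from the posts, and the trimmed samples below are constructed for the example.

```python
# Constructed samples modelled on the thread's zone listing and `ip r` output (fields trimmed).
ZONES_TXT = """\
internal (active)
  interfaces: enp1s0
  forward: yes
  masquerade: no
public (active)
  interfaces: enp2s0 lo
  forward: yes
  masquerade: yes
"""
ROUTES_TXT = """\
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 100
default via 192.168.99.1 dev enp2s0 proto static metric 101
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 101
"""
def parse_zones(text):  # zone name -> {interfaces, forward, masquerade} from --list-all-zones
    zones, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # zone header such as "public (active)"
            cur = line.split()[0]
            zones[cur] = {"interfaces": [], "forward": False, "masquerade": False}
        elif cur and ":" in line:
            key, _, val = line.strip().partition(":")
            if key == "interfaces":
                zones[cur]["interfaces"] = val.split()
            elif key in ("forward", "masquerade"):
                zones[cur][key] = val.strip() == "yes"
    return zones
def default_routes(text):  # [(metric, dev)] for each default route, lowest metric first
    found = []
    for t in (line.split() for line in text.splitlines()):
        if t and t[0] == "default" and "dev" in t:
            metric = int(t[t.index("metric") + 1]) if "metric" in t else 0
            found.append((metric, t[t.index("dev") + 1]))
    return sorted(found)
def audit(zones_txt, routes_txt, ip_forward):  # empty list == all prerequisites hold
    zones, routes = parse_zones(zones_txt), default_routes(routes_txt)
    findings = [] if ip_forward == 1 else ["net.ipv4.ip_forward is not 1: kernel will not forward"]
    if len(routes) != 1:
        findings.append("expected one default route, found %d" % len(routes))
    if routes:  # the preferred default route's interface is the WAN side; its zone must masquerade
        wan = routes[0][1]
        wan_zone = next((z for z, d in zones.items() if wan in d["interfaces"]), None)
        if wan_zone is None or not zones[wan_zone]["masquerade"]:
            findings.append("no masquerading zone on WAN interface %s (zone %s)" % (wan, wan_zone))
    findings += ["zone %s has forward: no" % z
                 for z, d in zones.items() if d["interfaces"] and not d["forward"]]
    return findings
```

Feed it the real output of `firewall-cmd --list-all-zones`, `ip r` and `cat /proc/sys/net/ipv4/ip_forward` from the router; every finding it prints is one of the reasons LAN traffic would not be forwarded and translated.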