Home firewall/router no internet access using firewalld networkmanager

ip ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

I am not familiar with the commands: ip r; ip ru. Could you educate me?

The ip command has subcommands. It allows us to abbreviate some of them to some extent.

The r clearly resolves to route, and since show is the default action for that, ip r
is the same as writing ip route show

The ru is likewise the shortest form of ip rule show


All the zones. What counts are the active zones:

The @iwalker example did select zones internal and external.
You have internal and public.

The external zone, when active, does enable net.ipv4.ip_forward and masquerade (on that zone).

Additionally, and this is still a relatively new way to configure a router with FirewallD, there is a need to define policy objects for inter-zone traffic. The @iwalker example does that too.


If you want to check what actual rules the FirewallD (or anyone else) puts into kernel, do:

sudo nft list ruleset

Also the fact you have configured two default gateways is going to confuse things on this machine as well. So no wonder none of your other machines can access the internet.

We don’t know if 192.168.12.0 is the network to the internet or if 192.168.99.0 is the network to the internet. But whichever it is, you need to delete the default route for the one that doesn’t have internet.

As already mentioned, your firewalld config is wrong, because otherwise it would be configured like the example I posted which @jlehtone mentioned. But again, even with this, there must only be one default route and it should be for whichever interface is assigned to the external zone of firewalld.

I have redone my firewall/router from scratch. I configured it exactly as @jlehtone mentioned. Still no internet access for my LAN. My interface configurations must have error(s). My WAN interface is configured as “automatic” and has IPv6 disabled. My LAN interface is configured as manual ip=192.168.99.0/24, the gateway=192.168.99.1, the DNS servers are set to my desired DNS servers

ip r
0.0.0.0 via 192.168.12.1 dev enp2s0 proto static metric 100
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 101
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 metric 30
192.168.12.0/24 dev enp1s0 proto kernel scope link src 192.168.12.184 metric 101
192.168.12.1 dev enp2s0 proto static scope link metric 100
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 100

ip ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

I made a mistake in the post listing my LAN interface configuration. The gateway=192.168.12.1. This is the gateway provided by my ISP.

I have been trying different configurations for the router/firewall interfaces. When the WAN is set to automatic and has DNS servers configured, and the LAN is configured with a static IP, no gateway, and no DNS, I can ping google.com and 8.8.8.8. The LAN is unable to reach the internet.

ip r
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 101
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 metric 30
192.168.12.0/24 dev enp1s0 proto kernel scope link src 192.168.12.184 metric 101
192.168.12.1 dev enp2s0 proto static scope link metric 100
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 100
192.168.99.0/24 via 192.168.12.1 dev enp2s0 proto static metric 100

It is… unusual, for want of a better word, for an ISP’s gateway to be specified as a 192.168 address unless maybe the ISP has provided you with some kind of a router?

192.168 addresses are private IP addresses used for local networks, commonly as default gateways for home routers. They are not routable on the public internet.

Maybe you’re behind some kind of cgnat? I have no experience with that and have never had any reason to figure out how they work.

My internet service provider is T-Mobile. I have a 5G modem/gateway connected via ethernet to my firewall/router. The T-Mobile router has two NICs and DHCP. The router gateway is 192.168.12.1.

I have, once again, removed firewalld. I also removed the configurations for my WAN and LAN. I then configured the two interfaces, WAN as automatic with no additional configuration and LAN with static ip=192.168.99.1 and no additional configuration. I then installed and started firewalld. I can ping google.com and the LAN computers.

My LAN computers have no internet access.

Do you now have something like:

$ ip ro
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 101
192.168.12.0/24 dev enp1s0 proto kernel scope link src 192.168.12.184 metric 101
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 100

in the Rocky “mini computer” router?

Now go back to FirewallD and set:

  • enp1s0 to external zone
  • enp2s0 to internal zone
  • policy object to allow new traffic from internal to external

All your “LAN computers” must have an IP address within the 192.168.99.0/24 subnet, that is IP address 192.168.99.X, where the X is in [2, .. 254], and their default route is via 192.168.99.1 (that is, if you set “gateway” in Windows, then it must be 192.168.99.1).


DHCP would make it easier to configure the LAN computers, but then you have to set that up for the LAN. The ISP’s DHCP configures only the members of 192.168.12.0/24 and there you have only this “mini computer”-router.

dnsmasq is a relatively easy DHCP and DNS server to set up, but you would have to make sure that it serves only enp2s0.
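The zone and policy layout described in the steps above, as an added example that is not from the thread or from any poster: a bash script that applies it with firewall-cmd and checks the two things that went wrong earlier in the thread, a second default route and interfaces in the wrong zones. Interface names enp1s0 (WAN) and enp2s0 (LAN) are the thread's; the helper names and the check/apply switches are assumptions of this example.

```shell
#!/bin/bash
# Added example: two-NIC firewalld router (enp1s0 = WAN -> external zone,
# enp2s0 = LAN -> internal zone) with sanity checks for the thread's pitfalls.
WAN_IF="${WAN_IF:-enp1s0}"
LAN_IF="${LAN_IF:-enp2s0}"
# Pass `ip route` output on stdin; succeed only if there is exactly one
# default/gateway entry and it leaves via the WAN interface. One per NIC,
# as in the thread's first listing, leaves the box unable to route.
default_route_ok() {
    awk -v wan="$1" '
        $1 == "default" || $1 == "0.0.0.0" {
            n++
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        }
        END { exit !(n == 1 && dev == wan) }'
}
# Pass `firewall-cmd --get-active-zones` output on stdin; print the zone
# whose indented "interfaces:" line lists the given interface (nothing if none).
zone_of_iface() {
    awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) print zone }'
}
# Apply the layout: zone per interface, masquerade on external (which also
# turns on ip_forward) and a policy accepting new internal->external traffic.
# --new-policy errors harmlessly if the policy already exists.
apply_router_firewall() {
    firewall-cmd --permanent --zone=external --change-interface="$WAN_IF"
    firewall-cmd --permanent --zone=internal --change-interface="$LAN_IF"
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --permanent --new-policy=internal-external
    firewall-cmd --permanent --policy=internal-external --add-ingress-zone=internal
    firewall-cmd --permanent --policy=internal-external --add-egress-zone=external
    firewall-cmd --permanent --policy=internal-external --set-target=ACCEPT
    firewall-cmd --reload
}
# Check the running system (run as root); failures are reported, not fixed.
check_router() {
    ip route | default_route_ok "$WAN_IF" || echo "FAIL: need one default route via $WAN_IF"
    zones=$(firewall-cmd --get-active-zones)
    [ "$(printf '%s\n' "$zones" | zone_of_iface "$WAN_IF")" = external ] || echo "FAIL: $WAN_IF not in external"
    [ "$(printf '%s\n' "$zones" | zone_of_iface "$LAN_IF")" = internal ] || echo "FAIL: $LAN_IF not in internal"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "FAIL: net.ipv4.ip_forward is 0"
    nft list ruleset | grep -q masquerade || echo "FAIL: no masquerade rule in the kernel ruleset"
}
case "${1:-}" in --apply) apply_router_firewall ;; --check) check_router ;; esac
```

Run it as `./router-check.sh --check` on the router after `--apply`; a clean run prints nothing.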

The two interfaces are currently configured: WAN automatic and no other settings; and, LAN static ip=192.168.99.1. To clarify, the LAN computers are all in the 192.168.99.0/24 subnet.

Still no internet access from the LAN computers.

firewall-cmd --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
rule family="ipv6" icmp-type name="mld-listener-done" accept
rule family="ipv6" icmp-type name="mld-listener-query" accept
rule family="ipv6" icmp-type name="mld-listener-report" accept
rule family="ipv6" icmp-type name="mld2-listener-report" accept

internal-external (active)
priority: -1
target: ACCEPT
ingress-zones: internal
egress-zones: external
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

ip r
default via 192.168.12.1 dev enp1s0 proto dhcp src 192.168.12.184 metric 101
192.168.12.0/24 dev enp1s0 proto kernel scope link src 192.168.12.184 metric 101
192.168.99.0/24 dev enp2s0 proto kernel scope link src 192.168.99.1 metric 100

firewall-cmd --get-active-zones
external
interfaces: enp1s0
internal
interfaces: enp2s0
sources: 192.168.99.0/24

Here’s what I get from a computer on my network:

ping google.com
ping: google.com: Name or service not known

When I run a traceroute to google.com from the firewall/router the result doesn’t look correct. The first couple of hops (I think) should have my gateway’s IP in one of them - it’s not.

traceroute google.com
traceroute to google.com (142.251.218.174), 30 hops max, 60 byte packets
1 TMO-G4SE.lan (192.168.12.1) 0.646 ms 0.487 ms 0.497 ms
2 192.0.0.1 (192.0.0.1) 0.653 ms 0.564 ms 0.550 ms
3 192.0.0.1 (192.0.0.1) 28.797 ms 28.745 ms 28.693 ms
4 * * *
5 192.0.0.1 (192.0.0.1) 36.125 ms 35.342 ms 36.024 ms