LAN Workstations Can't See the Internet

I installed 8.5 server and it works a treat with one major exception. My internal workstations on my LAN can’t see the Internet. Using Squid I can use browsers but apps can’t seem to find the 'net.

Network Settings

enp1s0 Broadcom Inc. and subsidiaries NetLink BCM57780 Gigabit Ethernet PCIe tg3
Status: 192.168.209.12/24, fe80:0:0:0:a6ba:dbff:fef9:681c/64
Carrier: 1 Gbps
General: Connect automatically
IPv4: Address 192.168.209.12/24
DNS 199.167.26.131, 199.167.26.132, 192.168.209.12, 8.8.4.4
DNS search domains swanlan.org

enp2s1 D-Link System Inc DGE-528T Gigabit Ethernet Adapter r8169
Status: 192.168.1.20/24, fe80:0:0:0:eacc:18ff:fee8:4d3/64
Carrier: 1 Gbps
General: Connect automatically
IPv4: Automatic (DHCP)
IPv6: Automatic

Routing & Gateways

Destination Gateway Netmask Interface
Default Route 192.168.1.1 enp2s1
Default Route 192.168.1.20 enp1s0
192.168.1.0 None 255.255.255.0 enp2s1
192.168.1.20 None 255.255.255.255 enp1s0
192.168.209.0 None 255.255.255.0 enp1s0

Yes I am running DNS (Bind 9)

  • my Internal network is 192.168.209.0
  • server: 192.168.209.12
  • two workstations (so far) 192.168.209.27 and 29

I installed a local network-numbers-to-addresses table and entered the server, workstations and other DNS sources.

Installed Dnsmasq … it made no difference so I uninstalled it.

Standard Rocky-Linux firewall.

What did I miss?

Thanks

What do you get with these

sysctl net.ipv4.ip_forward
firewall-cmd --get-active-zones

With sysctl I get: cannot stat no such file or directory

firewall-cmd --get-active-zones: internal enp1s0 and public enp2s1

Change enp2s1 into zone external. I think it does both masquerade and enable routing (the ip_forward). Do not masquerade on the internal zone.

I have no idea whether forwarding from internal zone to external (or public) zone is allowed. Probably not. (From trusted to external was allowed.)
Rocky Linux 8.5 rebased FirewallD to version 0.9, which introduced “policy objects”. With those one can configure forwarding policies. I haven’t studied them yet. Fact is that before 8.5, firewalld was not meant for a router.

Default Route 192.168.1.1 enp2s1
Default Route 192.168.1.20 enp1s0 ***
192.168.1.0 None 255.255.255.0 enp2s1
192.168.1.20 None 255.255.255.255 enp1s0 ***
192.168.209.0 None 255.255.255.0 enp1s0

The *** make no sense. The routing should be:

  • IF to internal subnet (192.168.209.0/24) THEN toss out from enp1s0
  • IF to external subnet (192.168.1.0/24) THEN toss out from enp2s1
  • Everything else, send to ISP’s router (192.168.1.1). (The 192.168.1.1 is in 192.168.1.0/24, so toss from enp2s1)

On your workstations the routes are simpler:

  • IF to internal subnet (192.168.209.0/24) THEN toss out
  • Everything else, send to router (192.168.209.12).
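As an added illustration of the routing rules above (not part of the original thread), the POSIX shell check below reads a routing table in `ip -4 route show` format and flags any default route that leaves the internal interface, or any prefix other than the LAN subnet bound to it. The sample table is constructed to mirror the thread's table; the interface names and subnets are the ones the thread uses.

```shell
#!/bin/sh
# Constructed sample in `ip -4 route show` format, mirroring the thread's
# table: two default routes, one of them out of the internal interface.
SAMPLE_ROUTES='default via 192.168.1.1 dev enp2s1
default via 192.168.1.20 dev enp1s0
192.168.1.0/24 dev enp2s1 proto kernel scope link src 192.168.1.20
192.168.1.20 dev enp1s0 scope link
192.168.209.0/24 dev enp1s0 proto kernel scope link src 192.168.209.12'

# Print every route that breaks the expected router layout.
# $1 = external (ISP-facing) interface, $2 = internal (LAN) interface,
# $3 = internal subnet in CIDR notation; the route table is read from stdin.
find_bad_routes() {
    wan="$1"; lan="$2"; lan_net="$3"
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        set -- $line            # split the route line into words
        dst="$1"; dev=""; via=""
        while [ $# -gt 0 ]; do  # pick out the "dev X" and "via Y" fields
            case "$1" in
                dev) dev="$2"; shift ;;
                via) via="$2"; shift ;;
            esac
            shift
        done
        if [ "$dst" = "default" ]; then
            # The only default route should leave via the external interface.
            [ "$dev" = "$wan" ] || echo "BAD: default route via ${via:-none} leaves internal interface $dev"
        elif [ "$dev" = "$lan" ] && [ "$dst" != "$lan_net" ]; then
            # The internal interface should carry only the internal subnet.
            echo "BAD: $dst on internal interface $dev (expected only $lan_net)"
        fi
    done
}

# Count offending routes on stdin (echoes the number, so it is easy to test).
count_bad_routes() {
    find_bad_routes "$@" | wc -l | tr -d ' '
}

# Demonstration on the constructed table: reports the two starred routes.
printf '%s\n' "$SAMPLE_ROUTES" | find_bad_routes enp2s1 enp1s0 192.168.209.0/24
```

On the router itself the same check runs as `ip -4 route show | find_bad_routes enp2s1 enp1s0 192.168.209.0/24` (that command is part of iproute2; the function here is the added code).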

Interesting:

  1. Changed ‘Public’ to External. Done and up.
  2. Do not have a ‘Trusted’ zone option in Firewalld, in cockpit. There is a trusted zone visible using webmin. Made and applied changes. Firewall did not bork when I applied the changes.

and nope … failed some of the checks. Some programs connect, others not so much. Still, the firewall is up and important apps have access. I’ll work with it to see what I can improve.

Thank you.

Under lessons learned:

I did not follow the instructions closely enough and screwed up the routing. I did find a clear set of more general instructions that showed me how to delete my errors. I also deleted the bad settings I had inserted in the ethernet instructions. One reboot later … the server came back but still would not let workstations see the Internet.

I reread your instructions and tried again. Here are the results.

Default Route 192.168.1.1 enp2s1
Default Route 192.168.1.20 enp1s0
192.168.1.0 None 255.255.255.0 enp2s1
192.168.1.20 None 255.255.255.255 enp1s0
192.168.209.0 None 255.255.255.0 enp1s0

It's working well.

Next project: Upgrade the CPU and RAM.

Thanks again.

Fine if it’s working; however, where are the two default routes coming from? Seems not correct to me.

On reboot this is what I saw:

Default Route 192.168.1.1 enp2s1
Default Route 192.168.1.20 enp1s0
192.168.1.0 None 255.255.255.0 enp2s1
192.168.1.20 None 255.255.255.255 enp1s0
192.168.209.0 None 255.255.255.0 enp1s0

When I got to my workstation … no Internet access. I deleted Default Route 192.168.1.20, applied the changes and tested for Internet access. Success.

When I checked for active routes the only difference was that Default Route 192.168.1.20 was the second default route, not the first.

As to where it comes from, I found this under Network Scripts, in ‘route-enp1s0’: GATEWAY0=192.168.1.20

The other Default Route 192.168.1.1 is listed that way in Webmin.

Thanks for the ongoing support.

Disclaimer: I have never even seen “webmin” and never used “cockpit”.

For what I know, there should be no ‘route-enp1s0’ on that router, because there should be no routes:

Default Route 192.168.1.20 enp1s0
192.168.1.20 None 255.255.255.255 enp1s0


I agree.
The route-* files are optional and we definitely don’t want a default route out of the internal interface. If the default route is the only content of that file I would remove the whole file.

P.S. I am not sure if removing the file is enough or if a Network Manager connection reload/up is also necessary, i.e. I don’t know if route-* files are managed by NM.

I think there are (at least) two levels of “management”.

There is a NM subpackage that, when installed, adds NM support for rule-* and route-* to allow policy routing to be configured via those files. While NM reads, it might not write.

There is nmcli syntax to add static routes. Been there, done that, but never bothered to check where NM saves the config. Might be the route-* files. (NM has its own format, but on EL systems it has a module that adds support for Red Hat’s “network.service” formats.)

Creating, modifying, removing files is one level of management. Having a notify event to change runtime config whenever config files are modified by a third party is another level. There are not many services that “watch” files and react.

Yes, a restart (of connection/service/system) is probably necessary.

Furthermore, if those files were added by “webmin”, then what else has it done and will it “restore” the config that it desires?