Nmcli: adding routes with a source IP address?

We have an external NAT that our Linux servers can’t seem to figure out when the traffic arrives. Thus we have to manually add the routes with internal NAT source IP. I can manually add routes with an IP source like so:
ip route add 10.0.0.0/16 via 192.168.10.1 src 192.168.10.2

And I could add that to the old network file “route-eth0” just by adding the line:
10.0.0.0/16 via 192.168.10.1 src 192.168.10.2

However I can’t figure out how to add the persistent route to NetworkManager with the nmcli command. I can do this all day long:
nmcli con mod eth0 +ipv4.routes "10.0.0.0/16 192.168.10.1"

But when I try to add a source I get an error. These versions of the command fail:
nmcli con mod eth0 +ipv4.routes "10.0.0.0/16 192.168.10.1 src 192.168.10.2"
nmcli con mod eth0 +ipv4.routes "10.0.0.0/16 192.168.10.1" src 192.168.10.2

How do I achieve this without having to resort to using rc.local to get this done at boot?

Edit: Originally I forgot to add that this interface has two IP addresses - 192.168.10.2 and 192.168.10.3

For “regular” routes, if connection “eth0” has address 192.168.10.2/X (where 192.168.10.0/X includes 192.168.10.1),
there is already link-local route 192.168.10.0/X dev eth0 src 192.168.10.2 (or something to that effect).
Adding 10.0.0.0/16 via 192.168.10.1 means that a packet to 10.0.0.0/16 has to go out from eth0 (and will have src=192.168.10.2) in order to reach the router 192.168.10.1.


It is not entirely clear (to me) what your NAT does to the picture.


The RH doc (Chapter 20. Configuring static routes, Red Hat Enterprise Linux 9, Red Hat Customer Portal) says:

nmcli con mod eth0 +ipv4.routes "10.0.0.0/16 192.168.10.1 src=192.168.10.2"

The NAT is performed by a Cisco firewall. Windows servers have no problem responding to inbound traffic however our Linux servers need to have the route ‘forced’ to the internal IP of the NAT. For example if the NAT is 10.1.1.0/24 > 192.168.10.2 the Windows server has no problem properly responding to the traffic. Our Linux servers however do not respond until we force that traffic to go back via the internal NAT with that command:
ip route add 10.0.0.0/16 via 192.168.10.1 src 192.168.10.2

Edit: What I forgot to add is that there are two IP addresses on this interface. Eth0 has 192.168.10.2 and 192.168.10.3. Sorry, this makes the question have a lot more sense.

Another bit that might be necessary is policy-based routing: Chapter 21. Configuring policy-based routing to define alternative routes (Red Hat Enterprise Linux 9, Red Hat Customer Portal).

Overall, more than one IP address on same subnet is IMHO usually more trouble than benefit.


How is the network topology, actually?

LanA --- (Xa)Cisco(Xb) --- LanB --- (Rb)Rocky

Where:

  • LanA 10.0/16
  • Xb 192.168.10.1
  • Rb 192.168.10.2

What is the NAT?

  • to LanA, sNAT Xa
  • to LanB, sNAT Xb

Or what?

WAN — Cisco Firewall — LAN Switch — Rocky
Inbound 10.1.1.1 >>> Cisco Xlate 10.1.1.1 to 192.168.10.2 >>> Rocky has 192.168.10.2 and .3

Sometimes however (at least on older Linux distros) the OS gets confused and sends the traffic back out the other IP.
OR
The NATed IP is not the primary/first IP on the list. If this is the case then the traffic is sent out the first IP instead of the one the traffic arrived on.

Whatever the case this issue is resolved by forcing those routes out the proper interface with the “src” directive.

Thanks for the link. It does show the "src" directive and that it needs an "=" sign. This is what works:
nmcli con mod eth0 +ipv4.routes "10.0.0.0/16 192.168.10.1 src=192.168.10.2"
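Putting the working command from the RH doc and the reply above into a script, as an added example that is not part of the thread: it adds the route through nmcli using the key=value attribute form (src=...) that NetworkManager accepts, re-activates the connection so the route is installed, and then asks the kernel with `ip route get` which source address it would actually use for a host inside the prefix, parsing the src field of the output. The connection name eth0, next hop 192.168.10.1 and source 192.168.10.2 are the thread's values; the probe host 10.0.1.1, the "apply" argument and the helper names are assumptions. One caveat worth keeping in mind: the src attribute of a route is the preferred source for locally originated traffic from sockets that are not bound to a specific local address; a reply on an already-established TCP connection keeps the local address the connection was accepted on regardless of the route.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are the thread's; the
# probe host 10.0.1.1 and the helper names are assumptions for illustration.
CON="eth0"
DEST="10.0.0.0/16"
GW="192.168.10.1"
SRC="192.168.10.2"

# Build the nmcli route spec. NetworkManager takes route attributes as
# key=value ("src=..."); the iproute2 form "src 192.168.10.2" is rejected.
route_spec() {
    printf '%s %s src=%s' "$1" "$2" "$3"
}

# Extract the "src" field from one line of `ip route get` / `ip route show`
# output, e.g. "10.0.1.1 via 192.168.10.1 dev eth0 src 192.168.10.2 uid 0".
# Prints nothing when the line carries no src attribute.
route_src_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Succeeds (exit 0) when the route line read from stdin carries src == $1.
# Reading stdin lets it consume either real `ip route get` output or a
# constructed sample line.
check_src() {
    want="$1"
    line=$(cat)
    [ "$(route_src_of "$line")" = "$want" ]
}

# Only touch the live system when explicitly asked: ./script apply
if [ "${1:-}" = "apply" ]; then
    nmcli connection modify "$CON" +ipv4.routes "$(route_spec "$DEST" "$GW" "$SRC")"
    nmcli connection up "$CON"          # re-activate so NM installs the new route
    ip route show | grep -F "$DEST"     # the installed route, with its src attribute

    # Ask the kernel which source it would pick for a host inside the prefix.
    if ip route get 10.0.1.1 | check_src "$SRC"; then
        echo "OK: unbound traffic to $DEST leaves with src $SRC"
    else
        echo "WARNING: kernel would source traffic to $DEST from another address" >&2
        exit 1
    fi
fi
```

Run it as `sh script.sh apply` on the host; without the argument it only defines the helpers, so it can be sourced and the parsing checked against sample lines before touching the live configuration.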

That is dNAT (aka port-forwarding), rather than sNAT, isn’t it?

That is, client sends packet (SRC=10.0.2.3 DST=10.0.1.1)
The Cisco does dNAT (DST=10.0.1.1 → DST=192.168.10.2)
and the server receives (SRC=10.0.2.3 DST=192.168.10.2)
