Seeking some assistance on this.
I have NIC1 on the 192.168.100.1/24 network with the gateway set as 192.168.100.254 (this can't be changed), with a few PCs connected to it.
And NIC2 on 10.10.10.1/24 with a few devices.
I want to be able to ping from PC1 connected to NIC1 on 192.168.100.100/24 to devices connected to NIC2 on 10.10.10.100/24.
Could someone advise on the route settings I need to configure to make this work, please?
I have Desktop GUI RL installed to make it slightly easier.
This is enough if NIC1 and NIC2 are on the router managing the networks in question. If they are not, the network needs to be fixed, or write static routes, for everything, from everything.
This machine with two NICs (“Rocky”) does already have routes to both subnets, so it does not need any more routes.
As mentioned by @Xino there are two things:
Firewall rules must allow traffic to pass through the machine. Removal of the firewall entirely is one option. If one wants to keep the firewall and uses the (default) FirewallD, then the question is whether both subnets are in the same or different “zones”, as the config differs. The latter requires “policy objects”.
Kernel must pass the traffic. The default is to not pass. Some FirewallD configs do enable the passing, but one can be explicit too and create a file, for example /etc/sysctl.d/buffboy.conf, with the sysctl line in it:
net.ipv4.ip_forward = 1
You have PC1 with address 192.168.100.100. It decides to ping 10.10.10.42 (“PC2”).
What should it do with the packet (that has 10.10.10.42 as destination)?
That is not anyone in 192.168.100.0/24.
If PC1 has explicit route to 10.10.10.0/24 via 192.168.100.1, then it can send the packet to 192.168.100.1
If not, then it will use its default route, presumably send to 192.168.100.254. Does the 192.168.100.254 know where to forward a packet destined to 10.10.10.42?
Let's say that Rocky does pass traffic and does allow ping from 192.168.100.0/24 to 10.10.10.0/24. The packet will continue towards PC2. PC2 creates a reply (pong) with destination 192.168.100.100. Where will it send that packet?
If PC2 has explicit route to 10.10.10.0/24 via 192.168.100.1 or default route (aka “gateway”) default via 192.168.100.1, then the reply returns via Rocky to PC1.
Note, if machines in 192.168.100.0/24 do already have 192.168.100.1 as gateway, then the Rocky must already pass traffic, i.e. the net.ipv4.ip_forward is already set “1” and the firewall allows something.
Config is possible to do with both GUI and command line on a system that has a GUI. Maybe.
I, however, have never used the GUI for configuration.
Could I get some instructions on what to add in terms of routes for NIC1 and, if any, on NIC2?
Note: on my NIC1, PC1 has got a static IP and gateway; it is a Windows machine and cannot be changed.
Example:
NIC1:
PC1 192.168.100.101/24 with Gateway 192.168.100.254
NIC2:
Device on NIC2 is on 10.10.10.100/24 no gateway set as this is on the separated LAN side.
So with the above, how can I enable PC1 to reach NIC2 on the 10.100 subnet? Note: I can NOT change anything on PC1 as it's a static and non-admin Windows machine. However, I can do whatever is needed on Rocky with the two NICs.
Please provide simple steps if possible.
NOTE:
Could the problem be that PC1 is on the 192.168.100.101 network? How can this ping the 10.10 network? Just a bit confused.
There are two subnets: 10.10.10.100/24 and 192.168.100.0/24
The 192.168.100.0/24 has three members: PC1 (with 192.168.100.1/24), PC2 (with 192.168.100.100), and Gateway (with 192.168.100.254)
The 10.10.10.100/24 has two members: PC1 (with 10.10.10.1) and PC3 (with 10.10.10.42)
If PC2 wants to send to PC3, then PC2 must have a route that sends the packet to correct direction.
You say that you cannot change the PC2 in any way and that it has only two routes:
to 192.168.100.0/24 from its NIC
to everywhere else via Gateway (it can reach Gateway with the help of the first route)
Therefore, the PC2 must send the “ping PC3” to Gateway. It has no other options.
The Gateway has most likely three routes:
to 192.168.100.0/24 from NIC that is linked to that subnet
to ISP subnet from NIC that is linked to that subnet
to everywhere else via some “next gateway” that is in the ISP subnet
If it does not have, and cannot be modified to have, an additional route:
to 10.10.10.100/24 via 192.168.100.1
then the “ping PC3” will never reach PC1 (and therefore has no possibility to reach PC3).
Nothing that you do in PC1 will change that. The route “to 10.10.10.100/24” must be set in PC2 or Gateway.
IF the Gateway would use DHCP to give network config to PC1 (NIC1) and PC2, and IF that DHCP config could be modified, then DHCP could supply the additional static route to PC2. Alas, the PC1 should refuse that additional route, because it does already have a route to 10.10.10.100/24 (due to its NIC2).
Let's try one more time:
“PC1” is a computer. It has network interface (NIC).
“Device1” is a computer. It has network interface (NIC).
“” is a computer with Rocky OS and two network interfaces (two NIC that you call “NIC1” and “NIC2”).
You have cable from NIC of “PC1” to NIC of “”? (I bet not.)
You have cable from NIC of “Device1” to NIC of “”?
Could you explain if I need to add a static route for both NIC1 and NIC2? This will be my Linux box.
Is it correct to add this?
for NIC1: note eth0 is NIC1
ip route add 192.168.100.0/24 via 10.10.10.100 dev eth0
for NIC2 - enp4s0
ip route add 10.10.10.0/24 via 192.168.100.101 dev enp4s0
I'm pretty sure I have tried that but still no good. Am I missing a metric? Tried with 1 or 100, still no good.
Hi all.
Thank you all for helping on this.
I have created a diagram.
The red box is what I CAN NOT change - no access.
I do have access to the Rocky Linux box and Device 1- so I want to be able to ping from PC 1 to Device 1 on 10.10.10.2.
You sit at PC1. You create “ping 10.10.10.2” packet.
It is the PC1 that has to decide what to do with the packet – based on what the PC1 knows.
Is 10.10.10.2 for the PC1? No
Is 10.10.10.2 within 192.168.100.0/24? No
The only remaining option is the “catch all rule” (aka default route). It says: Send to 192.168.100.254
How does PC1 send a packet to 192.168.100.254? It checks its routing table again.
Is 192.168.100.254 for the PC1? No
Is 192.168.100.254 within 192.168.100.0/24? Yes. Use “send to link-local neighbor” routine.
then that would match before the catch-all rule and PC1 would know to
Send to 192.168.100.101, (rather than send to 192.168.100.254).
There is another option that does not require change in PC1:
move the Device1 from subnet 10.10.10.0/24 into subnet 192.168.100.0/24
For example to 192.168.100.103 (if it is free) – unless the Gateway automatically gives some other address.
One can do the move without change to physical cabling, if one converts Rocky into bridge – a network switch.
The Rocky would have a bridge interface and that would have the 192.168.100.101/24 address.
Neither NIC1 nor NIC2 would have any IP address; they would be mere “ports” of the bridge.
(man nmcli-examples has example 10 about bridge creation.)
If Rocky is a bridge, then ip_forward is not needed and firewall does not need any changes from default.
PC1 could then ping 192.168.100.103.
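Added example (not from any poster in the thread): a small Python model of the routing decision walked through above, tracing a ping from PC1 to Device1 and the reply, with and without the extra route to 10.10.10.0/24 via Rocky. Assumptions: addresses are taken from the thread (Rocky as 192.168.100.101 and 10.10.10.1, PC1 as 192.168.100.100); the gateway's routing table, the `ISP-NEXT-HOP` placeholder and all function names are constructed for illustration.

```python
import ipaddress

LINK = "on-link"  # marker: destination is a directly attached neighbour

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet hop by hop; return (names visited, outcome)."""
    path, here = [src], src
    for _ in range(max_hops):
        if dst in nodes[here]["addrs"]:
            return path, "delivered"
        if here != src and not nodes[here].get("forward"):
            return path, "dropped: forwarding disabled"  # net.ipv4.ip_forward = 0
        route = lookup(nodes[here]["table"], dst)
        if route is None:
            return path, "dropped: no route"
        target = dst if route[1] == LINK else route[1]
        here = next((n for n, d in nodes.items() if target in d["addrs"]), None)
        if here is None:
            return path, "left the LAN via " + target
        path.append(here)
    return path, "dropped: hop limit"

def topology(pc1_extra=(), gw_extra=(), device_gw=None, rocky_forward=True):
    """Constructed model of the thread's diagram; the optional routes are the knobs."""
    dev = [("10.10.10.0/24", LINK)]
    if device_gw:
        dev.append(("0.0.0.0/0", device_gw))
    return {
        "PC1": {"addrs": {"192.168.100.100"}, "table": [
            ("192.168.100.0/24", LINK), ("0.0.0.0/0", "192.168.100.254"), *pc1_extra]},
        "Gateway": {"addrs": {"192.168.100.254"}, "forward": True, "table": [
            ("192.168.100.0/24", LINK), ("0.0.0.0/0", "ISP-NEXT-HOP"), *gw_extra]},
        "Rocky": {"addrs": {"192.168.100.101", "10.10.10.1"}, "forward": rocky_forward,
                  "table": [("192.168.100.0/24", LINK), ("10.10.10.0/24", LINK)]},
        "Device1": {"addrs": {"10.10.10.2"}, "table": dev},
    }

VIA_ROCKY = [("10.10.10.0/24", "192.168.100.101")]  # the one missing route

if __name__ == "__main__":
    print(trace(topology(), "PC1", "10.10.10.2"))                    # never reaches Rocky
    print(trace(topology(gw_extra=VIA_ROCKY), "PC1", "10.10.10.2"))  # route on the gateway
    print(trace(topology(), "Device1", "192.168.100.100"))           # reply has no way back
```

The model covers routing and the forwarding switch only; firewall zones and policies on Rocky are not represented.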
Without having access to the router, direct access from PC1 to any address other than 192.168.100.101 is not guaranteed.
The only workaround would be setting up a VPN between PC1 and the Rocky-Box. And even that would rely on the router allowing traffic at least on the port that the VPN uses.
The “red box” is drawn like typical consumer device that has a network switch on the LAN-side of the router with four physical ports. There is no traffic filtering on such switch.
A “real” router can be set up to have two (unswitched) ports on same subnet, and a bridge can be set up to filter the switched traffic, but these seem unlikely here.
Hi all, and again thank you for consistent help on this, really appreciate it.
Unfortunately, for everything on the left-hand side in all the RED boxes I only have user access - cannot add routes or change anything, including the Windows machine PC1… it is stuck in that configuration.
However, the Linux box and Device 1 I can modify however is needed.