The GUI is not NetworkManager. The GUI, the nmtui, and the nmcli are three tools that one can use to talk to NetworkManager.service.
There are no “/24 segments” 10.44.1.1, …1.255, 10.44.2.1, …2.255, etc. if the network segment is a “/16” 10.44.0.1, …255.254.
The NAT is a separate issue.
If the interface enp2s0 of this Rocky machine should have IP address 10.44.1.1, then you must give it address 10.44.1.1/16, not 10.44.0.0.
NAT example:
10.44.7.77 sends a packet to forums.rocky. It resolves the name forums.rocky to an address. Let's say a.b.c.d. A packet is created that has “SRC=10.44.7.77 DST=a.b.c.d”.
The 10.44.7.77 has only two “routes”: to 10.44.0.0/16, and default via 10.44.1.1 (which uses the first route to find 10.44.1.1). The a.b.c.d is not within 10.44.0.0/16, so the default route is used.
The 10.44.1.1, “gw”, receives the packet. The packet does not have DST=10.44.1.1, so it is not for gw.
The gw has three routes: to 10.44.0.0/16, to 100.100.100.224/28 and default via 100.100.100.225.
The a.b.c.d is in neither 10.44.0.0/16 nor 100.100.100.224/28, so it is forwarded to 100.100.100.225.
If there were no NAT, then the packet would go forward until it reaches forums.rocky, and forums.rocky would create a reply with “SRC=a.b.c.d DST=10.44.7.77”.
Alas, 10.44.7.77 is a private address and no good router forwards such packets. Even if they did, nobody would know where that destination is.
Therefore, the gw must modify the outgoing packet before it leaves enp3s0. Replace "SRC=10.44.7.77 DST=a.b.c.d" with "SRC=100.100.100.235 DST=a.b.c.d".
The reply from forums.rocky thus has "SRC=a.b.c.d DST=100.100.100.235". When the reply arrives at gw via enp3s0, the gw remembers that it did SNAT on the outgoing packet and replaces "SRC=a.b.c.d DST=100.100.100.235" with "SRC=a.b.c.d DST=10.44.7.77".
Looking at the routing table of gw, the packet is sent out via enp2s0, to 10.44.0.0/16, where 10.44.7.77 receives it.
The point is that the proper “nat” occurs on the outgoing interface, enp3s0 (iptables had the chain POSTROUTING in table nat), and not “on enp2s0”.
Furthermore, FirewallD does set up NAT (which it calls ‘masquerade’) for you, if you use the correct zone or modify a zone correctly.
The enp2s0 and enp3s0 should not be in the same zone, because conceptually the “outside” and “inside” are different and should be treated differently.
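The walk-through above, as an added example that is not part of the original post: a small Python model of the two routing tables and of the masquerade bookkeeping, so the "why NAT on enp3s0 and not on enp2s0" argument can be stepped through. Addresses, interface names enp2s0/enp3s0 and the 10.44.0.0/16, 100.100.100.224/28 and 100.100.100.235 values come from the post; the client's interface name (eth0) and the documentation address 203.0.113.10 standing in for forums.rocky's a.b.c.d are assumptions. Ports are tracked the way MASQUERADE does (original source port kept when free), but TCP state and conntrack timeouts are left out.

```python
"""Toy model of the forwarding and source-NAT walk-through in the post above.

Added example, not code from the post or from NetworkManager/firewalld.
Client interface name and 203.0.113.10 (stand-in for a.b.c.d) are made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None   # None: destination is directly connected


def lookup(routes, dst):
    """Longest-prefix match. 0.0.0.0/0 (the default route) contains every
    address, so it only wins when no more specific prefix contains dst."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


@dataclass
class Gateway:
    routes: list
    masq: dict                       # out-interface -> address to masquerade behind
    conntrack: dict = field(default_factory=dict)   # (ext_ip, ext_port, dst, dport) -> (orig_src, orig_sport)

    def _pick_port(self, ext_ip, wanted, dst, dport):
        # MASQUERADE keeps the original source port while it is free for
        # this (ext_ip, dst, dport) triple; otherwise it picks another one.
        port = wanted
        while (ext_ip, port, dst, dport) in self.conntrack:
            port += 1
        return port

    def forward(self, pkt):
        """Packet arriving on the inside. Routing picks the out-interface;
        SNAT happens in POSTROUTING, and only on a masquerading interface."""
        route = lookup(self.routes, pkt.dst)
        if route is None:
            raise ValueError(f"no route to {pkt.dst}")
        if route.dev not in self.masq:
            return route.dev, pkt                      # inside -> inside: untouched
        ext_ip = self.masq[route.dev]
        ext_port = self._pick_port(ext_ip, pkt.sport, pkt.dst, pkt.dport)
        self.conntrack[(ext_ip, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return route.dev, Packet(ext_ip, ext_port, pkt.dst, pkt.dport)

    def receive_reply(self, pkt):
        """Packet arriving from the outside. Conntrack undoes the translation
        (PREROUTING) before the routing table is consulted."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            pkt = Packet(pkt.src, pkt.sport, orig_src, orig_sport)
        route = lookup(self.routes, pkt.dst)
        return (route.dev if route else None), pkt


# Routing tables as described in the post. "eth0" and 203.0.113.10 are assumed.
CLIENT_ROUTES = [
    Route(IPv4Network("10.44.0.0/16"), "eth0"),
    Route(IPv4Network("0.0.0.0/0"), "eth0", via="10.44.1.1"),
]
FORUMS = "203.0.113.10"


def make_gateway():
    return Gateway(
        routes=[
            Route(IPv4Network("10.44.0.0/16"), "enp2s0"),
            Route(IPv4Network("100.100.100.224/28"), "enp3s0"),
            Route(IPv4Network("0.0.0.0/0"), "enp3s0", via="100.100.100.225"),
        ],
        masq={"enp3s0": "100.100.100.235"},
    )


def walk_through(client="10.44.7.77", sport=40000):
    """Run the post's example end to end and return the interesting values."""
    gw = make_gateway()
    # 1. client: a.b.c.d is not in 10.44.0.0/16, so the default route applies;
    #    its next hop 10.44.1.1 is reached through the directly connected /16.
    next_hop = lookup(CLIENT_ROUTES, FORUMS).via
    assert lookup(CLIENT_ROUTES, next_hop).via is None
    # 2. gw: routed out of enp3s0, source rewritten in POSTROUTING.
    out_dev, out_pkt = gw.forward(Packet(client, sport, FORUMS, 443))
    # 3. forums.rocky answers the address it saw; gw maps it back, then routes to enp2s0.
    reply = Packet(out_pkt.dst, out_pkt.dport, out_pkt.src, out_pkt.sport)
    in_dev, delivered = gw.receive_reply(reply)
    return next_hop, out_dev, out_pkt, in_dev, delivered


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

In firewalld terms the model's `masq` set is the zone that has masquerade enabled; enp3s0 belongs there (firewalld's external zone has masquerade on by default) and enp2s0 belongs in a different zone, which is exactly the split the post asks for. The model also shows why a second inside host reusing the same source port still works: conntrack hands it a different external port and maps the reply back to the right 10.44.x.y.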