par
Posts: 4
Joined: Sat Dec 08, 2012 1:39 pm

ip_forward

Sat Dec 08, 2012 1:51 pm

Hello, I am new to the rpi; I got it a couple of days ago. I am looking to replace my DD-WRT Linksys router with the rpi. So, I have two ethernet interfaces, one on the lan side and one on the wan side. The wan side is actually plugged into the back of the router. My Windows PC is plugged directly into the rpi. So I have:

pc (192.168.0.100) ---- (192.168.0.4) eth0 (rpi) eth1 (192.168.178.100) ----- 192.168.178.1 ROUTER

So from the rpi I can ping the eth0 (192.168.0.4) and the pc. Also from the pi I can ping the eth1 port and the router at 192.168.178.1. In fact I can ping www.yahoo.com and everything works.

What is not working is pinging the router (192.168.178.1) from my pc. In fact nothing is being forwarded by the rpi. I see ping packets coming into the rpi iptables in the filter table input and output chains. Forward chain is empty.

This is driving me crazy!!! I need help since I can't seem to get anywhere with this. Can someone help?

Here is the current config info - hope I didn't miss anything.

----------------------------------------------------------------------
ip link info
----------------------------------------------------------------------

[email protected] ~ $ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether b8:27:eb:c2:bd:37 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:60:6e:d5:ae:ae brd ff:ff:ff:ff:ff:ff

----------------------------------------------------------------------
ip address info
----------------------------------------------------------------------

[email protected] ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether b8:27:eb:c2:bd:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:60:6e:d5:ae:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.178.100/24 brd 192.168.178.255 scope global eth1

----------------------------------------------------------------------
lsmod
----------------------------------------------------------------------

[email protected] ~ $ lsmod
Module Size Used by
xt_conntrack 2794 0
xt_multiport 1555 0
xt_tcpudp 2065 0
ipt_MASQUERADE 1605 0
iptable_filter 1492 0
nf_nat_ftp 1666 0
iptable_nat 3727 0
nf_nat 16554 3 iptable_nat,nf_nat_ftp,ipt_MASQUERADE
ipt_REJECT 2071 0
ipt_LOG 6774 0
xt_limit 1560 0
xt_state 1124 0
nf_conntrack_ftp 5856 1 nf_nat_ftp
nf_conntrack_ipv4 11719 3 nf_nat,iptable_nat
nf_defrag_ipv4 1307 1 nf_conntrack_ipv4
nf_conntrack 71727 8 nf_conntrack_ipv4,nf_conntrack_ftp,xt_state,nf_nat,iptable_nat,nf_nat_ftp,ipt_MASQUERADE,xt_conntrack
ip_tables 11381 2 iptable_nat,iptable_filter
x_tables 16750 11 ip_tables,xt_state,xt_limit,ipt_LOG,ipt_REJECT,iptable_nat,iptable_filter,ipt_MASQUERADE,xt_tcpudp,xt_multiport,xt_conntrack
snd_bcm2835 12808 0
snd_pcm 74834 1 snd_bcm2835
snd_page_alloc 4951 1 snd_pcm
snd_seq 52536 0
snd_seq_device 6300 1 snd_seq
snd_timer 19698 2 snd_seq,snd_pcm
snd 52489 5 snd_timer,snd_seq_device,snd_seq,snd_pcm,snd_bcm2835
asix 13617 0

----------------------------------------------------------------------
iptables filter table
----------------------------------------------------------------------

[email protected] ~ $ sudo iptables -t filter -vnL --line-numbers
Chain INPUT (policy ACCEPT 548 packets, 31743 bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 661 packets, 67766 bytes)
num pkts bytes target prot opt in out source destination
[email protected] ~ $ sudo iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 3 packets, 174 bytes)
num pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 3 packets, 174 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 24 packets, 1806 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 24 packets, 1806 bytes)
num pkts bytes target prot opt in out source destination

----------------------------------------------------------------------
ping the (lan) eth0 port
----------------------------------------------------------------------

[email protected] ~ $ ping 192.168.0.4
PING 192.168.0.4 (192.168.0.4) 56(84) bytes of data.
64 bytes from 192.168.0.4: icmp_req=1 ttl=64 time=0.262 ms
64 bytes from 192.168.0.4: icmp_req=2 ttl=64 time=0.200 ms
64 bytes from 192.168.0.4: icmp_req=3 ttl=64 time=0.199 ms
^C
--- 192.168.0.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.199/0.220/0.262/0.031 ms

----------------------------------------------------------------------
ping the (wan) eth1 port
----------------------------------------------------------------------

[email protected] ~ $ ping 192.168.178.100
PING 192.168.178.100 (192.168.178.100) 56(84) bytes of data.
64 bytes from 192.168.178.100: icmp_req=1 ttl=64 time=0.267 ms
64 bytes from 192.168.178.100: icmp_req=2 ttl=64 time=0.200 ms
64 bytes from 192.168.178.100: icmp_req=3 ttl=64 time=0.199 ms
64 bytes from 192.168.178.100: icmp_req=4 ttl=64 time=0.199 ms
^C
--- 192.168.178.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.199/0.216/0.267/0.031 ms

----------------------------------------------------------------------
ping internet address - runs over eth1 - dns lookup working
----------------------------------------------------------------------

[email protected] ~ $ ping www.yahoo.com
PING ds-eu-fp3.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_req=1 ttl=53 time=63.1 ms
64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_req=2 ttl=53 time=62.5 ms
64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_req=3 ttl=53 time=63.1 ms
^X64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_req=4 ttl=54 time=57.5 ms
64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_req=5 ttl=54 time=57.2 ms
^C
--- ds-eu-fp3.wa1.b.yahoo.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 57.217/60.733/63.186/2.732 ms

----------------------------------------------------------------------
ip route
----------------------------------------------------------------------

[email protected] ~ $ ip route
default via 192.168.178.1 dev eth1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.4
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.100

----------------------------------------------------------------------
sysctl value of net.ipv4.ip_forward
----------------------------------------------------------------------

[email protected] ~ $ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

----------------------------------------------------------------------
sysctl values - sudo sysctl -a
----------------------------------------------------------------------


net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.accept_local = 0
net.ipv4.conf.default.src_valid_mark = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.promote_secondaries = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.promote_secondaries = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth0.accept_local = 0
net.ipv4.conf.eth0.src_valid_mark = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_notify = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.disable_xfrm = 0
net.ipv4.conf.eth0.disable_policy = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.promote_secondaries = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.secure_redirects = 1
net.ipv4.conf.eth1.shared_media = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth1.accept_source_route = 1
net.ipv4.conf.eth1.accept_local = 0
net.ipv4.conf.eth1.src_valid_mark = 0
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth1.medium_id = 0
net.ipv4.conf.eth1.bootp_relay = 0
net.ipv4.conf.eth1.log_martians = 0
net.ipv4.conf.eth1.tag = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_accept = 0
net.ipv4.conf.eth1.arp_notify = 0
net.ipv4.conf.eth1.proxy_arp_pvlan = 0
net.ipv4.conf.eth1.disable_xfrm = 0
net.ipv4.conf.eth1.disable_policy = 0
net.ipv4.conf.eth1.force_igmp_version = 0
net.ipv4.conf.eth1.promote_secondaries = 0
net.ipv4.ip_forward = 1

joan
Posts: 13925
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: ip_forward

Sat Dec 08, 2012 2:11 pm

Have you added a rule for the default route to your router?

e.g.

sudo route add -net router netmask 255.255.255.255 dev wlan0
sudo route add default gw router

where router is the ip address?

par
Posts: 4
Joined: Sat Dec 08, 2012 1:39 pm

Re: ip_forward

Sat Dec 08, 2012 2:24 pm

Not sure I understand. Here is what ip route comes back with. There is a default route there:

[email protected] ~ $ ip route
default via 192.168.178.1 dev eth1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.4
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.100

default would be the router (192.168.178.1) or am I missing something?

thanks for the quick reply :-)

par
Posts: 4
Joined: Sat Dec 08, 2012 1:39 pm

Re: ip_forward

Sat Dec 08, 2012 10:17 pm

I must be having a brain crap or something because I can't figure this out. Seems that what I try just makes things worse. The setup is pretty simple: a pc, rpi with two ethernet interfaces, and a dsl router.

pc (192.168.0.100)------(192.168.0.4) eth0 --rpi ---eth1 (192.168.178.100) ------(192.168.178.1) router

rpi interfaces
[email protected] ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether b8:27:eb:c2:bd:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:60:6e:d5:ae:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.178.100/24 brd 192.168.178.255 scope global eth1

rpi route info
[email protected] ~ $ ip route
default via 192.168.178.1 dev eth1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.4
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.100

Can't get this to work. Any help appreciated.

par
Posts: 4
Joined: Sat Dec 08, 2012 1:39 pm

Re: ip_forward

Mon Dec 10, 2012 8:33 am

I have solved the problems! Turns out that ip_forward was not the problem, nor were the routes. When you change certain sysctl variables, the rpi is set up to be a router and not a host. The rpi adheres to strict rules that routers need to adhere to. RFC 1812 defines how a router should act. So the problem is that I have two non-routable ip subnets, one on either side of the rpi. By default and per RFC 1812, routers cannot route non-routable addresses. This can be changed with the following sysctl variables:

net.ipv4.ip_forward
net.ipv4.accept_redirects = 0
net.ipv4.send_redirects = 1
net.ipv4.accept_source_route = 1

In case anyone is interested, here is a reference I found for sysctl variables and what they do:

http://kernel.org/doc/Documentation/net ... sysctl.txt

This did the trick, but there is one more problem. The router lan interface has a problem with packets that are not part of its subnet. These need to be NATed. Add the following iptables rule and everything works like a charm:

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to 192.168.178.100

Hope this helps someone
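
Added example, not part of any post in this thread: a POSIX shell check that applies the conf.all / conf.<iface> combining rules from the kernel's ip-sysctl.txt to a sysctl dump, and looks for a source-NAT rule on the WAN interface. The function names (effective, has_src_nat, diagnose) and the sample inputs are assumptions for illustration; the samples are constructed from values posted above.

```shell
# Constructed inputs: sysctl subset of this thread's dump; `iptables -t nat -S` before/after.
SYSCTL_SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.accept_source_route = 1'
NAT_BEFORE='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'
NAT_AFTER="$NAT_BEFORE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 192.168.178.100"

# effective IFACE KEY < dump: value the kernel applies on IFACE, combining
# conf.all and conf.IFACE the way ip-sysctl.txt documents for each key.
effective() {
    awk -F' *= *' -v ifc="$1" -v key="$2" '
        { v[$1] = $2 + 0 }
        END {
            a = v["net.ipv4.conf.all." key] + 0
            i = v["net.ipv4.conf." ifc "." key] + 0
            if (key == "accept_source_route") r = (a && i) ? 1 : 0  # both must be set
            else if (key == "rp_filter")      r = (a > i) ? a : i   # max of the two
            else                              r = i                 # per-interface value
            print r
        }'
}

# has_src_nat WAN_IF < rules: true if POSTROUTING rewrites the source on WAN_IF.
has_src_nat() {
    grep -Eq -- "^-A POSTROUTING .*-o $1 .*-j (SNAT|MASQUERADE)"
}

# diagnose LAN_IF WAN_IF DUMP RULES: one-line summary of the forwarding path.
diagnose() {
    nat=missing
    printf '%s\n' "$4" | has_src_nat "$2" && nat=present
    for ifc in "$1" "$2"; do
        printf '%s:fwd=%s,rpf=%s,srr=%s ' "$ifc" \
            "$(printf '%s\n' "$3" | effective "$ifc" forwarding)" \
            "$(printf '%s\n' "$3" | effective "$ifc" rp_filter)" \
            "$(printf '%s\n' "$3" | effective "$ifc" accept_source_route)"
    done
    printf 'nat=%s\n' "$nat"
}

diagnose eth0 eth1 "$SYSCTL_SAMPLE" "$NAT_BEFORE"
diagnose eth0 eth1 "$SYSCTL_SAMPLE" "$NAT_AFTER"
```

On a live system, pass the output of `sudo sysctl -a` and `sudo iptables -t nat -S` as the third and fourth arguments of `diagnose` in place of the samples.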

bvisonl
Posts: 1
Joined: Fri Jan 03, 2014 3:01 pm

Re: ip_forward

Fri Jan 03, 2014 3:02 pm

Hey, can you tell me how you managed to get the routing done? I can't even ping the eth0 from the eth1... I followed your configuration and still... let me know what you need so you can help me :) Thanks in advance.
