Hello,
When you know something about Linux you can use software from scratch.
I also have my own router with two network interfaces and one wireless LAN card.
take a look at
bind9 - DNS Server
isc-dhcp-server - DHCP Server for IPv4 and/or IPv6
hostapd - Wireless Daemon
nftables - !!!Important / Firewall
optionally if you like
webmin - Web based GUI
On 03.12.2021 at 23:04, Ross Boylan wrote:
Hi, all!
In short: if my box has 2 ethernet connections, one to the outside
world and one to my LAN, do I need to add a routing instruction so
that packets from my lan can make it out to the internet? Using /etc/network/interfaces.
Fuller Question:
Currently my main system has one ethernet attached to my local network
(a switch, or maybe a dumb router); a wireless router on the network
is connected to the (outside) internet and currently provides NAT,
firewall and DHCP.*
My goal is to attach the internet directly to my system by an ethernet
cable from the modem and take over as the primary router/firewall.
Do I need to add an ip route command to get outbound (public internet) traffic to actually go out? This includes both traffic from my system
and from others on my local network. Unlike nft, ip doesn't seem to
do negative commands, so I guess I would first give routing rules for
my local network and then send the rest out.**
E.g., with eth0 my LAN and eth1 the WAN
ip route add 192.168.1.0/24 dev eth0
# other routes I know something about
# other unused private routes--or maybe those should just be dropped by nft?
# perhaps
ip route add blackhole 192.168.0.0/16
ip route add default dev eth1
# nft does SNAT on the result
I'm using ifup as my primary configuration; and have examples of nft
setup for firewalls and routers, including SNAT. This is on buster,
though I hope to upgrade soon. I edited sysctl.conf to allow forwarding.
I had a similar setup a few years ago with iptables, and I don't
remember needing to route manually, so maybe I'm missing something.
I've found it difficult to get current information; the "Debian
Reference" and "Securing Debian" are both pre nft, as is https://wiki.debian.org/DebianFirewall. The documentation on netfilter
is naturally focused on nft, not on other changes one needs, and is
not Debian specific. The Debian specific information on iproute2 is
minimal; nftables does have some useful info on Debian integration.
ifup has a fair amount of documentation, though it does leave exactly
how specifications in interfaces get translated to specific kernel
settings to the imagination (e.g., if I specify 2 interfaces will it automatically guess how to route?).
The whole thing is made more complex by the possible presence of other dynamically created networks from libvirt and Docker. I've mostly
been avoiding docker since it doesn't seem to play well with others,
e.g., it may delete all my existing rules.
Ross
*DHCP is the problem. My main system provides customized DHCP and
DNS. My old wireless router let me disable DHCP; my new Deco 5 only
lets me disable DHCP by disabling *all* the router features. Which is
why I'm trying to get my main system to act as the router.
**Given that interfaces listed first are not reliably configured
first, I'm not sure how to guarantee the outside routes get added
after the inside routes, at least if each is set when their respective interface comes up.
--
Kind regards
Jörg Jellissen
Friesenstraße 3
47445 Moers
Mobil: (01573) / 5 34 42 18
Fax: (02841) / 4 08 62 77
E-Mail:
[email protected]
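The two pieces that Ross's routing question and Jörg's nftables recommendation point at, as an added example that is not from either message: an /etc/network/interfaces fragment and an nftables ruleset for a Debian box with eth0 on the LAN and eth1 on the WAN. Interface names, the LAN address and the table/chain names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two pieces Ross's layout needs on a
# Debian router, eth0 = LAN 192.168.1.0/24 behind eth1 = WAN, rendered by
# shell functions so the text can be reviewed before it is installed.
# Assumed: interface names, LAN address and table names are this example's own.

# /etc/network/interfaces stanzas. ifupdown installs the connected route
# (192.168.1.0/24 dev eth0) when it assigns the address, and the WAN stanza's
# DHCP lease (or a static "gateway" line) installs the default route, so no
# manual "ip route add" is needed. Insertion order is irrelevant: the kernel
# always picks the longest matching prefix, whichever route came up first.
interfaces_stanzas() {   # $1 = LAN interface, $2 = WAN interface
    cat <<EOF
auto $1
iface $1 inet static
    address 192.168.1.1/24

auto $2
iface $2 inet dhcp
EOF
}

# nftables ruleset for /etc/nftables.conf: default-drop forward chain, RFC 1918
# destinations are dropped instead of leaking out of the WAN (the "drop it in
# nft" alternative to blackhole routes), and SNAT by masquerade on the WAN.
nft_ruleset() {   # $1 = LAN interface, $2 = WAN interface, $3 = LAN prefix
    cat <<EOF
flush ruleset
table inet router {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        oifname "$2" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname "$1" oifname "$2" ip saddr $3 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$2" ip saddr $3 masquerade
    }
}
EOF
}

# Forwarding itself is a sysctl: net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
if [ "${1:-}" = "render" ]; then
    interfaces_stanzas eth0 eth1
    nft_ruleset eth0 eth1 192.168.1.0/24
fi
```

Run with `render` to print both fragments; the ruleset can be syntax-checked without loading it via `nft -c -f /etc/nftables.conf`.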