[SOLVED] Multiple network adapters routing

Hi there DietPi fam,

I’m running DietPi on a RPi 3B for quite a while now and I’m loving it. But now I’m reaching the limits of my knowledge and Google fu :wink:
I’ve successfully added a second USB ethernet adapter on the RPi to connect a second network. I’m also running WireGuard to gain remote access to my RPi.
By default the WireGuard connection routes everything to the eth0 (default RPi) interface. Splendid :slight_smile:

But how can I access my second network from my remote WireGuard client?

I can access network A without any problems, but I cannot access network B from my remote client.

Current routing table on the RPi (ip route show):

default via 192.168.10.1 dev eth0 onlink
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.250
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.250

Current network interface configuration on the RPi (cat /etc/network/interfaces):

# Drop-in configs
source interfaces.d/*

# Local
auto lo
iface lo inet loopback

# Ethernet onboard
allow-hotplug eth0
iface eth0 inet static
address 192.168.10.250
netmask 255.255.255.0
gateway 192.168.10.1
dns-nameservers 1.1.1.1

# Ethernet plugin USB
allow-hotplug eth1
iface eth1 inet static
address 10.0.10.250
netmask 255.255.255.0

# WiFi
#allow-hotplug wlan0
iface wlan0 inet dhcp
address 0.0.0.0
netmask 0.0.0.0
gateway 0.0.0.0
#dns-nameservers 0.0.0.0
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Current WireGuard configuration on the RPi (cat /etc/wireguard/wg0.conf):
Followed the WireGuard instructions as described on the DietPi forum: https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/127
$(sed -n 3p /DietPi/dietpi/.network) translates to eth0

[Interface]
Address = 10.9.0.1/24
PrivateKey = *redacted*
ListenPort = *redacted*

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = *redacted*
AllowedIPs = 10.9.0.4/32

Current WireGuard client configuration on the RPi (cat /etc/wireguard/wg0-client1.conf):

[Interface]
Address = 10.9.0.4/24
PrivateKey = *redacted*

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 1.1.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = *redacted*
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.10.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.10.250/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = *redacted*

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25

If more information is needed, please do tell.

Have you added the 10.0.10.0/24 in the allowed networks and routed it on the remote WG client?

just for my understanding,

  1. what is the reason to have 2 different networks?
  2. how do clients from network A connect to network B?
  3. how do clients from network B connect to the Internet?
  4. I guess your RPi is using network A as well to connect to the internet?

My guess is that the solution might be somewhere between iptables and having the correct routing :thinking:

I’ve added the WireGuard client config and it’s currently set to 0.0.0.0/24



  1. The RPi is there to bridge WireGuard to network B, but uses network A to gain access.
  2. There’s no need for clients from network A to connect to network B. Only one WireGuard client is required to gain access to network B, but uses network A to get in from the internet.
  3. Clients on network B use a different gateway to get to the internet (completely separate internet line).
  4. Network A is the primary connection to the internet. Network B was added later with a USB ethernet adapter.

OK, stupid question: why not access Network B via the internet connection of Network B?

We have no control over the internet connection on network B, so we cannot make any port forwards.

Unless this is a typo, this is totally pointless.
Can you post here the client config too?

Client config is in the first post, and it’s not a typo, it’s there by default.
See the commented lines in the config which WireGuard generates:

# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0

I tried setting it to 10.0.10.0/24 but still no joy.

I also tried this guide to add an extra routing table, but that didn’t work. But maybe I added the wrong network info.

Maybe you would need to consider creating a 2nd WireGuard interface wg1 that points to your eth1 network. Still I guess something in iptables needs to be adjusted. But my knowledge of iptables is limited.

Okay, it was a typo. It is /0, not /24

Forget about that.

I didn’t see the client config the first time.
So you are allowing every prefix on the WG tunnel, however the “route-allowed” is not enabled.
Can you post the routing table from the client when the tunnel is up?

When the client is up (Win10 client) this is the routing table:

Network Destination   Netmask           Gateway   Interface   Metric
10.9.0.0              255.255.255.0     On-link   10.9.0.3    256
10.9.0.3              255.255.255.255   On-link   10.9.0.3    256
10.9.0.255            255.255.255.255   On-link   10.9.0.3    256

When I add 10.0.10.0/24 in the AllowedIPs, then the routing table is like this:

Network Destination   Netmask           Gateway   Interface   Metric
0.0.0.0               0.0.0.0           On-link   10.9.0.3    0
10.0.10.0             255.255.255.0     On-link   10.9.0.3    0
10.0.10.255           255.255.255.255   On-link   10.9.0.3    256
10.9.0.0              255.255.255.0     On-link   10.9.0.3    256
10.9.0.3              255.255.255.255   On-link   10.9.0.3    256
10.9.0.255            255.255.255.255   On-link   10.9.0.3    256

The only network B address I can ping from my client is 10.0.10.250, which is the 2nd ethernet interface on the RPi.
I also enabled ip_forwarding on all the interfaces.
I think I need to add a route from 10.9.0.0/24 to 10.0.10.0/24 but on which interface?

Thank you both for your help so far btw :slight_smile:

P.S. wg0-client1.conf is the config used on the remote client and is in the last codeblock from the first post.
P.P.S. I only posted the WireGuard related route table info.

Can you try to do a traceroute from your mobile W10 system to a system on network B?

A tracert to a device in network B will only result in a pingback from 10.9.0.1 (WireGuard server), the rest is timed out.

A tracert to a device on network A will result in 2 hops:

  • 10.9.0.1 (WireGuard server on RPi)
  • 192.168.10.200 (device on network A)

P.S. I updated the picture in the first post to hopefully clarify it a bit better.

Do you have access to a system on Network B to try to capture traffic using Wireshark? I mean, to see if there are packets arriving from the RPi?

When I use my WireGuard remote client and SSH into the RPi, then I can reach network B perfectly. But I cannot access network B directly from my WireGuard remote client. So yes there is traffic from the RPi to network B.

I think there’s no routing from 10.9.0.1 (WG server) to 10.0.10.0/24 (network B), but I don’t know how to add this.

I guess we misunderstood. I would like to do some packet capture on a system on Network B while you try to access a system on network B directly, without doing an SSH session to your RPi first. So still the question: do you have direct access to a system on Network B? Probably some routing is missing as well on Network B back to your RPi. Just guessing. Therefore it would be good to know if something arrived on Network B systems at all.

The problem is that Network B doesn’t have a route to the WG network. Ideally you should add a static route on the gateways of both networks A and B for 10.9.0.0/24 via the IP of the Raspi.
If you cannot achieve that the other option is to SNAT on the Raspi, more or less what you have tried to do there with masquerade, but only for eth0, while you need to do it for eth1 as well.
Try this:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.10.250
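To show why the forward path works but the reply never comes back, here is an added example (not from the thread or DietPi) that simulates longest-prefix routing on the RPi and on a network-B host using the thread's addresses; the network-B gateway address 10.0.10.1 is an assumption. It models both fixes named above: the static route on network B's gateway, and SNAT to the RPi's eth1 address.

```python
import ipaddress

# Constructed routing tables based on the addressing used in this thread.
# Each entry: (prefix, interface, next-hop gateway or None when on-link).
RPI_ROUTES = [
    ("0.0.0.0/0", "eth0", "192.168.10.1"),
    ("10.0.10.0/24", "eth1", None),
    ("10.9.0.0/24", "wg0", None),
    ("192.168.10.0/24", "eth0", None),
]
# A host on network B knows its own LAN and a default gateway that is NOT the
# RPi. The gateway address 10.0.10.1 is an assumption; the thread never gives it.
NETB_HOST_ROUTES = [
    ("0.0.0.0/0", "lan", "10.0.10.1"),
    ("10.0.10.0/24", "lan", None),
]
RPI_ETH1 = "10.0.10.250"


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, gateway) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def rpi_egress(dst):
    """Interface the RPi forwards a tunnel packet out of (the forward path)."""
    return lookup(RPI_ROUTES, dst)[0]


def reply_next_hop(client_src, snat=False, static_route=False):
    """Next hop a network-B host picks for its reply (the return path).

    snat:         the RPi rewrote the source to its eth1 address (the SNAT fix).
    static_route: network B has a route for 10.9.0.0/24 via 10.0.10.250
                  (the fix that needs control over network B's gateway).
    """
    routes = list(NETB_HOST_ROUTES)
    if static_route:
        routes.append(("10.9.0.0/24", "lan", RPI_ETH1))
    reply_dst = RPI_ETH1 if snat else client_src
    _, gw = lookup(routes, reply_dst)
    return gw or reply_dst  # gateway, or the destination itself when on-link
```

Without either fix the reply goes to 10.0.10.1, which has no route for 10.9.0.0/24, so the packet is dropped; that also explains why 10.0.10.250 itself was reachable, since the RPi answers from its own address and no return route is needed.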

Yep, indeed. That is what I was trying to check, if something arrived on Network B but got routed to the Internet router on Network B and not back to the RPi. I personally add this static route on my Internet router. But you already said you don’t have access to the Internet router of Network B. So no option to set a static route there.