[SOLVED] Multiple network adapters routing

WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

[SOLVED] Multiple network adapters routing

Post by WatskeBart »

Hi there DietPi fam,

I'm running DietPi on a RPi 3B for quite a while now and I'm loving it. But now I'm reaching the limits of my knowledge and Google fu ;)
I've successfully added a second USB ethernet adapter on the RPi to connect a second network. I'm also running WireGuard to gain remote access to my RPi.
By default the WireGuard connection routes everything to the eth0 (default RPi) interface. Splendid :)

But how can I access my second network from my remote WireGuard client?

Image

I can access network A without any problems, but I cannot access network B from my remote client.

Current routing table on the RPi (ip route show):

```
default via 192.168.10.1 dev eth0 onlink
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.250
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.250
```

Current network interface configuration on the RPi (cat /etc/network/interfaces):

```
# Drop-in configs
source interfaces.d/*

# Local
auto lo
iface lo inet loopback

# Ethernet onboard
allow-hotplug eth0
iface eth0 inet static
address 192.168.10.250
netmask 255.255.255.0
gateway 192.168.10.1
dns-nameservers 1.1.1.1

# Ethernet plugin USB
allow-hotplug eth1
iface eth1 inet static
address 10.0.10.250
netmask 255.255.255.0

# WiFi
#allow-hotplug wlan0
iface wlan0 inet dhcp
address 0.0.0.0
netmask 0.0.0.0
gateway 0.0.0.0
#dns-nameservers 0.0.0.0
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
```

Current WireGuard configuration on the RPi (cat /etc/wireguard/wg0.conf):
Followed the WireGuard instructions as described on DietPi forum viewtopic.php?p=16308#p16308
$(sed -n 3p /DietPi/dietpi/.network) translates to eth0

```
[Interface]
Address = 10.9.0.1/24
PrivateKey = *redacted*
ListenPort = *redacted*

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = *redacted*
AllowedIPs = 10.9.0.4/32
```

Current WireGuard client configuration on the RPi (cat /etc/wireguard/wg0-client1.conf):

```
[Interface]
Address = 10.9.0.4/24
PrivateKey = *redacted*

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 1.1.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = *redacted*
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.10.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.10.250/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = *redacted*

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25
```

If more information is needed, please do tell.
Last edited by WatskeBart on Tue Mar 24, 2020 3:40 pm, edited 3 times in total.
//WB

There's not much you can do, without a CPU.
trendy
Posts: 126
Joined: Tue Feb 25, 2020 2:54 pm

Re: Multiple network adapters routing

Post by trendy »

Have you added the 10.0.10.0/24 in the allowed networks and routed it on the remote WG client?
Joulinar
Posts: 2091
Joined: Sat Nov 16, 2019 12:49 am

Re: Multiple network adapters routing

Post by Joulinar »

Just for my understanding:
  1. What is the reason to have 2 different networks?
  2. How do clients from network A connect to network B?
  3. How do clients from network B connect to the Internet?
  4. I guess your RPi is using network A as well to connect to the internet?

My guess is that the solution might be somewhere between iptables and having the correct routing :?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

Re: Multiple network adapters routing

Post by WatskeBart »

trendy wrote: Mon Mar 23, 2020 3:05 pm Have you added the 10.0.10.0/24 in the allowed networks and routed it on the remote WG client?

I've added the WireGuard client config and it's currently set to 0.0.0.0/24
//WB

There's not much you can do, without a CPU.
WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

Re: Multiple network adapters routing

Post by WatskeBart »

Joulinar wrote: Mon Mar 23, 2020 3:39 pm Just for my understanding:
  1. What is the reason to have 2 different networks?
  2. How do clients from network A connect to network B?
  3. How do clients from network B connect to the Internet?
  4. I guess your RPi is using network A as well to connect to the internet?
My guess is that the solution might be somewhere between iptables and having the correct routing :?

  1. The RPi is there to bridge WireGuard to network B, but uses network A to gain access.
  2. There's no need for clients from network A to connect to network B. Only one WireGuard client is required to gain access to network B, but uses network A to get in from the internet.
  3. Clients on network B use a different gateway to get to the internet (completely separate internet line).
  4. Network A is the primary connection to the internet. Network B was added later with a USB ethernet adapter.
//WB

There's not much you can do, without a CPU.
Joulinar
Posts: 2091
Joined: Sat Nov 16, 2019 12:49 am

Re: Multiple network adapters routing

Post by Joulinar »

ok stupid question, why not going to access Network B via internet connection of Network B?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

Re: Multiple network adapters routing

Post by WatskeBart »

Joulinar wrote: Mon Mar 23, 2020 6:35 pm ok stupid question, why not going to access Network B via internet connection of Network B?

We have no control over the internet connection on network B, so we cannot make any port forwards.
//WB

There's not much you can do, without a CPU.
trendy
Posts: 126
Joined: Tue Feb 25, 2020 2:54 pm

Re: Multiple network adapters routing

Post by trendy »

WatskeBart wrote: Mon Mar 23, 2020 5:31 pm
trendy wrote: Mon Mar 23, 2020 3:05 pm Have you added the 10.0.10.0/24 in the allowed networks and routed it on the remote WG client?
I've added the WireGuard client config and it's currently set to 0.0.0.0/24

Unless this is a typo, this is totally pointless.
Can you post here the client config too?
WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

Re: Multiple network adapters routing

Post by WatskeBart »

trendy wrote: Mon Mar 23, 2020 7:38 pm
WatskeBart wrote: Mon Mar 23, 2020 5:31 pm
trendy wrote: Mon Mar 23, 2020 3:05 pm Have you added the 10.0.10.0/24 in the allowed networks and routed it on the remote WG client?
I've added the WireGuard client config and it's currently set to 0.0.0.0/24
Unless this is a typo, this is totally pointless.
Can you post here the client config too?

Client config is in the first post, and it's not a typo, it's there by default.
See the commented lines in the config which WireGuard generates:

```
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
```

I tried setting it to 10.0.10.0/24 but still no joy.
//WB

There's not much you can do, without a CPU.
WatskeBart
Posts: 12
Joined: Mon Mar 23, 2020 2:36 pm

Re: Multiple network adapters routing

Post by WatskeBart »

I also tried this guide to add an extra routing table, but that didn't work. But maybe I added the wrong network info.
//WB

There's not much you can do, without a CPU.
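
An added example (not part of any post in this thread and not DietPi's or WireGuard's own code): it reads the routing table and the IPv4 NAT rule from the first post and reports, per destination, which interface a forwarded VPN packet leaves on and whether its source address is masqueraded there. The host addresses 192.168.10.20 and 10.0.10.20 are constructed, and `%i` and the `$(sed ...)` expression are replaced by wg0 and eth0, the values the first post gives for them.

```python
import ipaddress
import re

# `ip route show` output copied from the first post.
ROUTES = """\
default via 192.168.10.1 dev eth0 onlink
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.250
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.250
"""
# IPv4 PostUp rule from wg0.conf with %i and $(sed ...) replaced by the
# values the post gives for them (wg0, eth0).
POSTUP = ("iptables -A FORWARD -i wg0 -j ACCEPT; "
          "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE")


def parse_routes(text):
    """Return [(network, dev)] from `ip route show` lines."""
    table = []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        table.append((ipaddress.ip_network(prefix), fields[fields.index("dev") + 1]))
    return table


def egress_dev(table, dst):
    """Longest-prefix match, as the kernel does when routing a packet."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def masqueraded_devs(rules):
    """Interfaces named by `-o <dev> -j MASQUERADE` in nat POSTROUTING rules."""
    return set(re.findall(r"-t nat -A POSTROUTING -o (\S+) -j MASQUERADE", rules))


def check(dst, tunnel_src="10.9.0.4"):
    """Describe how a packet from the VPN client to dst leaves the RPi."""
    dev = egress_dev(parse_routes(ROUTES), dst)
    nat = dev in masqueraded_devs(POSTUP)
    return {"dev": dev, "masqueraded": nat,
            "source_seen_by_target": "RPi address on " + dev if nat else tunnel_src}


if __name__ == "__main__":
    for dst in ("192.168.10.20", "10.0.10.20"):  # constructed host addresses
        print(dst, check(dst))
```

For a network B destination the packet leaves eth1 with its 10.9.0.4 source unchanged, so the target has to reply through its own gateway, which per the answers above is a separate internet line with no route back to 10.9.0.0/24.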