
Router with public IP towards ISP and public IP on the second interface, traffic problem

I need help with my network and router setup again. The router is running Ubuntu and has two interfaces with public IP addresses. We are renting a public IP address pool: 198.51.100.0/24. One external interface, eth0, uses the public address 198.51.100.2 and connects to the ISP. The ISP-side gateway address is 198.51.100.240. The second interface, eth1, uses 198.51.100.1 and connects to the local network, where our servers are located. All servers have public IP addresses. One of the servers acts as a proxy for the internal network. How should I properly configure routing between the interfaces so that all clients on eth1 can access the internet and are also reachable from the internet? Currently, if I set a /24 subnet mask on all router interfaces, I can access the router but not the servers. If I set a /32 subnet mask on the external interface eth0, which makes sense, I get access from one of the servers to the router. **When the hosts behind eth1 are unreachable at the IP level, arping is still able to reach them.** +------+ +---+ +---------+ +-------------+ | +---+-----+--+| | | | MAIL | | | | +--++ | +--v--+ +->| 198.51.100.3| +------+ +---+ +--+---+ ISP | | +---+-----+--+ | +-------------+ | +---+-----+--+| |198.51.100.240|| SW || 198.51.100.5| +--->| 172.16.0.0 | | +----+-----+-+ | +---+-----+--+ | +----+ | +-------------+ | +-+----+ +-+-+ +------+ +---+ |198.51.100.1| | | +-------------+ | | | | | | | | |eth1 | | | | | FW/PROXY | | | +----+-----+-+ | +---+-----+--+ | +->| 198.51.100.7|<--+ +------+ +---+ +--^--+ | | 172.16.0.1 | | | +-------------+ +--------+
# Router interface addressing (ifupdown-style excerpt; the "iface ... inet static"
# lines are not shown on this page).
# NOTE(review): both NICs carry the same 198.51.100.0/24 prefix, so the router ends up
# with two overlapping connected routes and can only use one of them for the whole /24.
# That is consistent with the reported symptom: arping (which bypasses the routing table)
# reaches the hosts behind eth1 while IP traffic does not. Typical remedies are to split
# the pool (a smaller prefix on eth0 plus a host route to the gateway) or to enable
# proxy ARP on the router -- confirm against the actual routing table (ip route).
eth0 
        address 198.51.100.2
        netmask 24
        gateway 198.51.100.240

        
eth1
        address 198.51.100.1
        netmask 24
# sysctl: enable IPv4 forwarding between the two interfaces (the key name is cut off
# on this page; the full key is net.ipv4.ip_forward).
.ipv4.ip_forward = 1
# /etc/nftables.conf

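table inet filter {
    # Router firewall for the rented public pool 198.51.100.0/24.
    # The interface names below (enp3s0/enp6s0) must match the real NICs; the question
    # text calls them eth0 (ISP side) and eth1 (server side).
    # Assumption used in the forward chain: enp3s0 = ISP side, enp6s0 = server side --
    # confirm, and swap the iif/oif pairs if the mapping is the other way round.
    chain input {
        type filter hook input priority 0;
        policy drop;

        # Allow loopback
        iif "lo" accept

        # Allow established/related
        ct state established,related accept

        # Any host claiming a pool address may talk to the router itself.
        # On the ISP-facing interface the source address is spoofable; narrow this
        # to the hosts/services that actually need the router once things work.
        iif "enp3s0" ip saddr 198.51.100.0/24 accept
        iif "enp6s0" ip saddr 198.51.100.0/24 accept

        # Allow SSH to router from anywhere (public-facing; consider limiting to known sources)
        tcp dport 22 accept

        # Allow ICMP (ping)
        ip protocol icmp accept

        # Log and drop everything else
        log prefix "nftables input drop: " flags all counter drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;

        # Allow established/related
        ct state established,related accept

        # Servers (pool addresses) going out to the Internet.
        # The previous rules matched 195.19.139.0/24 -- a prefix used nowhere else in this
        # setup -- and required BOTH source and destination to be inside that /24, so no
        # Internet-bound or Internet-originated packet could ever match and everything
        # fell through to the drop.
        iif "enp6s0" oif "enp3s0" ip saddr 198.51.100.0/24 accept

        # Internet reaching the servers. This exposes every port on every server, which is
        # what the question asks for; once forwarding works, restrict it per host and port
        # (ip daddr <server> tcp dport { ... }) instead of the whole pool.
        iif "enp3s0" oif "enp6s0" ip daddr 198.51.100.0/24 accept

        # Log and drop everything else
        log prefix "nftables forward drop: " flags all counter drop
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}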
Asked by E Malinowski (61 rep)
Jun 19, 2025, 04:50 PM
Last activity: Jun 20, 2025, 02:33 PM