Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1 vote, 1 answer, 2550 views
How to fix routing for Wireguard VPN Gateway
I am desperately trying to get my WireGuard VPN setup up and running, as my Internet connection has been switched to IPv6 (DS-Lite).
**My Setup (raw):**
- NetCup VPS (acting as IPv4 contact point for my mobile devices out on the Internet)
- Internal WireGuard server (acting as the gateway between internal and external network)
- iPhone with WireGuard client installed, connected via mobile network only
**Current Status:**
- VPN tunnel up and running between VPS and internal WireGuard server, as well as between VPS and mobile client
- VPS (VPN address 192.168.1.10) able to ping both peers (192.168.1.1 and 192.168.1.15)
- Internal WireGuard server (192.168.1.1) able to ping VPS (192.168.1.10) but not able to reach mobile client (192.168.1.15) --> ICMP: Destination Host Unreachable.
- tcpdump on the VPS does not show any ICMP request coming in from my internal WireGuard server when trying to ping 192.168.1.15
- Mobile client (192.168.1.15) able to ping VPS (192.168.1.10) via the VPN tunnel but not able to reach the internal WireGuard server (192.168.1.1)
To me it seems to be a routing issue on the internal gateway server. Routes are set by wg-quick as follows:
default via 192.168.2.1 dev enp0s10 proto static metric 100
169.254.0.0/16 dev enp0s10 scope link metric 1000
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev enp0s10 proto kernel scope link src 192.168.2.2 metric 100
IP forwarding is active.
Any ideas on what I could have missed?
Any assistance is well appreciated!
Andi (11 rep), Aug 31, 2021, 08:29 AM • Last activity: Jul 1, 2025, 01:06 AM
0 votes, 0 answers, 139 views
DHCP - Force install routing table to local computer
I would like to use my Ubuntu VM to act as a DHCP server and gateway for my work laptop.
This laptop must connect to a Cisco AnyConnect SSL VPN in order to access internal resources. This VPN is not split tunneling, which means that all the laptop's traffic is encrypted and goes through the tunnel to the VPN server.
Is there a way to configure my Ubuntu or a Kali Linux on its DHCP server to force install a specific routing table which tells the laptop to split tunnel the traffic? In other words, I will specify only some IP subnets to be routed through the tunnel interface, but the default gateway (0.0.0.0/32) must exit directly through my Linux, so I guess we could play with the metric so it can be lower than the VPN default route's metric.
As far as I know there are some firewalls that can do this, but not on the DHCP server itself. The only weapon I have got is an Ubuntu VM or Kali Linux VM.
The reason I want to do this is because my work laptop is administratively locked, so I have no privileged access to change its network configuration.
igor-root (1 rep), May 30, 2023, 11:59 PM • Last activity: Mar 19, 2025, 12:00 PM
1 vote, 1 answer, 709 views
Gateway failover using netplan
I'm having trouble setting up 2 IP addresses so that if one fails it will use the secondary IP address. I've set up netplan as shown in the picture.
I can connect via ssh using both IP addresses. I test which IP address is the main one by using speedtest-cli; using the server control panel I disable the IP address that was used by speedtest-cli. However, when I try to use speedtest-cli again it doesn't work; I expected it to automatically switch to the IP that is still available. I tried pinging a known IP address but it doesn't work.
Does anyone know why this isn't working as I expect it to and how I can get it working?
Arran Lawley (11 rep), Jun 13, 2019, 07:06 PM • Last activity: Nov 29, 2024, 04:12 PM
11 votes, 3 answers, 14912 views
How to blindly forward all packets from one interface to another?
I would like to forward all L3 packets received on eth0 to another interface, let's call it m0 (m0 is a custom interface tied into custom hardware with a distinct L2 framing mechanism), as well as the reverse, m0->eth0. A sample implementation for m0 could be a SLIP interface, for example. I want to achieve this using userspace tools, preferably.
The tricky part is I don't want to route. I don't care what the source or destination ipv4 addresses are, and I don't care what the MAC addresses are either. I just want to blindly grab everything from interface 0 and shovel it over interface 1 (and vice versa) without modifying the L3 packets.
I know that everything (in this use case) coming in over eth0 is ipv4 UDP packets that fit in the Ethernet mtu 1500, no fragments. Additionally, it needs to work with multicast addressed packets.
I'm worried that the only way to achieve this is with custom software that is camping on the interface(s) in promiscuous mode. I would like to avoid this because it would be hard to avoid entering a scenario where I loop packets back to their origin.
For example,
1. Poll eth0 and m0 to see if data is received
2. packet A received at eth0
3. packet A captured at eth0 and sent to m0
4. packet A received at m0
5. packet A has already been dealt with but how does the software know that? I would have to keep some sort of table of previously handled packets... nasty.
As far as setting it up in Linux, all the research I have done has led me to using combinations of the following, but I don't think they are appropriate in this use case:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -o m0 -j ACCEPT
iptables -A FORWARD -i m0 -o eth0 -j ACCEPT
Achievable with Static Routing
------------------------------
Verified the interfaces are all working and it isn't a hardware problem by setting static routes and confirming bidirectional messaging. I'm starting to think it simply isn't achievable.
PC0 can now directly connect to PC1; tested with:
ping 192.168.2.110 -t 10
Received response from PC1 through the radios.
network map:
                eth0               eth0
             192.168.0.111      192.168.2.112
PC0 --- eth --- unit111 --- rf --- unit112 --- eth --- PC1
192.168.0.110   192.168.1.111      192.168.1.112       192.168.2.110
                m0                 m0
PC0:
IFPC=enx4865ee1495b5
ip link set $IFPC up
ip addr flush $IFPC
ip addr add 192.168.0.110/24 dev $IFPC
ip route add 192.168.1.0/24 via 192.168.0.111
ip route add 192.168.2.0/24 via 192.168.0.111
unit111:
ip link set eth0 up
ip addr flush eth0
ip addr add 192.168.0.111/24 dev eth0
ip link set m0 up
ip addr flush m0
ip addr add 192.168.1.111/24 dev m0
ip route add 192.168.2.0/24 via 192.168.1.111
echo 1 > /proc/sys/net/ipv4/ip_forward
unit112:
ip link set eth0 up
ip addr flush eth0
ip addr add 192.168.2.112/24 dev eth0
ip link set m0 up
ip addr flush m0
ip addr add 192.168.1.112/24 dev m0
ip route add 192.168.0.0/24 via 192.168.1.112
echo 1 > /proc/sys/net/ipv4/ip_forward
PC1:
IFPC=enp0s31f6
ip link set $IFPC up
ip addr flush $IFPC
ip addr add 192.168.2.110/24 dev $IFPC
ip route add 192.168.1.0/24 via 192.168.2.112
ip route add 192.168.0.0/24 via 192.168.2.112
Application Context
-------------------
This is for a radio that has its own L2/L1 used for RF transmission. It is guaranteed placement in a system at the edge of a network and the only packets it receives over its Ethernet interface are to go out over RF. The interface to the L2 used in the RF chain is a DMA that I built a network interface for (m0) because I *thought* it would simplify connecting it to the Ethernet interface. All of the L2/L1 used for M0 is an FPGA implementation shuffling packets over the m0 DMA.
From the point of view of systems sending/receiving packets from the radio, the radio is basically supposed to look like a wire; packet in, packet out.
Transmit Chain:
[eth rx frame]->[??forward to m0??]->[m0 places pkt in dma for l2 chain]->[frame (L2),mod,out to rf]
Receive chain:
[rf,demod,deframe(L2)]->[m0 rx pkt creates skb]->[??forward to eth0??]->[eth0 rx skb transmits ethernet frame]
The radio is full duplex; it should be able to perform the transmit and receive simultaneously. That is, get packets from the Ethernet and transmit them over RF, as well as receive packets over RF and send them back out to the Ethernet.
I can place and recover packets into the RF chain using normal socket code through m0 no problem. I just can't figure out how to forward all traffic between the interfaces without touching the packets or opening the interfaces in promiscuous and doing it manually in C code (which as described earlier has its own bag of worms).
gutelfuldead (110 rep), Dec 23, 2019, 07:35 PM • Last activity: Nov 20, 2024, 03:14 PM
2 votes, 1 answer, 2472 views
ping6 error 'operation not permitted'
I am unable to ping6 my gateway or beyond. I am able to ping6 my loopback successfully, but that is all.
[\u@r2d2:/root] # ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:19f0:7000:8945:5400:ff:fe05:3dab --> 2404:6800:400a:805::200e
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
^C
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[\u@r2d2:/root] # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 107.191.60.1 UGS vtnet0
107.191.60.0/24 link#1 U vtnet0
107.191.60.48 link#1 UHS lo0
127.0.0.1 link#2 UH lo0
169.254.0.0/16 56:00:00:05:3d:ab US vtnet0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default 56:00:00:05:3d:ab US vtnet0
::1 link#2 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2001:19f0:7000:8945::/64 link#1 U vtnet0
2001:19f0:7000:8945::64 link#1 UHS lo0
2001:19f0:7000:8945:5400:ff:fe05:3dab link#1 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%vtnet0/64 link#1 U vtnet0
fe80::5400:ff:fe05:3dab%vtnet0 link#1 UHS lo0
fe80::%lo0/64 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
fe80::%tun0/64 link#4 U tun0
fe80::5029:5a67:f95a:a47e%tun0 link#4 UHS lo0
ff01::%vtnet0/32 fe80::5400:ff:fe05:3dab%vtnet0 U vtnet0
ff01::%lo0/32 ::1 U lo0
ff01::%tun0/32 fe80::5029:5a67:f95a:a47e%tun0 U tun0
ff02::/16 ::1 UGRS lo0
ff02::%vtnet0/32 fe80::5400:ff:fe05:3dab%vtnet0 U vtnet0
ff02::%lo0/32 ::1 U lo0
ff02::%tun0/32 fe80::5029:5a67:f95a:a47e%tun0 U tun0
[\u@r2d2:/root] # ifconfig
vtnet0: flags=8843 metric 0 mtu 1500
options=6c03bb
ether 56:00:00:05:3d:ab
inet6 fe80::5400:ff:fe05:3dab%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:7000:8945:5400:ff:fe05:3dab prefixlen 64 autoconf
inet 107.191.60.48 netmask 0xffffff00 broadcast 107.191.60.255
inet6 2001:19f0:7000:8945::64 prefixlen 64
nd6 options=23
media: Ethernet 10Gbase-T
status: active
lo0: flags=8049 metric 0 mtu 16384
options=600003
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21
pflog0: flags=100 metric 0 mtu 33160
tun0: flags=8050 metric 0 mtu 1500
options=80000
inet6 fe80::5029:5a67:f95a:a47e%tun0 prefixlen 64 scopeid 0x4
nd6 options=21
Opened by PID 1054
[\u@r2d2:/root] # cat /etc/rc.conf| curl -F 'sprunge= fe80::fc00:ff:fe05:3dab: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is r2d2.ex-mailer.com, Flags [router, solicited]
17:12:38.795797 IP6 (hlim 56, next-header UDP (17) payload length: 57) 2001:19f0:ac00:102:5054:ff:fea9:125.44215 > r2d2.ex-mailer.com.domain: [udp sum ok] 65322% [1au] NS? e-shadowsecurity.net. ar: . OPT UDPsize=1232 OK (49)
17:12:40.294209 IP6 (hlim 56, next-header UDP (17) payload length: 65) 2001:19f0:ac00:102:5054:ff:fea9:125.34231 > r2d2.ex-mailer.com.domain: [udp sum ok] 21702% [1au] AAAA? spartan.e-shadowsecurity.net. ar: . OPT UDPsize=4096 OK (57)
17:12:40.300451 IP6 (hlim 56, next-header UDP (17) payload length: 57) 2001:19f0:ac00:102:5054:ff:fea9:125.31739 > r2d2.ex-mailer.com.domain: [udp sum ok] 8695% [1au] NS? e-shadowsecurity.net. ar: . OPT UDPsize=4096 OK (49)
17:12:41.798625 IP6 (hlim 56, next-header UDP (17) payload length: 65) 2001:19f0:ac00:102:5054:ff:fea9:125.45150 > r2d2.ex-mailer.com.domain: [udp sum ok] 32270% [1au] AAAA? spartan.e-shadowsecurity.net. ar: . OPT UDPsize=1232 OK (57)
17:12:42.638938 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5400:ff:fe05:3dab > fe80::fc00:ff:fe05:3dab: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::fc00:ff:fe05:3dab
Update:
[\u@r2d2:/root] # /etc/rc.d/netif restart && /etc/rc.d/routing restart
Stopping Network: lo0 vtnet0.
lo0: flags=8048 metric 0 mtu 16384
options=600003
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
nd6 options=21
vtnet0: flags=8802 metric 0 mtu 1500
options=6c03bb
ether 56:00:00:05:3d:ab
inet6 fe80::5400:ff:fe05:3dab%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:7000:8945:5400:ff:fe05:3dab prefixlen 64 autoconf
inet6 2001:19f0:7000:8945::64 prefixlen 64
nd6 options=23
media: Ethernet 10Gbase-T
status: active
Starting Network: lo0 vtnet0.
lo0: flags=8049 metric 0 mtu 16384
options=600003
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21
vtnet0: flags=8843 metric 0 mtu 1500
options=6c03bb
ether 56:00:00:05:3d:ab
inet6 fe80::5400:ff:fe05:3dab%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:7000:8945:5400:ff:fe05:3dab prefixlen 64 autoconf
inet 107.191.60.48 netmask 0xffffff00 broadcast 107.191.60.255
inet6 2001:19f0:7000:8945::64 prefixlen 64
nd6 options=23
media: Ethernet 10Gbase-T
status: active
route: writing to routing socket: No such process
delete net 169.254.0.0: gateway vtnet0 fib 0: not in table
route: writing to routing socket: No such process
delete net default: gateway 107.191.60.1 fib 0: not in table
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
add net 169.254.0.0: gateway vtnet0
add net default: gateway 107.191.60.1
Additional inet routing options: gateway=YES.
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Additional inet6 routing options: gateway=YES.
[\u@r2d2:/root] # rtsol -D vtnet0
checking if vtnet0 is ready...
vtnet0 is ready
set timer for vtnet0 to 1s
New timer is 1s
timer expiration on vtnet0, state = 1
send RS on vtnet0, whose state is 2
set timer for vtnet0 to 4s
New timer is 4s
received RA from fe80::fc00:ff:fe05:3dab on vtnet0, state is 2
Processing RA
ndo = 0x607b60
ndo->nd_opt_type = 3
ndo->nd_opt_len = 4
ndo = 0x607b80
ndo->nd_opt_type = 25
ndo->nd_opt_len = 3
nsbuf = 2001:19f0:300:1704::6
ndo = 0x607b98
ndo->nd_opt_type = 5
ndo->nd_opt_len = 1
ndo = 0x607ba0
ndo->nd_opt_type = 1
ndo->nd_opt_len = 1
rsid = [vtnet0:slaac]
write to child = nameserver (11)
write to child = 2001:19f0:300:1704::6(21)
write to child =
(1)
script "/sbin/resolvconf" terminated
stop timer for vtnet0
RA expiration timer: type=25, msg=2001:19f0:300:1704::6, expire=1h0m0s
there is no timer
[\u@r2d2:/root] # ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:19f0:7000:8945:5400:ff:fe05:3dab --> 2404:6800:400a:804::200e
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
jack2222 (21 rep), Oct 21, 2015, 10:18 AM • Last activity: Aug 24, 2024, 06:00 AM
0 votes, 1 answer, 314 views
Device has no access to gateway, but gateway is visible/pingable
On my home LAN I have my home router set up as the gateway and a few clients. One client (orangepipc) also works as a DNS resolver with Pi-hole installed. On the gateway (192.168.11.1) is a DHCP server, where I have reserved an IP address (192.168.11.6) for Pi-hole. On the gateway this Pi-hole is set up as the primary DNS resolver, and for all the clients in the LAN it works fine. I am able to ping the Pi-hole and connect to it with SSH from the LAN. But if I am connected to the Pi-hole device, from there it is not possible to connect/ping to the gateway or the other devices in the LAN/WAN. On the Pi-hole device only a clean, current Armbian, Kodi and Pi-hole (from the installation script) are installed.
The first thing I checked is a gateway setup misconfiguration on Pi-hole, but I can't see anything wrong. Attaching my settings below. Any ideas, please?
ip -4 route | grep default | cut -d ' ' -f 3
192.168.11.1
ifconfig
eth0 Link encap:Ethernet HWaddr 6e:01:40:a3:84:8e
inet addr:192.168.11.6 Bcast:192.168.11.255 Mask:255.255.255.0
inet6 addr: fe80::6c01:40ff:fea3:848e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:324629 errors:0 dropped:0 overruns:0 frame:0
TX packets:1402480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:65879699 (65.8 MB) TX bytes:118278414 (118.2 MB)
Interrupt:114
ip -4 route
default via 192.168.11.1 dev eth0 proto static metric 100
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.6 metric 100
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Bendik (1 rep), Sep 10, 2018, 08:30 AM • Last activity: Jul 23, 2024, 07:30 AM
0 votes, 0 answers, 61 views
Using Linux server as a gateway for specific addresses in internal network
I have a RHEL 9 server which has the IP addresses `172.10.0.10` and `172.30.1.10`, and which is connected to two separate switches with two separate network interfaces.
This server runs a virtual machine, which has the IP address `172.30.1.200`. We connected another physical network interface of this physical server to the switch connected to the `172.30.1.XXX` block. This network interface is reserved only for that virtual machine, so that the virtual machine can communicate with our other servers in the `172.10.0.XXX` block.
At this point, I have to make this server a specific gateway between our other servers and the virtual machine. This server should act as a gateway between `172.30.1.200` (the virtual machine) and a few servers on the `172.10.0.XXX` IP block.
I have tried port forwarding, but this doesn't work for a specific reason about the application running on our VM.
This server, which I'm planning to make the gateway, must work as a gateway only for those 2 separate IP blocks. Because it's open to the world internet, I need to make this gateway as minimal as possible. I've added the needed IP addresses of the clients and the VM to the `internal` zone of firewalld; any changes I make should only affect the internal zone, if possible.
Also, the clients in `172.10.0.XXX` also connect to the internet, with another gateway address. So the clients have to use the `172.10.0.10` gateway to communicate with the address `172.30.1.200` only, not with the entire internet.
katatonic (13 rep), Jun 28, 2024, 08:52 AM
7 votes, 3 answers, 5380 views
Linux Replacement of RD Gateway
Is there a way to replace RDS Gateway with some sort of Linux-based proxy? I know there are some ways to do it with ssh/port forwarding, but this is to replace a current RDS Gateway our users utilize for remote access (~300 users). I need to support multiple Windows clients using their native RDP to connect to their Windows desktops on campus, using some sort of Linux proxy in between.
From my searching, there are some solutions (xrdp, ssh proxy, port forwarding, etc.) that sort of do what I need, but they either aren't user friendly or they involve using multiple/non-standard ports. Before I give up my search and succumb to paying MS licensing for RDS, is it currently possible to use Linux to proxy RDP from Windows using their native client?
[Multiple Remote Windows Clients] => [Linux proxy/gateway] => [Corporate Windows Desktops]
user103115, Mar 14, 2017, 11:54 AM • Last activity: May 15, 2024, 12:21 AM
0 votes, 0 answers, 46 views
How to Allow all NATed traffic from iptables firewall via pfsense (gateway)
I have an iptables firewall (machine 1) and a CentOS 7 based gateway (machine 2), which has 2 interfaces: (machine-2:int-1) from the WAN [/30] and (machine-2:int-2) on the LAN [/28], one of the static IPs provided by the ISP. Now this setup is working fine: machine-1's LAN subnets are doing iptables-based NATing, and the gateway of machine-1's LAN subnet interface is machine-2's int-2. All routes for the NATed IPs have the iptables firewall set as their gateway.
LAN
^
|
|
FIREWALL (NAT) --> Other int's *-- IPTABLES
^
|
|
GATEWAY (no NAT) *-- PFSense
^
|
|
WAN (ISP)
Now I would like to replace the CentOS based gateway with pfSense. As soon as I replaced the gateway machine with pfSense, NATed addresses were not passing through. I tweaked the NAT outbound rules and disabled them. Still I could not make this happen. I need to make rules and routing in pfSense that allow all the traffic from LAN to WAN as is (no NATing, since the iptables firewall is taking care of it). Please suggest.
Ratna Kumar (11 rep), Apr 23, 2024, 05:28 AM
0 votes, 0 answers, 34 views
Problem with Fedora 19 Gateway
I have a machine that runs Fedora 19. Updating is not an option due to software constraints. I have an image that I've copied from a working unit of the exact same model using Clonezilla. I've done this before but on this latest revision of the hardware in Fedora 19 I can set a default Gateway but can't reach anything on the network. On a Fedora 25 load (can't use because of hibernation issue) my Gateway works perfectly. I've made changes to my ifcfg-enp3s0 file, stopped and restarted my network. I get a default Gateway from my static settings but I can't ping anything on the network. If I allow it to use DHCP I do not get an IP address. On the same machine I can restore Fedora 25 or boot from a live Fedora 32 version and get network. It's something with the Fedora 19 that's the issue.
Derick Thomas (1 rep), Mar 5, 2024, 10:04 PM
0 votes, 0 answers, 97 views
Active directory server default gateway resolution issues
I am using a Raspberry Pi 2 running Ubuntu Server acting as an Active Directory domain controller with Samba and Kerberos etc., as detailed in [this video](https://www.youtube.com/watch?v=tgBuvA6J-_8). I have three Windows 11 Professional clients that are part of the domain. The clients are configured with their own IP address, use the same network-wide subnet mask, and their DNS settings are routed to the DC, with the secondary (alternative DNS server) as the default wifi router (as a device off the network domain would use).
In the video, it shows changing the default gateway of the windows clients to the IP address of the DC. I made this change, and connected to the domain successfully. However, when performing basic searches or accessing external sites online on the clients, it is EXTREMELY SLOW or fails to load even the simplest page.
If I change the default gateway of the client back to the router IP address (as it would have been originally), then the webpages load completely fine, however, the client loses the domain entirely, and doesn't even recognise it as existing. E.g. a ping to exampledomain.local doesn't reach.
**Is there a way to remain part of the domain, in touch with the DC, whilst using the gateway of the router on the clients?**
Very new to all this, including IT forums etc, so feedback on my question appreciated.
Oliver Ricketts (11 rep), Nov 3, 2023, 11:07 PM • Last activity: Nov 4, 2023, 08:11 AM
1 vote, 1 answer, 4638 views
How to prevent an unwanted default gateway to be added during reboot
I’m using a Beaglebone Black running a webserver on a Debian system. The BBB is working as a DHCP + DNS (using dnsmasq) in a local network (192.168.5.xyz) with no direct internet access. I can easily connect devices that retrieve an IP from the BBB. So far so good.
In case I’m at home for example, I’d like to add internet access to this little network. So I connect this network to a router that provides internet access and has a static IP address (192.168.5.254) within this network. So I added the router’s IP to the /etc/network/interfaces file:
**/etc/network/interfaces:**
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#auto eth0
#iface eth0 inet dhcp
allow-hotplug eth0
iface eth0 inet static
address 192.168.5.1
netmask 255.255.255.0
gateway 192.168.5.254
But for some reason an extra default routing entry is added whenever I reboot my BBB.
When I manually delete/flush the default entry with GW 0.0.0.0 everything works fine.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 0.0.0.0 0.0.0.0 U 0 0 0 eth0
default 192.168.5.254 0.0.0.0 UG 0 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 0 0 0 eth0
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
It seems that the unwanted default gateway is added during boot:
**journalctl -b**:
…
Nov 06 11:29:40 webserver connmand: eth0 {add} address 192.168.5.1/24 label eth0 family 2
Nov 06 11:29:40 webserver avahi-daemon: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.5.1.
Nov 06 11:29:40 webserver connmand: eth0 {add} route 192.168.5.0 gw 0.0.0.0 scope 253
Nov 06 11:29:40 webserver avahi-daemon: New relevant interface eth0.IPv4 for mDNS.
Nov 06 11:29:40 webserver avahi-daemon: Registering new address record for 192.168.5.1 on eth0.IPv4.
Nov 06 11:29:40 webserver connmand: eth0 {add} route 0.0.0.0 gw 192.168.5.254 scope 0
…
I can also see the "wanted" routes I made in /etc/network/interfaces. These are also made by the Connman daemon. But **/etc/connman/main.conf** is apparently not the file that is causing the default route with gateway 0.0.0.0:
[General]
PreferredTechnologies=ethernet,wifi
SingleConnectedTechnology=false
AllowHostnameUpdates=false
PersistentTetheringMode=true
NetworkInterfaceBlacklist=SoftAp0,usb0,usb1
Do you have any hints on how to find out where the extra route is added and how to prevent it? I've already looked through several scripts that are called during boot but couldn't find it...
Or is the way I'm setting up eth0 completely wrong?
tsc6666 (23 rep), Nov 11, 2019, 07:47 AM • Last activity: Sep 13, 2023, 09:53 AM
-1 votes, 1 answer, 220 views
How is my _gateway ARP entry address resetting itself to a "hardcoded" value?
I've got an Ubuntu Linux PC on a private 192.168.x.y LAN. It's got an IP on the 0 subnet (192.168.0.y) and is able to ping other PCs on the 0 subnet. It looked like the _gateway MAC address had been hardcoded, so I was unable to reach any other subnet until I read this article. It had me run
sudo ip nei flush all
so that my ARP table would be cleared. This worked initially, but a little bit later I was unable to ping the PC again; the ARP table reverted to the old hardcoded MAC address for the _gateway entry in the ARP table. Where in Linux would someone set up a periodic change of the MAC address for the _gateway entry in the ARP table?
LukeDev (99 rep), Sep 8, 2023, 05:18 PM • Last activity: Sep 8, 2023, 06:31 PM
1 vote, 0 answers, 2744 views
Debugging IPv6 connectivity in fresh Debian 12 installation
### Context
I installed Debian 12 on my machine a couple of days ago, and since then I have been facing some issues with (outbound) IPv6 networking. From my investigation so far (having gone through infinitely many related posts on this and other Linux forums, none of which have been particularly helpful), it seems to me the default gateway for IPv6 is misconfigured, but I'm currently at my wit's end on how to proceed from here.
### Reproducing the issue
A simple ping suffices to illustrate it:
$ ping -6 example.org
PING example.org(2606:2800:220:1:248:1893:25c8:1946 (2606:2800:220:1:248:1893:25c8:1946)) 56 data bytes
^C
--- example.org ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17394ms
whereas it works with _regular_ IPv4:
$ ping -4 example.org
PING (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=1 ttl=52 time=116 ms
64 bytes from 93.184.216.34 (93.184.216.34): icmp_seq=2 ttl=52 time=194 ms
^C
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 116.459/155.372/194.285/38.913 ms
The issue is not limited to ICMP packets; `wget` and `curl` also fail to establish a connection if targeting an IPv6 address. This also shows DNS is not the problem here, since the IPv6 address is successfully resolved.
### Setup
As mentioned, my setup is a recent installation of Debian 12 with GNOME. This means networking is handled by Network Manager, where the IPv6 method is set to `auto` and `ip6-privacy` is enabled (I already tried disabling it to no avail).
Output from relevant commands:
$ sudo dmesg | grep IPv6
[10528.771325] IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
[10559.614635] IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
[18402.308519] IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
[18406.196405] IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
[18444.190916] IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
So it looks like IPv6 is enabled at the kernel level (?).
$ ip -6 route
2a00:d100:18e2:9f00::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlp2s0 proto ra metric 600 pref medium
From what I can tell, `fe80::` is meant for [local networking](https://en.wikipedia.org/wiki/Link-local_address#IPv6) so it should not be where requests are routed to by default. On the other hand, `2a00:d100:18e2:9f00::/56` is the value my router claims for _prefix delegation_, but I am not entirely sure what that means. I tried to set it as the default gateway (with `sudo route add -A inet6 default gw 2a00:d100:18e2:9f00::`), but that didn't do the trick either.
$ sudo route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2a00:d100:18e2:9f00::/64 [::] U 600 1 0 wlp2s0
fe80::/64 [::] U 1024 1 0 wlp2s0
[::]/0 _gateway UG 600 5 0 wlp2s0
localhost/128 [::] Un 0 7 0 lo
zenbook/128 [::] Un 0 3 0 wlp2s0
zenbook/128 [::] Un 0 2 0 wlp2s0
zenbook/128 [::] Un 0 3 0 wlp2s0
ff00::/8 [::] U 256 6 0 wlp2s0
[::]/0 [::] !n -1 1 0 lo
$ traceroute -6 google.com
traceroute to google.com (2a00:1450:4003:80f::200e), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
[continues ...]
28 * * *
29 * * *
30 * * *
If any other command output is required in order to make progress, please let me know in the comments. Any help with this is appreciated.
cronos2
(203 rep)
Aug 29, 2023, 02:15 PM
• Last activity: Aug 31, 2023, 11:17 AM
3
votes
1
answers
7272
views
How to have two different gateways on two different bridges in Proxmox VE
We have two different network interfaces `eno1` and `eno2` (`eno3` and `eno4` are not connected) and we have one bridge `vmbr0`. We want to add another bridge `vmbr1` and we want to set two different gateways on these bridges.
Currently `vmbr0`'s gateway is set to `172.20.10.1`. Now we want to create another bridge `vmbr1` and set its gateway to `172.20.1.40`, but the Proxmox interface doesn't allow this.
I entered these parameters for creating `vmbr1`.
This is my configuration, and this is the output of `ifconfig`.
I am using Proxmox VE 5.4-13 on an HP ProLiant DL380p Gen8, and `uname -a` shows
Linux vmserver1 4.15.18-21-pve #1 SMP PVE 4.15.18-48 (Fri, 20 Sep 2019 11:28:30 +0200) x86_64 GNU/Linux
The main reason I want to do this is for creating VMs on two different networks.
**The networks are separate and NOT PHYSICALLY CONNECTED to each other.**
Erfan Azhdari
(216 rep)
Jan 14, 2020, 04:57 PM
• Last activity: Jul 8, 2023, 07:02 PM
0
votes
0
answers
142
views
Centos 7 Two Gateways (virtual and VLAN) question
I could not get this working.
I have two public IP addresses. On CentOS 6 my setup was: eth0.2 (VLAN 2) was DHCP from ISP 1 and eth0:1 was a static IP address from ISP 2.
It worked out of the box without any configuration, metric or table route entries.
On CentOS 7 I set ifcfg-eno1.2 and ifcfg-eno1:3 as follows:
~~~~
DEVICE=eno1.2
HWADDR=removed
TYPE=Ethernet
BOOTPROTO=DHCP
ONBOOT=yes
VLAN=yes
IPV6INIT=yes
USERCTL=yes
PEERDNS=no
ARPCHECK=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV4_ROUTE_METRIC=10
DEVICE=eno1:3
HWADDR=removed
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
VLAN=no
IPV6INIT=yes
USERCTL=yes
PEERDNS=no
ARPCHECK=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV4_ROUTE_METRIC=11
IPADDR=APUBLICIPADDRESS
PREFIX=25
GATEWAY=THEGATEWAY
DNS1=1.1.1.1
~~~~
When I restart the network services only the first interface works, but if I release the IP address, eno1:3 starts working.
I tried adding/removing IPV4_ROUTE_METRIC=10 on eno1.2 and IPV4_ROUTE_METRIC=11 on eno1:3 to no avail.
Any tips?
user3265051
(199 rep)
Jun 29, 2023, 12:21 PM
• Last activity: Jun 29, 2023, 12:41 PM
1
votes
0
answers
374
views
dhcpcd deleting gateway
I'm trying to switch from DHCP to static IP by using dhcpcd.
When I switch from static to DHCP I'm configuring that eth0 (which used to have the static address) will also be the one with the DHCP address. But somehow dhcpcd seems to remove the gateway as well when it starts.
So if I originally have
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
It will become
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
This is my dhcpcd.conf file
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.
# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel
# Inform the DHCP server of our hostname for DDNS.
hostname
# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid
# Persist interface configuration when dhcpcd exits.
persistent
# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit
# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu
# Most distributions have NTP support.
#option ntp_servers
# A ServerID is required by RFC2131.
require dhcp_server_identifier
# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
#slaac private
# Configure IPv4 only
ipv4only
# Don't set any default routes
nogateway
# Allow the following interfaces
allowinterfaces eth0
I use `dhcpcd eth0` to request an IP.
What am I doing wrong?
user2384330
(75 rep)
Jun 8, 2023, 01:31 PM
0
votes
1
answers
70
views
Unable to block traffic with iptables
Router1 is the gateway for another router (router2).
Router1 has set up the 10.0.0.1/8 LAN network to which router2 is attached. 10.0.0.1 is obviously the bridge IP address of the LAN as well as the assigned gateway IP for router2.
Router1 has the following rule that successfully blocks every attempt from router2 to reach a destination different from 10.0.0.1 (router1's own IP), **but unfortunately only if router2 is using 10.0.0.1 as its gateway**.
iptables -t raw -I PREROUTING ! -d 10.0.0.1 -j DROP
The problem is: if I change the gateway of router2 from 10.0.0.1 to 10.22.22.1 and use DHCP to obtain an IP address, or manually set 10.22.22.22/24 (for example), router2 is able to access the internet through router1!? This is strange to me because the above rule is very clear.
What rule should I apply to block router2's internet access and allow access only to the gateway 10.0.0.1/8?
(The /8 network is absolutely needed for the LAN; also, I need raw table commands only.)
Svetoslav
(13 rep)
Jun 6, 2023, 02:13 PM
• Last activity: Jun 7, 2023, 12:37 AM
1
votes
0
answers
600
views
Why would an iptables rule for ANY proto only allow ICMP traffic?
Basically, I have a Linux box (Ubuntu Focal) configured as a gateway:
sysctl net.ipv4.ip_forward = 1 #Enable ipv4 forwarding
iptables -t nat -A POSTROUTING -o ens160 -s 192.168.1.0/24 -j MASQUERADE #NAT 192.168.1.x to internet behind interface ens160
Having done this, I can ping successfully:
dig @8.8.8.8 www.google.com
This fails and the hit count on the rule does not increase.
I also tried using telnet to open an HTTP (not HTTPS) website by IP address (not name), and this also fails, with the hit count not increasing.
I'm really at a loss for what could be causing this, since this procedure normally works and the rule itself is saying that it applies to all protocols, not just ICMP, but it seems to be the case that I can ping anything by IP address, but DNS lookups (UDP) and TCP connections are failing because the gateway is not sending them out.
I did a tcpdump as well and you can see the packets coming in as 192.168.1.x, and in the case of ICMP you also see the NATted packets leaving, but for UDP/TCP you don't see anything leaving.
What might be the issue here?
___
Edit: Adding some more info as per some of the feedback from comments
The `filter` and `raw` tables don't seem to have anything in there. I'm not sure if I'm using the right command to check these, but I think so:
`iptables-save -c` doesn't show anything besides what I expect either. (There are some dupes of the rule I added due to repeated trial & error, but I don't think these have any impact):
sudo iptables-save -c
# Generated by iptables-save v1.8.4 on Tue May 2 18:59:25 2023
*raw
:PREROUTING ACCEPT [290378:642993821]
:OUTPUT ACCEPT [26621:1727859]
COMMIT
# Completed on Tue May 2 18:59:25 2023
# Generated by iptables-save v1.8.4 on Tue May 2 18:59:25 2023
*filter
:INPUT ACCEPT [290051:642964315]
:FORWARD ACCEPT [140:11615]
:OUTPUT ACCEPT [26631:1728900]
COMMIT
# Completed on Tue May 2 18:59:25 2023
# Generated by iptables-save v1.8.4 on Tue May 2 18:59:25 2023
*nat
:PREROUTING ACCEPT [72935:11925313]
:INPUT ACCEPT [72704:11903229]
:OUTPUT ACCEPT [1643:146886]
:POSTROUTING ACCEPT [1643:146886]
[11:924] -A POSTROUTING -s 192.168.1.0/24 -o ens160 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.1.0/24 -o ens160 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.1.0/32 -o ens160 -j MASQUERADE
COMMIT
# Completed on Tue May 2 18:59:25 2023
I myself am not really able to get any additional insights from this output, any suggestions?
___
Edit 2: Adding some more info as per the comments
I don't believe nftables was ever installed, but `nft list chains` doesn't give anything, and the routes for ICMP and UDP seem to be the same.
A. Trevelyan
(117 rep)
Apr 28, 2023, 05:54 PM
• Last activity: May 4, 2023, 06:16 PM
1
votes
0
answers
316
views
How to setup a VM Gateway like Whonix but for a generic VPN
I created a linux VM with 3 interfaces: a NAT interface for internet access (eth0 with ip in this range 192.168.84.0/24), a Host-only interface for communication with other VMs (eth1 with ip 192.168.10.10) and a VPN interface (tun0 that's up when connected to a VPN server and with ip into this range 10.182.0.0/16, this may change at every connection).
My goal is to set up all the necessary instructions on how to route only the incoming and outgoing internet traffic from eth1 to go through tun0 and leave internet access to the other applications on the gateway (if necessary).
I would like to create something similar to the Whonix Gateway (where connections are routed through TOR from the outside connected VM Workstation) but instead of using TOR I would like to use a generic VPN service, that would be accessed with OpenVPN or Wireguard.
So I thought of some steps to do:
1. Enable IP forwarding on the Linux virtual machine by editing the /etc/sysctl.conf file and setting
net.ipv4.ip_forward = 1
2. Add a new route for the host-only interface to route all traffic through the VPN interface with the following command:
sudo route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.182.4.2 dev tun0
Here I'm not sure how to manage it if the IP of the tun0 changes. And if this is correct.
3. Set up iptables rules to redirect all incoming and outgoing traffic from the eth1 interface to the VPN interface, except for traffic coming from the gateway itself with the following commands:
sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o tun0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.84.131 -o eth0 -j MASQUERADE
4. Make iptables rules persistent so install the iptables-persistent package by running the command:
sudo apt-get install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4
5. Configure the other virtual machine connected to the host-only network to use the Linux virtual machine as its default gateway and DNS server. So set the IP address to a unique address on the same subnet as the host-only network interface of the Linux virtual machine then set the default gateway to the IP address of the host-only network interface of the Linux virtual machine and finally set the DNS server to the IP address of the host-only network interface of the Linux virtual machine.
But something is not working properly and from the other VM connected to the gateway through the host-only network I can't connect to the internet (when the VPN is connected on the GW).
I'm no expert and I know I'm doing something wrong, so can someone help me simplify and adjust (remove or add instructions) these steps on how to create a Linux VM gateway that connects to the internet through a VPN and shares this and only this connection with another VM connected through a private network between the 2 VMs (so when the VPN is off, the other VM connected to the gateway has no Internet connection)?
If all of this makes sense ^_^ Thank you so much
Alpha Neptunium
(11 rep)
Apr 10, 2023, 09:39 PM
• Last activity: Apr 12, 2023, 11:13 AM