I want to set up the base for my local net 10.10.0.0/16; I am stuck with the following initial config:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 127.0.1.0/8 scope host secondary lo
valid_lft forever preferred_lft forever
2: main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 3c:d9:2b:fa:b7:28 brd ff:ff:ff:ff:ff:ff
inet 10.10.254.1/16 metric 5 brd 10.10.255.255 scope global noprefixroute main
valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 3c:d9:2b:fa:b7:2a brd ff:ff:ff:ff:ff:ff
4: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 3c:d9:2b:fa:b7:60 brd ff:ff:ff:ff:ff:ff
inet 10.10.0.254/16 brd 10.10.255.255 scope global noprefixroute lan
valid_lft forever preferred_lft forever
inet 10.10.0.253/16 brd 10.10.255.255 scope global secondary noprefixroute lan
valid_lft forever preferred_lft forever
5: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 3c:d9:2b:fa:b7:62 brd ff:ff:ff:ff:ff:ff
inet 10.11.0.11/24 brd 10.11.0.255 scope global noprefixroute wan
valid_lft forever preferred_lft forever
default via 10.11.0.254 dev wan table wan
10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10
default via 10.10.0.254 dev lan table lan
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4
10.10.0.0/16 dev main proto static scope link src 10.10.254.1 metric 5
local 10.10.0.253 dev lan table local proto kernel scope host src 10.10.0.254
local 10.10.0.254 dev lan table local proto kernel scope host src 10.10.0.254
local 10.10.254.1 dev main table local proto kernel scope host src 10.10.254.1
broadcast 10.10.255.255 dev lan table local proto kernel scope link src 10.10.0.254
broadcast 10.10.255.255 dev main table local proto kernel scope link src 10.10.254.1
local 10.11.0.11 dev wan table local proto kernel scope host src 10.11.0.11
broadcast 10.11.0.255 dev wan table local proto kernel scope link src 10.11.0.11
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.1.0 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0: from all lookup local
50: from 10.10.254.1 lookup main
100: from all to 10.10.0.0/16 lookup lan
200: from 10.11.0.11/24 lookup wan
300: from all lookup wan
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*mangle
:PREROUTING ACCEPT [1239580:605755216]
:INPUT ACCEPT [378113:49258598]
:FORWARD ACCEPT [802997:543796066]
:OUTPUT ACCEPT [319027:35084380]
:POSTROUTING ACCEPT [1121729:578854744]
# The six *_MARK / *_MARK_BASE chains are declared but contain no rules and
# nothing jumps to them; they are placeholders for the planned fwmark
# classification, so no packet is marked by this table yet.
:ALL_MARK - [0:0]
:ALL_MARK_BASE - [0:0]
:LAN_MARK - [0:0]
:LAN_MARK_BASE - [0:0]
:WAN_MARK - [0:0]
:WAN_MARK_BASE - [0:0]
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*raw
# No rules: nothing is marked NOTRACK, so every packet is conntracked and the
# `--ctstate UNTRACKED` matches in the filter table should never fire.
:PREROUTING ACCEPT [1239580:605755216]
:OUTPUT ACCEPT [319027:35084380]
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*filter
# Default-deny for INPUT and FORWARD; OUTPUT is left open (no OUTPUT rules below).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319027:35084380]
:CONTINUE - [0:0]
:LOG_ACCEPT_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_INPUT - [0:0]
:LOG_DROP_FILTER_OUTPUT - [0:0]
# main: only 10.10.0.0/16 -> 10.10.254.1 is admitted, and only replies,
# new tcp/udp 222 and echo-request.
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p tcp -m tcp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p udp -m udp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
# -f matches second and further IPv4 fragments: fragmented ICMP is dropped outright.
-A INPUT -p icmp -f -j DROP
-A INPUT -i lan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i wan -m conntrack --ctstate INVALID -j DROP
# CONTINUE only RETURNs (see below), so these two lines are no-ops: an
# UNTRACKED packet just falls through to the next rule. With an empty raw
# table nothing is NOTRACK anyway.
-A INPUT -i lan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i wan -m conntrack --ctstate UNTRACKED -j CONTINUE
# The per-protocol RELATED,ESTABLISHED lines are subsumed by the
# protocol-agnostic line that follows them (same for wan below).
-A INPUT -i lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# No -i here: tcp/222 to 10.10.0.254 is accepted from 10.10.0.0/16 on any
# interface. rp_filter on wan should reject such a source arriving there,
# but the rule itself does not enforce it; consider adding `-i lan`.
-A INPUT -s 10.10.0.0/16 -d 10.10.0.254/32 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
# Echo-request is accepted from wan with no state or rate match.
-A INPUT -i lan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lan -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 53 -j ACCEPT
# Replies from the DoT resolvers are already accepted as ESTABLISHED above,
# so these four rules only ever match packets that are NOT part of a
# connection this host opened: anything arriving on wan with source
# 172.64.36.1/.2 and sport 853 may start a NEW connection to any local port.
# Source address and port are not authenticated. Either drop these rules or
# add `-m conntrack --ctstate ESTABLISHED` (which makes them redundant).
-A INPUT -s 172.64.36.1/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
# DHCPv4 runs over UDP; the tcp/67 rule is most likely unnecessary.
-A INPUT -i lan -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j LOG_DROP_FILTER_INPUT
# main never forwards new flows in either direction.
-A FORWARD -i main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
# wan->lan: the first three lines are all covered by the fourth
# (`-i wan -o lan RELATED,ESTABLISHED`); same pattern for lan->wan below.
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only 10.10.0.0/16 may open new lan->wan flows; any other lan source hits the
# no-op CONTINUE and then LOG_DROP_FILTER_FORWARD.
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate NEW -j CONTINUE
-A FORWARD -j LOG_DROP_FILTER_FORWARD
-A CONTINUE -j RETURN
# Not referenced by any rule in this dump.
-A LOG_ACCEPT_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-accepted]:" --nflog-group 23
-A LOG_ACCEPT_FILTER_FORWARD -j ACCEPT
# Per-ingress-interface drop log, then the same packet again to groups 12 and 22.
-A LOG_DROP_FILTER_FORWARD -i main -j NFLOG --nflog-prefix "[fFWDd-main]:" --nflog-group 30
-A LOG_DROP_FILTER_FORWARD -i lan -j NFLOG --nflog-prefix "[fFWDd-lan]:" --nflog-group 32
-A LOG_DROP_FILTER_FORWARD -i wan -j NFLOG --nflog-prefix "[fFWDd-wan]:" --nflog-group 33
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 22
-A LOG_DROP_FILTER_FORWARD -j DROP
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 20
-A LOG_DROP_FILTER_INPUT -j DROP
# Not referenced: OUTPUT has no rules and policy ACCEPT.
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 21
-A LOG_DROP_FILTER_OUTPUT -j DROP
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*nat
:PREROUTING ACCEPT [133812:27567189]
:INPUT ACCEPT [5148:716974]
:OUTPUT ACCEPT [8458:1549031]
:POSTROUTING ACCEPT [6386:1419831]
# The three DNS_DNAT_* chains are declared but empty and unreferenced here.
:DNS_DNAT_LS_ND - [0:0]
:DNS_DNAT_NS_LD - [0:0]
:DNS_DNAT_NS_ND - [0:0]
# lan -> main: rewrite the source to main's own address.
-A POSTROUTING -s 10.10.0.0/16 -o main -j SNAT --to-source 10.10.254.1
# The two /32 lines are strict subsets of the /16 line that follows
# (same match, same target) and can be removed.
-A POSTROUTING -s 10.10.0.254/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.253/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
BINDINGS
10.10.0.254, .253 – unbound (LAN clients' DNS)
lan – kea dhcp4/ddns
127.0.1.0 – bind0 (lan ddns/resolver)
**DON'T ASK ME WHAT THE IPTABLES RULES ARE FOR – mainly to see where the traffic goes**
I WANT TO DO TRAFFIC SHAPING VIA NFTABLES [filter] IN/OUT/FORWARD FOR SERVER AND CLIENTS, and add some mangling with base markings to be able to look at conntrack or tcpdump traffic and see what's going on…
LATER: MORE ADVANCED SCENARIOS – VLANS / SUB-SUBNETS, DYNAMIC ROUTING, TUNNELING
The setup should also handle the dummy d0 10.100.100.100/16 [it should respond with its own IP on lan – not with the lan-attached IPs]; this dummy is for clients and has been removed for now to make the base work as expected.
ip route get 1.1.1.1 from 10.11.0.11
1.1.1.1 from 10.11.0.11 via 10.11.0.254 dev wan table wan uid 0
ip route get 1.1.1.1 from 10.10.0.254
1.1.1.1 from 10.10.0.254 via 10.11.0.254 dev wan table wan uid 0
ip route get 1.1.1.1 from 10.10.254.1
1.1.1.1 from 10.10.254.1 via 10.11.0.254 dev wan table wan uid 0
cache
ip route get 10.10.0.254 from 10.10.254.1
local 10.10.0.254 from 10.10.254.1 dev lo table local uid 0
cache <local>
ip route get 10.10.0.254 from 10.11.0.11
local 10.10.0.254 from 10.11.0.11 dev lo table local uid 0
cache <local>
ip route get 10.10.254.1 from 10.11.0.11
local 10.10.254.1 from 10.11.0.11 dev lo table local uid 0
cache <local>
PROBLEM
1. - OK
$ ping 1.1.1.1 -c 1 -I wan
PING 1.1.1.1 (1.1.1.1) from 10.11.0.11 wan: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=52.4 ms
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.449/52.449/52.449/0.000 ms
2. 3. 4. - NOK
$ ping 1.1.1.1 -c 1 -I lan
PING 1.1.1.1 (1.1.1.1) from 10.10.0.254 lan: 56(84) bytes of data.
From 10.10.0.254 icmp_seq=1 Destination Host Unreachable
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
ping 1.1.1.1 -c 1 -I lan -B 10.10.0.254
PING 10.10.0.254 (10.10.0.254) from 10.10.0.254 lan: 56(124) bytes of data.
--- 10.10.0.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
ping 1.1.1.1 -c 1 -I wan -B 10.11.0.11
PING 10.11.0.11 (10.11.0.11) from 10.11.0.11 wan: 56(124) bytes of data.
--- 10.11.0.11 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
I've tried to mark packets in mangle OUTPUT and then add a rule, but this doesn't work either. Can someone correct my solution so that it will work?
Some topology-related info:
MAINSERVER - d0
/ |
wan lan main wan2 Rap )) (( Cx
| / /
R Sstp L3 ---- Sstp L2- Cx
| /
R Cx Rap )) Cx
|
www
Strict reverse path filtering on the main interface – ensures that main only handles traffic that is truly meant for it, preventing it from responding to packets meant for lan; traffic meant for the LAN network should be routed via lan with no interference from main.
10.11.0.11 10.10.0.252/31 10.10.254.1 10.10.254.2
IN/OT IN/OUT IN/OUT IN/OUT
| | | |
| FORWARD | | |
main --------- lan main enp(unused yet - WAN SEC?)
| | | |
| -----SWITCH ------------SWITCH--------
10.11.0.0/24 10.10.10.254 /
| /
10.11.0.254/24 10.10.0.0/16
|
192.168.0.1
|
CGN
|
0.0.0.0/0
EDIT (detailed config):
#############################################################################################################################################################
####### START d0.cfg #######################################################################################################################################
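auto d0
iface d0 inet manual
######## UP d0 #############
# d0 is a dummy interface carrying 10.10.100.100/16, the same /16 as lan.
# Every command is best-effort (|| true) so a repeated ifup does not abort.
# add link d0 type dummy
pre-up /usr/bin/ip link add d0 type dummy || true
# assign d0 ip (noprefixroute: no 10.10.0.0/16 route is created on d0)
pre-up /usr/bin/ip address add 10.10.100.100/16 broadcast 10.10.255.255 dev d0 label d0 metric 50 noprefixroute || true
# up d0
up /usr/bin/ip link set dev d0 up || true
# rule for d0: traffic sourced from d0's address is looked up in table d0
up /usr/bin/ip ru add from 10.10.100.100 lookup d0 priority 1100 || true
# route for d0: host route for its own address in table d0
up /usr/bin/ip ro add 10.10.100.100 dev d0 proto static scope host src 10.10.100.100 table d0 || true
# disable ipv6
up /sbin/sysctl -w net.ipv6.conf.d0.disable_ipv6=1 || true
# relax ARP on lan so d0's address is answered on that segment.
# enp4s0f0.cfg sets lan arp_ignore=1 and arp_filter=1; both are overridden
# here and both are restored in the DOWN section below.
post-up /sbin/sysctl -w net.ipv4.conf.lan.arp_ignore=0 || true
# respond arp for d0 via same segment lan if
up /sbin/sysctl -w net.ipv4.conf.lan.arp_filter=0 || true
##### DOWN d0 ###############
# restore lan ARP settings to what enp4s0f0.cfg configures
down /sbin/sysctl -w net.ipv4.conf.lan.arp_ignore=1 || true
down /sbin/sysctl -w net.ipv4.conf.lan.arp_filter=1 || true
down /usr/bin/ip ro del 10.10.100.100 dev d0 proto static scope host src 10.10.100.100 table d0 || true
down /usr/bin/ip ru del from 10.10.100.100 lookup d0 priority 1100 || true
# remove d0 address (same /16 notation as the add above)
down /usr/bin/ip address del 10.10.100.100/16 dev d0 || true
# down d0
down /usr/bin/ip link set d0 down || true
# remove d0
down /usr/bin/ip link del d0 type dummy || true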
####### END d0.cfg ###########################################################################################################################################
###############################################################################################################################################################
####### START enp3s0f0.cfg ###################################################################################################################################
####### enp3s0f0 BEFORE RENAME main ###############################################################################################
# enp3s0f0 - main interface connected to switch
# see enp4s0f0.cfg for the routing-table / rule-priority overview
# ALLOW SETUP WITH ifup/ifdown only when used with --allow=main
# see systemd if-main.service
allow-main enp3s0f0
# MANUAL SETUP
iface enp3s0f0 inet manual
# CHANGE ORIGINAL NAME (no || true: nothing below makes sense if the rename fails)
pre-up ip link set enp3s0f0 name main
# SETUP IP ADDRESS (noprefixroute: the /16 route is added explicitly below, in table main)
pre-up ip address add 10.10.254.1/16 broadcast 10.10.255.255 dev main noprefixroute label main metric 5 || true
# LINK UP
up ip link set main up || true
# ADD ROUTE
up ip route add 10.10.0.0/16 dev main table main proto static scope link src 10.10.254.1 metric 5 || true
# SETUP DEFAULT ROUTE (disabled: table main then has no default, so traffic
# from 10.10.254.1 to non-LAN destinations falls through to the later rules
# and ends up in table wan, as `ip route get 1.1.1.1 from 10.10.254.1` shows)
# up ip route add default via 10.10.0.254 dev main table main || true
# main rule: only packets sourced from 10.10.254.1 consult table main
up ip rule add from 10.10.254.1 to all lookup main priority 50 || true
# CONFIGURE ARP: arp_ignore=1 answers only for addresses configured on main,
# arp_filter=1 answers only when the route back to the requester leaves via main
up echo 1 > /proc/sys/net/ipv4/conf/main/arp_ignore || true
up echo 1 > /proc/sys/net/ipv4/conf/main/arp_filter || true
# strict reverse path filtering on main interface
# ensures that main only handles traffic that is truly meant for it,
# preventing it from responding to packets meant for lan
# NOTE(review): the kernel applies max(conf/all/rp_filter, conf/main/rp_filter);
# if conf/all is 2 (loose) this ends up loose, not strict -- confirm conf/all.
up echo 1 > /proc/sys/net/ipv4/conf/main/rp_filter || true
# IPTABLES SETUP ON UP
post-up /etc/network/iptables/main_up.x4 up main || true
# RECONF LAN
post-up /etc/network/iptables/lan_up.x4 reconf main || true
# RECONF WAN
post-up /etc/network/iptables/wan_up.x4 reconf main || true
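# ALLOW SETUP WITH ifup/ifdown only when used with --allow=main
allow-main main
# MANUAL SETUP (teardown-only stanza for the renamed interface)
iface main inet manual
# REMOVE RULE
pre-down ip rule del from 10.10.254.1 to all lookup main priority 50 || true
# IPTABLES SETUP ON DOWN
pre-down /etc/network/iptables/main_up.x4 down main || true
# REMOVE ROUTE
# pre-down ip route del default via 10.10.0.254 dev main table main || true
# must mirror the `up ip route add ...` in the enp3s0f0 stanza exactly;
# the previous `global link` is not valid ip-route syntax, so this delete
# always failed behind || true.
pre-down ip route del 10.10.0.0/16 dev main table main proto static scope link src 10.10.254.1 metric 5 || true
# LINK DOWN
pre-down ip link set main down || true
# ADDRESS FLUSH
down ip address flush dev main || true
# RULE REMOVE (redundant safety net: the rule was already deleted in pre-down)
down ip ru del from 10.10.254.1 lookup main || true
# FLUSH RO CACHE
post-down ip route flush cache || true
# REVERT ORIGINAL NAME
post-down ip link set main name enp3s0f0 || true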
####### END enp3s0f0.cfg #####################################################################################################################################
##############################################################################################################################################################
####### START enp4s0f0.cfg ###################################################################################################################################
# enp4s0f0 - LAN interface used for routing, DNS, and DHCP
##################
# 255 local
# 254 main
# 253 default
#
#
# 300 wan
# 220 lan
# 200 lansec
# 150 tun
# 110 d0
# 100 devs
# 0 unspec
###################
# IFACE RENAMED TABLE IPS/CIDR | METRIC SERVICES
# lo lo lo| 127.0.0.1/24 127.0.1.0/24 named,mariadb,unboud[ctrl](pri,sec) kea-ctrl-agent
# enp3s0f0 main main|254 10.10.254.1/16|5
# enp3s0f1 devs devs|100 10.10.254.2/16|6 sshd
# enp4s0f0 lan lan|220 10.10.0.254/16|3 10.10.0.243/16|4 unbound(pri/53),kea-dhcp-ddns,nbd-server,smbd,syslog-ng,cloudflared(quic|443) unbound(sec/53),
# enp4s0f1 wan wan|300 10.11.0.11/24|10 nginx(80,443)
# d0 d0 d0|110 10.10.100.100/16
# tun1 tun1 tun1|150 10.10.0.252/32 (left)
#
# [multihomed host]
# REGARDLESS ADDING DIFERENT SCOPE LIKE link src (ipA|ipB) or dev (devA|devB) can't add SECOND! route for same network - need add prefix !!!)
# OR USE SEPARATE TABLES (each table may have his own GW)
# general rule: if a route does not have src specified then
# ip with scope=host can be as backend only for a route with scope=host
# ip with scope=link can be as backend only for a route with scope=host or scope=link
# ip with scope=global can be as backend only for a route with any scope
# the scope of a route in Linux is an indicator of the distance to the destination network.
# host - route has host scope when it leads to a destination address on the local host.
# link - route has link scope when it leads to a destination address on the local network.
# universe - route has universe scope when it leads to addresses more than one hop away.
# The scope influences source address selection for connections/associations where the source address is not yet fixed (e.g. initiating a TCP connection, but not when reacting to an incoming packet),
# the source address will be selected depending on the scope of the route the packet is about to hit. This is why addresses also have a scope attribute.
# (The kernel needs to perform this check during ip route add because route gateways (nexthops) must be directly reachable on the same L2 connection
# – they cannot be behind another gateway. That is, the gateway must be in your subnet.
# Route scopes are a generic mechanism to express this restriction: the new route's nexthop needs to be reachable through an existing route with a lower scope.
# In other words, you must go through a local host (link scope) before you can reach a remote host (global scope).)
##########################################################################################################################################################
# enp4s0f0 - LAN interface used for routing, DNS, and DHCP
####### enp4s0f0 BEFORE RENAME lan ###############################################################################################
auto enp4s0f0
iface enp4s0f0 inet manual
############################# UP ##############################################
# CHANGE ORIGINAL enp4s0f0 NAME to lan (no || true: nothing below makes sense if the rename fails)
pre-up ip link set enp4s0f0 name lan
# lan SETUP IP PRIMARY (noprefixroute: the /16 routes are added explicitly below, in table lan)
pre-up ip address add 10.10.0.254/16 broadcast 10.10.255.255 dev lan noprefixroute || true
# lan SETUP IP SECONDARY
pre-up ip address add 10.10.0.253/16 broadcast 10.10.255.255 dev lan noprefixroute || true
# lan IFACE UP
up ip link set lan up || true
# lan table ROUTE FOR PRIMARY IP (metric 3 is preferred over the metric-4 copy
# below; two routes for the same prefix need distinct metrics, see notes above)
up ip route add 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 || true
# lan table ROUTE FOR SECONDARY IP
up ip route add 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 || true
# DEFAULT ROUTE FOR lan table
# NOTE(review): 10.10.0.254 is this host's own lan address, so this default
# points at itself. Table lan is only selected by the `to 10.10.0.0/16` rule
# below, and the two /16 routes above already cover every such destination,
# so no rule in this config ever reaches this entry -- confirm it is intended.
up ip route add default via 10.10.0.254 dev lan table lan || true
# ALL -> LAN RULE: every destination in 10.10.0.0/16 is resolved through table lan
up ip rule add from all to 10.10.0.0/16 lookup lan priority 100 || true
# SETUP INTERFACE: arp_ignore=1 answers ARP only for addresses on lan,
# arp_filter=1 only when the route back leaves via lan; rp_filter=1 is strict
# unless conf/all/rp_filter is higher (the kernel uses the max of the two)
up echo 1 > /proc/sys/net/ipv4/conf/lan/arp_ignore || true
up echo 1 > /proc/sys/net/ipv4/conf/lan/arp_filter || true
up echo 1 > /proc/sys/net/ipv4/conf/lan/rp_filter || true
# up echo 1 > /proc/sys/net/ipv4/conf/default/arp_ignore || true
# SETUP IPTABLES FOR LAN
post-up /etc/network/iptables/lan_up.x4 up lan || true
# RECONF WAN RULES
post-up /etc/network/iptables/wan_up.x4 reconf lan || true
# RECONF MAIN RULES
post-up /etc/network/iptables/main_up.x4 reconf lan || true
# not used anymore but for precaution
post-up ip route flush cache || true
####### enp4s0f0 RENAMED lan ###############################################################################################
# teardown-only stanza: undoes the enp4s0f0 UP section in reverse order
auto lan
iface lan inet manual
############################# DOWN ##############################################
# DEL RULE lan lookup
pre-down ip rule del from all to 10.10.0.0/16 lookup lan priority 100 || true
# DEL DEFAULT lan table ROUTE
pre-down ip route del default via 10.10.0.254 dev lan table lan || true
# REMOVE lan ROUTES (must match the add commands exactly, metric included)
pre-down ip route del 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 || true
pre-down ip route del 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 || true
# lan LINK DOWN
down ip link set lan down || true
# lan ADDR FLUSH
post-down ip address flush dev lan || true
# lan REVERT TO ORIGINAL NAME enp4s0f0 (no || true here, unlike the main and wan stanzas)
post-down ip link set lan name enp4s0f0
####### END enp4s0f0.cfg #####################################################################################################################################
##############################################################################################################################################################
####### START enp4s0f1.cfg ###################################################################################################################################
####### enp4s0f1 BEFORE RENAME wan ###############################################################################################
auto enp4s0f1
iface enp4s0f1 inet manual
# RENAME TO WAN (no || true: nothing below makes sense if the rename fails)
pre-up ip link set enp4s0f1 name wan
# SETUP WAN IP (noprefixroute: the /24 route is added explicitly below, in table wan)
pre-up ip address add 10.11.0.11/24 broadcast 10.11.0.255 dev wan noprefixroute || true
# UP WAN IF
pre-up ip link set dev wan up || true
# ROUTE WAN NET VIA WAN LINK USING TABLE WAN
up ip route add 10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 || true
# DEFAULT WAN ROUTE NEXT HOP
up ip route add default via 10.11.0.254 table wan dev wan || true
# RULE FROM WAN NET
up ip rule add from 10.11.0.11/24 lookup wan priority 200 || true
# TO WWW: 0.0.0.0/0 matches everything, so this is the catch-all
# (listed as `from all lookup wan`) for whatever priorities 50/100/200 did not claim
up ip rule add to 0.0.0.0/0 lookup wan priority 300 || true
# CONF IFACE: rp_filter=1 is strict only if conf/all/rp_filter is not 2
# (the kernel uses the max); arp_filter/arp_ignore=1 restrict ARP replies
# to wan's own addresses
up echo 1 > /proc/sys/net/ipv4/conf/wan/rp_filter || true
up echo 1 > /proc/sys/net/ipv4/conf/wan/arp_filter || true
up echo 1 > /proc/sys/net/ipv4/conf/wan/arp_ignore || true
# iptables restore
post-up /etc/network/iptables/wan_up.x4 up wan || true
# REINIT LAN/MAIN rule sets now that wan exists
post-up /etc/network/iptables/lan_up.x4 reconf wan || true
post-up /etc/network/iptables/main_up.x4 reconf wan || true
# enable forwarding -- ip_forward is global, not per-interface: from here on,
# what may be forwarded between any two interfaces is decided solely by the
# filter FORWARD chain (policy DROP in the saved rules)
post-up echo 1 > /proc/sys/net/ipv4/ip_forward || true
# flush cache routes
post-up ip route flush cache || true
############################################
# teardown-only stanza for the renamed wan interface
auto wan
iface wan inet manual
######################### DOWN ############################################
# DISABLE FORWARDING (global sysctl: affects every interface, not just wan)
pre-down echo 0 > /proc/sys/net/ipv4/ip_forward || true
# REMOVE RULE TO WWW
pre-down ip rule del to 0.0.0.0/0 lookup wan priority 300 || true
# RULE FROM WAN NET
pre-down ip rule del from 10.11.0.11/24 lookup wan priority 200 || true
# REMOVE DEFAULT WAN ROUTE (table wan)
pre-down ip route del default via 10.11.0.254 table wan dev wan || true
# DELETE WAN NET ROUTE
pre-down ip route del 10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 || true
# SET WAN LINK DOWN
down ip link set dev wan down || true
# FLUSH WAN IFACE ADDRESS
post-down ip address flush dev wan || true
# REVERT wan TO ORIGINAL NAME enp4s0f1
post-down ip link set wan name enp4s0f1 || true
####### END enp4s0f1.cfg ###################################################################################################################################
#############################################################################################################################################################
####### START lo.cfg #######################################################################################################################################
####### lo ###############################################################################################
# /8 ensures comm between lo ips ? or /32 is enough ?
# NOTE(review): the kernel already installs `local 127.0.0.0/8 dev lo` in table
# local once lo is up (visible in the ip route dump), so reachability between
# loopback addresses does not depend on this prefix length; /32 should suffice -- confirm.
auto lo
iface lo inet loopback
# secondary loopback address for bind0 (see BINDINGS)
up /usr/bin/ip addr add 127.0.1.0/8 dev lo || true
up /sbin/sysctl -w net.ipv6.conf.lo.disable_ipv6=1 || true
# ARP / ICMP-redirect hardening on lo; loopback does not use ARP, so the
# arp_* entries appear to be belt-and-braces rather than functional
post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_filter=1 || true
post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_ignore=1 || true
post-up /sbin/sysctl -w net.ipv4.conf.lo.accept_redirects=0 || true
post-up /sbin/sysctl -w net.ipv4.conf.lo.send_redirects=0 || true
post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_announce=1 || true
# `dele` and `l` are accepted prefix abbreviations of `delete` and `link`
down /usr/bin/ip addr dele 127.0.1.0/8 dev lo || true
down /usr/bin/ip l set dev lo down || true
####### END lo.cfg #########################################################################################################################################
/etc/network/interfaces
# ORDER MATTERS FIRST UP FIRST
# the glob is disabled so the bring-up order below stays explicit
#source /etc/network/interfaces.d/*.cfg
# LO FIRST
source /etc/network/interfaces.d/lo.cfg
# MAIN
source /etc/network/interfaces.d/enp3s0f0.cfg
# LAN NEXT
source /etc/network/interfaces.d/enp4s0f0.cfg
# D0 using LAN (disabled while the base setup is being debugged)
#source /etc/network/interfaces.d/d0.cfg
# WAN (its post-up enables ip_forward, so it comes up last)
source /etc/network/interfaces.d/enp4s0f1.cfg
# TUN (no place left....)