Configuring dual connection sharing on ZBOX-CI327NANO-GS-01 (Ubuntu 17.10)


#1

I am sorry for this post, this is mostly a brain dump because I had a horrible time getting this to work on Artful and I want to store the steps somewhere for when I will inevitably need them again in the future.

Connection sharing is usually pretty trivial to setup, but boy does it get nasty when there’s more than one. I spent hours on this.

Packages required: dnsmasq

Setup:

  • enp3s0: connected to upstream Internet. The edge router is another Artful machine sharing a connection by cable and getting Internet from WiFi. The network is 10.43.0.0/24

  • enp2s0: local network share by cable (10.2.2.0/24)

  • wlp1s0: local network share by WiFi (10.66.0.0/24)

Firewall rules have to look like that:

[email protected]:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.66.0.0/24 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.66.0.0/24 -i wlp1s0 -j ACCEPT
-A FORWARD -i wlp1s0 -o wlp1s0 -j ACCEPT
-A FORWARD -o wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.2.2.0/24 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.2.2.0/24 -i enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o enp2s0 -j ACCEPT
-A FORWARD -o enp2s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp2s0 -j REJECT --reject-with icmp-port-unreachable

Shared interfaces might have to be configured manually sometimes, dunno why.

[email protected]:~# ifconfig wlp1s0 10.66.0.1 netmask 255.255.255.0
[email protected]:~# ifconfig enp2s0 10.2.2.1 netmask 255.255.255.0

Finally route -n has to look something like that:

[email protected]:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.1       0.0.0.0         UG    100    0        0 enp3s0
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
10.43.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
10.66.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wlp1s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0

Not sure where that 169.254.0.0 entry comes from. It’s just bloody there.

Oh almost forgot, of course you gotta configure dnsmasq to serve as a DHCP server for the two interfaces:

nano /etc/dnsmasq.conf

Inside that file:

dhcp-range=interface:enp2s0,10.2.2.2,10.2.2.254,72h
dhcp-range=interface:wlp1s0,10.66.0.1,10.66.0.254,72h

Then of course,

[email protected]:~# systemctl enable dnsmasq.service
[email protected]:~# systemctl start dnsmasq.service

Some of the steps will likely have to be repeated after reboot, I’m not looking forward to testing that hypothesis. xD


Best desktop mini computer to buy for Ubuntu Mate
#2

Re the 169.254.0.0 address, if you comment the link line in /etc/networks and reboot, that ip will not appear in route -n Of what I remember, that ip is assigned if the host was not able to get a DHCP address.