How to route one subnet to another using firewalld CentOS 7
I have a CentOS 7 system, with a VPN host and one physical network interface.

I have my physical network interface assigned to the public zone, while my VPN requests go through trusted. Also, I have some servers in Docker containers routed to the latter zone.

I'd like my VPN and Docker containers to have an internet connection, while retaining the 10.8.0.0/24 subnet that I created in the trusted zone.

The solution I'm thinking of involves forwarding requests from 10.8.0.0/24 out of the subnet to the physical interface, preferably with masquerading. If you have a better solution, I'm open to it.

So far, my firewalld config looks like this:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: ssh dhcpv6-client
ports: 8080/tcp 23/tcp 1194/udp 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources: 10.8.0.0/24 2001:0db8:ee00:abcd::/64
services: openvpn
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Tags: networking, vpn, centos, routing, firewalld
edited Jan 23 at 22:21 by László Stahorszki

asked Jan 23 at 22:01 by László Stahorszki

  • I'm kind of confused by the question, because I only have one NIC (physical one at least), which is connected to the internet via a router. The IP is 192.168.0.241. The VPN has a subnet of 10.8.0.0/24, and the computer in question has the address 10.8.0.1. I was paying attention not to have them overlap.

    – László Stahorszki
    Jan 23 at 22:23

  • Okay so try this..... route add 10.8.0.0 mask 255.255.255.0 10.8.0.1 followed by route add 10.8.0.1 mask 255.255.255.255 192.168.0.241, but beforehand you might save the output of route print somewhere to reference first. To delete those routes you can run route delete 10.8.0.0 and route delete 10.8.0.1.... Think hard about this, have a backup of your route table too, and be sure you can revert it back out or have a backout method just in case.

    – Pimp Juice IT
    Jan 23 at 22:26

  • If you add those two routes and there are problems, you can reboot too since they are not persistent, so route add 10.8.0.0 mask 255.255.255.0 10.8.0.1 first and then route add 10.8.0.1 mask 255.255.255.255 192.168.0.241 next. If there are issues, reboot and do not run the route delete commands. Still have the route print output of the IPv4 first though.

    – Pimp Juice IT
    Jan 23 at 22:27

  • There has to be an IP on one subnet that can talk to an IP on another subnet that can then route via Layer 3 routing, I think. I've configured static routes like that before on the client machines, and I've configured static routes in routers and firewalls too. There are other ways to do it with other protocols, but for things like this, that's how I've handled some in the past. Maybe it will help or maybe not; let me know your thoughts.

    – Pimp Juice IT
    Jan 23 at 22:31

  • Let us continue this discussion in chat.

    – Pimp Juice IT
    Jan 23 at 22:46
1 Answer

Sorry for my absence, I had other things to do in the meantime, but I did manage to solve the problem.



However, the solution is kind of disappointing. The only thing I needed to do was to enable masquerading on the public zone.
answered Feb 2 at 15:19 by László Stahorszki
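The accepted answer changes one setting, but it is easy to verify the state you are in before and after: the zone that owns the uplink interface (enp2s0 in the question) must be the one with masquerade turned on, not the zone the clients sit in. The script below is an added example, not code from the original post or from the firewalld project. It parses the zone listing in the same text format the question shows (the format `firewall-cmd --list-all-zones` prints), finds which zone binds the uplink, and reports whether that zone masquerades; the sample zone text is the question's own two zones reconstructed inline, and the function names and the `enable_uplink_masquerade` helper are this example's own choices. Only the last helper touches a live system; the rest runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or from firewalld).
# Checks a firewalld zone listing for the one setting the accepted answer
# needed: masquerade on the zone that binds the uplink interface.

# Sample input: the two zones from the question, before the fix was applied
# (reconstructed here, so this script runs without firewall-cmd present).
SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp 23/tcp 1194/udp 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources: 10.8.0.0/24 2001:0db8:ee00:abcd::/64
  services: openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field ZONES ZONE FIELD -> value of FIELD inside ZONE.
# Zone header lines ("public (active)") carry no colon; field lines do.
zone_field() {
    printf '%s\n' "$1" | awk -v zone="$2" -v field="$3" '
        /^[[:space:]]*$/ { next }
        index($0, ":") == 0 { inzone = ($1 == zone); next }
        inzone {
            key = substr($0, 1, index($0, ":") - 1)
            sub(/^[[:space:]]+/, "", key)
            if (key == field) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[[:space:]]+/, "", val)
                print val
                exit
            }
        }
    '
}

# uplink_zone ZONES IFACE -> name of the zone whose "interfaces:" lists IFACE.
uplink_zone() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[[:space:]]*$/ { next }
        index($0, ":") == 0 { zone = $1; next }
        {
            key = substr($0, 1, index($0, ":") - 1)
            sub(/^[[:space:]]+/, "", key)
            if (key == "interfaces") {
                n = split(substr($0, index($0, ":") + 1), ifs, " ")
                for (i = 1; i <= n; i++) if (ifs[i] == iface) { print zone; exit }
            }
        }
    '
}

# check_uplink_masquerade ZONES IFACE -> "ok" when the uplink zone
# masquerades, "missing" when it does not (the state the question was in).
check_uplink_masquerade() {
    z=$(uplink_zone "$1" "$2")
    [ -n "$z" ] || { echo "no zone binds $2"; return 1; }
    if [ "$(zone_field "$1" "$z" masquerade)" = "yes" ]; then
        echo "ok"
    else
        echo "missing"
    fi
}

# The change from the accepted answer, as commands. Run as root on the
# CentOS host only; it is not executed when this file is sourced for checks.
enable_uplink_masquerade() {
    firewall-cmd --permanent --zone="$1" --add-masquerade
    firewall-cmd --reload
}

check_uplink_masquerade "$SAMPLE_ZONES" enp2s0   # prints "missing" for the sample
```

On the live host, feed it real output with `check_uplink_masquerade "$(firewall-cmd --list-all-zones)" enp2s0` before and after `enable_uplink_masquerade public`, and confirm `cat /proc/sys/net/ipv4/ip_forward` reads 1, since NAT without forwarding still drops the packets. One thing worth noticing in the question's zones: trusted has target ACCEPT and covers both docker0 and 10.8.0.0/24, so once the uplink masquerades, every container and VPN client can reach anything the host can route to, not only the internet. If that is wider than intended, a rich rule on the trusted zone that limits forwarded destinations keeps the fix while narrowing the exposure.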