Hosts on subnet not getting to internet.

I have a cable modem – 192.168.0.1
I have a SUSE box – eth2:192.168.0.2 eth0:192.168.2.1 default 192.168.0.1 port forwarding enabled & two valid DNS server addresses.

SUSE box can ping and browse anywhere (Internet, and any box on both subnets).
Hosts on 192.168.2.0/24 network can ping 192.168.0.1 and 192.168.0.2 but can not ping anything on the Internet. Of course they also can not get out to resolve addresses.

I’ve missed a configuration option somewhere. Can anyone help?

TIA
Bob

A more complete picture might help. I assume you have configured default gateway (192.168.2.1) for each of the 192.168.2.* host machines.

Show us the defined routes in your openSUSE box

ip route

and also

iptables -L

Even though you’ve stated you have port forwarding enabled (and configured?), please confirm with

cat /proc/sys/net/ipv4/ip_forward

and I’d expect to see something like the following forwarding rules…

iptables -A FORWARD -i eth0 -o eth2 -s 192.168.2.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT

You need to post the following…

  1. A very clear description (or picture) of the <physical> topology.

  2. Post the following from one of your Hosts (not your openSUSE router)

ip addr
ip route

Optionally, you should also post the same commands executed on your openSUSE router to verify your description.

TSU

In addition to what was already requested, show “iptables -L -n -v” output from openSUSE box.

Here’s some preliminary data:

Rustic20@RoutFire:~> ip rout

default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Rustic20@RoutFire:/proc/sys/net/ipv4> cat ip_forward
1

I have visually verified IP Forwarding is checked. Also, firewall is disabled on all ports.
Yes, hosts do have the proper default gateway 192.168.2.1

I’m not great at graphics but I’ll try:

Cable Modem …SUSE …Host
192.168.0.1++++++++++192.168.0.2 192.168.2.1++++++++++++192.168.2.100
FF.FF.FF.0 … FF.FF.FF.0 FF.FF.FF.0 …FF.FF.FF.0
…192.168.0.1 … 192.168.2.1

I couldn’t use spaces or tabs, had to use periods for spacing.

SUSE can ping and browse to everything including Internet.
Host can ping to 2.1, 0.2, and 0.1. Nothing else.

While I have a good understanding of router issues, I confess to having very limited knowledge of SUSE tools available to me to diagnose an issue like I have above.

Thank you all very much for your help.

Posted separate reply at bottom. Thanks.

Rustic20@RoutFire:/proc/sys/net/ipv4> sudo iptables -L -n -v
root’s password:
Chain INPUT (policy ACCEPT 15625 packets, 11M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 15453 packets, 1289K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 13308 packets, 1742K bytes)
pkts bytes target prot opt in out source destination

Why not just masquerade the traffic on the SUSE box?


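# Allow new connections from the LAN side (eth2) out through the WAN side (eth0)
iptables -I FORWARD -i eth2 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
# Masquerade the LAN subnet; -s must match the subnet behind eth2 (192.168.2.0/24 per the ip route output)
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE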


I gather from what you say, I can not set up routing between the two routers (cable modem & SUSE) just using SUSE’s GUI? If true, I’ve learned something. Thanks.

Useful references:
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html#sec.security.firewall.SuSE.yast
https://en.opensuse.org/SDB:Internet_connection_sharing

No, you can do it with the SUSE Firewall GUI, like Deano linked up there.

What I pasted was just for testing purposes so you could see if it worked.

OK, understand about testing. Thanks. As for the Firewall GUI, that puzzles me since I have the Firewall disabled. However, since I can not put my finger on where the problem lies, I’ll discount nothing. Thanks again.
Bob

Since I didn’t have the Firewall enabled I’ve been ignoring anything with Firewall configuration. However, maybe I can not do what I want to do without the Firewall enabled? Interesting. Good to know this. I’m learning about SUSE; this does help. Thanks.

Bob

In order to get address translation to work I had to bring the firewall into play. Either that or do it manually with iptables. Thanks guys. Your help was much appreciated.

Bob

Yes, well IP masquerading is one of the many things that iptables can be used for as part of an active Linux firewall. The YaST firewall module provides a convenient way to quickly configure a firewall for many common situations such as this. (Custom rules can be used for more complex situations.) Anyway, it’s all part of the learning. Glad to read of your success with this.
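
The state this thread ended up diagnosing (forwarding on, empty rule set, no address translation for the LAN) can be checked mechanically. The script below is an added example, not part of any post in this thread; the function name `diagnose_nat` and the NAT rule sets are constructed for illustration, and the routes are the ones posted above.

```shell
#!/bin/sh
# Added example: decide why LAN hosts behind a Linux router cannot reach the Internet.
# Inputs are command outputs passed as strings, so it also runs on saved captures:
#   $1 = cat /proc/sys/net/ipv4/ip_forward
#   $2 = ip route
#   $3 = iptables -t nat -S POSTROUTING
#   $4 = LAN subnet in CIDR form (matched as an exact string, no prefix arithmetic)
diagnose_nat() {
    fwd=$1; routes=$2; nat=$3; lan=$4
    [ "$fwd" = "1" ] || { echo "forwarding-disabled"; return 1; }
    # The WAN interface is the device of the default route.
    wan=$(printf '%s\n' "$routes" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    [ -n "$wan" ] || { echo "no-default-route"; return 1; }
    # Accept a MASQUERADE or SNAT rule that leaves via the WAN interface (or any
    # interface) and whose source is the LAN subnet (or unrestricted).
    if printf '%s\n' "$nat" | awk -v wan="$wan" -v lan="$lan" '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; src = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if ((tgt == "MASQUERADE" || tgt == "SNAT") &&
                (out == wan || out == "") && (src == lan || src == "")) found = 1
        }
        END { exit (found ? 0 : 1) }'
    then echo "ok"; return 0
    fi
    echo "no-nat-for-$lan-via-$wan"; return 1
}

# Routes as posted in the thread; the NAT rule sets below are constructed samples.
ROUTES='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1'
NAT_EMPTY='-P POSTROUTING ACCEPT'
NAT_WRONG_SRC='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE'
NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE'

diagnose_nat 1 "$ROUTES" "$NAT_EMPTY" 192.168.2.0/24 || true      # state in the thread
diagnose_nat 1 "$ROUTES" "$NAT_WRONG_SRC" 192.168.2.0/24 || true  # rule never matches
diagnose_nat 1 "$ROUTES" "$NAT_GOOD" 192.168.2.0/24
```

On a live router, feed it the real outputs, for example `diagnose_nat "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip route)" "$(iptables -t nat -S POSTROUTING)" 192.168.2.0/24`.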