Routing mystery/misunderstanding

The mystery:
Two physically separate network interfaces, lan1 (192.168.1.1, given by DHCP/4G router) and lan2 (192.168.nn.nnn static).
Network set up by Yast, using Wicked Service, no IPv4 (or IPv6) routing enabled, so no traffic between subnets 192.168.1.x and 192.168.nn.x should be possible, right?
Yet, a Windows 7 host which has only one (enabled) interface, connected to lan2 with a static IP 192.168.nn.17, connects to the internet via 192.168.nn.153 (Leap 15.3) which is defined as the default gateway in the Win7 network setup. So what happens here seems to be that the 192.168.nn.153 creates a route to the internet on a different subnet for 192.168.nn.17 (which is definitely what I do not want).

How come the Win7 can connect to the internet router on another subnet than its own? Have I misunderstood something here?

Obfuscating private addresses just makes it harder for anyone to answer and so less likely someone will bother at all.

no IPv4 (or IPv6) routing enabled

How do you know it? Show full commands and their output you used to verify it.

How come the Win7 can connect to the internet router on another subnet than its own?

Show full log of

ip a
ip r
cat /proc/sys/net/ipv4/ip_forward
grep . /proc/sys/net/ipv4/conf/*/forwarding

on Linux and

ipconfig /all

on Windows.

Obfuscating? = not revealing or something similar, I guess (English is not my native language).
I couldn’t see they were relevant here, I understood they can be anything.

“no IPv4 (or IPv6) routing enabled”
Actually, I don’t really know, I just set them that way using Yast and thought that was enough. I don’t know the commands to verify it.

But:

staticlx153:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0_LAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:76:5a:d9:f1 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.38.153/24 brd 192.168.38.255 scope global eth0_LAN
       valid_lft forever preferred_lft forever
3: eth1_WW: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 8c:89:a5:e3:9d:be brd ff:ff:ff:ff:ff:ff
    altname enp4s0
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth1_WW
       valid_lft forever preferred_lft forever

and:

staticlx153:~ # ip r
default via 192.168.1.1 dev eth1_WW proto dhcp 
192.168.1.0/24 dev eth1_WW proto kernel scope link src 192.168.1.3 
192.168.38.0/24 dev eth0_LAN proto kernel scope link src 192.168.38.153 

more:

staticlx153:~ # cat /proc/sys/net/ipv4/ip_forward
1

Is that really all I should get? Trying to guess what that means - does that mean that forwarding is enabled despite not setting it enabled with Yast?

anyway, still more:

**staticlx153:~ #** grep . /proc/sys/net/ipv4/conf/*/forwarding
/proc/sys/net/ipv4/conf/all/forwarding:**1**
/proc/sys/net/ipv4/conf/default/forwarding:**1**
/proc/sys/net/ipv4/conf/eth0_LAN/forwarding:**1**
/proc/sys/net/ipv4/conf/eth1_WW/forwarding:**0**
/proc/sys/net/ipv4/conf/lo/forwarding:**1**


More guessing: looks like eth0_LAN (the “local” subnet .38.x) has forwarding enabled but eth1_WW (the “internet” subnet .1.x by DHCP) has not(?)
Using Yast (Network settings > Routing), I don’t see a way to set different settings per interface. Is manual editing a config file (which file would that be is unclear to me at this time) necessary here?

In the Win7:

C:\Users\a>ipconfig /all


Windows IP Configuration


   Host Name . . . . . . . . . . . . : WORK
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No


Ethernet adapter LAN:


   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D0-50-99-48-B8-27
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.38.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.38.153
   DNS Servers . . . . . . . . . . . : 192.168.38.153
   Primary WINS Server . . . . . . . : 192.168.38.153
   NetBIOS over Tcpip. . . . . . . . : Enabled


Tunnel adapter isatap.{D8B3D442-7AB6-4B55-B0C7-747B91CC57C5}:


   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Tunnel adapter Local Area Connection* 9:


   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The usefulness of the above is uncertain; at the time (fresh after Win7 startup) the machine seems to have been connected to the internal network, not routed to the internet subnet.
When, how or why it happened earlier is a mystery.
Before writing here I did some desperate fiddling (don’t exactly remember what) but didn’t find any obvious settings to change.

At least you did not specify if nn=1 or not. No, not posting reality will not help anybody to understand, better and without more effort, what you try to explain.

True, I didn’t. The significance of 1 or not didn’t occur to me. But otherwise, they make no difference (except for 0 and 255), right?

I only want to show you that leaving out information while YOU think it is irrelevant may nevertheless be relevant to your potential helpers. One of the reasons to ask for help is that others may detect things you did not see (simply because it is very human to be blind to obvious details when trying to debug something). So do not hide details, but as long as they are not real passwords, etc. show them!

What you did will at best give you a friendly remark not to do that (as did @arvidjaar). At worst people will simply stop reading your post at that point and go for another, more rewarding thread (or just for a beer).

Yes, I get your point.

@JM:

Some things to check – <https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-network.html#sec-network-router> –

You may, also, have to take a look at the Firewall configuration – <https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-firewall.html#>.

So you have two interfaces in two different networks.

staticlx153:~ # cat /proc/sys/net/ipv4/ip_forward
1

Is that really all I should get?

Yes

does that mean that forwarding is enabled despite not setting it enabled with Yast?

Correct. All that YaST does is drop a file in /etc/sysctl.d. If YaST says “routing not enabled” it just means the corresponding sysctl file is not present; but any program can change sysctl later and anyone can drop another file in /etc/sysctl.d that overrides YaST settings.

/proc/sys/net/ipv4/conf/eth0_LAN/forwarding:**1**
/proc/sys/net/ipv4/conf/eth1_WW/forwarding:**0**

So packets coming from your LAN where your Windows server is located will be forwarded.

Do you use firewalld? Is it active?

dcurtisfra:
Thanks for pointing to the information sources, had a look at those. I need to have a closer look…

arvidjaar:
Yes, two, thinking: that way I will have no problems keeping them separate.

About /etc/sysctl.d:
The directory contains a file “70-yast.conf”, with content:

net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1

-which looks to me like what I wanted to get (no forwarding, no IPv6)
But that’s it, nothing else, no 50-*.conf files as I’ve seen before.
Is it that the directory /etc/sysctl.d/ is not used anymore but Yast is not aware of that and happily writes there thinking someone will read them?

The Security and Hardening Guide dcurtisfra mentions says in “25.2 Masquerading basics”:
“However, the router must be configured before it can forward such packets. For security reasons, this is not enabled in a default installation. To enable it, add the line net.ipv4.ip_forward = 1 in the file /etc/sysctl.conf. Alternatively do this via YaST, for example by calling yast routing ip-forwarding on.”
I think I tried to do the opposite of this using Yast, failing.
The file /etc/sysctl.conf reads:

####
#
# /etc/sysctl.conf is meant for local sysctl settings
#
# sysctl reads settings from the following locations:
#   /boot/sysctl.conf-<kernelversion>
#   /lib/sysctl.d/*.conf
#   /usr/lib/sysctl.d/*.conf
#   /usr/local/lib/sysctl.d/*.conf
#   /etc/sysctl.d/*.conf
#   /run/sysctl.d/*.conf
#   /etc/sysctl.conf
#
# To disable or override a distribution provided file just place a
# file with the same name in /etc/sysctl.d/
#
# See sysctl.conf(5), sysctl.d(5) and sysctl(8) for more information
#
####

-i.e. empty from the system’s point of view. But as it mentions “/etc/sysctl.d/*.conf”, one might think that the file “70-yast.conf” would be read(?).
Should I add a line net.ipv4.ip_forward = 0 in the file /etc/sysctl.conf?

About firewalld
Yast2 - services manager says:

* firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago
       Docs: man:firewalld(1)
   Main PID: 1154 (firewalld)
      Tasks: 2 (limit: 4915)
     CGroup: /system.slice/firewalld.service
             `-1154 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

From the above I guess it is active (if Yast is to be trusted).
So far, I have configured firewall with Yast. The Security and Hardening Guide, in 25.4 firewalld mentions firewall-config. I installed it and had a glimpse, need to dig it further to get some idea of it.

Well, YaST only copied the output of

systemctl status firewalld.service

Thus it is innocent, whatever you see, lol!

Kind of what I guessed. So, this, at least, is correct.

About the files mentioned in sysctl.conf

/boot/sysctl.conf-<kernelversion> contains nothing I understand has anything to do with network (as one might expect)
/lib/sysctl.d/ doesn’t exist
/usr/lib/sysctl.d/ - - HA!

  • 51-network.conf:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

All zero, nothing accepted, so looks good(?)
But:

  • 50-default.conf
#
# Distribution defaults.
# Use /etc/sysctl.conf to override.
#
# Disable response to broadcast pings to avoid smurf attacks.
net.ipv4.icmp_echo_ignore_broadcasts = 1


# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 2


# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1


# disable IPv6 completely
#net.ipv6.conf.all.disable_ipv6 = 1


# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1


# enable IPv6 privacy but do not use the temporary
# addresses for outgoing connections by default
# (bsc#678066,bsc#752842,bsc#988023,bsc#990838)
net.ipv6.conf.default.use_tempaddr = 1


# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536


# Magic SysRq Keys enable some control over the system even if it
# crashes (e.g. during kernel debugging).
#
#   0 - disable sysrq completely
#   1 - enable all functions of sysrq
#  >1 - bitmask of allowed sysrq functions:
#          2 - enable control of console logging level
#          4 - enable control of keyboard (SAK, unraw)
#          8 - enable debugging dumps of processes etc.
#         16 - enable sync command
#         32 - enable remount read-only
#         64 - enable signalling of processes (term, kill, oom-kill)
#        128 - allow reboot/poweroff
#        256 - allow nicing of all RT tasks
#
# For further information see /usr/src/linux/Documentation/sysrq.txt
# default 184 = 128+32+16+8
kernel.sysrq = 184


# enable hard- and symlink protection (bnc#821585)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1


# restrict printed kernel ptrs (bnc#833774)
kernel.kptr_restrict = 1

Quite obviously (or maybe) related to the problem, but I don’t actually know what to do with this.
Write overrides to /etc/sysctl.conf, yes, but what exactly?
Maybe uncomment here the line “net.ipv6.conf.all.disable_ipv6 = 1”, to get rid of IPv6 completely (although that’s not causing my routing problem)?
The lines concerning IPv4 don’t quite “open” to me.

Anyway, digging further…
/usr/local/lib/ - empty
/etc/sysctl.d/ - as mentioned, only the Yast file
/run/sysctl.d/ - doesn’t exist
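Added example, not part of the thread: the directory walk above is what systemd-sysctl does at boot, and the comment block in /etc/sysctl.conf states the two rules that decide which fragment wins (a same-named file in a later directory replaces the earlier one; surviving fragments are applied in lexical order, /etc/sysctl.conf last). The script below implements that resolution for one key against a prefix (`ROOT`), so it can be run against a constructed tree or, with an empty prefix, against the real system. The tree it builds mirrors the files quoted in this post; paths, filenames and the `build_example_tree` helper are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the thread): resolve the *effective* boot-time value of one
# sysctl key from the configuration files, following sysctl.d(5):
#   1. directories are searched in the order listed in $dirs; a fragment with the same
#      basename in a later (higher-priority) directory replaces the earlier one entirely
#   2. surviving fragments are applied in lexical order of basename, so a later
#      assignment of the same key wins (70-yast.conf beats 50-default.conf)
#   3. /etc/sysctl.conf is applied last
# Anything set at runtime (sysctl -w, firewalld, ...) is by definition not visible here.

# value_in_file KEY FILE -> prints the last "KEY = value" in FILE, nothing if absent
value_in_file() {
    [ -f "$2" ] || return 0
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                      # comment line
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)              # leading blanks, optional "-" (ignore-error marker)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                   # later assignment in the same file wins
        }
        END { if (val != "") print val }
    ' "$2"
}

# resolve_sysctl KEY ROOT -> prints "VALUE FILE" or "unset"; ROOT is "" for the live system
resolve_sysctl() {
    key=$1; root=$2
    value=""; src=""
    # increasing priority for same-named fragments
    dirs="$root/lib/sysctl.d $root/usr/lib/sysctl.d $root/usr/local/lib/sysctl.d $root/etc/sysctl.d $root/run/sysctl.d"
    names=$(for d in $dirs; do
                for f in "$d"/*.conf; do
                    if [ -f "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)
    for n in $names; do
        winner=""
        for d in $dirs; do
            if [ -f "$d/$n" ]; then winner="$d/$n"; fi   # last directory that has it wins
        done
        v=$(value_in_file "$key" "$winner")
        if [ -n "$v" ]; then value=$v; src=$winner; fi
    done
    v=$(value_in_file "$key" "$root/etc/sysctl.conf")
    if [ -n "$v" ]; then value=$v; src=$root/etc/sysctl.conf; fi
    if [ -n "$src" ]; then echo "$value $src"; else echo "unset"; fi
}

# build_example_tree DIR: constructed tree modelled on the files quoted in the thread
build_example_tree() {
    mkdir -p "$1/usr/lib/sysctl.d" "$1/etc/sysctl.d"
    # distribution default; the forwarding line is commented out, as in 50-default.conf
    printf '# Distribution defaults.\nnet.ipv4.conf.all.rp_filter = 2\n#net.ipv6.conf.all.forwarding = 1\n' \
        > "$1/usr/lib/sysctl.d/50-default.conf"
    # what YaST wrote
    printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\nnet.ipv6.conf.all.disable_ipv6 = 1\n' \
        > "$1/etc/sysctl.d/70-yast.conf"
    # comments-only /etc/sysctl.conf, as on the poster's system
    printf '# /etc/sysctl.conf is meant for local sysctl settings\n' > "$1/etc/sysctl.conf"
}

# Demo against the constructed tree (pass "" as ROOT to inspect the real machine).
root=$(mktemp -d)
build_example_tree "$root"
for k in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0_LAN.forwarding; do
    echo "$k -> $(resolve_sysctl "$k" "$root")"
done
rm -rf "$root"
```

What this shows for the poster's files: 70-yast.conf does win for net.ipv4.ip_forward at boot, so the file is read; the value seen in /proc later is not a configuration-file question. Compare the result with `cat /proc/sys/net/ipv4/ip_forward` to tell a boot-time setting from a runtime change.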

This file is read once on system boot. As I already said, anyone and any program can at any time change any sysctl value.

* firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago

Please show output of

firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-all-zones

About 70-yast.conf:
So this is not necessarily what was read at system boot? The file time stamp says it was last modified yesterday, about the time I last fiddled with these settings with Yast, though. Shouldn’t it show if the file was modified after that, i.e. after booting this morning?

“forward: no” on all, masquerade: no on all except on “external”. Is this the cause?

I do not understand this question. File timestamp is when YaST wrote this file.

“forward: no” on all, masquerade: no on all except on “external”. Is this the cause?

Yes. Somehow you managed to include all output inside [noparse] [/noparse] tags so it is not included on reply and I cannot quote it. But if masquerading is enabled in one of active or default zone, firewalld automatically turns on forwarding. Firewalld runs after sysctl files have been processed so it overrides whatever was set by YaST.
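The mechanism described in this reply, as an added example that is not part of the thread: a script that reads a saved `firewall-cmd --list-all-zones` dump (the format shown further down in the thread) and lists every zone that will make firewalld switch on IP forwarding, i.e. an active or default zone with masquerading. Forward-ports are flagged as well, on the assumption that firewalld has to enable forwarding for those too. The constructed sample dump, the "public" default zone and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the thread): find the firewalld zones that force ip_forward on.
# Only zones that are active (bound to interfaces or sources) or the default zone are
# applied, so only those can do it.

# zones_forcing_forward DUMPFILE DEFAULT_ZONE -> one line per offending zone
zones_forcing_forward() {
    awk -v defzone="$2" '
        function report_zone() {
            if (zone != "" && (active || zone == defzone) && (masq == "yes" || fwdports != ""))
                printf "%s interfaces=[%s] masquerade=%s forward-ports=[%s]\n", zone, ifaces, masq, fwdports
        }
        /^[^ \t]/ {                                # zone header, e.g. "external (active)"
            report_zone()
            zone = $1; active = ($2 == "(active)")
            ifaces = ""; masq = "no"; fwdports = ""
            next
        }
        /^[ \t]+interfaces:/    { sub(/^[ \t]+interfaces:[ \t]*/, ""); gsub(/[ \t]+$/, ""); ifaces = $0 }
        /^[ \t]+masquerade:/    { masq = $2 }
        /^[ \t]+forward-ports:/ { sub(/^[ \t]+forward-ports:[ \t]*/, ""); gsub(/[ \t]+$/, ""); fwdports = $0 }
        END { report_zone() }
    ' "$1"
}

# sample_zone_dump: constructed excerpt in --list-all-zones format with the state the
# poster described (masquerade on "external", off everywhere else)
sample_zone_dump() {
    cat <<'EOF'
docker (active)
  target: ACCEPT
  interfaces: docker0
  services:
  forward: no
  masquerade: no
  forward-ports:

external (active)
  target: default
  interfaces: eth1_WW
  services: ssh
  forward: no
  masquerade: yes
  forward-ports:

internal (active)
  target: default
  interfaces: eth0_LAN
  services: samba ssh
  forward: no
  masquerade: no
  forward-ports:

public
  target: default
  interfaces:
  services: dhcpv6-client
  forward: no
  masquerade: no
  forward-ports:
EOF
}

# Demo on the constructed dump; on a real box use
#   firewall-cmd --list-all-zones > zones.txt; zones_forcing_forward zones.txt "$(firewall-cmd --get-default-zone)"
dump=$(mktemp)
sample_zone_dump > "$dump"
echo "zones that make firewalld enable ip_forward (default zone assumed to be public):"
zones_forcing_forward "$dump" public
rm -f "$dump"
```

With masquerading on the zone that holds eth1_WW this box is, by construction, a NAT router for anything that uses it as gateway, whatever YaST's routing page says. Turning it off is `firewall-cmd --permanent --zone=external --remove-masquerade` followed by `firewall-cmd --reload`; then re-check `/proc/sys/net/ipv4/ip_forward` instead of assuming the sysctl was reset, and set `net.ipv4.ip_forward=0` with `sysctl -w` if it still reads 1.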

Returning to manual quoting until I learn to use this forum.
Fascinating what you can achieve when you don’t know what you’re doing…

“As I already said, anyone and any program can at any time change any sysctl value.”
-I thought you meant that this file possibly/probably has been changed by someone/something without me knowing it. But obviously it was not.

So, if I get the hang of this new-to-me “firewall-config”, I will find a way to change this setting?
Or, as the setting probably comes from some config file (/etc/firewalld/firewalld.conf seems not to be the one) by editing the config file directly. If I find it…

Please be careful with respect to *NIX file timestamps –

  • If the “noatime” mount option is set, then the timestamp related to “Time Of Day last accessed” will not be written …

 > LANG=C stat /etc/sysctl.d/70-yast.conf 
  File: /etc/sysctl.d/70-yast.conf
  Size: 109             Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d      Inode: 4064905     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-07-14 15:34:27.359950528 +0200
Modify: 2021-07-14 15:34:04.195950844 +0200
Change: 2021-07-14 15:34:04.195950844 +0200
 Birth: 2020-08-18 15:20:44.268000052 +0200
 > 

The only indication of when the file was last read, are the timestamps related to the “systemd-sysctl.service” …

dcurtisfra:
OK, understood (somehow…).
Thanks

“So, if I get a hang of this new-to-me “firewall-config”, I will find a way to change this setting?”

Well, there it is, staring right at your face.

**staticlx153:~ #** firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services:  
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

dmz
  target: default
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services: ssh
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources:  
  services:  
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services:  
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1_WW
  sources:  
  services: ssh
  ports:  
  protocols:  
  forward: no
  **masquerade: no**
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

home
  target: default
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services: dhcpv6-client mdns samba-client ssh
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0_LAN
  sources:  
  services: dhcpv6-client mdns nfs nfs3 rpc-bind samba samba-client samba-dc ssh
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

public
  target: default
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services: dhcpv6-client
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services:  
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:  

work
  target: default
  icmp-block-inversion: no
  interfaces:  
  sources:  
  services: dhcpv6-client ssh
  ports:  
  protocols:  
  forward: no
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules:

Looks like problem solved.
Thanks everyone