So I had an issue today with my main lab server.
I have multiple subnets in my lab; some can reach the Internet, some are strictly internal.
I have an Ubuntu server that I want to connect to 2 subnets. One is connected to my fast Gigabit network while the other is connected to my slow 10/100 network, but I want to make sure that the internet traffic goes out my internet firewall.
My server has 2 NICs, and I ran into a reverse path filtering roadblock! GRR, reverse path verify is a great security feature, but it can be messy to deal with.
Here is how I solved my problem.
First, here is my interfaces config:
# Management
auto enp3s0
iface enp3s0 inet static
    network 192.168.1.0
    address 192.168.1.2
    gateway 192.168.1.254
    netmask 255.255.255.0
    dns-nameservers 208.67.222.222
# Payload
auto enp1s5
iface enp1s5 inet static
    network 192.168.2.0
    address 192.168.2.2
    netmask 255.255.255.0
    dns-nameservers 208.67.222.222
    post-up route add -net 192.168.2.0/24 gw 192.168.2.254
Here is what my routing table looks like:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s5
192.168.2.0     192.168.2.254   255.255.255.0   UG    10     0        0 enp1s5
I first added a post-up directive under the payload interface to install a route after the interface comes up during a reboot. Also note that only 1 of the NICs has a gateway configured.
With the above setup, I had an issue with SSH to 192.168.1.2 from the 192.168.2.0/24 network, because my traffic from the 2.0 network would get dropped because the server is doing a reverse check.
I was able to resolve this by running:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp3s0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/enp1s5/rp_filter
This will disable reverse path verify, which in my case fixed my issue!
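The reverse path check can be modelled against the routing table above to see why the SSH packets were dropped and which rp_filter values let them through. This is an added example, not part of the original post. It assumes the SSH packet is routed in through enp3s0 and uses a constructed client address, 192.168.2.50; the function names are hypothetical.

```python
import ipaddress

# Routes from the post as (destination, interface). Only the outgoing
# interface matters for the reverse path check, not gateway or metric.
ROUTES = [
    ("0.0.0.0/0", "enp3s0"),
    ("192.168.1.0/24", "enp3s0"),
    ("192.168.2.0/24", "enp1s5"),
]

def best_route_iface(addr, routes=ROUTES):
    """Longest-prefix match: interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in routes
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def effective_mode(all_value, iface_value):
    """The kernel uses the higher of conf/all and conf/<iface> rp_filter."""
    return max(all_value, iface_value)

def rp_filter_accepts(src, in_iface, mode, routes=ROUTES):
    """Simplified model: 0 = no check, 1 = strict, 2 = loose."""
    if mode not in (0, 1, 2):
        raise ValueError("rp_filter mode must be 0, 1 or 2")
    if mode == 0:
        return True
    back = best_route_iface(src, routes)
    if mode == 1:
        # Strict: the reply route must leave through the arrival interface.
        return back == in_iface
    # Loose: the source only has to be reachable through some interface.
    return back is not None

def demo():
    src, in_iface = "192.168.2.50", "enp3s0"  # constructed packet, assumed path
    return {mode: rp_filter_accepts(src, in_iface, mode) for mode in (0, 1, 2)}

if __name__ == "__main__":
    for mode, ok in demo().items():
        print(f"rp_filter={mode}: {'accept' if ok else 'drop'}")
```

In this model strict mode (1) drops the packet, while both 0 and loose mode (2) accept it, so writing 2 instead of 0 to the same three rp_filter files keeps some source validation in place.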
Hope this helps!