I'm trying to create a separate subnet for certain devices on my network. To this end I created a pseudo-ethernet interface attached to one of my internal network ports.
eth0 WAN external ip
eth1 LAN xx.xx.10.1/24
eth2 Other LAN xx.xx.20.1/24
peth1 eth1 xx.xx.30.1/24
DHCP on eth1 and eth2, not on peth1.
Bare minimum firewall rules on eth0.
I attach a manually addressed machine, with xx.xx.30.5 as the address and xx.xx.30.1 as the gateway, but from it I'm not able to ping anything or resolve any names.
I'm not sure what step I'm missing in the big picture.
Any help appreciated.
/* Router configuration as pasted (collapsed onto two lines in the post); reflowed
   one statement per line, tokens unchanged. Review comments are marked NOTE(review). */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Ruleset applied to traffic entering on eth0 and forwarded to internal networks (see interfaces/eth0/firewall/in). */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Ruleset applied to traffic entering on eth0 and destined to the router itself (interfaces/eth0/firewall/local). */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): rule 20 accepts NEW connections to port 22 (tcp and udp) from any WAN
           source, with logging disabled, so router SSH is reachable from the internet with no
           audit trail in syslog. If WAN management is intended, restrict the source, enable
           `log enable` here, and consider key-only authentication under service/ssh. */
        rule 20 {
            action accept
            description SSH
            destination {
                port 22
            }
            log disable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path (source address) validation is disabled; spoofed-source
       packets are not dropped by this check. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        /* Only eth0 has firewall instances attached; no firewall name is bound to eth1, eth2 or peth1 in this config. */
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address xx.xx.10.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address xx.xx.20.1/24
        description WLAN
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* NOTE(review): peth1 is linked to eth1 but carries no `address` statement here, although the
       post describes it as xx.xx.30.1/24 -- confirm the address is actually set. Being a
       pseudo-ethernet on eth1 it presumably shares eth1's broadcast domain, so this gives a
       separate IP subnet but no layer-2 separation from the LAN; a VLAN would be needed for that. */
    pseudo-ethernet peth1 {
        description Gamesys
        link eth1
        mac 00:02:03:04:05:06
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    /* Port-forward / hairpin handling is scoped to eth1 only; peth1 is not listed. */
    lan-interface eth1
    wan-interface eth0
}
service {
    /* DHCP scopes exist for xx.xx.10.0/24 and xx.xx.20.0/24 only; no scope for the peth1 subnet, matching the post. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet xx.xx.10.0/24 {
                default-router xx.xx.10.1
                dns-server xx.xx.10.1
                lease 86400
                start xx.xx.10.200 {
                    stop xx.xx.10.243
                }
            }
        }
        shared-network-name WLAN-subnet {
            authoritative disable
            subnet xx.xx.20.0/24 {
                default-router xx.xx.20.1
                dns-server xx.xx.20.1
                lease 86400
                start xx.xx.20.100 {
                    stop xx.xx.20.200
                }
                static-mapping HomeAP {
                    ip-address xx.xx.20.2
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-noip {
                }
                web dyndns
            }
        }
        /* NOTE(review): the DNS forwarder listens on eth1 and eth2 only. A host on peth1 using
           the router as resolver would get no answer, which is consistent with the name
           resolution failure described in the post; add `listen-on peth1` if that is intended. */
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        /* NOTE(review): legacy TLS cipher suites are enabled for the web UI; disable unless a
           specific old client needs them. Plain HTTP on port 80 is also enabled. */
        older-ciphers enable
    }
    nat {
        /* Rule 5010 masquerades all traffic leaving eth0 with no source restriction, so any
           internal subnet that is routed out eth0 (including xx.xx.30.0/24) would be NATed. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name DTB-Router
}
/* NOTE(review): the closing brace after host-name looks like a paste artefact (it leaves the
   final brace below unmatched); the statements that follow are presumably still part of the
   `system` block. Left as pasted. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Vancouver
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */