Thanks for the detailed write-up. I'll try your suggestions and see if it works.
Your Pi acts as a router (not a bridge) and manages a network. Great.
What can I do to configure the Pi to allow each group of computers to talk to each other without the need to ssh into the Pi? I've googled for quite a while now and can't find the solution for this particular use case.
You (almost) do not have to configure the Pi.
A - You have to configure hosts of the first group and add a route to the network address of the Pi for traffic going to the second group. At the moment, traffic to the second group goes to the main router and once there gets dropped, because the main router doesn’t know the Pi acts as a secondary router.
On a Linux host of the first group, assuming the host is connected via wireless (wlan0) and the IP address of the Pi is 10.128.9.254, you could add a static route to the secondary group with a command like this:
Code:
$ sudo ip route add 192.168.25.0/24 via 10.128.9.254 dev wlan0
With this, the host will be able to communicate with hosts in the second group. The routing table of the host will include at least 3 routes:
- a route to all hosts in the first group (10.128.9.0/24), through a configured network interface
- a route to all hosts in the second group (192.168.25.0/24), via the address of a secondary router (the Pi) present on the first network
- a (lower priority) route to anywhere (i.e. “default” or 0.0.0.0/0) via the address of the router of the first network. This route is used for internet access.
Every host in the first group that needs to connect to hosts in the second one should be configured with a suitable static route. Methods vary according to the operating system of the host.
B - To seamlessly enable any host in the first group to reach hosts in the second group, 2 popular methods exist (but might not be available to you):
1. Edit the configuration of the DHCP server that manages the first host group, so that clients will automatically create a supplementary route for hosts managed by the Pi, or
2. Edit the configuration of the router of the first group, so that when hosts try reaching targets in the second group, packets received by the router by virtue of their configured default route are sent back in the LAN to the Pi for further processing.
(If you need hosts in the secondary group to be able to connect to the main router itself, e.g. access its web admin interface, only method 2 will do.)
In other words, since the main router receives all traffic not specifically addressed to the main group, add a static route in the main router and redirect instead of dropping traffic to the second group.
C - The IP address of the Pi needs to be known (and preferably should be fixed) in order to configure this static route. Normally a DHCP server tries leasing the same address to the same host over and over, however an address change is always possible unless a fixed lease has been provisioned for the host.
D - Hosts in the second group need no additional configuration since their router (the Pi) is already configured with all necessary routes.
E - And finally, IP masquerade configuration in the Pi will actually need changing:
- In case a static route is added to the main router, the masquerade rule needs to be removed.
- In all other cases (hosts configured either locally or globally thanks to a DHCP server), the masquerade rule needs to be amended so that it doesn’t hide source addresses from the second group when the target address belongs to the first group.
In other words,
Code:
iptables -t nat -A POSTROUTING -o wlan0 ! -d 10.128.9.0/24 -j MASQUERADE
should allow hosts in the second group to reply to hosts in the first group without interference.
So there you go. Your Pi needs almost no configuration. About everything else, does
HTH and if not, perhaps take a look at a similar situation I was involved with in the past: viewtopic.php?t=272142
Statistics: Posted by rasp14 — Fri May 17, 2024 12:36 am
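The routing and masquerade decisions described in points A and E, modelled as an added example that is not part of the original post. The main router address 10.128.9.1 and the unamended rule (`-o wlan0 -j MASQUERADE`) are assumptions; the networks, the Pi address and the amended rule come from the post.

```python
import ipaddress

LAN1 = ipaddress.ip_network("10.128.9.0/24")    # first group (from the post)
LAN2 = ipaddress.ip_network("192.168.25.0/24")  # second group, behind the Pi (from the post)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PI = "10.128.9.254"                             # Pi's address on the first network (from the post)
MAIN_ROUTER = "10.128.9.1"                      # assumption: not given in the post


def host_routes(with_static_route):
    """Routing table of a first-group host as (prefix, gateway); None means on-link."""
    routes = [(LAN1, None), (DEFAULT, MAIN_ROUTER)]
    if with_static_route:
        # Effect of: ip route add 192.168.25.0/24 via 10.128.9.254 dev wlan0
        routes.append((LAN2, PI))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    net, gw = max(matches, key=lambda route: route[0].prefixlen)
    return gw if gw is not None else "on-link"


def pi_masquerades(dst, out_iface, amended_rule):
    """True if the Pi's POSTROUTING rule rewrites the packet's source address.

    Unamended rule (assumed): -o wlan0 -j MASQUERADE
    Amended rule (from the post): -o wlan0 ! -d 10.128.9.0/24 -j MASQUERADE
    """
    if out_iface != "wlan0":
        return False
    if amended_rule and ipaddress.ip_address(dst) in LAN1:
        return False  # source address of the second-group host stays visible
    return True


if __name__ == "__main__":
    target = "192.168.25.10"  # constructed second-group address
    print("without static route:", next_hop(host_routes(False), target))
    print("with static route:   ", next_hop(host_routes(True), target))
    for dst in ("10.128.9.20", "8.8.8.8"):  # constructed destinations
        print(dst, "masqueraded:", pi_masquerades(dst, "wlan0", amended_rule=True))
```

With the amended rule, first-group hosts see the real 192.168.25.x source addresses in their logs and firewall rules, while traffic leaving for the internet is still masqueraded.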