
I have an embedded system with two Ethernet ports. These two ports are connected to two different Ethernet ports on a Linux box. The Linux box has a third port which is connected to the WAN.

The setup looks like this:

                                                            _________________
eth0 ---- USB2ETH adapter-------(ethusb0)------------------|                 |
(IP: 192.168.2.50)              (IP: 192.168.2.1)          |       Linux     |
(Netmask: 255.255.255.0)        (Netmask: 255.255.255.0)   |       Box       |-------ethext0----WAN
                                                           |                 |
eth1----USB2ETH adapter--------(ethusb1)-------------------|_________________|
(IP: 192.168.3.50)             (IP: 192.168.3.1)
(Netmask: 255.255.255.0)       (Netmask: 255.255.255.0)

Both interfaces are in different domains but have the same netmask, as shown above.

ethusb0 and ethusb1 run DHCP servers. I have updated /etc/dhcp/dhcpd.conf accordingly, and eth0 and eth1 get IP addresses assigned.

On the Linux box, I have set up iptables to accept and forward packets from ethusb0 to ethext0:

sudo iptables --policy FORWARD ACCEPT

sudo iptables -A FORWARD -i ethusb0 -o ethext0 -j ACCEPT
sudo iptables -A FORWARD -i ethext0 -o ethusb0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o ethext0 -j MASQUERADE

Similar iptables rules are set up for ethusb1 as well.

On the Linux box, I have also updated /etc/network/interfaces for ethusb0 and ethusb1 by adding the dns-nameservers. Let's say the server address is 192.0.3.3.

Now, from the embedded system, I'm able to ping the DNS server from both ports. When I do an nslookup of the server name, it succeeds most of the time.

I monitored ethusb0 and ethext0 with Wireshark and I can see the nslookup requests and replies. Requests are received on ethusb0 and then forwarded to ethext0, and replies go from ethext0 to ethusb0.

I also double-confirmed this by checking the FORWARD chain counters in iptables for these interfaces.

Problem:
Now coming to the issue that occurs frequently. There are certain times when the nslookup fails. The query packets are received on ethusb0 but not forwarded to ethext0. I confirmed this by monitoring Wireshark and also the iptables counters. But the next nslookup query succeeds.

I investigated further and found an abnormality in the nslookup query frames originating from the embedded system side. The frames sent out on, say, eth0 had the MAC address of eth0 but the IP address of eth1. It's only for these kinds of frames that the forwarding rule breaks.

Firstly, I do not know or understand why the query packets would contain mismatched MAC and IP addresses. Usually the same interface is chosen to transmit/receive packets. It's only when I bring an interface (e.g. eth0) down and up again that the other interface is chosen.

Secondly, I'm not quite sure why the packets do not get forwarded. My suspicion is that there is some sort of MAC vs. IP address check being done which makes the Linux machine drop those packets. But iptables does not report any dropped packet count.

I checked posts such as https://unix.stackexchange.com/questions/58395/make-nslookup-use-specific-interface, but it did not help.

Things tried so far:

  1. Different subnet masks, but the issue is still seen.
  2. If the interfaces are in the same domain, 192.168.2.x and 192.168.2.y, the issue does not occur.

Could somebody please let me know if any additional rules have to be added to iptables, or whether the interfaces on the embedded system side should be configured in a different way?

1 Answer


Either disabling or setting the reverse path filtering to loose mode for the private interfaces resolved the issue.

echo 2 > /proc/sys/net/ipv4/conf/ethusb0/rp_filter

echo 2 > /proc/sys/net/ipv4/conf/ethusb1/rp_filter
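To make the accepted answer concrete, here is an added example (not from the question or answer above) that models the kernel's reverse path filter decision for the topology in the question: a small routing table with 192.168.2.0/24 on ethusb0, 192.168.3.0/24 on ethusb1 and a default route on ethext0 (all constructed from the question, the default route is an assumption). The `rp_filter_verdict` function applies the three documented modes (0 off, 1 strict, 2 loose) to a packet's source address and ingress interface, which shows why a query arriving on ethusb0 with a 192.168.3.50 source is silently dropped in strict mode but passes in loose mode, and why that drop never shows up in the iptables FORWARD counters (the filter runs during route lookup, before the filter table is consulted).

```python
import ipaddress

# Constructed routing table modelled on the question's topology:
# (destination network, outgoing interface). The default route is an assumption.
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "ethusb0"),
    (ipaddress.ip_network("192.168.3.0/24"), "ethusb1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethext0"),  # default route towards the WAN
]


def route_lookup(dst):
    """Longest-prefix match: the interface the box would use to reach dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_verdict(src_ip, in_iface, mode):
    """
    Reverse path filter decision for a packet with source src_ip received on in_iface.
      mode 0 (off):    accept everything
      mode 1 (strict): accept only if the best route back to src_ip leaves via in_iface
      mode 2 (loose):  accept if src_ip is reachable via any interface at all
    A drop here happens before netfilter's FORWARD chain, so iptables never counts it.
    """
    if mode == 0:
        return "accept"
    reverse_iface = route_lookup(src_ip)
    if reverse_iface is None:
        return "drop"            # source not routable at all: dropped in both strict and loose
    if mode == 1:
        return "accept" if reverse_iface == in_iface else "drop"
    return "accept"              # loose mode: any route back is good enough


def explain(src_ip, in_iface):
    """Verdict under every mode, handy for reasoning about a sysctl change."""
    return {mode: rp_filter_verdict(src_ip, in_iface, mode) for mode in (0, 1, 2)}


if __name__ == "__main__":
    # The failing frame from the question: sent out via eth0 (192.168.2.0/24 side)
    # but carrying eth1's address as source.
    print("mismatched source 192.168.3.50 on ethusb0:", explain("192.168.3.50", "ethusb0"))
    # The normal case.
    print("matching source 192.168.2.50 on ethusb0:  ", explain("192.168.2.50", "ethusb0"))
    # A forged source from outside both LANs, to show what loose mode gives up.
    print("spoofed source 10.0.0.1 on ethusb0:       ", explain("10.0.0.1", "ethusb0"))
```

Two practical notes. The kernel applies the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so check `all` as well as `ethusb0`/`ethusb1` when a setting seems to have no effect, and put the final value in `/etc/sysctl.d/` rather than relying on an `echo` into `/proc`, which does not survive a reboot. The last line of the demo is the trade-off: with a default route present, loose mode accepts any source address on the private interfaces, so it weakens anti-spoofing on those ports; disabling it only on ethusb0 and ethusb1 (not on ethext0) keeps the WAN-facing side strict.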
