
Background information: I have a Windows 10 (soon to be 11) work laptop with VMware Workstation Pro 17. This laptop is connected to my home network via Ethernet and connects to my work network via Cisco AnyConnect VPN. I have a Debian based VM that I added two network interfaces to through VMware workstation (one is NAT and the other is bridged). eth0 is NAT and it successfully connects and allows me to reach devices on my work network and the internet (its IP is in the range of the VMware network adapter on the host machine); eth1 is bridged and it successfully connects and has an IP in my home network space and I can reach the internet (and not get blocked by work firewalls and such).

Goal: I would like to configure my VM to default to using eth1 (work blocks access to my personal website where I have notes and such). However, there are still many instances when I need to run tools that can reach work sites and resources so I'd like to have an option to run tools from an environment that uses eth0. Rather than manually updating /etc/hosts/ or adding manual routes, the concept of network namespaces seemed perfect for my scenario so I attempted to create a network namespace for any work related traffic to use.

What I have tried: I tried several different guides for setting up namespaces (https://josephmuia.ca/2018-05-16-net-namespaces-veth-nat/); this one was particularly helpful. However, I think I may be missing something, as I seem to run into two problems:

  1. When I used veth to connect the network namespace I was able to successfully get the separate network namespace to reach the internet and my work network, but the default/root namespace was still defaulting to eth0. So I tried deleting the default route for eth0 (that broke network access in the new namespace) and I tried changing the metric to be lower on the default route for eth1 (so that it had priority), but this also broke access in the network namespace.
  2. I tried to move eth0 directly into the network namespace rather than use virtual-eth pairs, but I can't seem to get the networking stack working: I added routes and iptables looks fine in the namespace, but DHCP won't assign an IP, and if I assign one manually it still doesn't want to work.

Here are some more details on the commands run. For configuring the namespace:

ip netns add ns
ip netns exec ns ip link set lo up
ip link add veth-default type veth peer name veth-ns
ip link set veth-ns netns ns
ip addr add 10.0.3.1/24 dev veth-default
ip netns exec ns ip addr add 10.0.3.2/24 dev veth-ns
ip link set veth-default up
ip netns exec ns ip link set veth-ns up
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -o eth0 -i veth-default -j ACCEPT
iptables -A FORWARD -i eth0 -o veth-default -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.3.2/24 -o eth0 -j MASQUERADE
ip netns exec ns ip route add default via 10.0.3.1

The above worked well at first but, as mentioned, changing the routes in my default namespace broke it. I have two default routes listed when running ip route:

default via 192.168.109.2 dev eth0 proto dhcp src 192.168.109.128 metric 100 
default via 192.168.1.1 dev eth1 proto dhcp src 192.168.1.36 metric 101
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.36 metric 101 
192.168.109.0/24 dev eth0 proto kernel scope link src 192.168.109.128 metric 100 

and when I removed the first route and added it back with metric 102, it broke the namespace (also it eventually got re-added with metric 100 and there were 3 default routes).

When I configured the namespace without veth, this is what I used:

ip netns add ns
ip link set dev eth0 netns ns
ip netns exec ns ip link set dev lo up
ip netns exec ns ip link set dev eth0 up

Then INSIDE the namespace:

route add default gw 192.168.109.2 (tried .1 and .2 here)
also removed that route and tried adding it with ip route
ip route add default via 192.168.109.2 dev eth0

Haven't used namespaces before and my networking knowledge is more high level (haven't set up routing on Linux like this before) so if anyone wants to take a shot at helping me reach my goal it would be much appreciated. Or if there is a way to do this with a proxy/proxychains that's easier than namespaces maybe that is the best option, but I feel like I am so close!
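The following script is an added example and is not part of the original question or its answers. It reproduces the poster's first (veth plus NAT) approach and adds the piece that was missing: a policy-routing rule so that traffic from the namespace's 10.0.3.0/24 subnet is looked up in its own routing table, whose only default route points at eth0. The root namespace's main table can then prefer eth1, which is exactly the metric change that broke the namespace before, because both namespaces were sharing one default route. Interface names, gateways and the veth addresses are taken from the question; the namespace name `work`, table number 100 and the assumption that VMware's NAT device answers DNS on the gateway address are mine. Without `--apply` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original question: namespace + veth pair + NAT
# out of eth0 (the question's working first attempt) plus policy routing, so the
# root namespace can default to eth1 without cutting the namespace off.
# Addresses, interface and veth names come from the question; NS, TABLE and
# WORK_DNS are assumptions. Without --apply the commands are printed, not run.
set -eu

NS=work                 # namespace name (assumption)
WORK_IF=eth0            # VMware NAT adapter: reaches the work network
HOME_IF=eth1            # bridged adapter: home network
WORK_GW=192.168.109.2   # gateways as shown in the question's ip route output
HOME_GW=192.168.1.1
VETH_HOST=veth-default
VETH_NS=veth-ns
HOST_IP=10.0.3.1
NS_IP=10.0.3.2
VETH_NET=10.0.3.0/24
TABLE=100               # routing table reserved for namespace traffic (assumption)
WORK_DNS="${WORK_DNS:-$WORK_GW}"  # assumption: VMware NAT answers DNS on the gateway

APPLY=0

# run: print each command; execute it only after --apply. Any failure aborts (set -e).
run() {
    printf '%s\n' "$*"
    if [ "$APPLY" -eq 1 ]; then "$@"; fi
}

# Namespace, veth pair and addressing, as in the question's first attempt.
setup_namespace() {
    run ip netns add "$NS"
    run ip netns exec "$NS" ip link set lo up
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
}

# Forwarding and NAT limited to veth <-> eth0, so the VM never forwards between
# the home and work networks; only replies to namespace traffic are let back in.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$VETH_HOST" -o "$WORK_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WORK_IF" -o "$VETH_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VETH_NET" -o "$WORK_IF" -j MASQUERADE
}

# Policy routing: packets sourced from the veth subnet are routed with table
# $TABLE, whose only default route is via eth0. The main table's default can
# then point at eth1 without the namespace losing its path.
setup_policy_routing() {
    run ip route add default via "$WORK_GW" dev "$WORK_IF" table "$TABLE"
    run ip rule add from "$VETH_NET" lookup "$TABLE" priority 1000
    # Prefer eth1 in the main table. A DHCP client may later re-add eth0's default
    # with metric 100, so make this metric persistent in your network configuration.
    run ip route replace default via "$HOME_GW" dev "$HOME_IF" metric 50
}

# ip netns exec bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf,
# so processes in the namespace use the work resolver while the host keeps its own.
setup_dns() {
    run mkdir -p "/etc/netns/$NS"
    run sh -c "printf 'nameserver %s\n' '$WORK_DNS' > '/etc/netns/$NS/resolv.conf'"
}

show_state() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip netns exec "$NS" ip route
}

# Undo everything; deleting the namespace also removes both ends of the veth pair.
teardown() {
    run ip rule del from "$VETH_NET" lookup "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t nat -D POSTROUTING -s "$VETH_NET" -o "$WORK_IF" -j MASQUERADE
    run iptables -D FORWARD -i "$VETH_HOST" -o "$WORK_IF" -j ACCEPT
    run iptables -D FORWARD -i "$WORK_IF" -o "$VETH_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run ip netns del "$NS"
}

main() {
    case "$1" in
        --apply)    APPLY=1; setup_namespace; setup_nat; setup_policy_routing; setup_dns; show_state ;;
        --teardown) APPLY=1; teardown ;;
        *) echo "# dry run, nothing applied; use --apply or --teardown"
           setup_namespace; setup_nat; setup_policy_routing; setup_dns ;;
    esac
}
main "${1:-}"
```

Run it once as root with `--apply`; afterwards `ip netns exec work <tool>` runs a tool with eth0's routing and DNS, while everything started normally uses eth1. The MASQUERADE source is written as 10.0.3.0/24 rather than the question's 10.0.3.2/24 (the kernel masks the host bits, so both match the same subnet, but the network form is what `iptables -S` will show back). On the second approach from the question, moving eth0 itself into the namespace fails to get an address because the host's DHCP client only sees root-namespace interfaces; the client has to be started inside the namespace (for example `ip netns exec ns dhclient eth0`), and the default route then comes with the lease.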
