Linux networking: setting up ethernet and wifi routers

Question

I've been setting up a linux box as my router. And my networking is fairly simple at this point:

1. I have the router connected to my fiber box, which authenticates with my ISP using pppd.
2. I have an ethernet interface, enp2s0, which is the gateway on the router:

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::20d:b9ff:fe5a:2f91  prefixlen 64  scopeid 0x20<link>
        ether 00:0d:b9:5a:2f:91  txqueuelen 1000  (Ethernet)
        RX packets 57348511  bytes 31510953543 (29.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 116229180  bytes 129467792313 (120.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xf7a00000-f7a1ffff

3. I have a wireless interface:

wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::6f0:21ff:fe91:cf90  prefixlen 64  scopeid 0x20<link>
        ether 04:f0:21:91:cf:90  txqueuelen 1000  (Ethernet)
        RX packets 493730  bytes 595814115 (568.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 355275  bytes 344035494 (328.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Which I'd like clients to connect to.

4. I have nftables and some basic routing rules to route traffic.

My clients can connect to the ethernet interface all right. And internet etc. works as expected. However, when connecting to the wireless interface, and pinging:

-> % ping -I wlp65s0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.1.1.48 wlp65s0: 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
60 packets transmitted, 0 received, 100% packet loss, time 60428ms

I don't seem to get any replies back.

On the router, I see the following when enabling nftables trace:

trace id 85cd7345 ip filter trace_chain packet: iif "ppp0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 61 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 59 @th,64,96 0xd9d22c6700000000d1790900 
trace id 85cd7345 ip filter forward packet: iif "ppp0" oif "enp2s0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 60 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 59 @th,64,96 0xd9d22c6700000000d1790900 
trace id 3626e73a ip filter trace_chain packet: iif "wlp4s0" ether saddr 48:ad:9a:9d:5e:a4 ether daddr 04:f0:21:91:cf:90 ip saddr 10.1.1.48 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 52040 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900 
trace id 3626e73a ip filter forward packet: iif "wlp4s0" oif "ppp0" ether saddr 48:ad:9a:9d:5e:a4 ether daddr 04:f0:21:91:cf:90 ip saddr 10.1.1.48 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 52040 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900 
trace id a6c3e760 ip filter trace_chain packet: iif "ppp0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 61 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900 
trace id a6c3e760 ip filter forward packet: iif "ppp0" oif "enp2s0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 60 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900 

Which I am unable to understand.

Any pointers here will be very helpful.

---

If I change the wireless interface address to 10.1.2.1, I am able to connect to other hosts on the LAN/WAN.

Answer 1

My guess is that the router doesn't know where to send traffic to 10.1.1.48; it could go via 10.1.1.1 (ethernet) or 10.1.1.2 (wifi). So response to the ping is going to the ethernet port, and the wireless client never sees it. We can see this from the iif "ppp0" oif "enp2s0" part of the trace; packet arrives from ppp0 (the "iif") and is attempted to be sent on ethernet (the "oif").

That would also explain why setting wireless to a different subnet (10.1.2.1) solves the problem; there's a unique interface per subnet.

If you want wifi and ethernet clients to be on the same subnet then you may be better off creating a bridge. So let's call this bridge "br-lan". That bridge will get the IP address 10.1.1.1. And then you add the ethernet and wifi adapters (which don't have IP addresses!) to the bridge. Now things work.

How you create the bridge will depend on what Linux distro you're using.

On RedHat and derivates (eg Alma, Rocky) this can be done with network manager. Something like (untested)

nmcli connection delete enp2s0
nmcli connection delete wlp4s0

nmcli connection add type bridge con-name br-lan ifname br-lan bridge.stp no ip4 10.1.1.1/24 ipv6.method disabled
nmcli connection add type bridge-slave con-name enp2s0 ifname enp2s0 master br-lan
nmcli connection add type bridge-slave con-name wlp4s0 ifname wlp4s0 master br-lan

This will delete any existing configuration for ethernet and wifi (so be careful; you'll lose network access at this point; do it from a console) and then create the bridge with the required IP address, then attach the two interfaces to it.