You are building a router with a firewall. It does not make sense to have two default routes. The default route is the route that packets for IP addresses not belonging to the local networks are sent to. If the router does not know where to send a packet for an IP address, it sends it to the next hop on the network with the IP address of the default route. If you have two default routes, where should the router send packets for unknown IP addresses?
You should only set up one default route on the Raspi, pointing to your internet router, in your example 10.0.0.138. But how do the packets get from network 169.254.25.0/24 to the internet? The packets have to pass from eth1 to eth0 and back. To enable this you have to turn on ip forwarding, as @dlu already commented. There are several ways to do it. I don't know what configuration you are using. You can enable it directly in the kernel with:
rpi3 ~$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Or you can uncomment it in /etc/sysctl.conf and reboot:
rpi3 ~$ grep -B 1 'ipv4.ip_forward' /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
Or with systemd-networkd you can add IPForward=yes to the [Network] section in one of your /etc/systemd/network/eth*.network files.
Your internet router 10.0.0.138 does not know where to send packets from network 169.254.25.0/24. We have to tell it with a static route. On most internet routers I know you can set a static route, but how to do that varies from model to model. It's up to you to find it out. On a Raspberry Pi it would look like this (don't set it on your Raspi router!):
~$ sudo ip route add 169.254.25.0/24 via 10.0.0.12 dev ethX
That means: "send all packets belonging to network 169.254.25.0/24 (destination network) to the next router 10.0.0.12 (gateway). It knows where to go on."
summary of Raspberry Pi settings
Settings on RPi (router):
rpi3 ~$ ip addr # stripped to relevant settings
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.0.12/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 169.254.25.136/24 brd 169.254.25.255 scope global eth1
rpi3 ~$ ip route
default via 10.0.0.138 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.12
169.254.25.0/24 dev eth1 proto kernel scope link src 169.254.25.136
Settings on end-point:
end-point ~$ ip addr # stripped to relevant settings
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 169.254.25.25/24 brd 169.254.25.255 scope global eth0
end-point ~$ ip route
default via 169.254.25.136 dev eth0 proto static
169.254.25.0/24 dev eth0 proto kernel scope link src 169.254.25.25
troubleshooting
ip forwarding works without iptables. iptables as a firewall only restricts communication, so for troubleshooting make sure iptables is completely transparent. If you have some rules there, save them (out of scope here) before flushing [1]:
rpi3 ~$ sudo -Es
rpi3 ~# iptables --policy INPUT ACCEPT
rpi3 ~# iptables --policy FORWARD ACCEPT
rpi3 ~# iptables --policy OUTPUT ACCEPT
rpi3 ~# iptables --table nat --flush
rpi3 ~# iptables --table mangle --flush
rpi3 ~# iptables --table raw --flush
rpi3 ~# iptables --flush
rpi3 ~# iptables --delete-chain
rpi3 ~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
rpi3 ~# exit
rpi3 ~$
Check if ip_forward is set to 1:
rpi3 ~$ cat /proc/sys/net/ipv4/ip_forward
1
From your end-point you should be able to ping your Raspi on this side. This should always work. If not, you have a general problem with your connection, e.g. a broken ethernet wire, an ethernet cable not firmly plugged into its port, wrong drivers for your interfaces or something else.
end-point ~$ ping -nc1 169.254.25.136
PING 169.254.25.136 (169.254.25.136) 56(84) bytes of data.
64 bytes from 169.254.25.136: icmp_seq=1 ttl=64 time=0.663 ms
[...]
Then you should see the other side of the Raspi (the IP it forwards to) and your internet router:
end-point ~$ ping -nc1 10.0.0.12
PING 10.0.0.12 (10.0.0.12) 56(84) bytes of data.
64 bytes from 10.0.0.12: icmp_seq=1 ttl=64 time=0.663 ms
[...]
end-point ~$ ping -nc1 10.0.0.138
PING 10.0.0.138 (10.0.0.138) 56(84) bytes of data.
64 bytes from 10.0.0.138: icmp_seq=1 ttl=64 time=0.663 ms
[...]
And you should get responses from the internet, e.g. from the Google nameserver. First try from the Raspi, then from the end-point:
rpi3 ~$ ping -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]
end-point ~$ ping -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]
And it should take the default routes on your network, hop by hop (look at the first two hops):
end-point ~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 169.254.25.136 0.504 ms 0.580 ms 0.642 ms
2 10.0.0.138 0.504 ms 0.580 ms 0.642 ms
3 62.155.246.85 9.556 ms 9.493 ms 11.073 ms
4 217.239.51.58 13.707 ms 14.051 ms 15.524 ms
5 80.156.160.118 15.655 ms 17.208 ms 17.144 ms
6 * * *
7 216.239.48.42 18.655 ms 72.14.233.46 20.237 ms 21.819 ms
8 108.170.238.245 19.712 ms 108.170.233.39 13.247 ms 216.239.59.113 13.366 ms
9 8.8.8.8 13.926 ms 12.564 ms 12.596 ms
references:
[1]: best way to clear all iptables rules
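As an added example (not code from the answer above), here is a POSIX shell script that checks the three things the answer relies on before you start pinging: exactly one default route, a default gateway that lies inside a directly connected network on the same interface (otherwise the kernel cannot ARP for it), and net.ipv4.ip_forward set to 1. It parses `ip route` output as text, so the same functions can be run against a captured table; the addresses, interface names and the 169.254.25.0/24 prefix are the answer's, while the function names and the `--live` flag are my own. It also prints a minimal stateful FORWARD ruleset, because the troubleshooting steps above leave the firewall at ACCEPT on all chains and that state should not be left in place once forwarding works.

```shell
#!/bin/sh
# Pre-flight checks for the two-interface Raspberry Pi router from the answer.
# Added example, not part of the original post. Assumed layout (from the
# answer): eth0 10.0.0.12/24 with gateway 10.0.0.138, eth1 169.254.25.136/24.

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change is local.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet ADDR PREFIX/LEN -> status 0 when ADDR lies inside the prefix.
in_subnet() {
  _prefix=${2%/*}; _len=${2#*/}
  _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
  [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_prefix") & _mask )) ]
}

# count_default_routes "ROUTE TABLE" -> number of default routes (must be 1).
count_default_routes() {
  printf '%s\n' "$1" | grep -c '^default ' || true
}

# default_gateway_reachable "ROUTE TABLE" -> status 0 when the default
# gateway is inside a 'scope link' network on the same device as the route.
default_gateway_reachable() {
  _routes=$1
  set -- $(printf '%s\n' "$_routes" | awk '/^default via/ { print $3, $5; exit }')
  _gw=$1; _dev=$2
  [ -n "$_gw" ] || return 1
  while read -r _pfx _kw _ifname _rest; do
    [ "$_ifname" = "$_dev" ] || continue
    in_subnet "$_gw" "$_pfx" && return 0
  done <<EOF
$(printf '%s\n' "$_routes" | grep 'scope link')
EOF
  return 1
}

# forwarding_enabled [FILE] -> status 0 when ip_forward reads 1.
# FILE is only there so the check can be exercised against a sample file.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# After troubleshooting, replace "everything ACCEPT" with rules that only let
# the 169.254.25.0/24 side open connections towards eth0 and let replies back.
# Review the output, then feed it to sh as root.
print_forward_rules() {
  cat <<'EOF'
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 169.254.25.0/24 -j ACCEPT
EOF
}

# run_live_checks -> status 0 when the running system passes every check.
run_live_checks() {
  _table=$(ip route)
  _ok=0
  [ "$(count_default_routes "$_table")" -eq 1 ] || { echo "expected exactly one default route"; _ok=1; }
  default_gateway_reachable "$_table" || { echo "default gateway is not on a connected network"; _ok=1; }
  forwarding_enabled || { echo "net.ipv4.ip_forward is 0"; _ok=1; }
  return $_ok
}

# Only touch the live system when asked: sh router-check.sh --live
if [ "${1-}" = "--live" ]; then
  run_live_checks
fi
```

Run it with `--live` on the Raspi; each failing check names the step in the answer that still needs fixing (two default routes, a gateway on the wrong interface, ip_forward not set).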
169.254.0.0/16 address is a local, non-connectible RFC 3927 IP address, so that'll never connect anywhere but the local Layer-2 network, unless you've got the infrastructure to ensure it will (very, very unlikely). – stevieb Apr 02 '18 at 22:47
On a *BSD system you'd want to turn on IP Forwarding in the kernel; I assume there is probably something similar in the Linux kernel. – dlu Apr 03 '18 at 22:44