2

I currently have a setup where my RPi 3B (Raspbian Jessie) is connected to two routers, using eth0 and wlan0. I want to use eth0 only to communicate with another device in the LAN, and I want to use wlan0 for WAN traffic via the router.

How can I ensure that only the network on wlan0 is used for internet traffic? This must require some action? I want to use the network on eth0 only for communicating with a device in the same LAN, and make sure that no internet traffic is routed to WAN via the router on this network.

  • RPI eth0 -> router A -> Device in LAN. (RPI assigned IP in range 10.x.x.x)
  • RPI wlan0 -> router B -> any WAN traffic. (RPI assigned a static IP 192.168.1.13 via router settings)

I do not have access to router A.

Is it enough to use the route command, something like this below?

sudo route del default
sudo route add default gw 192.168.1.1   # let's say this is the IP address of the router I want to use for internet

I am a bit wary of just trying this because I would be making these changes over ssh. I really don't want to lose connection to the Pi because it is in a remote location. I'm also worried that even if these changes do work, I may still get kicked out of my ssh connection after the changes are applied.

Do you think this is the right approach?

LecauseAndThePi
  • 1
    Fiddling with route is the last resort (it is overwritten by most networking setup commands). If you are using Raspbian on different networks with their own DHCP servers you don't need to do anything. – Milliways Jun 14 '18 at 09:54
  • 1
    How can I ensure that only the network on wlan0 is used for internet traffic though? This must require some action? I want to use the network on eth0 only for communicating with a device in the same LAN, and make sure that no internet traffic is routed to WAN via the router on this network. Thanks for the tip on the route command. – LecauseAndThePi Jun 14 '18 at 10:08
  • Not Pi specific. – joan Jun 14 '18 at 10:18
  • 2
    Is it not? Would this be implemented with the same method on a Windows laptop? Maybe it's Linux specific? Are the commands / configuration files / syntax used to achieve a solution for this matter identical across all Linux distros? I thought this would be the best place to ask. – LecauseAndThePi Jun 14 '18 at 10:33
  • Make sure you check out https://raspberrypi.stackexchange.com/a/37921/33476 – Dmitry Grigoryev Jun 21 '18 at 07:26

1 Answer

5

Because you have different subnets it is possible to set up clean routing. I assume the following network setup for example:

    10.10.10.1   10.10.10.2       192.168.1.13   192.168.1.1         +----------+
        /             \                /              \         wan  |          |
ROUTER A <-----------> (eth0)RPI(wlan0) <~.~.~.~.~.~.> ROUTER B <--> | INTERNET |
       \  ethernet                             wifi    /             |          |
        +<--------> LAN-Device        AdminPC <~.~.~.>+              +----------+
                   /                         \
              10.10.10.3                 192.168.1.2

As long as your AdminPC is on the same network as router B there shouldn't be any difficulties with fiddling with the default route on the raspi. Usually the route to the subnet is set by the kernel to:

rpi ~$ ip route list 192.168.1.0/24
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.13

If this isn't touched you should always reach the raspi with ssh. But if the DHCP-Server on Router B is configured the right way it will also give the default route to its clients so they can get into the internet automatically. Your routing table should look similar to this:

rpi ~$ ip route
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.13 metric 1024
10.10.10.0/24 dev eth0 proto dhcp scope link src 10.10.10.2
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.13
192.168.1.1 dev wlan0 proto dhcp scope link src 192.168.1.13 metric 1024

If the default route isn't set by the DHCP-Server then do:

rpi ~$ sudo ip route del default
rpi ~$ sudo ip route add default via 192.168.1.1 dev wlan0 src 192.168.1.13

Now from your raspi you can ping 10.10.10.3 and 192.168.1.2 and 8.8.8.8 (Google nameserver on the internet). You cannot ping 10.10.10.3 from the AdminPC. There is no routing on your raspi. To do this you have to enable IP forwarding and set up a NAT (network address translation) on eth0 on the raspi and set a route to 10.10.10.0/24 on the AdminPC:

rpi ~$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
1
rpi ~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This also ensures that devices from 10.10.10.0/24 cannot connect to devices on 192.168.1.0/24. NAT is a one way translation.

AdminPC ~$ sudo ip route add 10.10.10.0/24 via 192.168.1.13 dev wlan0 src 192.168.1.2

But if you can it is better to set the route to 10.10.10.0/24 on router B. Then you have to do it only there and not on each device.

Without warranty ;-)
For a very simple disaster recovery, as long as you haven't made persistent settings, you can start a reboot job:

rpi ~$ sudo bash -c 'sleep 15m && systemctl reboot' &
[1] 708
rpi ~$ jobs
[1]+  Running    sudo bash -c 'sleep 15m && systemctl reboot' &
rpi ~$

This will reboot your raspi after 15 minutes. Don't forget the PID, here 708, to kill the job when you are ready.

rpi ~$ sudo kill 708

If everything works as expected you can make the settings persistent. How to do that depends on what you are using: old style networking, dhcpcd, or systemd-networkd. You can make a generic systemd unit that should always work:

rpi ~$ sudo systemctl --force --full edit set-forward.service

In the editor insert these statements, save it and quit the editor:

[Unit]
Description=setup forwarding with NAT
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
# systemd does not interpret shell redirection, so the write goes through a shell
ExecStart=/bin/sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStart=/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Install]
WantedBy=multi-user.target

Enable the unit:

rpi ~$ sudo systemctl enable set-forward.service

Install the same unit on the AdminPC but only with one:

ExecStart=/sbin/ip route add 10.10.10.0/24 via 192.168.1.13 dev wlan0 src 192.168.1.2
Ingo
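
As an added example (not part of the answer above): a small POSIX shell check that reads a routing table and confirms every default route leaves via wlan0, which is the condition the question asks for and the one the comments report breaking when eth0 is re-plugged or the Pi reboots. The function names and both sample tables are constructed for this example; the second table assumes router A hands out a gateway of 10.10.10.1 as in the answer's diagram.

```sh
#!/bin/sh
# Added example, not from the answer: function names are made up here.

# Print the device of every default route in a routing table read from
# stdin (format: output of `ip route` or `ip -4 route show default`).
default_route_devs() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1)
    }'
}

# check_egress WAN_IF: reads a routing table on stdin.
# Returns 0 if every default route uses WAN_IF, 1 if any default route
# uses another interface, 2 if there is no default route at all.
check_egress() {
    wan_if=$1
    devs=$(default_route_devs)
    if [ -z "$devs" ]; then
        echo "no default route"; return 2
    fi
    for d in $devs; do
        if [ "$d" != "$wan_if" ]; then
            echo "default route via $d, expected only $wan_if"; return 1
        fi
    done
    echo "ok: default route only via $wan_if"
}

# Constructed sample: the table shown in the answer.
GOOD_TABLE='default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.13 metric 1024
10.10.10.0/24 dev eth0 proto dhcp scope link src 10.10.10.2
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.13'

# Constructed sample: eth0 has also been given a default route.
FLIPPED_TABLE='default via 10.10.10.1 dev eth0 proto dhcp src 10.10.10.2 metric 202
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.13 metric 303
10.10.10.0/24 dev eth0 proto dhcp scope link src 10.10.10.2
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.13'

printf '%s\n' "$GOOD_TABLE"    | check_egress wlan0 || echo "exit status $?"
printf '%s\n' "$FLIPPED_TABLE" | check_egress wlan0 || echo "exit status $?"
```

On the Pi itself, `ip -4 route show default | check_egress wlan0` runs the same check against the live table, for instance from a cron job or after each interface change.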
  • Thank you! This is such a great and detailed explanation, I really appreciate the time it must have taken you to draft it out! Unfortunately I think I created some confusion in my question, and omitted some crucial details. I will edit my question now to reflect the actual scenario. I understand if you will not go back and change your answer accordingly; your current answer did provide a lot of knowledge anyway. – LecauseAndThePi Jun 14 '18 at 13:29
  • Basically I had accidentally swapped the IP ranges of each router (also did not say that I have a static IP assigned to the RPi by router B), and asked the question about the route command using the correct IP address, which made the whole thing confusing. And yeah, I do not have admin access to router A. – LecauseAndThePi Jun 14 '18 at 13:35
  • @LecauseAndThePi No problem with updating my answer. It's better to give an answer with minor information than to keep asking and asking in comments. So you can better see what's missing. With router A we then have to work around with NAT. Just a moment please. I have to watch the world championship soccer opening game ... – Ingo Jun 14 '18 at 15:09
  • @LecauseAndThePi I was confused about which router to use for the internet connection. It is router B, right? I have rewritten my answer; hope it will cover your needs. If not, tell me. – Ingo Jun 15 '18 at 00:33
  • Ingo, thanks again for taking the time to edit the answer. Yes, it is router B. Your answer is correct! However, the changes made with ip route are not persistent. I have set up another Pi here and connected it in a similar way to my remote setup for testing. If I unplug and plug back the ethernet cable, or if I reboot the RPi, the default route is reset to router A (on the eth0 side). Do you know how to make these changes permanent? Looking online I found some solutions, but they all involve making up custom bash scripts or similar to simply run the command again whenever eth0 is configured. – LecauseAndThePi Jun 15 '18 at 08:15
  • 1
    I think I have found a solution to make the changes permanent. On top of what you suggested in your answer, I also edited /etc/dhcpcd.conf to include: interface eth0 nogateway. This should stop the interface from setting up a gateway when configuring. – LecauseAndThePi Jun 15 '18 at 10:31