
how to make a router



Hi, all!

In short: if my box has 2 ethernet connections, one to the outside world and one to my LAN, do I need to add a routing instruction so that packets from my LAN can make it out to the internet?  Using /etc/network/interfaces.

Fuller Question:

Currently my main system has one ethernet attached to my local network (a switch, or maybe a dumb router); a wireless router on the network is connected to the (outside) internet and currently provides NAT, firewall and DHCP.*

My goal is to attach the internet directly to my system by an ethernet cable from the modem and take over as the primary router/firewall.

Do I need to add an ip route command to get outbound (public internet) traffic to actually go out?  This includes both traffic from my system and from others on my local network.  Unlike nft, ip doesn't seem to do negative commands, so I guess I would first give routing rules for my local network and then send the rest out.**

E.g., with eth0 my LAN and eth1 the WAN
ip route add 192.168.1.0/24 dev eth0
# other routes I know something about
# other unused private routes--or maybe those should just be dropped by nft?
# perhaps
ip route add blackhole 192.168.0.0/16
ip route add default dev eth1
# nft does SNAT on the result

I'm using ifup as my primary configuration, and have examples of nft setup for firewalls and routers, including SNAT.  This is on buster, though I hope to upgrade soon.  I edited sysctl.conf to allow forwarding.

I had a similar setup a few years ago with iptables, and I don't remember needing to route manually, so maybe I'm missing something.

I've found it difficult to get current information; the "Debian Reference" and "Securing Debian" are both pre-nft, as is https://wiki.debian.org/DebianFirewall.  The documentation on netfilter is naturally focused on nft, not on other changes one needs, and is not Debian specific.  The Debian specific information on iproute2 is minimal; nftables does have some useful info on Debian integration.  ifup has a fair amount of documentation, though it does leave exactly how specifications in interfaces get translated to specific kernel settings to the imagination (e.g., if I specify 2 interfaces will it automatically guess how to route?).

The whole thing is made more complex by the possible presence of other dynamically created networks from libvirt and Docker.  I've mostly been avoiding docker since it doesn't seem to play well with others, e.g., it may delete all my existing rules.

Ross


*DHCP is the problem.  My main system provides customized DHCP and DNS.  My old wireless router let me disable DHCP; my new Deco 5 only lets me disable DHCP by disabling *all* the router features.  Which is why I'm trying to get my main system to act as the router.

**Given that interfaces listed first are not reliably configured first, I'm not sure how to guarantee the outside routes get added after the inside routes, at least if each is set when their respective interface comes up.
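The route selection the post sketches, as an added illustration that is not from the post or from any Debian documentation: the kernel chooses the longest matching prefix, so the LAN /24 wins over the /16 blackhole, the blackhole swallows the rest of 192.168.0.0/16 before any nft SNAT would see it, and the default route catches everything else, independent of the order the routes were added. The table, the test addresses and the WAN link network 203.0.113.0/24 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    action: str                 # "dev": send out an interface; "blackhole": drop silently
    dev: Optional[str] = None   # outgoing interface for "dev" routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the kernel would use: the most specific (longest) matching prefix.
    Insertion order of the routes plays no part in the choice."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> str:
    """Reduce the chosen route to what happens to the packet."""
    route = lookup(table, dst)
    if route is None:
        return "unreachable"
    if route.action == "blackhole":
        return "blackhole"
    return route.dev


# Constructed routing table mirroring the post's plan: eth0 is the LAN, eth1 the WAN.
ROUTES = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "dev", "eth0"),   # ip route add 192.168.1.0/24 dev eth0
    Route(ipaddress.IPv4Network("192.168.0.0/16"), "blackhole"),     # ip route add blackhole 192.168.0.0/16
    Route(ipaddress.IPv4Network("203.0.113.0/24"), "dev", "eth1"),   # constructed WAN link net (TEST-NET-3)
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "dev", "eth1"),        # ip route add default dev eth1
]


def order_independent(table: List[Route], dsts: List[str]) -> bool:
    """Show that reversing the order routes were added changes no lookup result."""
    forward = [next_hop(table, d) for d in dsts]
    backward = [next_hop(list(reversed(table)), d) for d in dsts]
    return forward == backward


if __name__ == "__main__":
    for d in ("192.168.1.5", "192.168.50.1", "198.51.100.7"):
        print(d, "->", next_hop(ROUTES, d))
```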
