DNG on Ubuntu 22.04 LTS in DMZ routing problems

Mark2.tech
Level 1

I have a dual-homed Ubuntu 22.04 LTS server that has one NIC in the DMZ and the other in the LAN. I’ve been wrestling with the netplan configuration, and my searching has found many mixed recommendations on how to accomplish my desired configuration due to the recent changes in gateway configurations and routes. I’ve read the netplan documentation: Pre-requisites - Netplan documentation

Currently I have the following settings:

ip r
default via 192.168.2.2 dev eth0 proto static metric 100 onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-e9fa8283d45d proto kernel scope link src 172.18.0.1
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.39
192.168.14.0/24 dev eth1 proto kernel scope link src 192.168.14.2

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 192.168.2.39/24
      dhcp4: no
      routes:
        - to: 0.0.0.0/0
          via: 192.168.2.2
          metric: 100
          on-link: true
      nameservers:
        addresses:
          - 192.168.2.33
          - 192.168.2.99
    eth1:
      addresses:
        - 192.168.14.2/24
      dhcp4: no
      routing-policy:
        - from: 192.168.14.0/24
          table: 199
      routes:
        - to: 0.0.0.0/0
          via: 192.168.14.1
          metric: 100
          table: 199
      routing-policies:
        - from: 192.168.14.0/24
          table: 199

What I’m trying to accomplish:

  1. Allow internet access and Local Networking to go out via LAN connection.

  2. Allow inbound traffic from our NATed Public IP to the DMZ Interface: 192.168.14.2 to reach our web application and be returned on the originating NIC (DMZ).

Currently with this configuration I can access the internet, but my web application times out. I’ve done packet tracing to determine that the flag [S] traffic is making it into the Ubuntu server, but no replies are heading back out.

What I’m finding is that if I replace the default route, default via 192.168.2.2 dev eth0 proto static metric 100 onlink, with default via 192.168.14.1 dev eth1 proto static metric 100 onlink, then my web application works correctly and I see the return traffic, but then my server has no internet access, as I need that traffic (updates, etc.) to go out the LAN interface.

Please provide some direction on what netplan configuration I need to have to allow the dual-NIC to work and persist on reboot.

Thank you in advance for any help.
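A diagnostic script for the setup in the post above, added here as an example rather than taken from the thread: it checks whether the routing-policy rule and the table 199 default route are actually installed, and asks the kernel which NIC it would use for a reply sourced from 192.168.14.2. The interface names, addresses and table number come from the post; the client address 203.0.113.10 is a constructed placeholder.

```sh
#!/bin/sh
# Added diagnostic for the dual-NIC netplan setup in the post; not from the
# original thread. Assumes the post's values: DMZ NIC eth1 = 192.168.14.2/24,
# DMZ gateway 192.168.14.1, policy table 199, main default route on eth0.
DMZ_IF=eth1
DMZ_IP=192.168.14.2
DMZ_GW=192.168.14.1
DMZ_TABLE=199
# Constructed stand-in for a public client address (TEST-NET-3, never routed).
CLIENT=203.0.113.10

# Given the text of "ip rule show", succeed only if a rule steers traffic sourced
# from the DMZ network (or the DMZ address itself) into the DMZ table.
has_dmz_rule() {
    printf '%s\n' "$1" | grep -Eq "from 192\.168\.14\.(0/24|2) lookup $DMZ_TABLE"
}

# Given the text of "ip route get <client> from <dmz_ip>", succeed only if the
# kernel would send a reply sourced from the DMZ address out the DMZ NIC via the
# DMZ gateway instead of following the main-table default route.
reply_uses_dmz_nic() {
    printf '%s\n' "$1" | grep -q "via $DMZ_GW dev $DMZ_IF"
}

# Live checks, run on the server itself (needs iproute2 and the netplan config
# applied). Each line reports ok/MISSING/PROBLEM so the failing layer is obvious.
run_live_checks() {
    rules=$(ip rule show 2>/dev/null) || { echo "cannot read ip rules"; return 2; }
    if has_dmz_rule "$rules"; then
        echo "ok: policy rule for DMZ source -> table $DMZ_TABLE"
    else
        echo "MISSING: no 'from 192.168.14.x lookup $DMZ_TABLE' rule (routing-policy not applied?)"
    fi
    if ip route show table "$DMZ_TABLE" | grep -q "default via $DMZ_GW dev $DMZ_IF"; then
        echo "ok: table $DMZ_TABLE has default via $DMZ_GW on $DMZ_IF"
    else
        echo "MISSING: no default route in table $DMZ_TABLE"
    fi
    # Ask the kernel which route a locally generated reply from the DMZ address takes.
    sel=$(ip route get "$CLIENT" from "$DMZ_IP" 2>/dev/null)
    if reply_uses_dmz_nic "$sel"; then
        echo "ok: reply to $CLIENT leaves via $DMZ_IF"
    else
        echo "PROBLEM: reply would follow the main table: $sel"
    fi
}

case "${1:-}" in --live) run_live_checks ;; esac
```

Run it as `sh check-dmz-routing.sh --live` on the server. If every check passes but tcpdump still shows no replies on eth1, the reply is being routed with a source address other than 192.168.14.2 at lookup time (for instance a Docker container address behind the bridge, as the follow-up below suspects), so a from-address rule cannot match it and the routing decision has to key on something else, such as a connection mark set when the request arrived on eth1.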

3 Replies

Mark2.tech
Level 1

15 days and no response. DUO refuses to support the product in its recommended configuration. This is a standard installation as per DUO recommendation. We do not have a Linux Network engineer, though, we really should not need one since this is a simple configuration.
This seems like an issue with the docker containers having ‘network-gateway-admin’ and ‘network-gateway-portal’ on the same default gateway, which is not usable when you need to have a dual NIC configuration.

Mark2.tech
Level 1

Is DUO Network Gateway to be considered a Reverse Proxy, or is this designed to have a Reverse Proxy in front of it?

Hi @Mark2.tech,

To answer your last question first: Duo Network Gateway acts as a reverse proxy in front of your applications.

To your comment about not receiving immediate support for your original question: keep in mind that the Duo community is exactly that: a community of Duo customers and SMEs engaged in discussion. A post here does not create a support case. Here’s more information about how to obtain support: How to contact support and get help for Duo

With that said, I only see one prior support case referencing Netplan, with Ubuntu 18.04, but that was about DNS issues and not a dual-NIC configuration.

I encourage you to create a case with Duo Support for in-depth troubleshooting. The Duo support team can escalate to the DNG development team if needed.

Duo, not DUO.