DNG on Ubuntu 22.04 LTS in DMZ routing problems

I have a dual-homed Ubuntu 22.04 LTS server that has one NIC in the DMZ and the other in the LAN. I’ve been wrestling with the netplan configuration, and my searching has found many mixed recommendations on how to accomplish my desired configuration due to the recent changes in gateway configuration and routes. I’ve read the netplan documentation: Pre-requisites - Netplan documentation

Currently I have the following settings:

ip r

    default via 192.168.2.2 dev eth0 proto static metric 100 onlink
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
    172.18.0.0/16 dev br-e9fa8283d45d proto kernel scope link src 172.18.0.1
    192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.39
    192.168.14.0/24 dev eth1 proto kernel scope link src 192.168.14.2

    network:
      version: 2
      renderer: networkd
      ethernets:
        eth0:
          addresses:
            - 192.168.2.39/24
          dhcp4: no
          routes:
            - to: 0.0.0.0/0
              via: 192.168.2.2
              metric: 100
              on-link: true
          nameservers:
            addresses:
              - 192.168.2.33
              - 192.168.2.99
        eth1:
          addresses:
            - 192.168.14.2/24
          dhcp4: no
          # netplan's key is routing-policy; a second, misspelled
          # routing-policies block is rejected as an unknown key
          routing-policy:
            - from: 192.168.14.0/24
              table: 199
          routes:
            - to: 0.0.0.0/0
              via: 192.168.14.1
              metric: 100
              table: 199

What I’m trying to accomplish:

  1. Allow internet access and local networking to go out via the LAN connection.

  2. Allow inbound traffic from our NATed Public IP to the DMZ Interface: 192.168.14.2 to reach our web application and be returned on the originating NIC (DMZ).

Currently with this configuration I can access the internet, but my web application times out. I’ve done packet tracing to determine that the flag [S] traffic is making it into the Ubuntu server, but no replies are heading back out.

What I’m finding is that if I replace the default route (default via 192.168.2.2 dev eth0 proto static metric 100 onlink) with default via 192.168.14.1 dev eth1 proto static metric 100 onlink, then my web application works correctly and I see the return traffic, but then my server has no internet access, as I need that traffic (updates, etc.) to go out the LAN interface.

Please provide some direction on what netplan configuration I need to have to allow the dual-NIC to work and persist on reboot.

Thank you in advance for any help.

15 days and no response. DUO refuses to support the product in its recommended configuration. This is a standard installation as per the DUO recommendation. We do not have a Linux network engineer, though we really should not need one, since this is a simple configuration.
This seems like an issue with the docker containers having ‘network-gateway-admin’ and ‘network-gateway-portal’ on the same default gateway, which is not usable when you need to have a dual NIC configuration.

Is DUO Network Gateway to be considered a Reverse Proxy, or is this designed to have a Reverse Proxy in front of it?
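To make the routing decision discussed in this thread concrete, here is a small Python model of Linux source-based policy routing. It is an added illustration, not code from the post, from Duo, or from netplan. It loads the main table transcribed from the `ip r` output above and table 199 as the posted netplan stanza defines it, then asks which table and interface a packet with a given source address takes. The rule priority 100, the external client address 203.0.113.10 and the container address 172.18.0.5 are constructed. The last two scenarios show the caveat the follow-up post points at: the route lookup for forwarded traffic uses the source address as the packet arrives from the bridge, before any masquerading, so a rule keyed only on 192.168.14.0/24 does not match replies a container sends, and those follow the main table's default via eth0.

```python
"""Toy model of Linux source-based policy routing, built from the addresses
in the post. Constructed illustration, not Duo's or netplan's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: Net            # destination prefix
    dev: str            # egress interface
    via: Optional[str]  # next hop, None for a directly connected network


@dataclass(frozen=True)
class Rule:
    priority: int               # lower number is evaluated first
    table: str
    src: Optional[Net] = None   # None matches any source, like the main-table rule


def lookup(table: list[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    hits = [r for r in table if dst in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen, default=None)


def route_packet(rules, tables, src, dst):
    """Walk the rules by priority. A matching rule whose table holds no route
    for dst is skipped and evaluation continues, as the kernel does.
    Returns (table, dev, via) or None when no table can route dst."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src_ip not in rule.src:
            continue
        hit = lookup(tables[rule.table], dst_ip)
        if hit is not None:
            return rule.table, hit.dev, hit.via
    return None


# Main table, transcribed from the `ip r` output in the post.
MAIN = [
    Route(Net("0.0.0.0/0"), "eth0", "192.168.2.2"),
    Route(Net("172.17.0.0/16"), "docker0", None),
    Route(Net("172.18.0.0/16"), "br-e9fa8283d45d", None),
    Route(Net("192.168.2.0/24"), "eth0", None),
    Route(Net("192.168.14.0/24"), "eth1", None),
]
# Table 199 as the eth1 stanza of the posted netplan config defines it.
TABLE_199 = [Route(Net("0.0.0.0/0"), "eth1", "192.168.14.1")]
TABLES = {"main": MAIN, "199": TABLE_199}

# Priority 100 for the netplan rule is an assumption; what matters is that it
# is evaluated before the kernel's main-table rule at 32766.
RULES = [
    Rule(100, "199", Net("192.168.14.0/24")),
    Rule(32766, "main"),
]

CLIENT = "203.0.113.10"  # constructed external client (TEST-NET-3 range)


def scenarios():
    return {
        # web app socket bound to the DMZ address answers the client: table 199 -> eth1
        "reply_from_dmz_ip": route_packet(RULES, TABLES, "192.168.14.2", CLIENT),
        # updates initiated from the LAN address: no rule match -> main -> eth0
        "host_egress_from_lan_ip": route_packet(RULES, TABLES, "192.168.2.39", CLIENT),
        # reply emitted by a container on the 172.18.0.0/16 bridge (address constructed):
        # the forwarding lookup sees the pre-MASQUERADE source, so the
        # from-192.168.14.0/24 rule never matches and the packet leaves via eth0
        "reply_from_container": route_packet(RULES, TABLES, "172.18.0.5", CLIENT),
        # the same container answering a LAN host (constructed): direct route wins
        "container_to_lan": route_packet(RULES, TABLES, "172.18.0.5", "192.168.2.50"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} -> table {result[0]}, dev {result[1]}, via {result[2]}")
```

On the real server the two facts this model encodes are read with `ip rule show` (the rule list and its priorities) and `ip route show table 199`; the model only reproduces the lookup order so the asymmetric case can be reasoned about offline.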