[SOLVED] NetworkManager + firewalld + /etc/sysconfig/network-scripts = not working together

Sum1 · 01-16-2017, 12:05 PM

I've made three CentOS 7 installation attempts to configure a simple firewall/router box with 2 nics.
I got myself into a seemingly circular scenario where NetworkManager and firewalld and /etc/sysconfig/network-scrpts/ifcfg-***** were interfering or overwriting each other.

I would need to ifdown enp3s7 the internal LAN nic in order to make the external internet enp2s0 reach websites and ping nameservers.
Or after completing firewall-cmd --complete-reload the internal LAN nic would still provide private ip addresses via dhcpd server but LAN clients could not access the internet.

After searching, I found some others experiencing similar adventures: https://github.com/t-woerner/firewalld/issues/195 ((this person's ability to analyze multiple variables and how they're working together is far superior to mine))

I also found more than a few sysadmin explanations that relied on disabling NetworkManager altogether to make network-scripts/ifcfg-***** coordinate with firewalld services.

I'm hoping the following info is helpful to others struggling with the same problem:

1. sysctemctl stop NetworkManager

2. systemctl disable NetworkManager

3. Create dhcp ifcfg-***** for external interface. It must include a “ZONE=external” statement even though firewalld service will overwrite and erase it like this “ZONE=”
Example (external/internet nic):

Code:

TYPE=Ethernet
BOOTPROTO=dhcp
NM_CONTROLLED=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp2s0
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
DEVICE=enp2s0
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
ZONE=external

4. Create static ip address ifcfg-enp3s7 for internal interface.
Example (internal/LAN nic):

Code:

TYPE=Ethernet
BOOTPROTO=static
NM_CONTROLLED=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp3s7
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
DEVICE=enp3s7
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
DNS1=75.75.75.75
DNS2=75.75.76.76
IPADDR=10.10.1.1
NETMASK=255.255.255.0
PREFIX=24
GATEWAY=10.10.1.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
ZONE=internal

5. As said in #3, firewalld will erase the ZONE setting on the external nic configured for dhcp.
The only way I've found to deal with this overwriting is to make the intended external ethernet device associated with the default zone in firewalld. When firewalld reads the empty zone reference "ZONE=____" it will revert and assign the default zone I set like this ---

Code:

firewall-cmd --change-interface=enp2s0 --zone=external --permanent
firewall-cmd --set-default-zone=external
firewall-cmd --complete-reload

6. The external ethernet device won’t work (cannot ping any internet host) until you manually Deactivate it and then Reactivate it.
~# ifdown enp2s0
~# ifup enp2s0

I didn't include my dhcpd server settings or firewalld settings for brevity.
Please let me know if those would be helpful.
I'm still trying to learn all the nuances of making systemd, selinux, firewalld, iptables, and NetworkManager work together, so if you can lend any guidance to improve my current configuration I'd be very thankful.
For now, NetworkManager will remain disabled on my routerbox.

Sum1 · 01-16-2017, 12:14 PM

Quote:

6. The external ethernet device won’t work (cannot ping any internet host) until you manually Deactivate it and then Reactivate it.
~# ifdown enp2s0
~# ifup enp2s0

Forgot to mention, after reboot, you'll need to manually re-set the external internet nic as shown above.
Definitely not ideal for anyone relying on remote ssh access.
Local access to terminal required to re-set the external internet device.

Sum1 · 01-18-2017, 11:59 PM

Made another try.
I'll need to do some remote management so it's not acceptable to potentially get locked out upon reboot.

Quote:

Originally Posted by Sum1

CentOS 7 installation attempt to configure a simple firewall/router box with 2 nics.
1. sysctemctl stop NetworkManager

2. systemctl disable NetworkManager

On latest attempt, 1. start NetworkManager and enable NetworkManager

Quote:

3. Create dhcp ifcfg-***** for external interface. It must include a “ZONE=external” statement even though firewalld service will overwrite and erase it like this “ZONE=”

The statement above is wrong. ZONE= statement is not necessary to make ethernet device settings work with firewalld.
Also wrong, firewalld is not overwriting anything in /etc/sysconfig/network-scripts/ifcfg-*****.
I removed all previous ifcfg-***** scripts and created new ones using a combination of the nmcli and nmtui commandline tools for controlling NetworkManager devices.

External ethernet device:

Code:

HWADDR=xx:xx:xx:xx:xx:xx
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=external
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

Internal (LAN) ethernet device:

Code:

HWADDR=xx:xx:xx:xx:xx:xx
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=internal
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
DNS1=75.75.75.75
DNS2=75.75.76.76
IPADDR=10.10.1.1
PREFIX=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

I believe the cause of all the previous problems with needing to deactivate the internal ethernet device in order to reach internet hosts and ping dns on the external ethernet nic was due to setting DEFROUTE=yes on the internal (LAN) device. Upon changing to DEFROUTE=no on the internal nic, all routing across from LAN to Internet and Internet to LAN works upon reboot.

I tried to provide a GATEWAY setting on the internal ethernet device using nmtui but it doesn't write to ifcfg-internal.
I manually inserted GATEWAY=10.10.1.1 into ifcfg-internal but it gets removed by NetworkManager upon reboot.

systemctl status NetworkManager also reports --- "GATEWAY will be ignored when DEFROUTE is disabled." Okay. NetworkManager doesn't need it to forward packets from LAN clients.

Quote:

5. As said in #3, firewalld will erase the ZONE setting on the external nic configured for dhcp.
The only way I've found to deal with this overwriting is to make the intended external ethernet device associated with the default zone in firewalld. When firewalld reads the empty zone reference "ZONE=____" it will revert and assign the default zone I set like this ---

Again, I misunderstood. It's not necessary to insert ZONE statements into the ethernet device configuration.
Assign ethernet device zones using firewall-cmd.
Configure zone parameters also using firewall-cmd.

selinux is enabled and enforcing.
firewalld is enabled and directing iptables filter and NAT.
NetworkManager is controlling ethernet devices configuration and active connections.
dhcpd is leasing ip addresses to LAN clients.

Everything works upon update and reboot.
SOLVED