I've made three CentOS 7 installation attempts to configure a simple firewall/router box with two NICs.
I got myself into a seemingly circular scenario where NetworkManager, firewalld and /etc/sysconfig/network-scripts/ifcfg-***** were interfering with or overwriting each other.
I would need to ifdown enp3s7, the internal LAN NIC, in order to make the external internet NIC enp2s0 reach websites and ping nameservers.
Or, after completing firewall-cmd --complete-reload, the internal LAN NIC would still provide private IP addresses via the dhcpd server, but LAN clients could not access the internet.
After searching, I found some others experiencing similar adventures:
https://github.com/t-woerner/firewalld/issues/195 (this person's ability to analyze multiple variables and how they work together is far superior to mine)
I also found more than a few sysadmin explanations that relied on disabling NetworkManager altogether to make network-scripts/ifcfg-***** coordinate with the firewalld service.
I'm hoping the following info is helpful to others struggling with the same problem:
1. systemctl stop NetworkManager
2. systemctl disable NetworkManager
3. Create a DHCP ifcfg-***** for the external interface. It must include a “ZONE=external” statement, even though the firewalld service will overwrite and erase it, leaving “ZONE=”.
Example (external/internet nic):
Code:
TYPE=Ethernet
BOOTPROTO=dhcp
NM_CONTROLLED=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp2s0
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
DEVICE=enp2s0
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
ZONE=external
4. Create a static IP address ifcfg-enp3s7 for the internal interface.
Example (internal/LAN nic):
Code:
TYPE=Ethernet
BOOTPROTO=static
NM_CONTROLLED=no
# DEFROUTE=no and no GATEWAY line: the LAN NIC of a router must not install a
# default route. A GATEWAY equal to this NIC's own address adds a second default
# route that competes with the DHCP default route on the external NIC.
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp3s7
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
DEVICE=enp3s7
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
DNS1=75.75.75.75
DNS2=75.75.76.76
IPADDR=10.10.1.1
NETMASK=255.255.255.0
PREFIX=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
ZONE=internal
5. As said in #3, firewalld will erase the ZONE setting on the external NIC configured for DHCP.
The only way I've found to deal with this overwriting is to associate the intended external ethernet device with the default zone in firewalld. When firewalld reads the empty zone reference "ZONE=____", it will revert to and assign the default zone, which I set like this:
Code:
firewall-cmd --change-interface=enp2s0 --zone=external --permanent
firewall-cmd --set-default-zone=external
firewall-cmd --complete-reload
6. The external ethernet device won't work (cannot ping any internet host) until you manually deactivate it and then reactivate it:
~# ifdown enp2s0
~# ifup enp2s0
I didn't include my dhcpd server settings or firewalld settings for brevity.
Please let me know if those would be helpful.
I'm still trying to learn all the nuances of making systemd, SELinux, firewalld, iptables, and NetworkManager work together, so if you can lend any guidance to improve my current configuration I'd be very thankful.
For now, NetworkManager will remain disabled on my routerbox.
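Steps 3 to 6 above as one script, added here as an example and not part of the original post or the poster's own files: it renders the two ifcfg files, binds each NIC permanently to its firewalld zone, enables masquerading and IP forwarding (assumed to be wanted on a router box; the post's own firewalld and dhcpd settings are omitted there and not reproduced here), bounces the external NIC as in step 6, and then checks that each NIC sits in the intended zone and that the only default route is the external NIC's. The interface names enp2s0/enp3s7, the LAN subnet 10.10.1.0/24 and the helper names (`gen_ifcfg_external`, `zone_of`, `default_route_devs`, `verify`) are assumptions for the example.

```shell
#!/bin/bash
# Added example, not the original poster's configuration. Assumptions: enp2s0 is
# the DHCP-addressed external NIC, enp3s7 the static LAN NIC on 10.10.1.0/24,
# and masquerading/forwarding are wanted. Run as root: "./router.sh apply",
# then "./router.sh verify".
set -eu

EXT_IF=${EXT_IF:-enp2s0}
INT_IF=${INT_IF:-enp3s7}
INT_ADDR=${INT_ADDR:-10.10.1.1}
INT_PREFIX=${INT_PREFIX:-24}
SCRIPTS=/etc/sysconfig/network-scripts

# ifcfg for the internet-facing NIC: DHCP supplies address, default route and DNS.
gen_ifcfg_external() {
  cat <<EOF
TYPE=Ethernet
BOOTPROTO=dhcp
NM_CONTROLLED=no
ONBOOT=yes
NAME=$1
DEVICE=$1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
ZONE=external
EOF
}

# ifcfg for the LAN NIC: static address, no GATEWAY and DEFROUTE=no, so the
# only default route on the box is the one DHCP installs on the external NIC.
gen_ifcfg_internal() {
  cat <<EOF
TYPE=Ethernet
BOOTPROTO=none
NM_CONTROLLED=no
ONBOOT=yes
NAME=$1
DEVICE=$1
IPADDR=$2
PREFIX=$3
DEFROUTE=no
ZONE=internal
EOF
}

# Read 'ip -4 route' output on stdin; print the device of every default route.
default_route_devs() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Read 'firewall-cmd --get-active-zones' output on stdin; print the zone whose
# "interfaces:" line lists interface $1 (nothing if it is in no active zone).
zone_of() {
  awk -v want="$1" '
    /^[^ ]/ { zone = $1; next }
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) print zone }'
}

apply() {
  gen_ifcfg_external "$EXT_IF" > "$SCRIPTS/ifcfg-$EXT_IF"
  gen_ifcfg_internal "$INT_IF" "$INT_ADDR" "$INT_PREFIX" > "$SCRIPTS/ifcfg-$INT_IF"
  # Permanent bindings survive the reload that otherwise blanks ZONE= (step 5).
  firewall-cmd --permanent --zone=external --change-interface="$EXT_IF"
  firewall-cmd --permanent --zone=internal --change-interface="$INT_IF"
  # The stock external zone already masquerades; make it explicit in case it was edited.
  firewall-cmd --permanent --zone=external --query-masquerade >/dev/null ||
    firewall-cmd --permanent --zone=external --add-masquerade
  firewall-cmd --set-default-zone=external
  firewall-cmd --complete-reload
  # Masquerade turns forwarding on at runtime; persist it across reboots as well.
  echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/90-router.conf
  sysctl -p /etc/sysctl.d/90-router.conf
  ifdown "$EXT_IF" && ifup "$EXT_IF"   # step 6: bounce the external NIC
}

# Exit non-zero unless each NIC is in its intended zone and the only default
# route on the box is the external NIC's.
verify() {
  local ext_zone int_zone devs
  ext_zone=$(firewall-cmd --get-active-zones | zone_of "$EXT_IF")
  int_zone=$(firewall-cmd --get-active-zones | zone_of "$INT_IF")
  devs=$(ip -4 route | default_route_devs)
  [ "$ext_zone" = external ] || { echo "$EXT_IF in zone '${ext_zone:-none}', want external" >&2; return 1; }
  [ "$int_zone" = internal ] || { echo "$INT_IF in zone '${int_zone:-none}', want internal" >&2; return 1; }
  [ "$devs" = "$EXT_IF" ] || { echo "default route via '${devs:-none}', want only $EXT_IF" >&2; return 1; }
  echo "ok: $EXT_IF=external, $INT_IF=internal, default route via $EXT_IF"
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
esac
```

The `verify` check is the part worth keeping around: a second `default` line in `ip -4 route` (for instance one via the LAN NIC) or an interface missing from `firewall-cmd --get-active-zones` are exactly the two states that produce the "LAN clients get addresses but no internet" symptom described above, and both are caught before any LAN client is plugged in.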