Multiple IPv4 LAN IPs (secondary IP)

My desktop (F42) has a secondary LAN IP, in the same subnet as the primary, sharing the same network adapter, added via Network Manager. It works for incoming traffic because I’ve used it as the destination address for some game servers that were hosted in a Windows VM, with the necessary firewall rules to make that work, and that all still works. I also had used it as an outgoing IP, manually choosing it as an interface, to route traffic out my router to the internet through a VPN. But I’ve only just discovered that at some point that stopped working, and it just defaulted to sending traffic out the primary IP, thus not exiting the VPN. Also, something as simple as “ping -I ” refuses to use the secondary IP. Based on ~4 hours of trying everything I know how to do and that Google can help me find, with the ‘ip’ command, I cannot make this work again.

However, I can log in to a Fedora 40 server on my LAN, run 2 ‘ip’ commands (ip addr add/ip route add) to add a secondary address and route, and successfully run a ping from either IP of my choosing. That’s it, 2 commands. I’ve tried to replicate this on my F42 machine, just removing it from Network Manager and doing it from the command line, but still the same behavior. Google really wants me to use ‘ip rule’ to add a new lookup table; I’ve tried that unsuccessfully. I’ve used that in the past with the netfilter ‘mark’ extension to achieve similar things, but I’m not sure how it’s useful here.

If I ping myself, from my other self, the results come in on the ‘lo’ interface, from and to the requested IPs, but they won’t leave the LAN adapter as anything other than the primary IP.

I’m assuming now since my upgrade from F40->F42 this has probably been broken.

So I’m just at a loss at the moment, I don’t know what else to try, and Google can’t suggest anything new. sysctl setting change? As far as I can see I disabled nftables and just kept using iptables, and I don’t see anything in there that should modify my traffic.

This is either so simple I can’t see the obvious in front of my face, or so obscure I’m never going to figure it out myself. Appreciate any advice.

Isn’t iptables completely dropped at this point? I think you have to use nftables now and the iptables commands are just wrapper scripts that translate things to nftables commands. Does nft list ruleset show your current firewall settings?

I think you might be able to accomplish what you are trying with something like the following in nftables (assuming you had both 192.168.0.1 and 192.168.0.2 assigned to your local NIC) (untested).

table inet nat {
	chain prerouting {
		type nat hook prerouting priority -100;
	}
	chain postrouting {
		type nat hook postrouting priority 100;
		# rewrite the source of traffic leaving the LAN from the primary address to the secondary one
		# (in an inet table the address family is given explicitly: "snat ip to")
		ip saddr 192.168.0.1 ip daddr != 192.168.0.0/24 snat ip to 192.168.0.2
	}
}

Beyond that, when dealing with multi-homed network interfaces, I have used systemd-networkd’s PreferredSource= setting. But you would have to switch to systemd-networkd to use that. I don’t know what the equivalent is with Network Manager.

3 Likes

Ok, I guess I’m going to need to look into that. Thank you for that. I guess this fell into the too obvious category.

I shut down firewalld and it immediately worked again. I’m entirely unfamiliar with nftables and did not think it was being used. My ‘firewall-config’ GUI is clearly editing my iptables rules and shows nothing of the rules nftables is using. Also the ‘nftables.service’ is disabled and inactive, so I was unaware it was doing anything. That is extremely confusing to say the least. Can’t believe I spent so long without just turning off the firewall.

Are the ‘firewall-config’ gui and firewalld outdated tools now? Or did I screw up my setup somehow?

1 Like

The firewalld stuff is not outdated, but IIUC, it is all just wrappers around the lower-level nftables. Personally, I went straight from iptables to using nftables. I never liked the higher-level firewalld interface. I think firewalld generates nftables rules that are too complex with too much jumping from one table to the next. But I run servers, so my needs are a little different from a home user.

Yeah, my iptables is a wrapper from the ‘iptables-nft’ package. I don’t see anything relating to the port forwards I’ve added in firewalld (via the supposed iptables-nftables wrapper) in the nftables ruleset. There are ~500 entries of ‘w-t-f’ if I boil off the whitespace and such in that ruleset though. My untrained eye doesn’t see anything in there that looks like a problem for outgoing traffic either though. Looks like I’ll just start with the example rules and start fresh and sack firewalld. I don’t know why iptables claims to be a wrapper though. iptables kernel modules are loaded so I guess I’m just using both.

Yes, as I said, I don’t like managing nftables via firewalld. I think firewalld makes a horrible mess of things and it is unmanageable if you want to do anything more advanced than opening a port to the world.

You can manually maintain a simple one-file configuration in /etc/sysconfig/nftables.conf much like was done with the former iptables.[1] The syntax of the nftables.conf file is a little different, but everything you need to know can be found in the nftables wiki here: nftables wiki

See also: https://www.netfilter.org/


  1. e.g. Simple ruleset for a server - nftables wiki

1 Like
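Two points in the thread call for the same small tool: the ~500-line firewalld-generated ruleset in which nothing looked wrong to the eye, and the suggestion to keep a simple one-file ruleset instead. The following is an added example, not code from Fedora, firewalld or the nftables project: it parses the text format that `nft list ruleset` prints and reports every rule in a nat postrouting chain that rewrites the source address (`snat` or `masquerade`), then says which of the machine's local addresses each such rule would affect. The embedded ruleset is constructed for the example in the style of a one-file /etc/sysconfig/nftables.conf, using the thread's 192.168.0.1 / 192.168.0.2 addresses and the SNAT rule proposed above; the interface name "eth0" is an assumption. Run it against a real dump with `nft list ruleset | python3 audit_snat.py` (the file name is hypothetical).

```python
"""Find nftables rules that rewrite the source address of outgoing packets.
Added example for this thread (not firewalld's or nftables' own code)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in `nft list ruleset` format; "eth0" is an assumed interface name.
SAMPLE_RULESET = """\
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif lo accept
		tcp dport 22 accept
	}
}
table inet nat {
	chain prerouting {
		type nat hook prerouting priority -100;
	}
	chain postrouting {
		type nat hook postrouting priority 100;
		ip saddr 192.168.0.1 ip daddr != 192.168.0.0/24 snat ip to 192.168.0.2
		oifname "eth0" masquerade
	}
}
"""

@dataclass
class Chain:
    table: str
    name: str
    hook: Optional[str] = None        # filled from the "type ... hook ..." line
    rules: list = field(default_factory=list)

def parse_ruleset(text: str) -> list:
    """Minimal parser: track the current table and chain, collect rule lines."""
    chains, table, chain = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        m = re.match(r"table (\S+) (\S+) \{", line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = re.match(r"chain (\S+) \{", line)
        if m and table:
            chain = Chain(table, m.group(1))
            chains.append(chain)
            continue
        if chain is None:
            continue
        m = re.match(r"type (\S+) hook (\S+) priority", line)
        if m:
            chain.hook = m.group(2)
            continue
        chain.rules.append(line)
    return chains

# snat to X / snat ip to X / snat ip6 to X / masquerade all replace the source address
SOURCE_REWRITE = re.compile(r"\b(snat (?:ip6? )?to \S+|masquerade)\b")

def find_source_rewrites(text: str) -> list:
    """Every rule in a postrouting chain that rewrites the source, with its match expression."""
    hits = []
    for chain in parse_ruleset(text):
        if chain.hook != "postrouting":
            continue
        for rule in chain.rules:
            m = SOURCE_REWRITE.search(rule)
            if m:
                hits.append({"table": chain.table, "chain": chain.name,
                             "match": rule[:m.start()].strip() or "(all traffic)",
                             "action": m.group(0)})
    return hits

def rewritten_sources(text: str, local_addrs: list) -> dict:
    """Map each local address to the rewrite actions that would apply to packets sent from it.
    A plain `ip saddr A` match hits only A; a negated or CIDR match, or no saddr match at all,
    is treated conservatively as hitting every local address."""
    result = {a: [] for a in local_addrs}
    for hit in find_source_rewrites(text):
        m = re.search(r"ip saddr (!=\s*)?(\S+)", hit["match"])
        if m and not m.group(1) and "/" not in m.group(2):
            targets = [m.group(2)]
        else:
            targets = local_addrs
        for a in targets:
            if a in result:
                result[a].append(hit["action"])
    return result

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    for addr, actions in rewritten_sources(text, ["192.168.0.1", "192.168.0.2"]).items():
        print(f"{addr}: {', '.join(actions) if actions else 'source left unchanged'}")
```

On the sample, the secondary address 192.168.0.2 is still caught by the interface-wide `masquerade`, which is exactly the kind of rule that silently turns a ping sent with `-I <secondary>` into one leaving with the primary address; running the script over a firewalld-generated dump shows whether any of its zones installs such a rule.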