Nowadays IP networks are becoming popular in industrial environments, and to limit infrastructure costs non-trivial routing configurations are often needed. Thanks to its dual Ethernet interface, SBC Lynx allows implementing such configurations. As an example of this flexibility, this article shows how to configure SBC Lynx as a Linux-powered router that forwards data packets between two different LANs. This task can be performed in parallel with the other application-specific activities (typically field bus communications, monitoring, control etc.), which allows reducing overall infrastructure costs significantly in the many industrial environments where Ethernet networking is now common.
==Network topology==
The following image shows a simplified block diagram of the network topology that has been used for testing this configuration.
[[File:SBCLynx-router-IP-forwarding.png|thumb|center|600px|Simplified block diagram of the network topology]] Two LANs have been used:
* main LAN (192.168.0.0/24)
* secondary LAN (192.168.11.0/24).
The following devices are connected to these LANs:
* a PC connected to the main LAN (IP address = 192.168.0.28)
* main LAN switch
* SBC Lynx equipped with two Ethernet interfaces
** primary interface (eth0) connected to the main LAN (IP address = 192.168.0.209)
** secondary interface (eth1) connected to the secondary LAN (IP address = 192.168.11.209) [1]
* secondary LAN managed switch (IP address = 192.168.11.239)
* WiFi access point connected to the secondary LAN (IP address = 192.168.11.241)
The secondary LAN managed switch and the access point both integrate a web server listening on port 80. Two IP forwarding rules have been set up in order to make these web servers reachable from the main LAN at 192.168.0.209:80 and 192.168.0.209:8080:
*192.168.0.209:80 <-> 192.168.11.241:80
*192.168.0.209:8080 <-> 192.168.11.239:80
[1] For simplicity, the secondary interface has been implemented with a USB/Ethernet adapter (MOSCHIP 7830/7832/7730 USB-NET adapter) connected to the USB port. For a real-world production environment, using both iMX6UL Ethernet MAC controllers is recommended. To do that, a plugin board connected to the one-piece connector (J45/J52) can be used. For more details please refer to the [mailto:sales@dave.eu sales department].
==Implementation==
To provide the routing functionality, the well known [https://www.netfilter.org/ netfilter/iptables packet filtering framework] is used; it is included by default in the software provided along with [[AXEL_ULite_and_SBC_Lynx_Embedded_Linux_Kit_(XUELK)|XUELK]].
The following steps describe how to set up and configure netfilter to implement the desired routing policy.
First make sure that static IP addresses are correctly configured for the two Ethernet interfaces on SBC Lynx:
Before setting up the port forwarding rules, IP forwarding must be enabled on both the <code>eth0</code> and <code>eth1</code> interfaces:
** This rule tells the FORWARD chain of the filter table to accept TCP packets to port 80 whose destination IP address is ''192.168.11.241''. It is not strictly necessary, because the filter table's default policy accepts all packets, but it is useful for logging and packet statistics (see [[#Enabling_logging | Enabling logging]]). If the router is hardened by setting the FORWARD policy to DROP, rules like this one (plus one for the reply direction) become mandatory.
** This rule translates the source IP address of all TCP packets to port 80 leaving through the ''eth1'' interface with destination IP address ''192.168.11.241'', so that the target answers the router instead of a host on the main LAN.
Here is a dump of the <code>filter</code> and <code>nat</code> tables with the port forwarding rules:
Now from the PC (192.168.0.28) it is possible to access both the managed switch and the access point web servers with a web browser.
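The whole procedure above (static addresses, forwarding, the two port forwards) collected into one script, as an added example that is not code from the article or from DAVE. It uses the article's interface names, addresses and ports; the <code>DRY_RUN</code> knob and the <code>show</code>/<code>apply</code> arguments are this example's own conventions, and the DNAT rules in PREROUTING, which complete the FORWARD and SNAT rules described above, are this example's assumption about the full ruleset.

```sh
#!/bin/sh
# Added example (not from the article or from DAVE): performs the steps above
# on SBC Lynx. Addresses, interfaces and ports are the article's; DRY_RUN and
# the show/apply arguments are this script's own conventions.

WAN_IF=eth0                 # main LAN (192.168.0.0/24)
LAN_IF=eth1                 # secondary LAN (192.168.11.0/24)
WAN_IP=192.168.0.209
LAN_IP=192.168.11.209

# Run a command, or only print it when DRY_RUN is set (review before applying).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: static addresses on the two interfaces.
configure_addresses() {
    run ip addr flush dev "$WAN_IF"
    run ip addr add "$WAN_IP/24" dev "$WAN_IF"
    run ip link set "$WAN_IF" up
    run ip addr flush dev "$LAN_IF"
    run ip addr add "$LAN_IP/24" dev "$LAN_IF"
    run ip link set "$LAN_IF" up
}

# Step 2: enable forwarding on both interfaces (same tokens as /etc/sysctl.conf).
enable_forwarding() {
    run sysctl -w "net.ipv4.conf.$WAN_IF.forwarding=1"
    run sysctl -w "net.ipv4.conf.$LAN_IF.forwarding=1"
}

# Step 3: the rules for one TCP port forward, WAN_IP:pub_port -> dst_ip:dst_port.
# Prints one iptables argument list per line so the rules can be inspected
# (or unit-tested) before they are applied.
port_forward_rules() {
    pub_port=$1; dst_ip=$2; dst_port=$3
    # nat/PREROUTING: rewrite the destination of connections arriving on eth0.
    # Only the first packet of a connection traverses the nat table; conntrack
    # translates the following ones.
    echo "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port"
    # filter/FORWARD: accept the translated flow. The default policy is ACCEPT,
    # so this mainly gives counters and a place to hook LOG rules; with a DROP
    # policy it (plus a rule for the reply direction) becomes mandatory.
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $dst_ip --dport $dst_port -j ACCEPT"
    # nat/POSTROUTING: source-NAT towards the secondary LAN so the target
    # answers the router instead of a 192.168.0.x address it may not route to.
    echo "-t nat -A POSTROUTING -o $LAN_IF -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $LAN_IP"
}

# Feed the rule lines to iptables. Word splitting of $rule is intentional.
apply_rules() {
    while read -r rule; do
        # shellcheck disable=SC2086
        run iptables $rule
    done
}

main() {
    configure_addresses
    enable_forwarding
    {
        port_forward_rules 80   192.168.11.241 80   # WiFi access point
        port_forward_rules 8080 192.168.11.239 80   # managed switch
    } | apply_rules
}

case "${1:-}" in
    show)  DRY_RUN=1 main ;;   # print the commands without touching the system
    apply) main ;;             # run as root on the target
    *)     ;;                  # no argument: only define the functions
esac
```

Run it with <code>show</code> first to review the exact <code>ip</code>, <code>sysctl</code> and <code>iptables</code> invocations, then with <code>apply</code> as root on SBC Lynx; the sysctl and iptables state it creates is volatile, so follow the persistence steps later in this article once the forwards work.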
===Enabling logging===
To enable the <code>iptables</code> logging capability, some kernel modules (netfilter's LOG target) must be added to the default kernel configuration provided along with XUELK.
Logging is useful for troubleshooting a custom iptables configuration, but if it is not configured carefully it can be far too verbose to be useful, especially when there is a lot of traffic on the LAN.
Enabling port forwarding logging is a matter of adding LOG rules to the chains traversed by the forwarded packets. Here is a basic implementation:
The LOG output is appended to the <code>/var/log/messages</code> file. Please note that in XUELK the size of this file is limited to ''265kB'': when the limit is reached, the file is rotated to <code>/var/log/messages.0</code> and a new empty log file is started.
There are many logging options. The two used in this example are the most common:
* <code>--log-prefix</code>: adds a custom string at the beginning of every log entry, which makes it easy to recognize the rule that produced it.
* <code>--log-level</code>: selects the level among the standard Linux kernel log levels. Selecting a low level number (i.e. a high priority) also prints every iptables log entry on the debug console.
Other common filtering options can be used to reduce <code>iptables</code> log output size: see [https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.3 Filtering Specifications]
Here is a section of the logging output showing the port forwarding when the access point web server is accessed from the PC. Be aware that the nat table is traversed only by the first packet of each connection, so PREROUTING and POSTROUTING entries appear once per connection while FORWARD entries appear for every packet.
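An added example, not code from the article or from DAVE, that covers the three logging points above: rate-limited LOG rules for one forwarded service (using <code>--log-prefix</code> and <code>--log-level</code>), and a small summarizer that turns the resulting <code>/var/log/messages</code> lines into one readable line each. The prefixes, the <code>-m limit</code> rate (which assumes the xt_limit match is available in the kernel alongside LOG) and the embedded sample log lines are constructed for this example; interfaces and addresses are the article's.

```sh
#!/bin/sh
# Added example (not from the article or from DAVE): LOG rules for one port
# forward, rate-limited so the 265kB /var/log/messages does not fill on a busy
# LAN, plus a summarizer for the lines they produce. Prefixes, the limit rate
# and the sample log below are constructed for this example.

WAN_IF=eth0
LAN_IF=eth1
# At most 5 entries per minute per rule after an initial burst of 10.
LIMIT="-m limit --limit 5/min --limit-burst 10"

# LOG rules for WAN_IP:pub_port -> dst_ip:dst_port, one iptables argument list
# per line (apply with: log_rules ... | while read -r r; do iptables $r; done).
# -I puts each LOG before the DNAT/ACCEPT/SNAT rule of the same chain, which
# would otherwise end chain traversal before the LOG is reached. The prefix
# has no trailing space so the line needs no quoting when word-split; the
# kernel then prints it as "AP-PRE:IN=eth0 ..." and summarize_log copes.
# --log-level debug (7) keeps the entries off the serial console at the usual
# console_loglevel of 7; pick a lower number (e.g. warning) to see them there.
log_rules() {
    pub_port=$1; dst_ip=$2; dst_port=$3; tag=$4
    # nat/PREROUTING: first packet of each connection, still addressed to the router
    echo "-t nat -I PREROUTING -i $WAN_IF -p tcp --dport $pub_port $LIMIT -j LOG --log-prefix $tag-PRE: --log-level debug"
    # filter/FORWARD: every packet of the flow, after DNAT
    echo "-I FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $dst_ip --dport $dst_port $LIMIT -j LOG --log-prefix $tag-FWD: --log-level debug"
    # nat/POSTROUTING: first packet again, before SNAT rewrites the source
    echo "-t nat -I POSTROUTING -o $LAN_IF -p tcp -d $dst_ip --dport $dst_port $LIMIT -j LOG --log-prefix $tag-POST: --log-level debug"
}

# Reduce netfilter LOG lines (stdin) to "prefix in=IF out=IF SRC:SPT -> DST:DPT FLAGS".
# Everything after "kernel: " is the LOG record: the prefix, then KEY=VALUE
# tokens and bare flag words (DF, SYN, ACK, ...). Non-TCP lines are skipped.
summarize_log() {
    awk '
    /kernel: / && /PROTO=TCP/ {
        rec = $0; sub(/.*kernel: /, "", rec)
        p = index(rec, "IN=")
        if (p == 0) next
        pfx = substr(rec, 1, p - 1); sub(/ +$/, "", pfx)
        inif = "-"; outif = "-"; src = "?"; dst = "?"; spt = "?"; dpt = "?"; flags = ""
        n = split(substr(rec, p), tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            key = (eq > 0) ? substr(tok[i], 1, eq - 1) : tok[i]
            val = (eq > 0) ? substr(tok[i], eq + 1) : ""
            if      (key == "IN"  && val != "") inif = val
            else if (key == "OUT" && val != "") outif = val
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "SPT") spt = val
            else if (key == "DPT") dpt = val
            else if (key ~ /^(SYN|ACK|FIN|RST|PSH)$/) flags = flags key
        }
        printf "%s in=%s out=%s %s:%s -> %s:%s %s\n", pfx, inif, outif, src, spt, dst, dpt, flags
    }'
}

# Constructed sample of what the three rules above write for one connection
# from the PC to the access point: the SYN is seen three times (PRE, FWD,
# POST), the following ACK only in FORWARD because nat is first-packet only.
SAMPLE_LOG='Jan  1 00:00:01 sbc-lynx kernel: AP-PRE:IN=eth0 OUT= MAC=00:50:c2:1e:af:01:00:1b:21:3c:4d:5e:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 00:00:01 sbc-lynx kernel: AP-FWD:IN=eth0 OUT=eth1 MAC=00:50:c2:1e:af:01:00:1b:21:3c:4d:5e:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 00:00:01 sbc-lynx kernel: AP-POST:IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 00:00:02 sbc-lynx kernel: AP-FWD:IN=eth0 OUT=eth1 MAC=00:50:c2:1e:af:01:00:1b:21:3c:4d:5e:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0'

# Summarize the constructed sample; on the target use:
#   grep 'AP-' /var/log/messages | summarize_log
demo() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
}

[ "${1:-}" = demo ] && demo
```

The summary makes the path visible at a glance: the PRE line still shows the router's own address as destination, the FWD and POST lines show the post-DNAT destination 192.168.11.241, and only FORWARD keeps logging once the connection is established.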
The <code>iptables</code> init script makes the rules persistent, so that they are loaded automatically at boot.
The init script must be saved in the target's root file system as <code>/etc/init.d/iptables</code>. From SBC Lynx the following commands can be used to create and edit the file:
Install the <code>iptables</code> init script by simply issuing this command:
<pre>
update-rc.d iptables defaults
</pre>
To save the current <code>iptables</code> rules and make them persistent type this command:
<pre>
root@sbc-lynx:~# /etc/init.d/iptables save
Saving iptables rules
</pre>
At the next boot the saved <code>iptables</code> rules will be automatically loaded.
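A minimal <code>/etc/init.d/iptables</code> with the <code>start</code>/<code>stop</code>/<code>save</code> actions used above, as an added example: this is not the script shipped with XUELK or the article's own. It relies on <code>iptables-save</code>/<code>iptables-restore</code> and stores the ruleset in <code>/etc/iptables.rules</code>, a path chosen for this example.

```sh
#!/bin/sh
# /etc/init.d/iptables - added example, not the XUELK or article script:
# restores the saved ruleset at boot and saves the running one on request.
# The rules file path is an assumption of this example.

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

do_start() {
    if [ ! -r "$RULES_FILE" ]; then
        echo "No saved rules in $RULES_FILE, nothing to load" >&2
        return 0
    fi
    echo "Loading iptables rules from $RULES_FILE"
    # iptables-restore replaces the whole ruleset atomically
    iptables-restore < "$RULES_FILE"
}

do_stop() {
    echo "Flushing iptables rules"
    # Flush every table and restore the default ACCEPT policies; user-defined
    # chains are deleted after flushing since a non-empty chain cannot be removed.
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        iptables -P "$c" ACCEPT
    done
}

do_save() {
    echo "Saving iptables rules"
    # Write to a temp file first so a failed iptables-save never truncates the
    # good copy; the rename makes the update atomic.
    tmp="$RULES_FILE.tmp"
    iptables-save > "$tmp" && mv "$tmp" "$RULES_FILE"
}

main() {
    case "$1" in
        start|restore) do_start ;;
        stop)          do_stop ;;
        restart)       do_stop; do_start ;;
        save)          do_save ;;
        *) echo "Usage: $0 {start|stop|restart|save}" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
[ $# -gt 0 ] && main "$@"
```

After copying it to <code>/etc/init.d/iptables</code> and making it executable, the <code>update-rc.d iptables defaults</code> and <code>/etc/init.d/iptables save</code> commands above work as shown; remember to re-run <code>save</code> every time the live rules are changed, since only the saved file is restored at boot.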
----
Please note that <code>sysctl</code> settings (e.g. the ones used to enable packet forwarding) are not persistent across reboots. To apply sysctl settings at boot time automatically, just add them to [http://linux.die.net/man/5/sysctl.conf <code>/etc/sysctl.conf</code>] as <code>token = value</code>:
<pre>
root@sbc-lynx:~# tail /etc/sysctl.conf
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
#kernel.shmmax = 141762560
net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth1.forwarding=1
</pre>
sysctl.conf settings are applied by the init script during network configuration (see <code>/etc/init.d/networking</code>).
To check the sysctl.conf syntax, the user can also apply those settings manually with the following command: