My AREDN device is sending out the following route table via DHCP to my laptop, which is directly attached with an ethernet cable. This is the route table I see in the laptop to which my AREDN node is directly attached:
default via 192.168.1.254 dev wlp1s0 proto dhcp metric 600
default via 10.0.111.1 dev enp2s0 proto dhcp metric 20100
10.0.0.0/8 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
10.0.111.0/29 dev enp2s0 proto kernel scope link src 10.0.111.3 metric 100
172.16.0.0/12 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.74 metric 600
192.168.2.0/24 dev enp2s0.1 proto kernel scope link src 192.168.2.254
When I enable the WAN interface on the AREDN device so it can reach the internet (*), the default route via 10.0.111.1 gets its priority lowered to 100. Laptop routing table:
default via 10.0.111.1 dev enp2s0 proto dhcp metric 100
default via 192.168.1.254 dev wlp1s0 proto dhcp metric 600
10.0.0.0/8 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
10.0.111.0/29 dev enp2s0 proto kernel scope link src 10.0.111.3 metric 100
172.16.0.0/12 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.74 metric 600
192.168.2.0/24 dev enp2s0.1 proto kernel scope link src 192.168.2.254
This prevents my laptop from reaching the internet, so I need to delete the "default via 10.0.111.1" route from time to time as it pops up again. Really, the "default via 10.0.111.1" route is not necessary in my configuration.
Is there a way to stop the AREDN node from sending out this route? Or manually specify the priority? And if I figure out how by finding a suitable file to edit on the AREDN node, will the change persist across reboots?
The routing table on the AREDN node without LAN enabled is:
10.0.0.0/8 dev eth0.2 scope link src 10.33.13.224
10.0.0.0/8 dev wlan0 scope link src 10.32.13.224
10.0.111.0/29 dev br-lan scope link src 10.0.111.1
(*) I can explain further. This post is edited for a simplified scenario.
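To make the metric change above concrete, here is a small parser for `ip route` output that reports which default route the kernel will actually use and flags any DHCP-learned default route that outranks the intended uplink. This is an added example, not code from the original post or from the AREDN project; the two route tables are copied from the post as sample input, the interface name `wlp1s0` is taken from the post as the "trusted" uplink, and the function names are my own.

```python
"""Parse Linux `ip route` output and decide which default route wins.

The kernel picks the default route with the lowest metric, so a DHCP
server on any directly attached interface can take over a host's
internet path simply by handing out a default route with a smaller
metric than the one the host already trusts.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two routing tables quoted in the post,
# before and after the AREDN node's WAN interface was enabled.
BEFORE_WAN = """\
default via 192.168.1.254 dev wlp1s0 proto dhcp metric 600
default via 10.0.111.1 dev enp2s0 proto dhcp metric 20100
10.0.0.0/8 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
10.0.111.0/29 dev enp2s0 proto kernel scope link src 10.0.111.3 metric 100
172.16.0.0/12 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.74 metric 600
192.168.2.0/24 dev enp2s0.1 proto kernel scope link src 192.168.2.254
"""

AFTER_WAN = """\
default via 10.0.111.1 dev enp2s0 proto dhcp metric 100
default via 192.168.1.254 dev wlp1s0 proto dhcp metric 600
10.0.0.0/8 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
10.0.111.0/29 dev enp2s0 proto kernel scope link src 10.0.111.3 metric 100
172.16.0.0/12 via 10.0.111.1 dev enp2s0 proto dhcp metric 100
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.74 metric 600
192.168.2.0/24 dev enp2s0.1 proto kernel scope link src 192.168.2.254
"""

# Keywords in `ip route` output that are followed by a value.
_VALUED_KEYS = {"via", "dev", "proto", "scope", "src", "metric"}


@dataclass
class Route:
    dst: str            # "default" or a CIDR prefix
    via: Optional[str]  # next hop, None for on-link routes
    dev: str
    proto: Optional[str]
    metric: int         # the kernel treats a missing metric as 0


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route` output into Route objects (one per non-empty line)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst, kv, i = fields[0], {}, 1
        while i < len(fields):
            if fields[i] in _VALUED_KEYS and i + 1 < len(fields):
                kv[fields[i]] = fields[i + 1]
                i += 2
            else:
                i += 1  # bare flags such as "linkdown" carry no value
        routes.append(Route(dst, kv.get("via"), kv["dev"],
                            kv.get("proto"), int(kv.get("metric", 0))))
    return routes


def preferred_default(routes: List[Route]) -> Optional[Route]:
    """The default route the kernel will use: lowest metric wins."""
    defaults = [r for r in routes if r.dst == "default"]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def dhcp_defaults_beating(routes: List[Route], trusted_dev: str) -> List[Route]:
    """DHCP-learned default routes on other interfaces that outrank the
    best default route on `trusted_dev`.  Empty list means the trusted
    uplink is still in charge."""
    trusted = [r.metric for r in routes
               if r.dst == "default" and r.dev == trusted_dev]
    if not trusted:
        return []
    best_trusted = min(trusted)
    return [r for r in routes
            if r.dst == "default" and r.dev != trusted_dev
            and r.proto == "dhcp" and r.metric < best_trusted]


if __name__ == "__main__":
    for label, table in (("before WAN", BEFORE_WAN), ("after WAN", AFTER_WAN)):
        routes = parse_routes(table)
        best = preferred_default(routes)
        print(f"{label}: default via {best.via} on {best.dev} (metric {best.metric})")
        for r in dhcp_defaults_beating(routes, "wlp1s0"):
            print(f"  DHCP default on {r.dev} via {r.via} outranks wlp1s0")
```

Run against the "after WAN" table, the check reports the route via 10.0.111.1 on enp2s0 as outranking the wifi uplink, which is exactly the symptom described in the post. On the host side, the same check can be run periodically over the live output of `ip route` to notice when a directly attached DHCP server starts handing out a default route; the fix the thread arrives at (stopping the node from advertising the route) removes the cause rather than the symptom.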
You obviously have an additional network connection to your computer (192.168.1.0/24).
Uncheck "Allow others to use my WAN" and check "Prevent LAN devices from accessing WAN".
Thanks! I checked the "Prevent LAN devices from accessing WAN" box, and the route is not sent, exactly what I want.
I was hoping to not get into my setup because it is not "canonical", but it is not unusual either. Here goes: The AREDN node is a TPLink CPE510 with a single ethernet port. My home router/gateway is the AT&T Pace 5268. I have an ethernet cable directly connecting the AREDN node to my laptop's ethernet. I get the "rest of the world" over wifi from the Pace.
On the AREDN node, LAN is enabled with the "5 node direct" (DHCP) setting, and WAN is enabled with a static to a unique subnet that only exists on the directly attached ethernet; that WAN IP is 192.168.2.1. We will set up the static for the laptop below.
On the laptop, my wifi has an IP on my home subnet, 192.168.1.0/24, and it also gets an IP address from the AREDN node on the 10.0.111.1 subnet, untagged.
Now the fun begins! The AREDN's WAN comes in on VLAN 1, so first I need to set up a matching static IP on ethernet VLAN 1, which is easy to do in Fedora Linux:
Now my AREDN node can talk to my home network 192.168.1.0/24 on the 192.168.2.1 address and get DNS from my Pace at 192.168.1.254, which serves as the DNS server for the home network. But I still can't get to the internet just yet, because the Pace will only NAT for the 192.168.1.0/24 net. The easiest way to make that work is to set up a NAT on my laptop so that incoming connections on the 192.168.2.254 VLAN 1 address appear to come from the laptop's home network address on the wifi. This again is pretty easy to do in Linux with iptables, although it was easier for me to copy a script from serverfault (if you know iptables you know how that is). The script is attached and contains CC-BY-SA credit in the headers. You end up with the following iptables config:
Now, I would not have to do all this if I had the AREDN WAN interface wired directly to the home network on a Pace switch port, which is the way most people probably have it set up. That's not practical for now, the Pace is in my basement.
As far as I know the mesh network can't access the internet, which is what I want ("Allow others to use my WAN" is not checked). If I wanted to put, say, Gmail or a public internet camera on the mesh network, my approach would be to set up an Apache proxy server on the laptop rather than fiddle with the network configuration further (I know Apache pretty well.)