NUS Wired Network (802.1X)
NUS campus wired network uses 802.1X (EAP) authentication. Without authentication, you get a restricted IP in the 10.245/10.246 range with no proper internet access.
| State | IP Range |
|---|---|
| Unauthenticated | 10.245 / 10.246 |
| Authenticated | 172.x |
Setup with wpa_supplicant
Install:
apt install wpasupplicantCreate /etc/wpa_supplicant/wpa_supplicant-wired.conf:
ctrl_interface=/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=PEAP
identity="nusstf\\username"
password="password"
phase2="auth=MSCHAPV2"
}Run authentication, then request IP:
wpa_supplicant -i <interface> -D wired \
-c /etc/wpa_supplicant/wpa_supplicant-wired.conf -B
dhclient <interface>Important
- Do NOT stop wpa_supplicant — authentication is stateful, stopping it immediately drops to restricted network
- DHCP must happen AFTER authentication
- Do NOT mix NetworkManager with manual wpa_supplicant
Dual NIC Policy Routing (WiFi + Ethernet)
If your machine has both WiFi and Ethernet on NUS network, you may need policy routing to avoid asymmetric routing.
Problem: Traffic arrives via Ethernet but replies go out via WiFi (default route) → connection fails.
Solution: Use ip rule to ensure traffic arriving on Ethernet replies via Ethernet.
Add to /etc/iproute2/rt_tables:
100 campus
ip route add default via 10.246.80.1 dev enp6s0 table campus
ip rule add iif enp6s0 lookup campusPrevent Ethernet from overriding default route:
nmcli connection modify <eth-interface> ipv4.never-default yes
nmcli connection modify <eth-interface> ipv4.ignore-auto-dns yesPersistence
Create /etc/NetworkManager/dispatcher.d/10-enp6s0-policy-routing:
#!/bin/bash
IFACE="$1"
STATE="$2"
if [ "$IFACE" = "enp6s0" ] && [ "$STATE" = "up" ]; then
ip route replace default via 10.246.80.1 dev enp6s0 table campus
ip rule show | grep -q "iif enp6s0 lookup campus" || \
ip rule add iif enp6s0 lookup campus
fichmod +x /etc/NetworkManager/dispatcher.d/10-enp6s0-policy-routingVerification
ip rule
# Expected: from all iif enp6s0 lookup campus
ip route show table campus
# Expected: default via 10.246.80.1 dev enp6s0Proxmox on NUS Network
For Proxmox hosts, the recommended approach is:
- WAN bridge (
vmbr-wan): 802.1X authenticated interface for internet - LAN bridge (
vmbr-lan): internal bridge for containers and other devices - NAT from LAN to WAN via iptables
Troubleshooting
- Check authentication:
CTRL-EVENT-EAP-SUCCESSin wpa_supplicant output - Check NAT counters:
iptables -t nat -L -n -v - Debug order: Auth → IP → Route → NAT → Internet
- Do NOT use source-IP-based rules (
from 10.246.x.x) — useiif(interface-based) rules instead