Multihoming a Linux box.

 
 
Jake Burns
02-23-2004, 04:19 PM
I have a slackware box with 5 network ports in it. A 1gb Intel card
and a 4 port adaptec starfire card.


3 ports are pointed directly at the internet 12.x.x.7,
12.x.x.9, and 12.x.x.12
I would like the 4th to point to our internal network with the
10.x.x.x networking scheme.

I have tried to run DHCP and it will NOT pickup any addresses from our
dhcp server.

I have also tried:
ifconfig eth3 10.0.0.235 broadcast 10.0.0.255 netmask 255.255.255.0 up
then:
route add 10.0.0.0 gw 10.0.0.1 eth3

I am still unable to see the computer on my LAN after that. I can
access the server via the 3 ports configured to be externally facing
though.

Two questions:
Do I have to have "multicast" enabled on my kernel (I thought that was
only for MBONE)?
Am I missing a step on my networking configuration that is causing
this problem?

Other odd behavior: if I take the box down and put all the NICS on
the same 10.x.x.x LAN, I can pull DHCP addresses and/or talk to all
network cards internally, but then I am unable to configure a network
card to speak to external addresses.

Thanks for any help and/or suggestions.

Jake
 
John S
02-23-2004, 05:24 PM
I've only got two interfaces, but one is internet facing and the other is on
10.0.0.0

I'm RH9.0, so maybe there are differences...

What does your route look like when things aren't working?

Looks like your route add is missing the netmask:
route add 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 eth3

I don't believe you need multicast.


 
jack
02-23-2004, 10:20 PM
Jake Burns wrote:
> I have a slackware box with 5 network ports in it. A 1gb Intel card
> and a 4 port adaptec starfire card.
>
> 3 ports are pointed directly at the internet 12.x.x.7,
> 12.x.x.9, and 12.x.x.12
> I would like the 4th to point to our internal network with the
> 10.x.x.x networking scheme.


Trouble ahead...! - Why the hell do You waste three ports here? Do You
have three cables connected? How do You connect anyway? - To me, it
smells nonsense. Please explain.


> I have tried to run DHCP and it will NOT pickup any addresses from our
> dhcp server.
>
> I have also tried:
> ifconfig eth3 10.0.0.235 broadcast 10.0.0.255 netmask 255.255.255.0 up
> then:
> route add 10.0.0.0 gw 10.0.0.1 eth3
>
> I am still unable to see the computer on my LAN after that. I can
> access the server via the 3 ports configured to be externally facing
> though.
>
> Two questions:
> Do I have to have "multicast" enabled on my kernel (i thought that was
> only for MBONE)?
> Am I missing a step on my networking configuration that is causing
> this problem?


This is an "either or" decision ("mutually exclusive"): If You can
setup Your eth3 with the ifconfig command, the route command is absolute
nonsense because the i/f address together with the netmask gives enough
information about the 10.0.0/24 destination.

So, it's either DHCP or static setup.

You needn't have multicast.


> Other odd behavior, If I take the box down and put all the NICS on
> the same 10.x.x.x LAN, I can pull DHCP addresses and/or talk to all
> network cards internally, but then I am unable to configure a network
> card to speak to external addresses.


How useful.

From what You write, it is impossible to help You (which I wish I
could). Please be somewhat more specific about Your environment
(like distro, kernel version, and especially Your starfire driver).
And, are You using a firewall...? - I know there's a way to get over
this.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
 
Jake Burns
02-24-2004, 06:11 AM
> Trouble ahead...! - Why the hell do You waste three ports here? Do You
> have three cables connected? How do You connect anyway? - To me, it
> smells nonsense. Please explain.


> So, it's either DHCP or static setup.


> You needn't have multicast.


> How useful.
>
> From what You write, it is impossible to help You (which I wish I
> could). Please be somewhat more specific about Your environment
> (like distro, kernel version, and especially Your startfire driver).


> And, are You using a firewall...? - I know there's a way to get over
> this.
>
>
> Cheers, Jack.


The box is serving three ftp servers that face the internet in a DMZ
zone; hence, they are all on separate connections. No aliasing to one
card. If one port or cable goes down at least the other three don't.
All our traffic isn't being pushed through a single 100 mbit port
either.

The fourth network port is for internal lan usage.

If all four need to have static IP addresses, that's fine.
So I configured:
eth0: 12.x.x.7 broadcast 12.x.x.x netmask 255.255.255.128
eth1: 12.x.x.9 broadcast 12.x.x.x netmask 255.255.255.128
eth2: 12.x.x.10 broadcast 12.x.x.x netmask 255.255.255.128
eth3: 10.0.0.111 broadcast 10.0.0.255 netmask 255.255.255.0

My route table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.128 U     0      0        0 eth0
localnet        *               255.255.255.128 U     0      0        0 eth1
localnet        *               255.255.255.128 U     0      0        0 eth2
10.0.0.0        *               255.255.255.0   U     0      0        0 eth4
loopback        *               255.0.0.0       U     0      0        0 lo
default         12.x.x.1        0.0.0.0         UG    1      0        0 eth0

I tried to use route add 10.0.0.0 gw 10.0.0.1 eth4 to no avail.

I just want the box to talk to my LAN on one side of my firewall, and
to the internet in my DMZ on the other side.

Thanks for any help.
 
P.T. Breuer
02-24-2004, 06:41 AM
Jake Burns wrote:
> eth0: 12.x.x.7 broadcast 12.x.x.x netmask 255.255.255.128
> eth1: 12.x.x.9 broadcast 12.x.x.x netmask 255.255.255.128
> eth2: 12.x.x.10 broadcast 12.x.x.x netmask 255.255.255.128


Error. All three interfaces are in the same subnet. How is
anyone supposed to know which to send packets through for that
net?

Fix.

> eth3: 10.0.0.111 broadcast 10.0.0.255 netmask 255.255.255.0


Fine.

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> localnet * 255.255.255.128 U 0 0 0 eth0
> localnet * 255.255.255.128 U 0 0 0 eth1
> localnet * 255.255.255.128 U 0 0 0 eth2


All completely bollixed as per above.


> 10.0.0.0 * 255.255.255.0 U 0 0 0 eth4
> loopback * 255.0.0.0 U 0 0 0 lo
> default 12.x.x.1 0.0.0.0 UG 1 0 0 eth0


Why have you got the default route going out through eth0 in
particular? Where is your internet router?

> I tried to use route add 10.0.0.0 gw 10.0.0.1 eth4 to no avail.


Then try harder. You forgot the "-net" and maybe a netmask.

> I just want the box to talk to my LAN on one side of my firewall, and
> to the internet in my DMZ on the other side.


Then at least fix your netmasks.

Peter
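
Added example, not part of the thread: the point about three interfaces sharing one subnet, modelled as a destination-only route lookup over the posted table. It assumes a single routing table with no policy rules, uses 192.0.2.0/25 in place of the redacted 12.x.x.0 network and 198.51.100.20 as a constructed internet client; `candidates` and `ambiguous_prefixes` are names invented here.

```python
import ipaddress

# Constructed stand-in for the posted table: 192.0.2.0/25 (a documentation
# range) replaces the redacted 12.x.x.0 network; interface names and metrics
# are the ones shown in the post.
ROUTES = [
    # (destination, gateway, metric, interface)
    ("192.0.2.0/25", None, 0, "eth0"),
    ("192.0.2.0/25", None, 0, "eth1"),
    ("192.0.2.0/25", None, 0, "eth2"),
    ("10.0.0.0/24", None, 0, "eth4"),
    ("127.0.0.0/8", None, 0, "lo"),
    ("0.0.0.0/0", "192.0.2.1", 1, "eth0"),
]


def candidates(dest, routes=ROUTES):
    """Return every interface tied for the best route to dest.

    Selection is by destination only: longest prefix first, then lowest
    metric. The address a request arrived on plays no part in it.
    """
    addr = ipaddress.ip_address(dest)
    matches = []
    for net, _gw, metric, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            matches.append((-network.prefixlen, metric, iface))
    if not matches:
        return []
    best = min(matches)[:2]
    return [iface for plen, metric, iface in matches if (plen, metric) == best]


def ambiguous_prefixes(routes=ROUTES):
    """Map each (prefix, metric) that appears on more than one interface."""
    seen = {}
    for net, _gw, metric, iface in routes:
        seen.setdefault((net, metric), []).append(iface)
    return {key: ifs for key, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    print("same-subnet neighbour:", candidates("192.0.2.50"))
    print("internet client:      ", candidates("198.51.100.20"))
    print("LAN host:             ", candidates("10.0.0.1"))
    print("ambiguous:            ", ambiguous_prefixes())
```

In this model a reply to an internet client has a single candidate, eth0, whichever of the three public addresses the connection came in on, while traffic for the shared /25 has three equally good candidates.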
 
Cameron Kerr
02-24-2004, 07:12 AM
Jake Burns wrote:
> I have a slackware box with 5 network ports in it. A 1gb Intel card
> and a 4 port adaptec starfire card.
>
> 3 ports are pointed directly at the internet 12.x.x.7,
> 12.x.x.9, and 12.x.x.12


It would make better sense to use virtual interfaces. The event of one
cable or port going down is too remote to consider if all the cables are
going in the same path. The server would be more unreliable.

So use only two cards, and use the interfaces as follows.

eth0 10.x.x.x
eth1 12.x.x.7
eth1:1 12.x.x.9
eth1:2 12.x.x.12

> I have tried to run DHCP and it will NOT pickup any addresses from our
> dhcp server.


On what interface? Did you specify an interface? By default dhcp
clients will generally use eth0.

And of course you need to fix up your routes, as others have said.

--
Cameron Kerr
http://nzgeeks.org/cameron/
Empowered by Perl!
 
jack
02-24-2004, 11:17 AM
P.T. Breuer wrote:

>> 10.0.0.0 * 255.255.255.0 U 0 0 0 eth4
>
>> I tried to use route add 10.0.0.0 gw 10.0.0.1 eth4 to no avail.
>
> Then try harder. You forgot the "-net" and maybe a netmask.


On top of that, You needn't even try to do this, because it's nonsense.
If You specify (via ifconfig) that 10.0.0.0/24 is reachable via eth4,
You are fooling Yourself when You then tell Your box that it should use
a gateway to reach the subnet that it is physically connected to.

Also, I don't get Your idea of eth3 vs. eth4 configuration.

Please review.


Cheers, Jack.

Jake Burns
02-24-2004, 04:35 PM
Sorry to be an idiot but, how SHOULD my routing table look then?

If eth0-eth2 are all in a DMZ facing the Internet, shouldn't they be
on the same subnet?

I guess I don't understand why each ethernet card has to have a
different subnet. Wouldn't the traffic coming to a specific IP
determine what interface passes the traffic back out?

Thanks for your patience with an idiot.

Jake
 
jack
02-24-2004, 10:31 PM
Jake Burns wrote:
> Sorry to be an idiot but, how SHOULD my routing table look then?
>
> If eth0-eth2 are all in a DMZ facing the Internet, shouldn't they be
> on the same subnet?
>
> I guess I don't understand why each ethernet card has to have a
> different subnet. Wouldn't the traffic coming to a specific IP
> determine what interface passes the traffic back out?


OK, Jake, let's give it another try from the beginning:

Firstly, it is very hard to understand Your network design. From what
You wrote, I take it that You have five ethernet connectors on Your box,
four on that starfire and one on Intel. The configuration of those is
somewhat obscure: Three of the four ports of the starfire have public
IP addresses. So I'm wondering what they connect to. Do You have three
cables that connect to the internet/ISP in parallel? I dare doubt.

Then, You say that those three connections form a DMZ. That cannot be
the case. By definition, a DMZ requires the use of a firewall, which
does not show at all in Your description.

Basically, this is why the other replies didn't help You much. You
didn't really point out the problem but You only gave a description of
Your topology, which, as I may add, seems absolutely inefficient.

Please try to provide more details on Your problem, like ASCII-art or,
at least, what each of Your eth$N physically connects to. From there,
You can get a step-by-step guideline to solve Your trouble here.

That You did get little and confusing response here is because of the
lack of those details. - You see that everybody hit that routing
misconfiguration. That is not solved yet. Tell us what Your network is
like, and You'll get a detailed explanation of what's going on and
why, so that You can understand the concepts.


> Thanks for your patience with an idiot.


Don't be too hard on Yourself. - But, if You claim to run ftp servers
in the wild, readers may assume that You have a basic understanding of
networking, and routing in particular, which obviously You do not (yet)
have.

Please give a more detailed description of Your network. And, why not
read the Networking-HowTo along with some other introductory
documentation. - Everybody here will gladly help You to understand what's up,
that's what this NG is good for in the first place.


Cheers and keep those details coming, Jack.

Jake Burns
02-25-2004, 04:23 PM
Sorry about the confusion, Jack. I really appreciate the help.

It's a slack 9.1 box with proftpd running three virtual ftp servers
each bound to a specific IP address. Our firewall should block
everything other than ftp connections on the DMZ side. I want LAN
connectivity so I don't have internal users blowing bandwidth on eth0,
eth1, or eth2.

The only thing I did was add the IP's to the rc.inet1.conf and run the
initial netconfig script (which only configures 1 card). Otherwise it
is stock Slackware.

I don't really care how inefficient it is to use three separate ports
to connect to the internet. I don't think it really makes the system
that much more complex. I understand I can alias them all to one
port. Just pretend they're backups for each other.

As stated earlier:

eth0: 12.x.x.7
eth1: 12.x.x.9
eth2: 12.x.x.10
eth3: Preferably DHCP assigned. Otherwise a static 10.0.0.135 address
will be fine.
eth4: (unused as of yet possibly soon to be used though)

ASCII art as requested:
        _______________________
       |      FTP SERVER       |
eth(x) |   0   1   2   3   4   |
       |   *   *   *   *   *   |
        -----------------------
           |   |   |   |
           |   |   |   |
           |   |   |   |
       -------------  ----------
       |DMZ'd Switch| |LAN Switch| (10.x.x.x)
       -------------  ----------
             |
          Firewall
             |
        *---------*
        |Internet |
        *---------*

It's a Slackware 9.1 Box.
/etc/networks reads:

loopback 127.0.0.0
localnet 12.x.x.0


/etc/rc.d/rc.inet1.conf reads:

# Config information for eth0:
IPADDR[0]="12.x.x.7"
NETMASK[0]="255.255.255.128"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IPADDR[1]="12.x.x.9"
NETMASK[1]="255.255.255.128"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IPADDR[2]="12.x.x.10"
NETMASK[2]="255.255.255.128"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

# Config information for eth3:
IPADDR[3]=""
NETMASK[3]=""
USE_DHCP[3]=""
DHCP_HOSTNAME[3]=""

# Config information for eth4:
IPADDR[4]=""
NETMASK[4]=""
USE_DHCP[4]=""
DHCP_HOSTNAME[4]="yes"

# Default gateway IP address:
GATEWAY="12.x.x.1"

# Change this to "yes" for debugging output to stdout. Unfortunately,
# /sbin/hotplug seems to disable stdout so you'll only see debugging output
# when rc.inet1 is called directly.
DEBUG_ETH_UP="no"


Output of the route command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.128 U     0      0        0 eth0
localnet        *               255.255.255.128 U     0      0        0 eth1
localnet        *               255.255.255.128 U     0      0        0 eth2
10.0.0.0        *               255.255.255.0   U     0      0        0 eth4
loopback        *               255.0.0.0       U     0      0        0 lo
default         12.x.x.1        0.0.0.0         UG    1      0        0 eth0

As I have said before, eth4 will not pickup DHCP. I have tried:
dhcpcd eth4 to no avail. There are other computers plugged into the
same LAN switch getting dhcp addresses.

I have tried:
ifconfig eth4 10.0.0.135 netmask 255.255.255.0 broadcast 10.0.0.255 up
route add 10.0.0.0 gw 10.0.0.1 eth4 and many variants, also to no
avail.

The most important part is that eth0-2 are up and running and ftp
traffic gets passed to those three interfaces. The LAN connection is
not nearly as important.

I hope this gives you enough information.

Jake
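
Added example, not part of the thread and not Slackware's own code: a small lint for the rc.inet1.conf posted above. It assumes the stock rc.inet1 behaviour, where an interface gets a DHCP client only when USE_DHCP[n] is "yes" and a static address only when IPADDR[n] is non-empty; 192.0.2.x stands in for the redacted public addresses, and `parse` and `lint` are names made up here.

```python
import ipaddress
import re

# Constructed copy of the posted rc.inet1.conf with most empty settings left
# out; 192.0.2.x (a documentation range) replaces the redacted 12.x.x.x.
CONF = '''
IPADDR[0]="192.0.2.7"
NETMASK[0]="255.255.255.128"
IPADDR[1]="192.0.2.9"
NETMASK[1]="255.255.255.128"
IPADDR[2]="192.0.2.10"
NETMASK[2]="255.255.255.128"
IPADDR[3]=""
USE_DHCP[4]=""
DHCP_HOSTNAME[4]="yes"
GATEWAY="192.0.2.1"
'''

def parse(conf):
    """Collect KEY[n]="value" settings per interface index, plus GATEWAY."""
    ifaces, gateway = {}, None
    for key, idx, val in re.findall(r'^(\w+)(?:\[(\d+)\])?="(.*)"$', conf, re.M):
        if idx:
            ifaces.setdefault(int(idx), {})[key] = val
        elif key == "GATEWAY":
            gateway = val
    return ifaces, gateway

def lint(conf):
    """Return ({ethN: mode}, findings) for one rc.inet1.conf text."""
    ifaces, gateway = parse(conf)
    modes, findings, nets = {}, [], []
    for n, cfg in sorted(ifaces.items()):
        name = f"eth{n}"
        if cfg.get("USE_DHCP") == "yes":
            modes[name] = "dhcp"
        elif cfg.get("IPADDR"):
            modes[name] = "static"
            nets.append(ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}").network)
        else:
            modes[name] = "unconfigured"
            if cfg.get("DHCP_HOSTNAME"):
                findings.append(f'{name}: DHCP_HOSTNAME set but USE_DHCP is not "yes"')
    if gateway and not any(ipaddress.ip_address(gateway) in net for net in nets):
        findings.append(f"gateway {gateway} is not on a connected subnet")
    return modes, findings

if __name__ == "__main__":
    print(lint(CONF))
```

On the constructed copy it reports eth0 to eth2 as static, eth3 and eth4 as unconfigured, and flags the "yes" that sits in DHCP_HOSTNAME[4] rather than USE_DHCP[4].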
 