Eth0 and eth1

Discussion in 'Linux Networking' started by Captain Beefheart, Jul 20, 2004.

  1. As mentioned earlier in this forum, I'm setting up a VPN system.

    This involves having two network cards on one PC - eth0 and eth1. Because I
    want to learn as much as I can about networking, I'm doing it the hard way
    and avoiding a distro or package which will do all this for me.

    However, I'm having trouble understanding how I can add separate routes for
    each card. One will connect to the WAN and have an "internet IP" whilst the
    other will connect to a private subnet with a 192.168.*.* address. Clearly
    they have separate gateway addresses.

    What files need to be altered? I'm using SUSE, although not for any
    particular reason (the install disc was simply at hand). However, YAST2
    only seems to want to let me have one default route which it then applies
    to both cards.

    Also, is it possible to have separate DNS configs for both cards?
     
    Captain Beefheart, Jul 20, 2004
    #1

  2. Juha Laiho (Guest), replying to Captain Beefheart

    No, default routes you have just one. Wherever you want to route such
    packets for which you don't have any more specific route set up. For
    all the other networks you set up a route manually (or run a routing
    software to get the routing information from your peers, if you are in
    such network that exchanges routing information -- most possibly not).
    Setting up routes manually is done with command "ip route" (or just
    "route" with some distributions). Then there is some distribution-
    specific way for setting up routes that the system should set up at
    boot time.
    Yep, bind can support different DNS views for different interfaces. The
    BOG (Bind Operators Guide) should contain the configuration details
    for this. But wait, are you really providing DNS name service from
    this machine to the Internet, too? Or do you only want to have Internet
    names available to the local machine (and network), and additionally
    to have some local names?
     
    Juha Laiho, Jul 21, 2004
    #2

  3. man route ;)
    --> route add -net [net] netmask [mask] gw [gateway]
    if I remember correctly, the system will find the right NIC by itself.
    for adding a default-router: route add default gw [gateway]
    If _you_ want to be a router between the two networks you are connected
    with those two NICs you have to edit the routing-thing in
    /proc/sys/net/ipv4... If you're not the router, you don't have to edit
    anything...
     
    Bernhard Kastner, Jul 21, 2004
    #3
  4. Okay - I've just spent a couple of hours unsuccessfully trying to get a
    Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
    one had a 192.* private subnet address whilst card two had a static
    internet IP assigned by our ISP. I've not set up a firewall or anything
    fancy - just installed the distro and tried to configure the cards.

    No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
    (eth0 - 192.*) couldn't ping anything, such as a computer on its own
    subnet.

    Each card had separate gateway addresses correctly filled in. The ACT light
    on the back of the non-working card flashed amber occasionally (normally
    green for happy data transfers). But I don't know what this means.

    As far as I can see it, this problem might be caused by three things:

    1) Some subnetting weirdness (subnet for the eth0 (192.*) was 255.255.255.0,
    whilst subnet for the Internet IP card (eth1) was 255.255.255.224). I read
    somewhere that I might have to match the subnets for routing to work...?
    Thinking about it logically, these two networks, even though they're
    occurring at my PC, need to be joined by a router if they have different
    subnet masks... so how do I configure a router *inside* my Linux setup? ...
    leads me onto ....

    2) Routing troubles (route -n reveals both cards + gateways are in the list
    but I didn't copy and paste it to reproduce here - sorry).

    3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
    although I did deactivate the firewall AFAICT.

    Does anybody know of a good tutorial to introduce the concept of setting up
    two network cards under Linux in the arrangement I've described? I'm
    learning about the technology of networking as I go along so saying
    something like "read the route/ifconfig man page!!" doesn't help - it's a
    little above my level and assumes more knowledge than I currently have.

    I've found tutorials on setting up IPtables, tutorials on setting up
    firewalls, tutorials on configuring kernel modules for two cards, and
    virtually everything else, but I can't find a tutorial on the *actual work*
    of configuring the network card IPs and routing. It's as if you're already
    expected to know this.
     
    Captain Beefheart, Jul 21, 2004
    #4
  5. I'm currently reading TCP-IP-ADMIN, a document linked to from the TLDP Net
    How-To. It was written in 1988 but should surely still be relevant.

    Regarding routing, it says that a metric of 0 against an entry causes the
    data to stay on the same local network, even if different subnets are in
    use (ie 192.1.1.0 and 192.1.2.0). However, this is only for a one ethernet
    card setup.

    I'm still unsure about how to get the data to "leap" from one network card
    to another... I guess what I'm asking here is how to set up a PC as a basic
    gateway between subnets.
     
    Captain Beefheart, Jul 21, 2004
    #5
  6. Juhan Leemet (Guest), replying to Captain Beefheart

    (look down... waaaay down... must have been a Friendly Giant fan?)

    OK, that's a good way to learn, but be patient. People will help, but
    don't expect them to "hop to it!" because it is not their job.

    I think you're confusing yourself, and you're confusing me, too. Let's
    review some basic concepts (for both of us) and go from there.

    AFAIK, a *nix machine has only one routing table. This table can have
    entries that specify a number of interfaces (ethernet, fibre, serial,
    etc.). The routing table in a *nix machine deals with "outbound" packets.
    Anything that comes "inbound" on the interfaces is handled by whatever you
    see from "ifconfig -a" which lists the IP addresses which will be accepted
    by that *nix machine. Anything else will be ignored (unless the interface
    is put into diagnostic "promiscuous" mode, but leave that for later).

    OK, now you'll have to be more explicit when you're describing your tests
    and results. When you say you ping, you should tell us which machine
    you're pinging from. I gather up to now it's been your gateway machine?
    The one that is straddling your LAN and your IP connection? Make it clear,
    because soon you'll also be talking about the other machines on the LAN.

    You should be able to do all of your testing with command line programs,
    without fiddling with files and rebooting (yech! Windoze stuff!)
    repeatedly. Eventually, you will want to make these settings "persistent"
    and they should be recorded somewhere. Later...

    Someone(s) else has already answered that.

    This is where I get confused. Normally, one would ping from "inside" the
    machine (and not specify the interface) to some destination. The routing
    table figures out which interface the ping is supposed to go out.

    When you say "Card 2 (eth1 - Net IP) could ping everything", I assume you
    mean that you could ping your ISP, and other internet site servers? OK. If
    you specifically ping on eth1, you should NOT see your LAN computers. If
    you do, then we're (both?) misunderstanding something, and should "regroup".

    When you say "Card 1 (eth0 - 192.*) couldn't ping anything", I assume you
    mean that your gateway computer could not ping your other LAN Linux
    machines. Did you try to ping only by hostname? or by IP? If your routing
    table is set up right, you should be able to ping your LAN machines by IP
    address without specifying the Card/eth<n>. That should always work,
    even if your name resolution is busted. Maybe you should print out your
    routing table, with:

    netstat -r

    Then check that you can actually look up hostnames, using dig or nslookup.
    This should work for your internet connection, if you've set up your ISP
    connection correctly. It might not work for your LAN machines, if you have
    not set up your /etc/hosts file and/or your DNS server(s) correctly.

    Might be "collisions"? Not to worry, that can be normal for TCP/IP.
    BTW, are you interconnecting your LAN computers with a hub? or switch?

    I find it odd that you are using a subnet mask of 255.255.255.224 for the
    IP card. Is this what your ISP told you? That's a range of 5 bits. Hmm.
    Might be OK, depending on what your ISP told you. Doesn't matter much,
    anyway, as you said you have a single static IP address given you?

    That would help.

    Dunno. I don't use IPtables myself, since I'm behind a firewall/router.
    I'm using a Linksys device, for convenience and peace of mind.

    It's basically routing. With superimposed name resolution. Unfortunately,
    to really understand what is going on, you will have to RTFM, man pages,
    info pages, web sites, etc., lots of stuff. We might be able to help focus
    some of your reading, to focus/start with important/relevant stuff.

    I would leave IPtables aside for the time being, as that will only
    complicate things even more. Do you have a firewall/router? or is that
    what you're building? If you are making the firewall/router, keep in mind
    that while you're tinkering you might get compromised, and you should
    check your machine (chkrootkit, etc.) when you're done. If there is
    anything "funny" it might be best to wipe and reinstall (now that you know
    exactly what you're doing). Else you might have trojans in there, etc.

    It would be easiest to get basic routing working first. Then turn on your
    firewall in your gateway and recheck your routing. That's what I would do.
    The main protocols and routing have not changed for decades.
    Don't worry about metrics. Metrics were used for a kind of "load
    balancing" or "response tuning", to try to use the fastest links if/when
    available. This was important in the uucp (serial connection) days. Not
    really relevant with ADSL/cable-modem or LAN. I believe these would both
    be metric 0, i.e. as fast as can possibly be. In any case, you don't have
    any "alternate routing" so there's nothing to choose from. There is only
    one way to forward the packet so that it gets to its final destination.
    It really does not "leap". Think of your networking as a collection of
    "store and forward" nodes. Each node (host) will accept a packet if it
    recognizes its own address(es) as the destination of the packet. Then when
    it examines the packet for the "ultimate/final destination" it decides
    whether to deliver it to a local (internal software) "port" or forward it
    via some other network connection, to another computer. So, if your local
    LAN computers address your gateway computer directly, the packets are
    accepted and processed there. For example, if you set up an ssh connection
    from your desk PC to the gateway PC to get a session for maintenance, etc.
    However, if one of your LAN PCs is trying to address an internet computer,
    the packet is still sent to your gateway computer (BTW, that LAN PC has to
    have the gateway computer defined as the "default route" in its own
    routing table), but the gateway computer recognizes that it is for another
    network, and passes it on, out to the ISP (and it chooses the interface
    from its routing table). Similarly for inbound packets (sort of), except
    to really understand that traffic you should read up on NAT (network
    address translation). That's probably a topic for later...

    Check out a few things... do some reading... get your routing table fixed...
    Then come back with specific questions. Someone will likely answer them.
     
    Juhan Leemet, Jul 22, 2004
    #6
  7. Juha Laiho (Guest), replying to Captain Beefheart

    And you still didn't. That, in addition to interface configuration info
    would be most helpful. So, output from commands "ip -f inet addr" and
    "ip -f inet route".
    This we could see if you did provide output of "iptables -vnL"
    (and perhaps also "iptables -t nat -vnL" and "iptables -t mangle -vnL").
    Shouldn't be anything specific. Set the cards up just as single
    cards (you already have at least one set up properly). Check that
    you're able to ping machines in both networks from the gateway-to-be.
    Then enable forwarding between the interfaces with
    "echo 1 > /proc/sys/net/ipv4/ip_forward"
    (or "sysctl -w net.ipv4.ip_forward=1").
    This change can be made permanent by inserting the line
    "net.ipv4.ip_forward = 1" into file /etc/sysctl.conf.

    The documents you've listed so far (network admin guide, etc) should
    be sufficient.
     
    Juha Laiho, Jul 22, 2004
    #7
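As an added illustration of the points made in posts #2, #6 and #7 (one routing table, exactly one default route, and no forwarding between the cards until ip_forward is on), here is a small Python model of the gateway's outbound decision; it is not code from the thread, and the addresses, interface names and route lines are constructed for the example.

```python
import ipaddress

# Constructed sample: what "ip -f inet route" might print on the two-NIC
# gateway described in the thread (addresses are made up, RFC 5737/1918).
LOCAL_ADDRS = {"192.168.1.1", "203.0.113.40"}   # what "ip -f inet addr" would show
SAMPLE_ROUTES = """\
203.0.113.32/27 dev eth1 proto kernel scope link src 203.0.113.40
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
default via 203.0.113.33 dev eth1
"""

def parse_routes(text):
    """Turn 'ip -f inet route' lines into (network, gateway-or-None, dev)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, gw, f[f.index("dev") + 1]))
    return routes

def default_route_count(routes):
    """There is one table and it should hold a single default route."""
    return sum(1 for net, _, _ in routes if net.prefixlen == 0)

def lookup(routes, dst):
    """Longest-prefix match: the table, not the card, picks the interface.
    Returns (outbound dev, next hop); next hop is dst itself when on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    return (best[2], best[1] or dst)

def decide(routes, ip_forward, dst):
    """Store-and-forward decision for a packet that arrived at the gateway."""
    if dst in LOCAL_ADDRS:
        return "deliver locally"
    if not ip_forward:           # /proc/sys/net/ipv4/ip_forward is 0
        return "drop"
    hop = lookup(routes, dst)
    return "unreachable" if hop is None else "forward dev %s via %s" % hop
```

Feeding the real `ip -f inet route` output into `parse_routes` and checking `default_route_count` is a quick way to spot the "two default routes" misconfiguration the thread warns about.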
  8. Thanks for taking the time to reply, Juhan. It was genuinely useful and I've
    been able to check my own ideas against what you wrote. I've taken your
    advice and been reading up. I've started a new thread above to explain how
    I think the routing table of a two ethernet card gateway should be setup.
     
    Captain Beefheart, Jul 22, 2004
    #8
