Two network cards (dual-homed), two gateways? Desperate for help
I'm having a bit of a problem. I'm managing a Linux server running SuSE 8.2. The server is dual-homed so it sits on two networks. In the network devices application in Yast in the "routing" section you have the option of either choosing a single default gateway or using "expert configuration" to set up routing. Now we need to have each network card use a different gateway.

Here is the way it's currently working. We have one network (192.....) that we need to have running SSH and samba. We have another network (10......) that we need to have samba access. This works out great except one hitch. If I just put in 192.X.X.1 as the default gateway, the 10.... network can't get to the share. I think the reason being that upon return the traffic tries to go by way of the default gateway (192.x) and can't find its way back to the 192 network. If I flip it and make the default gateway 10.X.X.1 the 10.... network can get to the share, but SSH has a problem because it tries to return via that gateway.

So it's a mess and I know there *has* to be a way to get this to work. I just need to know how. Somewhere in the "expert" part of the "routing" section, there has to be settings I can put in to basically allow all traffic bound for the 192 card (eth0 in this case) return via the 192 gateway. And all traffic bound for the 10 card (eth1 in this case) return via the 10 gateway. I just don't know how to set this up.

Any advice would be GREATLY appreciated.

Preston
On Wednesday 07 Apr 2004 06:59, Preston Crawford wrote: snip ...
If I just put in 192.X.X.1 as the default gateway, the 10.... network can't get to the share. I think the reason being that upon return the traffic tries to go by way of the default gateway (192.x) and can't find its way back to the 192 network. If I flip it and make the default gateway 10.X.X.1 the 10.... network can get to the share, but SSH has a problem because it tries to return via that gateway. So it's a mess and I know there *has* to be a way to get this to work. I just need to know how. Somewhere in the "expert" part of the "routing" section, there has to be settings I can put in to basically allow all traffic bound for the 192 card (eth0 in this case) return via the 192 gateway. And all traffic bound for the 10 card (eth1 in this case) return via the 10 gateway. I just don't know how to set this up.
Any advice would be GREATLY appreciated.
Preston
I did something a while back to solve a similar problem that involved specifying the gateways for each interface in their respective config files. However, this was SuSE 9.0, I don't know if it is true for SuSE 8.2. Anyway, the files were:

    /etc/sysconfig/network/ifconfig-eth0
    /etc/sysconfig/network/ifconfig-eth1

Check the man pages for route and ifconfig. Hope that helps and good luck.

Eddie
The default gateway is a way of telling the system how to send packets for networks that are not known about. The 10. and 192. networks are both known about (on this server) and should therefore simply get the packets sent to the right network card. By setting the default gateway on this machine to 192.x.x.1 you are telling the machine that the packets for any unknown network should be forwarded to this IP. Is this what you want? Is the 192.x.x.1 really a gateway device (router or another box setup as a router?) to which all packets for unknown networks should be sent? Is this setting on the server or on the client machines? The client machines on the 10.x.x.x network should use a 10.x.x.x IP as the gateway, not the 192.x.x.x unless they also have a properly defined route to the 192 network as well. Damon
On Wed, 2004-04-07 at 04:11, Damon Jebb wrote:
The default gateway is a way of telling the system how to send packets for networks that are not known about. The 10. and 192. networks are both known about (on this server) and should therefore simply get the packets sent to the right network card. By setting the default gateway on this machine to 192.x.x.1 you are telling the machine that the packets for any unknown network should be forwarded to this IP. Is this what you want? Is the 192.x.x.1 really a gateway device (router or another box setup as a router?) to which all packets for unknown networks should be sent? Is this setting on the server or on the client machines? The client machines on the 10.x.x.x network should use a 10.x.x.x IP as the gateway, not the 192.x.x.x unless they also have a properly defined route to the 192 network as well.
So are you suggesting no default gateway AND nothing in the expert settings? Because that is essentially the situation. Traffic that hits the machine via the 192 network card just needs to return via the gateway for that card. Same for the 10 network. That's all. This computer isn't a router. It just straddles two networks. Preston
On Wed, 2004-04-07 at 09:42, Preston Crawford wrote:
On Wed, 2004-04-07 at 04:11, Damon Jebb wrote:
The default gateway is a way of telling the system how to send packets for networks that are not known about. The 10. and 192. networks are both known about (on this server) and should therefore simply get the packets sent to the right network card. By setting the default gateway on this machine to 192.x.x.1 you are telling the machine that the packets for any unknown network should be forwarded to this IP. Is this what you want? Is the 192.x.x.1 really a gateway device (router or another box setup as a router?) to which all packets for unknown networks should be sent? Is this setting on the server or on the client machines? The client machines on the 10.x.x.x network should use a 10.x.x.x IP as the gateway, not the 192.x.x.x unless they also have a properly defined route to the 192 network as well.
So are you suggesting no default gateway AND nothing in the expert settings? Because that is essentially the situation. Traffic that hits the machine via the 192 network card just needs to return via the gateway for that card. Same for the 10 network. That's all. This computer isn't a router. It just straddles two networks.
Preston
If it "straddles two networks" and passes traffic between them then it is indeed used as a router. Even a router has a default route if it is not primary for all of its traffic. All hosts on the 10.x network would set their default route to the IP address of the nic in the 10.x network and hosts in the 192.x network would use the IP address of the nic in the 192.x network.

-- 
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (6.2)
<SNIP> So are you suggesting no default gateway AND nothing in the expert settings? Because that is essentially the situation. Traffic that hits the machine via the 192 network card just needs to return via the gateway for that card. Same for the 10 network. That's all. This computer isn't a router. It just straddles two networks. </SNIP>

No, I'm saying that you need a default gateway that suits the needs of your clients and the server and this can be different for the clients and server, and different for the clients on each of the two networks. If clients on the 10. network need access to the 192. network then this machine is routing packets between the two networks. For clients on the 10. network set the default gateway to the IP address of the network card on the 10. network in the server. If the default gateway on the 192. network is a machine or device other than the server then you need to have both a default gateway and a route to the 10. network defined.

But none of this is directly relevant to the server - as I said the default gateway defines how a machine will attempt to route packets for networks that it doesn't know anything about, a machine on the 192. network will send all non 192. network packets to the default gateway, unless it knows something better to do with them. The important thing about the server is to correctly configure it to route packets between the two networks that it is connected to - it is a router because it connects two different networks.

On clients on the 192 network I think you will have to setup the dual homed server as the gateway, this way they will send all packets for any network other than the 192. network to this machine. This machine will then choose whether to send the packets to the 10. network card or on to the external gateway (if you have one). So if the gateway machine on the 192. network is 192.168.1.1 and the server nic on this network is 192.168.1.2 then set all clients to have default gateway 192.168.1.2, set the server to have default gateway = 192.168.1.1

If the 10. network nic on the server has the IP 10.0.0.1 then all clients on the 10 network should have default gateway = 10.0.0.1. If you don't have an external gateway then I don't think the server needs a default gateway, but attempts to access any network other than the 10. or 192. will probably fail. You then need to make sure that the server is set to forward packets between the networks. You may also want to setup a firewall, but I would leave this until you have a working system.

Damon
On Wed, 2004-04-07 at 09:47, Damon Jebb wrote:
No, I'm saying that you need a default gateway that suits the needs of your clients and the server and this can be different for the clients and server, and different for the clients on each of the two networks. If clients on the 10. network need access to the 192. network then this machine is routing packets between the two networks. For clients on the 10. network set the default gateway to the IP address of the network card on the 10. network in the server. If the default gateway on the 192. network is a machine or device other than the server then you need to have both a default gateway and a route to the 10. network defined. But none of this is directly relevant to the server - as I said the default gateway defines how a machine will attempt to route packets for networks that it doesn't know anything about, a machine on the 192. network will send all non 192. network packets to the default gateway, unless it knows something better to do with them. The important thing about the server is to correctly configure it to route packets between the two networks that it is connected to - it is a router because it connects two different networks.
But I'm not routing between the networks. So I'm confused. I simply have a computer that happens to be on two networks. Does that still make it a router? And if so, what is the proper routing configuration to make this work?

Now an update, though. I went back in to work on the computer. The problem is pretty clear now.

- If there are no default gateways in the routing table neither the samba share on the 10. network works, nor does SSH.
- If the default gateway in the routing table is the 10 network's gateway (10.x.x.1) then the samba share works for the boxes on the 10 network, but SSH doesn't work.
- If the default gateway in the routing table is the 192 network's gateway (192.168.0.1) then the samba share DOESN'T work for the boxes on the 10 network, but SSH does work.

And by SSH working I mean this. Basically this computer (as described earlier) is an internal machine. The reason it straddles two networks is because it needs to share files (via samba) with computers on two different networks. The 192 and the 10. Don't ask why. Anyway, how I see it is that Samba should share to both fine, which it does if that above condition about the gateway is met. So that's confusing. And SSH should work fine, which it does if the other above condition is met.

The sticking point is this. The 10 network on the server is not like DIRECTLY connected to the machine trying to get to the samba share. And there's a little indirection on the SSH side, because we're trying to get to SSH via a virtual server on our firewall (i.e. the firewall says all SSH requests for me get passed onto this internal server). So I'm guessing that the fact that it's configured as described above, could contribute to the problem I'm having. I just need to figure out the proper routing configuration to enable both things (Samba over the 10 and SSH over the 192 through the firewall) to work at the same time.

Preston
<SNIP> But I'm not routing between the networks. So I'm confused. I simply have a computer that happens to be on two networks. Does that still make it a router? And if so, what is the proper routing configuration to make this work? </SNIP>

That depends on whether machines on one network need to see machines on the other. If they do then the machine that straddles the networks has to be a router for the two networks, and incidentally the machines on both networks will need to be able to talk to each other because the communication is in effect a conversation. Do any machines that connect to Samba via SSH need to see or access any other 10. network machines?

<SNIP> The sticking point is this. The 10 network on the server is not like DIRECTLY connected to the machine trying to get to the samba share. And there's a little indirection on the SSH side, because we're trying to get to SSH via a virtual server on our firewall (i.e. the firewall says all SSH requests for me get passed onto this internal server). So I'm guessing that the fact that it's configured as described above, could contribute to the problem I'm having. I just need to figure out the proper routing configuration to enable both things (Samba over the 10 and SSH over the 192 through the firewall) to work at the same time. </SNIP>

So, the Samba server is not on this machine? It's somewhere on the 10. network? That would explain a lot. You need to understand that this server is indeed routing. You then need to setup routing so that it works between the networks. You could put the routes to the two networks in the expert mode in YaST. They will look like...

    Destination  10.0.0.0
    Gateway      Something on this network can be the IP of this machine, it should be the IP of a device that knows what to do with packets for unknown networks, like a router or gateway to the internet.
    Netmask      255.255.0.0
    Device       Choose the correct one

Note that 10. networks are class b so the netmask is usually 255.255.0.0 and 192 networks are class c so the netmask is usually 255.255.255.0. Also make sure that you tick the enable IP forwarding item in the YaST routing module.

You will also need to make sure that the machine with the Samba server knows how to get to the router machine (get used to calling it that, that's what it is). You could put a route to the 192 network on this machine with the IP address of the router as the gateway address. Alternatively, if this is correct, you could set the router machine as the gateway address for the Samba server, but it depends if you connect to the internet from the 10 Network through another machine. You could also put the route to the 10. network in the gateway device on the 10. network, if you have access to it, which would be a more reliable and complete solution as it is easier to setup new devices on the network.

Damon
I have made a mistake on this - <SNIP> Note that 10. networks are class b so the netmask is usually 255.255.0.0 and 192 networks are class c so the netmask is usually 255.255.255.0. Also make sure that you tick the enable IP forwarding item in the YaST routing module. </SNIP> The 10 network is a class A, so the normal netmask would be 255.0.0.0 Damon
On Thu, 2004-04-08 at 06:19, Damon Jebb wrote:
I have made a mistake on this - <SNIP> Note that 10. networks are class b so the netmask is usually 255.255.0.0 and 192 networks are class c so the netmask is usually 255.255.255.0. Also make sure that you tick the enable IP forwarding item in the YaST routing module. </SNIP>
The 10 network is a class A, so the normal netmask would be 255.0.0.0
Damon
10.x is classified as a "class A" network but can be further subnetted using 10.x.x 255.255.0.0 and 10.x.x.x 255.255.255.0 as we are using in our company. -- Ken Schneider unix user since 1989 linux user since 1994 SuSE user since 1998 (6.2)
On Thu, 2004-04-08 at 01:49, Damon Jebb wrote:
<SNIP> But I'm not routing between the networks. So I'm confused. I simply have a computer that happens to be on two networks. Does that still make it a router? And if so, what is the proper routing configuration to make this work? </SNIP>
That depends on whether machines on one network need to see machines on the other. If they do then the machine that straddles the networks has to be a router for the two networks, and incidentally the machines on both networks will need to be able to talk to each other because the communication is in effect a conversation. Do any machines that connect to Samba via SSH need to see or access any other 10. network machines?
No. There is no communication between the 10 and 192 networks. That's why I keep using the term "straddle". It's the best way I can think of to describe this situation. This server serves out (via samba) files to two different networks. But computers on each network never talk to computers on the other network. And, in fact, they shouldn't. That's why they're separate networks. The 10 network box should see the server (and there is only 1) and the 192 boxes should see the server, but they should never see each other. Hope that clears that up.
<SNIP> The sticking point is this. The 10 network on the server is not like DIRECTLY connected to the machine trying to get to the samba share. And there's a little indirection on the SSH side, because we're trying to get to SSH via a virtual server on our firewall (i.e. the firewall says all SSH requests for me get passed onto this internal server). So I'm guessing that the fact that it's configured as described above, could contribute to the problem I'm having. I just need to figure out the proper routing configuration to enable both things (Samba over the 10 and SSH over the 192 through the firewall) to work at the same time. </SNIP>
So, the Samba server is not on this machine? It's somewhere on the 10. network? That would explain a lot. You need to understand that this
No, I must have poorly worded that. Samba IS on this machine, the server. It's on this machine and serving itself out to two different networks, 10 and 192. What I was trying to say is that the computer trying to get to the samba share, the client to the server in this case, isn't AS directly connected to the server as the clients on the 192 network are. I threw that in (and it probably caused confusion) just in case that was part of the problem.
server is indeed routing. You then need to setup routing so that it works between the networks. You could put the routes to the two networks in the expert mode in YaST. They will look like...
So either way, though, there is no routing taking place here. The server simply serves two networks. The 192 and the 10. No computer ever talks to a computer on the other network and vice versa. They simply all talk to the same server via different networks. Preston
I'm not sure I can say anymore without seeing a network diagram. How are your clients getting connected to the 192 network? I think you should try the two routes (one for the 192 and one for the 10) that I mentioned last time, if you have not. The only real difference is that you don't have to switch on the ip forwarding if the two networks don't need to see each other. You also need to consider what is the correct gateway for each network. If the 192 clients are coming into your network through a router or other internet gateway (for VPN type access) then you should probably specify that router as the gateway on the 192 network. As for the 10 network, does it have a gateway? Does the server need to see anything except the 10. network (e.g. internet access)? Damon
On Thu, 2004-04-08 at 07:04, Damon Jebb wrote:
I'm not sure I can say anymore without seeing a network diagram. How are your clients getting connected to the 192 network?
Basically they're all plugged into the wall, which goes into a small patch-panel in the closet where the server is (small operation). From there they're patched directly into a firewall/router. So the server is on the same firewall/router hub-type device as the other computers that access it. So it's on a level playing field with the machines that access it. And when I make settings changes, samba never goes away for the 192 network. What goes away is this virtual SSH server. The one where the firewall device points in at the server to deliver SSH. If the default gateway is the 10 network's gateway, then that SSH stops working.
I think you should try the two routes (one for the 192 and one for the 10) that I mentioned last time, if you have not. The only real difference is that you don't have to switch on the ip forwarding if the two networks don't need to see each other.
You mean having the two default gateways. One for each interface? I'm looking back through your responses and I'm not sure where exactly to put what you want me to put. I've tried a couple places. I've tried adding two default routes via "route add default gw 10.x.x.1 eth1" and "route add default gw 192.168.0.1". And I've also tried that /etc/sysconfig/network/ifroute-eth0, etc. that someone else mentioned. What do you mean exactly. What should I be trying?
You also need to consider what is the correct gateway for each network. If the 192 clients are coming into your network through a router or other internet gateway (for VPN type access) then you should probably specify that router as the gateway on the 192 network. As for the 10 network, does it have a gateway? Does the server need to see anything except the 10. network (e.g. internet access)?
Nope. It's fairly clean, I think. The 10 network interface just needs to make sure that it leaves the computer via the same interface it came in. i.e. If samba listens on both nics it needs to send any samba packets listened to on the 10 interface back via the 10 gateway. Same with 192. I'm just having trouble getting each nic to use a separate gateway and for there not to be a "default" of some kind. Preston
<SNIP> Basically they're all plugged into the wall, which goes into a small patch-panel in the closet where the server is (small operation). From there they're patched directly into a firewall/router. So the server is on the same firewall/router hub-type device as the other computers that access it. So it's on a level playing field with the machines that access it. And when I make settings changes, samba never goes away for the 192 network. What goes away is this virtual SSH server. The one where the firewall device points in at the server to deliver SSH. If the default gateway is the 10 network's gateway, then that SSH stops working. </SNIP>

From this I would say that the default gateway on the server 192 network needs to be the IP of the router/gateway device on the 192 network. On the 10 network you should not need a default gateway, so you will probably find it best to set the gateway to the IP of the nic on this machine.

<SNIP> You mean having the two default gateways. One for each interface? I'm looking back through your responses and I'm not sure where exactly to put what you want me to put. I've tried a couple places. I've tried adding two default routes via "route add default gw 10.x.x.1 eth1" and "route add default gw 192.168.0.1". And I've also tried that /etc/sysconfig/network/ifroute-eth0, etc. that someone else mentioned. What do you mean exactly. What should I be trying? </SNIP>

I don't think that the command for default gateway would have worked because the second would have replaced the first - check by printing the routing table after you've done the commands. What you actually want is to add two routes, specifying the gateway to be used for each network specification. This would be something like...

    # route add -net 10.0.0.0 gw 10.0.0.1 netmask 255.0.0.0 eth0
    # route add -net 192.168.0.0 gw 192.168.0.254 netmask 255.255.255.0 eth1

You'll need to check the details of the above lines, you may have the nics the other way round, but basically this should work. You could also use YaST/network services/routing in expert mode. You will then see a table with the headings that I gave before, sorry I should have been more explicit. If you put two entries in here, one for the 10 network...

    Destination  10.0.0.0
    Gateway      You can put the IP of the nic on the 10 network here
    Netmask      255.0.0.0
    Device       ETHx (which ever is the right one)

Then similarly for the 192 network...

    Destination  192.168.0.0 (note this assumes that you have used 192.168.0.x as the IP addresses on this network, set the third octet to the correct value if you've used something different).
    Gateway      The IP address of the router
    Netmask      255.255.255.0
    Device       The other one.

I would use the route command above as root to test the settings then make them permanent. Hopefully this may help.

Damon
Preston Crawford wrote:
On Thu, 2004-04-08 at 01:49, Damon Jebb wrote:
<SNIP> But I'm not routing between the networks. So I'm confused. I simply have a computer that happens to be on two networks. Does that still make it a router? And if so, what is the proper routing configuration to make this work? </SNIP>
That depends on whether machines on one network need to see machines on the other. If they do then the machine that straddles the networks has to be a router for the two networks, and incidentally the machines on both networks will need to be able to talk to each other because the communication is in effect a conversation. Do any machines that connect to Samba via SSH need to see or access any other 10. network machines?
No. There is no communication between the 10 and 192 networks. That's why I keep using the term "straddle". It's the best way I can think of to describe this situation. This server serves out (via samba) files to two different networks. But computers on each network never talk to computers on the other network. And, in fact, they shouldn't. That's why they're separate networks. The 10 network box should see the server (and there is only 1) and the 192 boxes should see the server, but they should never see each other. Hope that clears that up.
<snip>

    interfaces = eth0 eth1
    bind interfaces only = No

Try placing the above in your smb.conf file and restarting samba. Also, make sure the samba server can ping any addresses in question. The above is not really secure as any address could then connect. Check out the man page for smb.conf and look at the hosts allow parameters to tighten this down after checking for an initial connection.

-- 
Louis D. Richards
LDR Interactive Technologies
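The smb.conf lines above make Samba answer on both NICs but, as the post says, for any address. The script below is an added example (not from the thread or the Samba project) that audits the [global] section for the settings mentioned here; both sample files are constructed, and the `hosts allow` prefixes and the `lo` entry are assumptions for this network.

```shell
#!/bin/sh
# Added example: audit the [global] section of an smb.conf for the settings
# discussed in the post above. Sample files are constructed, not real configs.

# Print the value of one [global] parameter.
#   $1 file   $2 parameter name in lower case with single spaces
smb_global() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "global" && index($0, "=") > 0 {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, " ", name); gsub(/^ | $/, "", name)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }
    ' "$1"
}

# Return 0 when the listener is pinned to named interfaces and clients are
# restricted by address; print one WARN line per missing control otherwise.
smb_audit() {
    rc=0
    iflist=$(smb_global "$1" "interfaces")
    [ -n "$iflist" ] || { echo "WARN: no interfaces list"; rc=1; }
    bio=$(smb_global "$1" "bind interfaces only" | tr 'A-Z' 'a-z')
    case $bio in
        yes|true|1|on) ;;
        *) echo "WARN: bind interfaces only is not enabled"; rc=1 ;;
    esac
    allow=$(smb_global "$1" "hosts allow")
    [ -n "$allow" ] || allow=$(smb_global "$1" "allow hosts")   # synonym
    [ -n "$allow" ] || { echo "WARN: no hosts allow, any address may connect"; rc=1; }
    return $rc
}

# Write the two constructed samples into directory $1.
write_samples() {
    # The setting as posted in the thread.
    cat > "$1/weak.conf" <<'EOF'
[global]
   interfaces = eth0 eth1
   bind interfaces only = No
EOF
    # Tightened variant; prefixes and "lo" are assumptions for this network.
    cat > "$1/hardened.conf" <<'EOF'
[global]
   interfaces = eth0 eth1 lo
   bind interfaces only = yes
   hosts allow = 192.168.0. 10. 127.
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in weak hardened; do
        echo "== $f.conf"
        smb_audit "$dir/$f.conf" && echo "OK"
    done
    rm -rf "$dir"
}

demo
```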
Preston Crawford wrote:
On Thu, 2004-04-08 at 01:49, Damon Jebb wrote:
<SNIP> But I'm not routing between the networks. So I'm confused. I simply have a computer that happens to be on two networks. Does that still make it a router? And if so, what is the proper routing configuration to make this work? </SNIP>
That depends on whether machines on one network need to see machines on the other. If they do then the machine that straddles the networks has to be a router for the two networks, and incidentally the machines on both networks will need to be able to talk to each other because the communication is in effect a conversation. Do any machines that connect to Samba via SSH need to see or access any other 10. network machines?
No. There is no communication between the 10 and 192 networks. That's why I keep using the term "straddle". It's the best way I can think of to describe this situation. This server serves out (via samba) files to two different networks. But computers on each network never talk to computers on the other network. And, in fact, they shouldn't. That's why they're separate networks. The 10 network box should see the server (and there is only 1) and the 192 boxes should see the server, but they should never see each other. Hope that clears that up.
<SNIP> The sticking point is this. The 10 network on the server is not like DIRECTLY connected to the machine trying to get to the samba share. And there's a little indirection on the SSH side, because we're trying to get to SSH via a virtual server on our firewall (i.e. the firewall says all SSH requests for me get passed onto this internal server). So I'm guessing that the fact that it's configured as described above, could contribute to the problem I'm having. I just need to figure out the proper routing configuration to enable both things (Samba over the 10 and SSH over the 192 through the firewall) to work at the same time. </SNIP>
So, the Samba server is not on this machine? It's somewhere on the 10. network? That would explain a lot. You need to understand that this
No, I must have poorly worded that. Samba IS on this machine, the server. It's on this machine and serving itself out to two different networks, 10 and 192. What I was trying to say is that the computer trying to get to the samba share, the client to the server in this case, isn't AS directly connected to the server as the clients on the 192 network are. I threw that in (and it probably caused confusion) just in case that was part of the problem.
server is indeed routing. You then need to setup routing so that it works between the networks. You could put the routes to the two networks in the expert mode in YaST. They will look like...
So either way, though, there is no routing taking place here. The server simply serves two networks. The 192 and the 10. No computer ever talks to a computer on the other network and vice versa. They simply all talk to the same server via different networks.
Preston
This looks like it should be simple or I have probably missed some of the original point of the question, example from "man route".

    route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0

adds a route to the network 192.56.76.x via "eth0". The Class C netmask modifier is not really necessary here because 192.* is a Class C IP address. The word "dev" can be omitted here.

Substituting the true values should allow 192 subnet to go via eth0 and 10 subnet via eth1 or which ever way round is desired. If that proves successful, then a closer look at YaST or config files should allow them to be set permanently.

Regards
Sid.
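The requirement running through this thread (a reply leaves by the interface and gateway its request arrived on) is source-based policy routing, which a single routing table filled with `route add` cannot express. The script below is an added example, not a configuration posted by anyone in the thread: it prints, or with APPLY=1 runs, the iproute2 commands for one extra routing table per NIC and warns if IP forwarding would let the host route between the two networks. The server addresses 192.168.0.10 and 10.1.1.10, the 10.1.1.0/24 prefix, the 10.1.1.1 gateway and table numbers 101/102 are placeholders; eth0, eth1 and 192.168.0.1 come from the posts, and the `ip` tool plus a kernel with multiple routing tables are assumed.

```shell
#!/bin/sh
# Added example: source-based policy routing for the dual-homed server.
# Placeholders (not from the thread): server addresses 192.168.0.10 and
# 10.1.1.10, prefix 10.1.1.0/24, gateway 10.1.1.1, table numbers 101 and 102.
# From the thread: eth0 is the 192 side, eth1 the 10 side, gateway 192.168.0.1.

# Print the iproute2 commands for one interface.
#   $1 iface  $2 server address  $3 connected prefix  $4 gateway  $5 table
policy_cmds() {
    # Connected prefix first, so on-link clients are answered directly.
    echo "ip route add $3 dev $1 src $2 table $5"
    # Per-table default route: off-link replies use this network's gateway.
    echo "ip route add default via $4 dev $1 table $5"
    # Choose the table by the source address of the outgoing packet, which
    # for a reply is the server address the client originally connected to.
    echo "ip rule add from $2 lookup $5"
}

# Commands for both NICs. The main table keeps its single default gateway
# for traffic the server itself originates.
all_cmds() {
    policy_cmds eth0 192.168.0.10 192.168.0.0/24 192.168.0.1 101
    policy_cmds eth1 10.1.1.10 10.1.1.0/24 10.1.1.1 102
    echo "ip route flush cache"
}

# True when the kernel forwards packets between interfaces. The thread says
# the two networks must never see each other, so this should stay off.
#   $1 optional path, defaults to the live /proc setting
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Dry run by default; APPLY=1 executes the commands (needs root).
run() {
    if forwarding_enabled; then
        echo "WARNING: ip_forward=1, host will route between both networks" >&2
    fi
    all_cmds | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then $cmd; else echo "$cmd"; fi
    done
}

run
```

After applying, `ip rule show` and `ip route show table 101` list what was installed; the commands do not persist across a reboot.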
participants (6)
- Damon Jebb
- eddie
- Kenneth Schneider
- Louis Richards
- Preston Crawford
- Sid Boyce