RE: Two NICS with same IP and same client IP

RE: Two NICS with same IP and same client IP

[Hudson Delbert J Contr 61 CS/SCBN]

tom,

why ?

to what end, this topology ?

please enlightenment as to the value added ?

v/r,
~piranha

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Tom Eastep
Sent: Wednesday, February 02, 2005 8:22 AM
Cc: netfilter@lists.netfilter.org
Subject: Re: Two NICS with same IP and same client IP


Raphael Jacquot wrote:
> Hervé wrote:
> 
>> Hello,
>>
>> I have a weird setup I would like to make work: I have two identical
>> subnets connected to one machine via two different NICs, like this:
>>
>> Server             |         | Client 1
>> eth0:192.168.100.1 |---------| 192.168.100.2
>>                    |                              | Client 2
>> eth1:192.168.100.1 |------------------------------| 192.168.100.2
> 
> 
> having 2 interfaces on the same box with the same IP address
> 
> repeat after me :
> 
> WILL NOT WORK

Having two interfaces with the same IP address and netmask doesn't work
well. Having the same IP address with different netmasks can be useful.

From my firewall:

gateway:/usr/src/linux-2.6.10/net/ipv4/netfilter# ip addr ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:db:31:c4 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/32 scope global eth0
    inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:02:e3:08:55:fa brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth1
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary
eth1:0
    inet 206.124.146.180/24 brd 206.124.146.255 scope global secondary
eth1:1
    inet6 fe80::202:e3ff:fe08:55fa/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:c0:e2:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2
    inet6 fe80::208:c7ff:fec0:e215/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
gateway:/usr/src/linux-2.6.10/net/ipv4/netfilter#

Note Interfaces eth0 and eth1 -- both have IP address 206.124.146.176.

eth0 interfaces to my DMZ where there is a single server
(206.124.146.177) using Proxy ARP.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Re: Two NICS with same IP and same client IP

[Tom Eastep]

Hudson Delbert J Contr 61 CS/SCBN wrote:
> tom,
> 
> why ?
> 
> to what end, this topology ?
> 
> please enlightenment as to the value added ?
> 

See http://shorewall.net/myfiles.htm for a description of my
firewall/router's environment. In general, I prefer to use Proxy ARP for
a DMZ rather than NAT because it allows DMZ servers to have the same IP
address whether accessed from local or external clients.

The DMZ interface (eth0 in my case) needs an IP address -- what address
to give it? There seem to be two choices:

	a) Select an RFC 1918 address in some currently unused network.
	b) Use the firewall's external IP address.

By using b), the existing PTR record can serve both interfaces so that
traffic from the firewall to the server appears to come from the correct
host (gateway.shorewall.net).

In general, consider this:

   <upstream router -- address A.B.C.x>
                  |
                  |
    <gateway router -- address A.B.C.y>
                  |
     ---------------------------
     |   |   |    |    |   |   |

         Network A.B.C.0/24

Assume that the upstream router routes A.B.C.0/24 via the gateway router
A.B.C.y.

The gateway router can be configured as follows:

	External interface A.B.C.y/32
	Host route to A.B.C.x on external interface (no gateway)
	Default route via A.B.C.x
	Internal interface   A.B.C.y/24
	Net router to A.B.C.254/24 on Internal interface (no gateway)

So the gateway router only requires one IP address rather than two yet
it is addressable from both sides.

-Tom	
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

RE: Two NICS with same IP and same client IP

[Hudson Delbert J Contr 61 CS/SCBN]

jason,

sorry, but your gonna' hear this anyway...but its not negative..
i just wanna know why?

okay...here is what i'm sure will think is a dumb question.

why not make life simple for all concerned [servers, clients and routers, too...]

re-numbering the subnets...or just one and --- voila! problem gone   !!!!

this might be too simplistic for this list (he! he! he!) but lets say...
 
eth0@server = 192.168.100.0/24 
eth0@client = 192.168.100.1/24

eth1@server = 172.16.1.0/24 
eth1@client = 162.16.1.1/24

or whatever...whats the problem?

i think also the statement below may be have some validity
if this is as easy as i think it is.

where's the difficiulty.

complex is bad.
simple is good.


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Jason
Opperisano
Sent: Wednesday, February 02, 2005 12:56 PM
To: netfilter@lists.netfilter.org
Subject: Re: Two NICS with same IP and same client IP


On Wed, Feb 02, 2005 at 09:35:31AM -0000, Hervé wrote:
> Hello,
> 
> I have a weird setup I would like to make work: I have two identical
> subnets connected to one machine via two different NICs, like this:
> 
> Server             |         | Client 1
> eth0:192.168.100.1 |---------| 192.168.100.2
>                    |                              | Client 2
> eth1:192.168.100.1 |------------------------------| 192.168.100.2
> 
> These two machines only access an NFS share on the server, but I assume
> this is irrelevant: the problem is to route the packets back through the
> interface the request came from (I am not trying to access the boxes
> _from_ the server).

aight--this comes with no warranty expressed nor implied, and no
guarantee that it won't burn down your house or that it will even work
at all...  this is off the top of my head, and other than typing the
commands on a test machine to validate the syntax, i have not tested
this one iota...  i also don't believe that you *_have_* to do this--i
think you secretly just want to do this, because you think you should be
able to...  ;-)

here goes--it obviously requires iproute2, and the CONNMARK patch from
POM:

---BEGIN STUFF I DON'T WANNA HEAR COMMENTS ABOUT---

# start fresh
ip addr flush dev eth0
ip addr flush dev eth1

	# add the same IP to each NIC
ip addr add 192.168.100.1/24 brd + dev eth0
	
	# why not assign the diff subnets addy's here ?
ip addr add 172.16.1.1/24 brd + dev eth

..or..

ip addr add 172.16.1.1/24 brd + dev eth1
 
ip addr add 192.168.100.1/24 brd + dev eth1
	# and here also...?

# add two new route tables to hold our local network routes
#   (this only needs to be done once)

echo 200 zero >> /etc/iproute2/rt_tables
echo 201 one >> /etc/iproute2/rt_tables

# start fresh
for t in mangle nat filter; do
  iptables -t $t -F
  iptables -t $t -X
  iptables -t $t -Z
done

# restore the connmark on each packet as it comes in off the wire
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# if a packet isn't marked, mark it based off the inbound NIC
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -m connmark --mark 0 -j CONNMARK --set-mark 2

# restore the mark on locally-generated reply packets before the outbound route lookup

iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark 
	# add local network route for each NIC in its routing table

ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1 table zero

	# here's another chance to NOT do the shenanigans
ip route add 172.16.100.0/24 dev eth1 src 172.16.100.1 table one # or here...

# ip route add 192.168.100.0/24 dev eth1 src 192.168.100.1 table one

# add rules to lookup routes based on the netfilter mark
ip rule add fwmark 1 table zero
ip rule add fwmark 2 table one

# disable reverse path filtering on the duplicate NICs
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.eth1.rp_filter=0

# start clean
ip route flush cache

---END STUFF I DON'T WANNA HEAR COMMENTS ABOUT---

just a thought--hope it doesn't lead you too astray.

i feel so dirty

...and rightly so...just kiddin...ceeyal8tr...

v/r,
~piranha

--
"You couldn't fool your mother on the foolingest day of your life if
 you had an electrified fooling machine."
        --The Simpsons

Re: Two NICS with same IP and same client IP

[Jason Opperisano]

On Wed, Feb 02, 2005 at 02:22:41PM -0800, Hudson Delbert J Contr 61 CS/SCBN wrote:
> jason,
> 
> sorry, but your gonna' hear this anyway...but its not negative..
> i just wanna know why?
> 
> okay...here is what i'm sure will think is a dumb question.
> 
> why not make life simple for all concerned [servers, clients and routers, too...]
> 
> re-numbering the subnets...or just one and --- voila! problem gone   !!!!
> 
> this might be too simplistic for this list (he! he! he!) but lets say...
>  
> eth0@server = 192.168.100.0/24 
> eth0@client = 192.168.100.1/24
> 
> eth1@server = 172.16.1.0/24 
> eth1@client = 162.16.1.1/24
> 
> or whatever...whats the problem?
> 
> i think also the statement below may be have some validity
> if this is as easy as i think it is.
> 
> where's the difficiulty.
> 
> complex is bad.
> simple is good.

i agree with you one hundred thousand gabillion (is that a
glavin?) percent.  judging from the posts in this thread--i believe
properly configuring IP is an unacceptable solution for the OP.

-j

--
"Ah, good ol' trustworthy beer. My love for you will never die."
        --The Simpsons

RE: Two NICS with same IP and same client IP

[Gary W. Smith]

But if you giving eth0 IP addresses on two different subnets then you could just plug everything that's on eth1 onto the same network as eth0.

Just because it's Linux doesn't mean you can redefine IP routing and expect it to work.


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Hervé
Sent: Wednesday, February 02, 2005 8:41 AM
To: netfilter 
Subject: Re: Two NICS with same IP and same client IP

> Hervé wrote:
>>
>> In my case, the point is to help the routing by modifying the source
>> address. For example, you give eth0 two addresses: 192.168.100.1 and
>> 192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and
>> 192.168.102.1.
>
> what's the point ???
>
I have two identical test benches, in which one box has a fixed IP
address, hence I can't change the subnets.
What is more, this box always accesses the same IP address for the server.

Yeah, not so easy, but hey, it's Linux, so it's possible!

Cheers,
Hervé.

Re: Two NICS with same IP and same client IP

[Raphael Jacquot]

Gary W. Smith wrote:
> But if you giving eth0 IP addresses on two different subnets then you could just plug everything that's on eth1 onto the same network as eth0.
> 
> Just because it's Linux doesn't mean you can redefine IP routing and expect it to work.

furthermore, having 2 clients with the same IP on the same subnet is 
asking for trouble...

RE: Two NICS with same IP and same client IP

[Hervé]

Both test benches are identical: in each setup there is a box with IP
192.168.100.2 trying to read via NFS from 192.168.100.1.

If you find another way to do that, I am your man, 'cause NFS re-exporting
does not work with knfsd, and synchronising two machines all the time is
not an option...

Basically, the network interface where the packet originated has to
somehow be remembered at the routing stage. I only see source address
mangling to do that...

Cheers,
Hervé.

> But if you giving eth0 IP addresses on two different subnets then you
> could just plug everything that's on eth1 onto the same network as eth0.
>
> Just because it's Linux doesn't mean you can redefine IP routing and
> expect it to work.
>
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Hervé
> Sent: Wednesday, February 02, 2005 8:41 AM
> To: netfilter
> Subject: Re: Two NICS with same IP and same client IP
>
>> Hervé wrote:
>>>
>>> In my case, the point is to help the routing by modifying the source
>>> address. For example, you give eth0 two addresses: 192.168.100.1 and
>>> 192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and
>>> 192.168.102.1.
>>
>> what's the point ???
>>
> I have two identical test benches, in which one box has a fixed IP
> address, hence I can't change the subnets.
> What is more, this box always accesses the same IP address for the server.
>
> Yeah, not so easy, but hey, it's Linux, so it's possible!
>
> Cheers,
> Hervé.
>
>

RE: Two NICS with same IP and same client IP

[Hervé]

Both test benches are identical: in each setup there is a box with IP
192.168.100.2 trying to read via NFS from 192.168.100.1.

If you find another way to do that, I am your man, 'cause NFS re-exporting
does not work with knfsd, and synchronising two machines all the time is
not an option...

Basically, the network interface where the packet originated has to
somehow be remembered at the routing stage. I only see source address
mangling to do that...

Cheers,
Hervé.

> But if you giving eth0 IP addresses on two different subnets then you
> could just plug everything that's on eth1 onto the same network as eth0.
>
> Just because it's Linux doesn't mean you can redefine IP routing and
> expect it to work.
>
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Hervé
> Sent: Wednesday, February 02, 2005 8:41 AM
> To: netfilter
> Subject: Re: Two NICS with same IP and same client IP
>
>> Hervé wrote:
>>>
>>> In my case, the point is to help the routing by modifying the source
>>> address. For example, you give eth0 two addresses: 192.168.100.1 and
>>> 192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and
>>> 192.168.102.1.
>>
>> what's the point ???
>>
> I have two identical test benches, in which one box has a fixed IP
> address, hence I can't change the subnets.
> What is more, this box always accesses the same IP address for the server.
>
> Yeah, not so easy, but hey, it's Linux, so it's possible!
>
> Cheers,
> Hervé.
>
>

Re: Two NICS with same IP and same client IP

[Bob Tellefson]

On Wednesday 02 February 2005 16:57, Hervé wrote:

> Basically, the network interface where the packet originated has to
> somehow be remembered at the routing stage. I only see source address
> mangling to do that...
>

It would seem that if you add two additional IPs to the NFS machine (on a 
dummy interface) and do a local DNAT to those IPs based on the incoming nic, 
that the correct routing tables/rules would be all that is needed to route 
the return packets to the correct network.

Have a look at

   http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

for the concepts and examples.  Chapter 5, in particular, covers the routing 
concepts your solution will need.

Note that ProxyARP uses the same ip on two interfaces and depends on the 
proper routing table entries to do the right thing.


-- 

Bob Tellefson
Java network application development & hosting

Re: Two NICS with same IP and same client IP

[Hervé]

> On Wednesday 02 February 2005 16:57, Hervé wrote:
>
>> Basically, the network interface where the packet originated has to
>> somehow be remembered at the routing stage. I only see source address
>> mangling to do that...
>>
>
> It would seem that if you add two additional IPs to the NFS machine (on a
> dummy interface) and do a local DNAT to those IPs based on the incoming
> nic,
> that the correct routing tables/rules would be all that is needed to route
> the return packets to the correct network.
>
> Have a look at
>
>    http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
>
> for the concepts and examples.  Chapter 5, in particular, covers the
> routing
> concepts your solution will need.
>
> Note that ProxyARP uses the same ip on two interfaces and depends on the
> proper routing table entries to do the right thing.
>
>
> --
>
> Bob Tellefson
> Java network application development & hosting
>
Yup, that's what I started doing, but I still have to modify the source
address somehow, so the return packet is routed according to that
address...

In fact, conceptually, I really want a router between each client and my
server:

Client1 (a.b.c.d) -> (a.b.c.1) Router (x.y.z.1) -|-> (x.y.z.3) Server
Client2 (a.b.c.d) -> (a.b.c.1) Router (x.y.z.2) -|

This does all: same client IPs, unique server for all the clients IP (and
only one NIC).

And that's probably what I'm going to do, not just conceptually!

But I have to say that I would have liked to do it all on the one machine,
rather than needing to go through routers.

Thanks for the link as well, I need to read through it carefully before
giving up my first idea (I hate giving up ;-)

Herve.

Two NICS with same IP and same client IP

[Hervé]

Hello,

I have a weird setup I would like to make work: I have two identical
subnets connected to one machine via two different NICs, like this:

Server             |         | Client 1
eth0:192.168.100.1 |---------| 192.168.100.2
                   |                              | Client 2
eth1:192.168.100.1 |------------------------------| 192.168.100.2

These two machines only access an NFS share on the server, but I assume
this is irrelevant: the problem is to route the packets back through the
interface the request came from (I am not trying to access the boxes
_from_ the server).

My first idea was to modify the source address as the request come in, and
then route and put the original address back in the outgoing packet, but I
haven't found a way to do that.

Anybody got any idea?

Thanks in advance,
Hervé.

Re: Two NICS with same IP and same client IP

[Raphael Jacquot]

Hervé wrote:
> Hello,
> 
> I have a weird setup I would like to make work: I have two identical
> subnets connected to one machine via two different NICs, like this:
> 
> Server             |         | Client 1
> eth0:192.168.100.1 |---------| 192.168.100.2
>                    |                              | Client 2
> eth1:192.168.100.1 |------------------------------| 192.168.100.2

having 2 interfaces on the same box with the same IP address

repeat after me :

WILL NOT WORK

> 
> These two machines only access an NFS share on the server, but I assume
> this is irrelevant: the problem is to route the packets back through the
> interface the request came from (I am not trying to access the boxes
> _from_ the server).
> 
> My first idea was to modify the source address as the request come in, and
> then route and put the original address back in the outgoing packet, but I
> haven't found a way to do that.
> 
> Anybody got any idea?
> 
> Thanks in advance,
> Hervé.
> 

Re: Two NICS with same IP and same client IP

[Raphael Jacquot]

Hervé wrote:
>>having 2 interfaces on the same box with the same IP address
>>
>>repeat after me :
>>
>>WILL NOT WORK
> 
> 
> Well, I can't see why not. Can you explain?

uh, because that's how routing in the server PC works. you have to have 
a different address for each interface.
your best bet is to either use the same interface (and change one of the 
client's IP to something else (like 192.168.100.3) like so :

server             |         __________         client 1
eth0:192.168.100.1 |--------| ethernet |------| 192.168.0.2
                    |        |  switch  |
                             |__________|------| 192.168.0.3
                                                 client 2

or... change one of the subnets to use a different prefix, like so :

Server             |         | Client 1
eth0:192.168.100.1 |---------| 192.168.100.2
                    |                              | Client 2
eth1:192.168.101.1 |------------------------------| 192.168.101.2

Re: Two NICS with same IP and same client IP

[Jason Opperisano]

On Wed, 2005-02-02 at 05:28, Raphael Jacquot wrote:
> Hervé wrote:
> >>having 2 interfaces on the same box with the same IP address
> >>
> >>repeat after me :
> >>
> >>WILL NOT WORK
> > 
> > 
> > Well, I can't see why not. Can you explain?

maybe this is easier to grasp:

  $ cd /var/tmp
  $ mkdir new
  $ mkdir new
  mkdir: cannot create directory `new': File exists

you're trying to do the same thing in the kernel.

-j

--
"Dear Mr. President, there are too many states nowadays, please
 eliminate three. I am not a crackpot."
	--The Simpsons

Re: Two NICS with same IP and same client IP

[Hervé]

> On Wed, 2005-02-02 at 05:28, Raphael Jacquot wrote:
>> Hervé wrote:
>> >>having 2 interfaces on the same box with the same IP address
>> >>
>> >>repeat after me :
>> >>
>> >>WILL NOT WORK
>> >
>> >
>> > Well, I can't see why not. Can you explain?
>
> maybe this is easier to grasp:
>
>   $ cd /var/tmp
>   $ mkdir new
>   $ mkdir new
>   mkdir: cannot create directory `new': File exists
>
> you're trying to do the same thing in the kernel.
>
> -j
>
> --
> "Dear Mr. President, there are too many states nowadays, please
>  eliminate three. I am not a crackpot."
>  --The Simpsons
>
Sorry guys, but this is indeed allowed. Your example might be valid if
you're talking MAC addresses and do not bridge the NICs, and even then I'm
not sure.

In my case, the point is to help the routing by modifying the source
address. For example, you give eth0 two addresses: 192.168.100.1 and
192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and 192.168.102.1.

Now if you mangle the source address from 192.168.100.2 to 192.168.101.2
when it comes through eth0 and to 192.168.102.2 when it comes through
eth1, then the routing will work (chose the right interface) for the
reply. All you have to do is to change the addresses back before sending
on the network.

So, I want rules like this:
Prerouting:
- if interface is eth1, change network to 192.168.101.0
- if interface is eth2, change network to 192.168.102.0
Postrouting:
- if network is 192.168.101.0 or 192.168.102.0, then change network to
192.168.100.0

But I don't know how to enter just those rules...

Cheers,
Hervé.

Re: Two NICS with same IP and same client IP

[Jason Opperisano]

On Wed, 2005-02-02 at 09:32, Hervé wrote:
> Sorry guys, but this is indeed allowed. Your example might be valid if
> you're talking MAC addresses and do not bridge the NICs, and even then I'm
> not sure.

yup--you're exactly right--so i don't suppose you'll be needing any help
on this then.

-j

--
"Operator! Give me the number for 911!"
	--The Simpsons

Re: Two NICS with same IP and same client IP

[Hervé]

> On Wed, 2005-02-02 at 09:32, Hervé wrote:
>> Sorry guys, but this is indeed allowed. Your example might be valid if
>> you're talking MAC addresses and do not bridge the NICs, and even then
>> I'm
>> not sure.
>
> yup--you're exactly right--so i don't suppose you'll be needing any help
> on this then.
>
> -j
>
> --
> "Operator! Give me the number for 911!"
>  --The Simpsons
>
>
>
Sorry if I upset you, that was not the idea.

Thanks for your time anyway!
Hervé.

Re: Two NICS with same IP and same client IP

[Raphael Jacquot]

Hervé wrote:
> 
> In my case, the point is to help the routing by modifying the source
> address. For example, you give eth0 two addresses: 192.168.100.1 and
> 192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and 192.168.102.1.

what's the point ???

Re: Two NICS with same IP and same client IP

[Hervé]

> Hervé wrote:
>>
>> In my case, the point is to help the routing by modifying the source
>> address. For example, you give eth0 two addresses: 192.168.100.1 and
>> 192.168.101.1, and eth1: 192.168.100.1 (yes, the same) and
>> 192.168.102.1.
>
> what's the point ???
>
I have two identical test benches, in which one box has a fixed IP
address, hence I can't change the subnets.
What is more, this box always accesses the same IP address for the server.

Yeah, not so easy, but hey, it's Linux, so it's possible!

Cheers,
Hervé.

Re: Two NICS with same IP and same client IP

[Tom Eastep]

Raphael Jacquot wrote:
> Hervé wrote:
> 
>> Hello,
>>
>> I have a weird setup I would like to make work: I have two identical
>> subnets connected to one machine via two different NICs, like this:
>>
>> Server             |         | Client 1
>> eth0:192.168.100.1 |---------| 192.168.100.2
>>                    |                              | Client 2
>> eth1:192.168.100.1 |------------------------------| 192.168.100.2
> 
> 
> having 2 interfaces on the same box with the same IP address
> 
> repeat after me :
> 
> WILL NOT WORK

Having two interfaces with the same IP address and netmask doesn't work
well. Having the same IP address with different netmasks can be useful.

From my firewall:

gateway:/usr/src/linux-2.6.10/net/ipv4/netfilter# ip addr ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:db:31:c4 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/32 scope global eth0
    inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:02:e3:08:55:fa brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth1
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary
eth1:0
    inet 206.124.146.180/24 brd 206.124.146.255 scope global secondary
eth1:1
    inet6 fe80::202:e3ff:fe08:55fa/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:c0:e2:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2
    inet6 fe80::208:c7ff:fec0:e215/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
gateway:/usr/src/linux-2.6.10/net/ipv4/netfilter#

Note Interfaces eth0 and eth1 -- both have IP address 206.124.146.176.

eth0 interfaces to my DMZ where there is a single server
(206.124.146.177) using Proxy ARP.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Re: Two NICS with same IP and same client IP

[Jason Opperisano]

On Wed, Feb 02, 2005 at 09:35:31AM -0000, Hervé wrote:
> Hello,
> 
> I have a weird setup I would like to make work: I have two identical
> subnets connected to one machine via two different NICs, like this:
> 
> Server             |         | Client 1
> eth0:192.168.100.1 |---------| 192.168.100.2
>                    |                              | Client 2
> eth1:192.168.100.1 |------------------------------| 192.168.100.2
> 
> These two machines only access an NFS share on the server, but I assume
> this is irrelevant: the problem is to route the packets back through the
> interface the request came from (I am not trying to access the boxes
> _from_ the server).

aight--this comes with no warranty expressed nor implied, and no
guarantee that it won't burn down your house or that it will even work
at all...  this is off the top of my head, and other than typing the
commands on a test machine to validate the syntax, i have not tested
this one iota...  i also don't believe that you *_have_* to do this--i
think you secretly just want to do this, because you think you should be
able to...  ;-)

here goes--it obviously requires iproute2, and the CONNMARK patch from
POM:

---BEGIN STUFF I DON'T WANNA HEAR COMMENTS ABOUT---

# start fresh
ip addr flush dev eth0
ip addr flush dev eth1

# add the same IP to each NIC
ip addr add 192.168.100.1/24 brd + dev eth0
ip addr add 192.168.100.1/24 brd + dev eth1

# add two new route tables to hold our local network routes
#   (this only needs to be done once)
echo 200 zero >> /etc/iproute2/rt_tables
echo 201 one >> /etc/iproute2/rt_tables

# start fresh
for t in mangle nat filter; do
  iptables -t $t -F
  iptables -t $t -X
  iptables -t $t -Z
done

# restore the connmark on each packet as it comes in off the wire
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# if a packet isn't marked, mark it based off the inbound NIC
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0 \
  -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -m connmark --mark 0 \
  -j CONNMARK --set-mark 2

# restore the mark on locally-generated reply packets
#   before the outbound route lookup
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

# add local network route for each NIC in its routing table
ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1 table zero
ip route add 192.168.100.0/24 dev eth1 src 192.168.100.1 table one

# add rules to lookup routes based on the netfilter mark
ip rule add fwmark 1 table zero
ip rule add fwmark 2 table one

# disable reverse path filtering on the duplicate NICs
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.eth1.rp_filter=0

# start clean
ip route flush cache

---END STUFF I DON'T WANNA HEAR COMMENTS ABOUT---

just a thought--hope it doesn't lead you too astray.

i feel so dirty...

-j

--
"You couldn't fool your mother on the foolingest day of your life if
 you had an electrified fooling machine."
        --The Simpsons