More ethernet port same ip address

More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Hi all,
this is a very strange ask (I don't find any other on the net)...

I need to setup a linux box with more than one ethernet ports and every
one must have the same ip address. I, of course :), already tried to do it
with a lot of solutions that linux offer (iptables+mark+ip route, bonding,
a vlan every port), but with the same result... Packet come into
the right port but go out through the "last" that I have set, so it will
never arrive.
An iptables rule that are something like (-t mangle -A OUTPUT -j LOG) says:


IN= OUT=eth2 SRC=172.16.0.1 DST=172.16.0.10 LEN=84 TOS=0x00 PREC=0x00
TTL=64 ID=19468 PROTO=ICMP TYPE=0 CODE=0 ID=41003 SEQ=902
IN= OUT=eth2 SRC=172.16.0.1 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=8117 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=37888
IN= OUT=lo SRC=172.16.0.1 DST=172.16.0.1 LEN=88 TOS=0x00 PREC=0xC0
TTL=64 ID=8112 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.16.0.1 DST=172.16.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8117 PROTO=ICMP TYPE=0 CODE=0 ID=512
SEQ=37888 ]

Here the server have the two ports with 172.16.0.1 and two clients,
connected into the two others has 172.16.0.3 and 172.16.0.10

It's there a solution for achieve this?

Thanks,
Michele

Re: More ethernet port same ip address

[Bernhard Bock]

Hi Michele,

Michele Petrazzo - Unipex srl wrote:
> Here the server have the two ports with 172.16.0.1 and two clients,
> connected into the two others has 172.16.0.3 and 172.16.0.10
> 
> It's there a solution for achieve this?

My proposal has nothing to do with netfilter, but you may have a look 
into "Proxy ARP".

Basically you give each interface the same IP address, put in host 
routes based on interfaces (route add -host 172.16.0.3 dev ethx) and 
enable proxy_arp in /proc/sys/net/ipv4/conf/ethx/proxy_arp. This should 
do the trick.

best regards
Bernhard

Re: More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Bernhard Bock wrote:
> Hi Michele,
> 

Hi!

> My proposal has nothing to do with netfilter, but you may have a look
>  into "Proxy ARP".
> 

I have already tried the proxy_arp trickle, but doesn't help.

> Basically you give each interface the same IP address, put in host 
> routes based on interfaces (route add -host 172.16.0.3 dev ethx) and
>  enable proxy_arp in /proc/sys/net/ipv4/conf/ethx/proxy_arp. This
> should do the trick.

The problem it's that I don't know who (which ip) wants to talk on which
port...
Starting from this problem I thought to mark the packets for say "you
(packet) with that mark, go out through that port" with iptables, mark 
and ip rules


Thanks,
Michele

Re: More ethernet port same ip address

[Leonardo Rodrigues Magalhães]

Michele Petrazzo - Unipex srl escreveu:
> Hi all,
> this is a very strange ask (I don't find any other on the net)...
>
> I need to setup a linux box with more than one ethernet ports and every
> one must have the same ip address. I, of course :), already tried to 
> do it
> with a lot of solutions that linux offer (iptables+mark+ip route, 
> bonding,
> a vlan every port), but with the same result... Packet come into
> the right port but go out through the "last" that I have set, so it will
> never arrive. 

    have you tried setting a bridge interface ???

    do NOT give ip address to the real ethernet interfaces (ethX) ..... 
simply get them 'up' and them bring a bridge interface up, with the ip 
address you need, and 'add' all the physical interfaces on the bridge 
interface.

    that should do the job easily.

    and then get iptables rules on the bridge (probably br0) interface 
.... and there you have it !

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: More ethernet port same ip address

[Jan Engelhardt]

On Saturday 2008-07-19 16:01, Leonardo Rodrigues Magalhães wrote:
> Michele Petrazzo - Unipex srl escreveu:
>> Hi all,
>> this is a very strange ask (I don't find any other on the net)...

It's as simple as "first interface with same subnet wins".

>   have you tried setting a bridge interface ???
>
>   do NOT give ip address to the real ethernet interfaces (ethX) ..... simply
> get them 'up' and them bring a bridge interface up, with the ip address you
> need, and 'add' all the physical interfaces on the bridge interface.

And depending on the situation you might also need to enforce routing
at the bridge border so as to not open security holes.

Re: More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Jan Engelhardt wrote:
> On Saturday 2008-07-19 16:01, Leonardo Rodrigues Magalhães wrote:
>> Michele Petrazzo - Unipex srl escreveu:
>>> Hi all, this is a very strange ask (I don't find any other on the
>>> net)...
> 
> It's as simple as "first interface with same subnet wins".
> 

Ok. Thanks for the simple, but complete explain. But  where to say "go
out through the right one?"

>> have you tried setting a bridge interface ???
>> 
>> do NOT give ip address to the real ethernet interfaces (ethX) .....
>> simply get them 'up' and them bring a bridge interface up, with the
>> ip address you need, and 'add' all the physical interfaces on the
>> bridge interface.
> 
> And depending on the situation you might also need to enforce routing
>  at the bridge border so as to not open security holes.

Have you some more words about this? Where can I found problems? How to
modify routing?

Thanks,
Michele

Re: More ethernet port same ip address

[Jan Engelhardt]

On Saturday 2008-07-19 17:14, Michele Petrazzo - Unipex srl wrote:

> Jan Engelhardt wrote:
>> On Saturday 2008-07-19 16:01, Leonardo Rodrigues Magalhães wrote:
>> > Michele Petrazzo - Unipex srl escreveu:
>> > > Hi all, this is a very strange ask (I don't find any other on the
>> > > net)...
>> 
>> It's as simple as "first interface with same subnet wins".
>
> Ok. Thanks for the simple, but complete explain. But  where to say "go
> out through the right one?"

The fact is, you do not know in advance which is the right one.

>> And depending on the situation you might also need to enforce routing
>>  at the bridge border so as to not open security holes.
>
> Have you some more words about this? Where can I found problems? How to
> modify routing?

ebtables -t broute -P BROUTING DROP

which will force all packets being routed.

Re: More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Jan Engelhardt wrote:
>> Ok. Thanks for the simple, but complete explain. But  where to say 
>> "go out through the right one?"
> 
> The fact is, you do not know in advance which is the right one.

So there is no solution with the "marking into PREROUTING" technique?
Into my environ a packet that come from an interface MUST go out through
that one.

>>> And depending on the situation you might also need to enforce 
>>> routing at the bridge border so as to not open security holes.
>> Have you some more words about this? Where can I found problems? 
>> How to modify routing?
> 
> ebtables -t broute -P BROUTING DROP
> 
> which will force all packets being routed.

I'll try it soon.
But in this case, why the kernel doesn't "lost" the package that ebtables
wants to DROP? Or the kernel starts to see which is the first hole where
the packet can go inside and leave it there?
Seem a very contorted thinking to me...

Thanks,
MIchele

Re: More ethernet port same ip address

[Jan Engelhardt]

On Saturday 2008-07-19 18:05, Michele Petrazzo - Unipex srl wrote:

> Jan Engelhardt wrote:
>> > Ok. Thanks for the simple, but complete explain. But  where to say "go out
>> > through the right one?"
>> 
>> The fact is, you do not know in advance which is the right one.
>
> So there is no solution with the "marking into PREROUTING" technique?
> Into my environ a packet that come from an interface MUST go out through
> that one.

That will work easily, because the client contacts you first.
It is when the router has to decide a path for the first time.
But since you will be using a bridge device anyway, there is
just one path (namely, br0).

>> > > And depending on the situation you might also need to enforce routing at
>> > > the bridge border so as to not open security holes.
>> > Have you some more words about this? Where can I found problems? How to
>> > modify routing?
>> 
>> ebtables -t broute -P BROUTING DROP
>> 
>> which will force all packets being routed.
>
> I'll try it soon.
> But in this case, why the kernel doesn't "lost" the package that ebtables
> wants to DROP? Or the kernel starts to see which is the first hole where
> the packet can go inside and leave it there?
> Seem a very contorted thinking to me...

Ah just forget this one.


- create bridge device
- do as usual

Re: More ethernet port same ip address

[Leonardo Rodrigues Magalhães]

Jan Engelhardt escreveu:
>
> The fact is, you do not know in advance which is the right one.
>
>   

    the idea is that you dont need to worry about knowing what is the 
right interface .... bridging code will take care of sending it to the 
right interface. There's absoltely no 'routing' involved here !!!

    the only thing you need to be aware is that on this situation you 
cannot have the same ip address on different physical segments. Dont 
forget altough they are on different physical network segments, the 
bridge interface will make them appears as being on the same physical 
one. So, you cant have the same ip address on two physical segments, 
because with bridging, there wont have different segments !!! You'll 
have a single physical and logical network segment.

    if you dont have confliting ip addresses (which you absolutely cant 
have), there's no need to worry about routing, about 'going on the right 
interface' .... bridge interface will take care of everything !

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: More ethernet port same ip address

[Jan Engelhardt]

On Saturday 2008-07-19 18:17, Leonardo Rodrigues Magalhães wrote:
> Jan Engelhardt escreveu:
>>
>> The fact is, you do not know in advance which is the right one.
>
>   the idea is that you dont need to worry about knowing what is the right
> interface .... bridging code will take care of sending it to the right
> interface. There's absoltely no 'routing' involved here !!!

Except that I explained why routing fails...

>   the only thing you need to be aware is that on this situation you cannot
> have the same ip address on different physical segments.

Yes you can. If you meant "the same subnet", then that's more correct.

No need to lecture me, I've been there, done that, and did it all.
In fact, having the right ARP entries is enough to make routing select
the right interface, you do not strictly need a bridge interface.

> Dont forget altough
> they are on different physical network segments, the bridge interface will make
> them appears as being on the same physical one. So, you cant have the same ip
> address on two physical segments, because with bridging, there wont have
> different segments !!! You'll have a single physical and logical network
> segment.
>
>   if you dont have confliting ip addresses (which you absolutely cant have),
> there's no need to worry about routing, about 'going on the right interface'
> .... bridge interface will take care of everything !
>
> -- 
>
>
> 	Atenciosamente / Sincerily,
> 	Leonardo Rodrigues
> 	Solutti Tecnologia
> 	http://www.solutti.com.br
>
> 	Minha armadilha de SPAM, NÃO mandem email
> 	gertrudes@solutti.com.br
> 	My SPAMTRAP, do not email it
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: More ethernet port same ip address

[Leonardo Rodrigues Magalhães]

Jan Engelhardt escreveu:
> No need to lecture me, I've been there, done that, and did it all.
> In fact, having the right ARP entries is enough to make routing select
> the right interface, you do not strictly need a bridge interface.
>   

    hey man, nobody is trying to lecture nobody in here ... we're just 
trying to help each other. If you know more about the subject than me 
(in fact i have never used bridged interfaces, altough i know how they 
work in the theory), then sorry, but i simply dont know that you have 
been there, did it all ....


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Leonardo Rodrigues Magalhães wrote:
>> (iptables+mark+ip route, bonding, a vlan every port), but with the 
>> same result... Packet come into the right port but go out through 
>> the "last" that I have set, so it will never arrive.
> 
> have you tried setting a bridge interface ???
> 

If I remember correctly I tried it (and forgot to add it to my list's
test) iwth the same results.
Monday morning I'll retry and post results

Michele

Re: More ethernet port same ip address

[Grant Taylor]

On 7/19/2008 2:34 AM, Michele Petrazzo - Unipex srl wrote:
> I need to setup a linux box with more than one ethernet ports and 
> every one must have the same ip address. I, of course :), already 
> tried to do it with a lot of solutions that linux offer 
> (iptables+mark+ip route, bonding, a vlan every port), but with the 
> same result... Packet come into the right port but go out through the 
> "last" that I have set, so it will never arrive.
> 
> Here the server have the two ports with 172.16.0.1 and two clients, 
> connected into the two others has 172.16.0.3 and 172.16.0.10
> 
> It's there a solution for achieve this?

Like others have said, I think (based on what little you have said) that 
bridging is an appropriate option.  I say "think" because I don't know 
if you are trying to filter what passes between the two sides of the server.

Could you do what you are wanting to do by moving the two ethernet 
cables that connect to the server over to a switch and then run one 
cable from the switch to the server?  If this will work, bridging will 
do exactly the same thing in software.

I'd suggest that your bridge the two interfaces (with out any IPs) and 
bind the 172.16.0.1 IP address to the bridge interface its self.

With regards to the question about choosing which interface the traffic 
will go out, (with out forcing its hand) bridging does the exact same 
thing as a switch would.  When you send a packet to a given destination 
the bridge will send the ethernet frame containing the packet out the 
port that is destination MAC is connected to.  If the port the 
destination MAC is connected to is not known bridging will send the 
frame out all ports until it does know what port it is connected to 
(i.e. the bridge receives a reply thus learning the port).

I say "with out forcing its hand" because there are a lot of things that 
you can do with EBTables and / or IPTables to encourage bridging to do 
what you want if it is not the norm.



Grant. . . .

Re: More ethernet port same ip address

[Anatoly Muliarski]

I'll try to put in my 5 cents ...
A working example from openet.ru
---
(x.x.x.99 ... x.x.x.110) --- (eth1, x.x.x.98 | eth0, x.x.x.98) --- (x.x.x.97)

1. Delete default routes
   ip route del x.x.x.96/28 dev eth0
   ip route del x.x.x.96/28 dev eth1

2. Set up routes for subnets
   ip route add x.x.x.97 dev eth0
   ip route add x.x.x.96/28 dev eth1

3. Turn on Proxy ARP
   echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
   echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
---


-- 
Best regards
Anatoly Muliarski

Re: More ethernet port same ip address

[Grant Taylor]

On 07/21/08 02:00, Anatoly Muliarski wrote:
> I'll try to put in my 5 cents ...
> A working example from openet.ru

I suppose we need some more clarification from the OP on what 
specifically s/he needs and what s/he has (not) tried.

I think this thread goes tho show how there are multiple ways to achieve 
  the same goal.



Grant. . . .

Re: More ethernet port same ip address

[Michele Petrazzo - Unipex srl]

Hi another time,

made some tries and I see that it works well with the "bridge" mode. The
only thing that I do was to to create a new bridge, remove the ip address
from the interfaces, add them to the bridge and set an ip address for
the bridge. Nothing other. With arp_proxy 1 or 0 it works in the same
manner.

The strange it's that I already tried this solution in test room, but I
remember that it didn't work. One think that forgot to say it's that
when I tried, I was using a different switch configuration (that now I
cannot reproduce): there was two different switch (with stp enabled and
configured), each one with 3 different vlan and each of the three vlans
end into one server ethernet port.
So:

pc1 <--> | vlan5 ------------- stp| <->  |stp ----------- stp| vlan 5<-> 
srv port 1
pc2 <--> | vlan6 -switch1-  stp| <-> |stp switch2 stp| vlan 6<-> srv port 2
pc3 <--> | vlan7 ------------- stp| <->  |stp ----------- stp| vlan 7<-> 
srv port 3

Here, for make the communication working, I have to setup the three
vlan(s) on the server port's, but they must have the same address.
And, with the "bridge" solution I think that I cannot.

Thanks to all,
Michele

Re: More ethernet port same ip address

[Grant Taylor]

On 07/21/08 13:11, Michele Petrazzo - Unipex srl wrote:
> made some tries and I see that it works well with the "bridge" mode. 
> The only thing that I do was to to create a new bridge, remove the ip 
> address from the interfaces, add them to the bridge and set an ip 
> address for the bridge. Nothing other. With arp_proxy 1 or 0 it works 
> in the same manner.

*nod*

> The strange it's that I already tried this solution in test room, but 
> I remember that it didn't work. One think that forgot to say it's 
> that when I tried, I was using a different switch configuration (that 
> now I cannot reproduce): there was two different switch (with stp 
> enabled and configured), each one with 3 different vlan and each of 
> the three vlans end into one server ethernet port.

VLANs and especially STP make things more interesting.

> Here, for make the communication working, I have to setup the three 
> vlan(s) on the server port's, but they must have the same address. 
> And, with the "bridge" solution I think that I cannot.

With traditional bridging, you would bridge the three (virtual) 
interfaces together and then bind your server's IP(s) to the bridge 
interface.  I've got a system in service that has an excess of 24 
different VLAN interfaces bridged together, and it's working great.

> Thanks to all,

*nod*



Grant. . . .

Re: More ethernet port same ip address

[Anatoly Muliarski]

I have just now the next working configuration:

pc1->switch_access_port_vlan17->
   ->  (vlan17)(172.19.0.20)

->switch_Trunk_port_for_vlan17_vlan18
pc2->switch_access_port_vlan18->
   -> (vlan18)(172.19.0.20)

arp_proxy is set on.
Also you need to set up forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

+ I recommend to clear firewall rules for testing purpose:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

2008/7/21, Michele Petrazzo - Unipex srl <michele.petrazzo@unipex.it>:
>
> pc1 <--> | vlan5 ------------- stp| <->  |stp ----------- stp| vlan 5<-> srv
> port 1
> pc2 <--> | vlan6 -switch1-  stp| <-> |stp switch2 stp| vlan 6<-> srv port 2
> pc3 <--> | vlan7 ------------- stp| <->  |stp ----------- stp| vlan 7<-> srv
> port 3
>
> Here, for make the communication working, I have to setup the three
> vlan(s) on the server port's, but they must have the same address.
> And, with the "bridge" solution I think that I cannot.


-- 
Best regards
Anatoly Muliarski

Re: More ethernet port same ip address

[Grant Taylor]

On 07/22/08 08:03, Anatoly Muliarski wrote:
> I have just now the next working configuration:

<snip>

> arp_proxy is set on.
> Also you need to set up forwarding:
> echo 1 > /proc/sys/net/ipv4/ip_forward

*nod*

> + I recommend to clear firewall rules for testing purpose:
> iptables -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT

Based on experience (shooting my self in the foot) I *strongly* 
recommend that you set the chain policies *BEFORE* flushing the table / 
chains.  Just think what will happen if the chain policy is DENY and you 
are trying to do this via an SSH connection.



Grant. . . .

Re: More ethernet port same ip address

[Jan Engelhardt]

On Tuesday 2008-07-22 17:06, Grant Taylor wrote:
>> + I recommend to clear firewall rules for testing purpose:
>> iptables -F
>> iptables -P INPUT ACCEPT
>> iptables -P OUTPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>
> Based on experience (shooting my self in the foot) I *strongly*
> recommend that you set the chain policies *BEFORE* flushing the
> table / chains.  Just think what will happen if the chain policy is
> DENY and you are trying to do this via an SSH connection.

I strongly recommend you set the policies WHILE flushing the table.