Eth0 and eth1

As mentioned earlier in this forum, I'm setting up a VPN system.

This involves having two network cards on one PC - eth0 and eth1. Because I
want to learn as much as I can about networking, I'm doing it the hard way
and avoiding a distro or package which will do all this for me.

However, I'm having trouble understanding how I can add separate routes for
each card. One will connect to the WAN and have an "internet IP" whilst the
other will connect to a private subnet with a 192.168.*.* address. Clearly
they have separate gateway addresses.

What files need to be altered? I'm using SUSE, although not for any
particular reason (the install disc was simply at hand). However, YAST2
only seems to want to let me have one default route which it then applies
to both cards.

Also, is it possible to have separate DNS configs for both cards?

Captain Beefheart <nospam@mo.com> said:
>... two network cards on one PC - eth0 and eth1.
....
>However, I'm having trouble understanding how I can add separate routes for
>each card. One will connect to the WAN and have an "internet IP" whilst the
>other will connect to a private subnet with a 192.168.*.* address. Clearly
>they have separate gateway addresses.
>
>What files need to be altered? I'm using SUSE, although not for any
>particular reason (the install disc was simply at hand). However, YAST2
>only seems to want to let me have one default route which it then applies
>to both cards.

No, default routes you have just one. Whereever you want to route such
packets for which you don't have any more specific route set up. For
all the other networks you set up a route manually (or run a routing
software to get the routing information from your peers, if you are in
suh network that exchanges routing information -- most possibly not).
Setting up routes manually is done with command "ip route" (or just
"route" with some distributions). Then there is some distribution-
specific way for setting up routes that the system should set up at
boot time.

>Also, is it possible to have separate DNS configs for both cards?

Yep, bind can support different DNS views for different interfaces. The
BOG (Bind Operators Guide) should contain the configuration details
for this. But wait, are you really providing DNS name service from
this machine to the Internet, too? Or do you only want to have Internet
names available to the local machine (and network), and additionally
to have some local names?
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Captain Beefheart wrote:

>
> However, I'm having trouble understanding how I can add separate routes for
> each card. One will connect to the WAN and have an "internet IP" whilst the
> other will connect to a private subnet with a 192.168.*.* address. Clearly
> they have separate gateway addresses.

man route ;)
--> route add -net [net] netmask [mask] gw [gateway]
if I remember correctly, the system will find the right NIC by itself.
for adding a default-router: route add default gw [gateway]

> What files need to be altered? I'm using SUSE, although not for any
> particular reason (the install disc was simply at hand). However, YAST2
> only seems to want to let me have one default route which it then applies
> to both cards.

If _you_ want to be a router between the two networks you are connected
with that two NICs you have to edit the routing-thing in
/proc/sys/net/ipv4... If you're not the router, you don't have to edit
anything...


--
---
http://www.alf.at.tc
Austrian Linux Forum

Captain Beefheart wrote:

> As mentioned earlier in this forum, I'm setting up a VPN system.
>
> This involves having two network cards on one PC - eth0 and eth1. Because
> I want to learn as much as I can about networking, I'm doing it the hard
> way and avoiding a distro or package which will do all this for me.
>
> However, I'm having trouble understanding how I can add separate routes
> for each card. One will connect to the WAN and have an "internet IP"
> whilst the other will connect to a private subnet with a 192.168.*.*
> address. Clearly they have separate gateway addresses.
>
> What files need to be altered? I'm using SUSE, although not for any
> particular reason (the install disc was simply at hand). However, YAST2
> only seems to want to let me have one default route which it then applies
> to both cards.
>
> Also, is it possible to have separate DNS configs for both cards?

Okay - I've just spent a couple of hours unsuccessfully trying to get a
Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
one had a 192.* private subnet address whilst card two had a static
internet IP assigned by our ISP. I've not setup a firewall or anything
fancy - just installed the distro and tried to configure the cards.

No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
(eth0 - 192.*) couldn't ping anything, such as a computer on its own
subnet.

Each card had separate gateway addresses correctly filled in. The ACT light
on the back of the non-working card flashed amber occassionally (normally
green for happy data transfers). But I don't know what this means.

As far as I can see it, this problem might be caused by three things:

1) Some subnetting weirdness (subnet for the eth0 (192.*) was 255.255.255.0,
whilst subnet for the Internet IP card (eth1) was 255.255.255.224). I read
somewhere that I might have to match the subnets for routing to work...?
Thinking about it logically, these two networks, even though they're
occuring at my PC, need to be joined by a router if they have different
subnet masks... so how do I configure a router *inside* my Linux setup? ...
leads me onto ....

2) Routing troubles (route -n reveals both cards + gateways are in the list
but I didn't copy and paste it to reproduce here - sorry).

3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
although I did deactivate the firewall AFAICT.

Does anybody know of a good tutorial to introduce the concept of setting up
two network cards under Linux in the arrangement I've described? I'm
learning about the technology of networking as I go along so saying
something like "read the route/ifconfig man page!!" doesn't help - it's a
little above my level and assumes more knowledge than I currently have.

I've found tutorials on setting up IPtables, tutorials on setting up
firewalls, tutorials on configuring kernel modules for two cards, and
virtually everything else, But I can't find a tutorial on the *actual*work*
of configuring the network card IPs and routing. It's as if you're already
expected to know this.

Captain Beefheart wrote:

> Captain Beefheart wrote:
>
>> As mentioned earlier in this forum, I'm setting up a VPN system.
>>
>> This involves having two network cards on one PC - eth0 and eth1. Because
>> I want to learn as much as I can about networking, I'm doing it the hard
>> way and avoiding a distro or package which will do all this for me.
>>
>> However, I'm having trouble understanding how I can add separate routes
>> for each card. One will connect to the WAN and have an "internet IP"
>> whilst the other will connect to a private subnet with a 192.168.*.*
>> address. Clearly they have separate gateway addresses.
>>
>> What files need to be altered? I'm using SUSE, although not for any
>> particular reason (the install disc was simply at hand). However, YAST2
>> only seems to want to let me have one default route which it then applies
>> to both cards.
>>
>> Also, is it possible to have separate DNS configs for both cards?
>
> Okay - I've just spent a couple of hours unsuccessfully trying to get a
> Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
> one had a 192.* private subnet address whilst card two had a static
> internet IP assigned by our ISP. I've not setup a firewall or anything
> fancy - just installed the distro and tried to configure the cards.
>
> No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
> (eth0 - 192.*) couldn't ping anything, such as a computer on its own
> subnet.
>
> Each card had separate gateway addresses correctly filled in. The ACT
> light on the back of the non-working card flashed amber occassionally
> (normally green for happy data transfers). But I don't know what this
> means.
>
> As far as I can see it, this problem might be caused by three things:
>
> 1) Some subnetting weirdness (subnet for the eth0 (192.*) was
> 255.255.255.0, whilst subnet for the Internet IP card (eth1) was
> 255.255.255.224). I read somewhere that I might have to match the subnets
> for routing to work...? Thinking about it logically, these two networks,
> even though they're occuring at my PC, need to be joined by a router if
> they have different subnet masks... so how do I configure a router
> *inside* my Linux setup? ... leads me onto ....
>
> 2) Routing troubles (route -n reveals both cards + gateways are in the
> list but I didn't copy and paste it to reproduce here - sorry).
>
> 3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
> although I did deactivate the firewall AFAICT.
>
> Does anybody know of a good tutorial to introduce the concept of setting
> up two network cards under Linux in the arrangement I've described? I'm
> learning about the technology of networking as I go along so saying
> something like "read the route/ifconfig man page!!" doesn't help - it's a
> little above my level and assumes more knowledge than I currently have.
>
> I've found tutorials on setting up IPtables, tutorials on setting up
> firewalls, tutorials on configuring kernel modules for two cards, and
> virtually everything else, But I can't find a tutorial on the
> *actual*work* of configuring the network card IPs and routing. It's as if
> you're already expected to know this.

I'm currently reading TCP-IP-ADMIN, a document linked to from the TLDP Net
How-To. It was written in 1988 but should surely still be relevant.

Regarding routing, it says that a metric of 0 against an entry causes the
data to stay on the same local network, even if different subnets are in
use (ie 192.1.1.0 and 192.1.2.0). However, this is only for a one ethernet
card setup.

I'm still unsure about how to get the data to "leap" from one network card
to another... I guess what I'm asking here is how to setup a PC as a basic
gateway between subnets.

(look down... waaaay down... must have been a Friendly Giant fan?)
On Wed, 21 Jul 2004 21:41:32 +0000, Captain Beefheart wrote:
> Captain Beefheart wrote:
>> Captain Beefheart wrote:
>>> As mentioned earlier in this forum, I'm setting up a VPN system.
>>>
>>> This involves having two network cards on one PC - eth0 and eth1. Because
>>> I want to learn as much as I can about networking, I'm doing it the hard
>>> way and avoiding a distro or package which will do all this for me.

OK, that's a good way to learn, but be patient. People will help, but
don't expect them to "hop to it!" because it is not their job.

>>> However, I'm having trouble understanding how I can add separate routes
>>> for each card. One will connect to the WAN and have an "internet IP"
>>> whilst the other will connect to a private subnet with a 192.168.*.*
>>> address. Clearly they have separate gateway addresses.

I think you're confusing yourself, and you're confusing me, too. Let's
review some basic concepts (for both of us) and go from there.

AFAIK, a *nix machine has only one routing table. This table can have
entries that specify a number of interfaces (ethernet, fibre, serial,
etc.). The routing table in a *nix machine deals with "outbound" packets.
Anything that comes "inbound" on the interfaces is handled by whatever you
see from "ifconfig -a" which lists the IP addresses which will be accepted
by that *nix machine. Anything else will be ignored (unless the interface
is put into diagnostic "promiscuous" mode, but leave that for later).

OK, now you'll have to be more explicit when you're describing your tests
and results. When you say you ping, you should tell us which machine
you're pinging from. I gather up to now it's been your gateway machine?
The one that is straddling your LAN and your IP connection? Make it clear,
because soon you'll also be talking about the other machines on the LAN.

>>> What files need to be altered? I'm using SUSE, although not for any
>>> particular reason (the install disc was simply at hand). However, YAST2
>>> only seems to want to let me have one default route which it then applies
>>> to both cards.

You should be able to do all of your testing with command line programs,
without fiddling with files and rebooting (yech! Windoze stuff!)
repeatedly. Eventually, you will want to make these settings "persistent"
and they should be recorded somewhere. Later...

>>> Also, is it possible to have separate DNS configs for both cards?

Someone(s) else has already answered that.

>> Okay - I've just spent a couple of hours unsuccessfully trying to get a
>> Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
>> one had a 192.* private subnet address whilst card two had a static
>> internet IP assigned by our ISP. I've not setup a firewall or anything
>> fancy - just installed the distro and tried to configure the cards.
>>
>> No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
>> (eth0 - 192.*) couldn't ping anything, such as a computer on its own
>> subnet.

This is where I get confused. Normally, one would ping from "inside" the
machine (and not specify the interface) to some destination. The routing
table figures out which interface the ping is supposed to go out.

When you say "Card 2 (eth1 - Net IP) could ping everything", I assume you
mean that you could ping your ISP, and other internet site servers? OK. If
you specifically ping on eth1, you should NOT see your LAN computers. If
you do, then we're (both?) misunderstanding something, and should "regroup".

When you say "Card 1 (eth0 - 192.*) couldn't ping anything", I assume you
mean that your gateway computer could not ping your other LAN Linux
machines. Did you try to ping only by hostname? or by IP? If your routing
table is setup right, you should be able to ping your LAN machines by IP
address without specifying the Card/eth<n>. That should always work,
even if your name resolution is busted. Maybe you should print out your
routing table, with:

netstat -r

Then check that you can actually look up hostnames, using dig or nslookup.
This should work for your internet connection, if you've setup your ISP
connection correctly. It might not work for your LAN machines, if you have
not setup your /etc/hosts file and/or your DNS server(s) correctly.

>> Each card had separate gateway addresses correctly filled in. The ACT
>> light on the back of the non-working card flashed amber occassionally
>> (normally green for happy data transfers). But I don't know what this
>> means.

Might be "collisions"? Not to worry, that can be normal for TCP/IP.
BTW, are you interconnecting your LAN computers with a hub? or switch?

>> As far as I can see it, this problem might be caused by three things:
>>
>> 1) Some subnetting weirdness (subnet for the eth0 (192.*) was
>> 255.255.255.0, whilst subnet for the Internet IP card (eth1) was
>> 255.255.255.224). I read somewhere that I might have to match the subnets
>> for routing to work...? Thinking about it logically, these two networks,
>> even though they're occuring at my PC, need to be joined by a router if
>> they have different subnet masks... so how do I configure a router
>> *inside* my Linux setup? ... leads me onto ....

I find it odd that you are using a subnet mask of 255.255.255.224 for the
IP card. Is this what your ISP told you? That's a range of 5 bits. Hmm.
Might be OK, depending on what your ISP told you. Doesn't matter much,
anyway, as you said you have a single static IP address given you?

>> 2) Routing troubles (route -n reveals both cards + gateways are in the
>> list but I didn't copy and paste it to reproduce here - sorry).

That would help.

>> 3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
>> although I did deactivate the firewall AFAICT.

Dunno. I don't use IPtables myself, since I'm behind a firewall/router.
I'm using a Linksys device, for convenience and peace of mind.

>> Does anybody know of a good tutorial to introduce the concept of setting
>> up two network cards under Linux in the arrangement I've described? I'm
>> learning about the technology of networking as I go along so saying
>> something like "read the route/ifconfig man page!!" doesn't help - it's a
>> little above my level and assumes more knowledge than I currently have.

It's basically routing. With superimposed name resolution. Unfortunately,
to really understand what is going on, you will have to RTFM, man pages,
info pages, web sites, etc., lots of stuff. We might be able to help focus
some of your reading, to focus/start with important/relevant stuff.

>> I've found tutorials on setting up IPtables, tutorials on setting up
>> firewalls, tutorials on configuring kernel modules for two cards, and
>> virtually everything else, But I can't find a tutorial on the
>> *actual*work* of configuring the network card IPs and routing. It's as if
>> you're already expected to know this.

I would leave IPtables aside for the time being, as that will only
complicate things even more. Do you have a firewall/router? or is that
what you're building? If you are making the firewall/router, keep in mind
that while you're tinkering you might get compromised, and you should
check your machine (chkrootkit, etc.) when you're done. If there is
anything "funny" it might be best to wipe and reinstall (now that you know
exactly what you're doing). Else you might have trojans in there, etc.

It would be easiest to get basic routing working first. Then turn on your
firewall in your gateway and recheck your routing. That's what I would do.

> I'm currently reading TCP-IP-ADMIN, a document linked to from the TLDP Net
> How-To. It was written in 1988 but should surely still be relevant.

The main protocols and routing have not changed for decades.

> Regarding routing, it says that a metric of 0 against an entry causes the
> data to stay on the same local network, even if different subnets are in
> use (ie 192.1.1.0 and 192.1.2.0). However, this is only for a one ethernet
> card setup.

Don't worry about metrics. Metrics were used for a kind of "load
balancing" or "response tuning", to try to use the fastest links if/when
available. This was important in the uucp (serial connection) days. Not
really relevant with ADSL/cable-modem or LAN. I believe these would both
be metric 0, i.e. as fast as can possibly be. In any case, you don't have
any "alternate routing" so there's nothing to chose from. There is only
one way to forward the packet so that it gets to its final destination.

> I'm still unsure about how to get the data to "leap" from one network card
> to another... I guess what I'm asking here is how to setup a PC as a basic
> gateway between subnets.

It really does not "leap". Think of your networking as a collection of
"store and forward" nodes. Each node (host) will accept a packet if it
recognizes its own address(es) as the destination of the packet. Then when
it examines the packet for the "ultimate/final destination" it decides
whether to deliver it to a local (internal software) "port" or forward it
via some other network connection, to another computer. So, if your local
LAN computers address your gateway computer directly, the packets are
accepted and processed there. For example, if you setup an ssh connection
from your desk PC to the gateway PC to get a session for maintenance, etc.
However, if one of your LAN PCs is trying to address an internet computer,
the packet is still sent to your gateway computer (BTW, that LAN PC has to
have the gateway computer defined as the "default route" in its own
routing table), but the gateway computer recognizes that it is for another
network, and passes it on, out to the ISP (and it chooses the interface
from its routing table). Similarly for inbound packets (sort of), except
to really understand that traffic you should read up on NAT (network
address translation). That's probably a topic for later...

Check out a few things... do some reading... get your routing table fixed...
Then come back with specific questions. Someone will likely answer them.

--
Juhan Leemet
Logicognosis, Inc.

Captain Beefheart <nospam@mo.com> said:
>Okay - I've just spent a couple of hours unsuccessfully trying to get a
>Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
>one had a 192.* private subnet address whilst card two had a static
>internet IP assigned by our ISP. I've not setup a firewall or anything
>fancy - just installed the distro and tried to configure the cards.
>
>No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
>(eth0 - 192.*) couldn't ping anything, such as a computer on its own
>subnet.
....
>2) Routing troubles (route -n reveals both cards + gateways are in the list
>but I didn't copy and paste it to reproduce here - sorry).

And you still didn't. That, in addition to interface configuration info
would be most helpful. So, output from commands "ip -f inet addr" and
"ip -f inet route".

>3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
>although I did deactivate the firewall AFAICT.

This we could see if you did provide output of "iptables -vnL"
(and perhaps also "iptables -t nat -vnL" and iptables -t mangle -vnL").

>Does anybody know of a good tutorial to introduce the concept of
>setting up two network cards under Linux in the arrangement I've
>described?

Shouldn't be anythins specific. Set the cards up just as single
cards (you already have at least one set up properly). Check that
you're able to ping machines in both networks from the gateway-to-be.
Then enable forwarding between the interfaces with
"echo 1 > /proc/sys/net/ipv4/ip_forward"
(or "sysctl -w net.ipv4.ip_forward=1").
This change can be made permanent by inserting the line
"net.ipv4.ip_forward = 1" into file /etc/sysctl.conf.

The documents you've listed so far (network admin guide, etc) should
be sufficient.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Juhan Leemet wrote:
>
> Check out a few things... do some reading... get your routing table
> fixed... Then come back with specific questions. Someone will likely
> answer them.
>

Thanks for taking the time to reply, Juhan. It was genuinely useful and I've
been able to check my own ideas against what you wrote. I've taken your
advice and been reading up. I've started a new thread above to explain how
I think the routing table of a two ethernet card gateway should be setup.