Re: Eth0 and eth1
From: Juhan Leemet (juhan_at_logicognosis.com)
Date: 07/22/04
Date: Wed, 21 Jul 2004 22:14:32 -0200
(look down... waaaay down... must have been a Friendly Giant fan?)
On Wed, 21 Jul 2004 21:41:32 +0000, Captain Beefheart wrote:
> Captain Beefheart wrote:
>> Captain Beefheart wrote:
>>> As mentioned earlier in this forum, I'm setting up a VPN system.
>>>
>>> This involves having two network cards on one PC - eth0 and eth1. Because
>>> I want to learn as much as I can about networking, I'm doing it the hard
>>> way and avoiding a distro or package which will do all this for me.
OK, that's a good way to learn, but be patient. People will help, but
don't expect them to "hop to it!" because it is not their job.
>>> However, I'm having trouble understanding how I can add separate routes
>>> for each card. One will connect to the WAN and have an "internet IP"
>>> whilst the other will connect to a private subnet with a 192.168.*.*
>>> address. Clearly they have separate gateway addresses.
I think you're confusing yourself, and you're confusing me, too. Let's
review some basic concepts (for both of us) and go from there.
AFAIK, a *nix machine has only one routing table. This table can have
entries that specify a number of interfaces (ethernet, fibre, serial,
etc.). The routing table in a *nix machine deals with "outbound" packets.
Anything that comes "inbound" on the interfaces is handled by whatever you
see from "ifconfig -a" which lists the IP addresses which will be accepted
by that *nix machine. Anything else will be ignored (unless the interface
is put into diagnostic "promiscuous" mode, but leave that for later).
OK, now you'll have to be more explicit when you're describing your tests
and results. When you say you ping, you should tell us which machine
you're pinging from. I gather up to now it's been your gateway machine?
The one that is straddling your LAN and your IP connection? Make it clear,
because soon you'll also be talking about the other machines on the LAN.
>>> What files need to be altered? I'm using SUSE, although not for any
>>> particular reason (the install disc was simply at hand). However, YAST2
>>> only seems to want to let me have one default route which it then applies
>>> to both cards.
You should be able to do all of your testing with command line programs,
without fiddling with files and rebooting (yech! Windoze stuff!)
repeatedly. Eventually, you will want to make these settings "persistent"
and they should be recorded somewhere. Later...
>>> Also, is it possible to have separate DNS configs for both cards?
Someone(s) else has already answered that.
>> Okay - I've just spent a couple of hours unsuccessfully trying to get a
>> Fedora Core 2 box to work with two ethernet cards and two static IPs. Card
>> one had a 192.* private subnet address whilst card two had a static
>> internet IP assigned by our ISP. I've not setup a firewall or anything
>> fancy - just installed the distro and tried to configure the cards.
>>
>> No joy. Card 2 (eth1 - Net IP) could ping everything merrily but card 1
>> (eth0 - 192.*) couldn't ping anything, such as a computer on its own
>> subnet.
This is where I get confused. Normally, one would ping from "inside" the
machine (and not specify the interface) to some destination. The routing
table figures out which interface the ping is supposed to go out.
When you say "Card 2 (eth1 - Net IP) could ping everything", I assume you
mean that you could ping your ISP, and other internet site servers? OK. If
you specifically ping on eth1, you should NOT see your LAN computers. If
you do, then we're (both?) misunderstanding something, and should "regroup".
When you say "Card 1 (eth0 - 192.*) couldn't ping anything", I assume you
mean that your gateway computer could not ping your other LAN Linux
machines. Did you try to ping only by hostname? or by IP? If your routing
table is setup right, you should be able to ping your LAN machines by IP
address without specifying the Card/eth<n>. That should always work,
even if your name resolution is busted. Maybe you should print out your
routing table, with:
    netstat -r
Then check that you can actually look up hostnames, using dig or nslookup.
This should work for your internet connection, if you've setup your ISP
connection correctly. It might not work for your LAN machines, if you have
not setup your /etc/hosts file and/or your DNS server(s) correctly.
>> Each card had separate gateway addresses correctly filled in. The ACT
>> light on the back of the non-working card flashed amber occasionally
>> (normally green for happy data transfers). But I don't know what this
>> means.
Might be "collisions"? Not to worry, that can be normal for TCP/IP.
BTW, are you interconnecting your LAN computers with a hub? or switch?
>> As far as I can see it, this problem might be caused by three things:
>>
>> 1) Some subnetting weirdness (subnet for the eth0 (192.*) was
>> 255.255.255.0, whilst subnet for the Internet IP card (eth1) was
>> 255.255.255.224). I read somewhere that I might have to match the subnets
>> for routing to work...? Thinking about it logically, these two networks,
>> even though they're occurring at my PC, need to be joined by a router if
>> they have different subnet masks... so how do I configure a router
>> *inside* my Linux setup? ... leads me onto ....
I find it odd that you are using a subnet mask of 255.255.255.224 for the
IP card. Is this what your ISP told you? That's a range of 5 bits. Hmm.
Might be OK, depending on what your ISP told you. Doesn't matter much,
anyway, as you said you have a single static IP address given you?
>> 2) Routing troubles (route -n reveals both cards + gateways are in the
>> list but I didn't copy and paste it to reproduce here - sorry).
That would help.
>> 3) Some weird default IPtables behaviour on behalf of Fedora Core 2,
>> although I did deactivate the firewall AFAICT.
Dunno. I don't use IPtables myself, since I'm behind a firewall/router.
I'm using a Linksys device, for convenience and peace of mind.
>> Does anybody know of a good tutorial to introduce the concept of setting
>> up two network cards under Linux in the arrangement I've described? I'm
>> learning about the technology of networking as I go along so saying
>> something like "read the route/ifconfig man page!!" doesn't help - it's a
>> little above my level and assumes more knowledge than I currently have.
It's basically routing. With superimposed name resolution. Unfortunately,
to really understand what is going on, you will have to RTFM, man pages,
info pages, web sites, etc., lots of stuff. We might be able to help focus
some of your reading, to focus/start with important/relevant stuff.
>> I've found tutorials on setting up IPtables, tutorials on setting up
>> firewalls, tutorials on configuring kernel modules for two cards, and
>> virtually everything else, but I can't find a tutorial on the
>> *actual*work* of configuring the network card IPs and routing. It's as if
>> you're already expected to know this.
I would leave IPtables aside for the time being, as that will only
complicate things even more. Do you have a firewall/router? or is that
what you're building? If you are making the firewall/router, keep in mind
that while you're tinkering you might get compromised, and you should
check your machine (chkrootkit, etc.) when you're done. If there is
anything "funny" it might be best to wipe and reinstall (now that you know
exactly what you're doing). Else you might have trojans in there, etc.
It would be easiest to get basic routing working first. Then turn on your
firewall in your gateway and recheck your routing. That's what I would do.
> I'm currently reading TCP-IP-ADMIN, a document linked to from the TLDP Net
> How-To. It was written in 1988 but should surely still be relevant.
The main protocols and routing have not changed for decades.
> Regarding routing, it says that a metric of 0 against an entry causes the
> data to stay on the same local network, even if different subnets are in
> use (ie 192.1.1.0 and 192.1.2.0). However, this is only for a one ethernet
> card setup.
Don't worry about metrics. Metrics were used for a kind of "load
balancing" or "response tuning", to try to use the fastest links if/when
available. This was important in the uucp (serial connection) days. Not
really relevant with ADSL/cable-modem or LAN. I believe these would both
be metric 0, i.e. as fast as can possibly be. In any case, you don't have
any "alternate routing" so there's nothing to choose from. There is only
one way to forward the packet so that it gets to its final destination.
> I'm still unsure about how to get the data to "leap" from one network card
> to another... I guess what I'm asking here is how to setup a PC as a basic
> gateway between subnets.
It really does not "leap". Think of your networking as a collection of
"store and forward" nodes. Each node (host) will accept a packet if it
recognizes its own address(es) as the destination of the packet. Then when
it examines the packet for the "ultimate/final destination" it decides
whether to deliver it to a local (internal software) "port" or forward it
via some other network connection, to another computer. So, if your local
LAN computers address your gateway computer directly, the packets are
accepted and processed there. For example, if you setup an ssh connection
from your desk PC to the gateway PC to get a session for maintenance, etc.
However, if one of your LAN PCs is trying to address an internet computer,
the packet is still sent to your gateway computer (BTW, that LAN PC has to
have the gateway computer defined as the "default route" in its own
routing table), but the gateway computer recognizes that it is for another
network, and passes it on, out to the ISP (and it chooses the interface
from its routing table). Similarly for inbound packets (sort of), except
to really understand that traffic you should read up on NAT (network
address translation). That's probably a topic for later...
Check out a few things... do some reading... get your routing table fixed...
Then come back with specific questions. Someone will likely answer them.
-- Juhan Leemet Logicognosis, Inc.
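
Added example, not part of the original message: a small Python model of the single routing table and the accept-or-forward decision described in the reply above, for a gateway with eth0 on the LAN and eth1 on the ISP side. All addresses are constructed (the 203.0.113.0 network is a documentation range standing in for the ISP's 255.255.255.224 subnet), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the original post).
LOCAL_ADDRS = {
    ipaddress.ip_address("192.168.1.1"),    # eth0, LAN side
    ipaddress.ip_address("203.0.113.10"),   # eth1, ISP side
}

# One table for the whole machine:
# (destination network, gateway or None if directly connected, interface)
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/255.255.255.0"), None, "eth0"),
    (ipaddress.ip_network("203.0.113.0/255.255.255.224"), None, "eth1"),
    # A single default route, pointing at the ISP's router.
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "eth1"),
]


def lookup(dst, routes=ROUTES):
    """Outbound decision: most specific (longest-prefix) route for dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def handle(dst, forwarding=True):
    """What the gateway does with a packet it received that is addressed to dst.

    `forwarding` models whether the host passes on packets that are not its
    own (on Linux this is the net.ipv4.ip_forward sysctl).
    """
    if ipaddress.ip_address(dst) in LOCAL_ADDRS:
        return "deliver locally"
    if not forwarding:
        return "drop (not ours, forwarding disabled)"
    route = lookup(dst)
    if route is None:
        return "drop (no route)"
    _net, gateway, iface = route
    # Directly connected networks are reached without an intermediate gateway.
    next_hop = gateway if gateway is not None else dst
    return f"send out {iface} to {next_hop}"


if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.1.20", "203.0.113.20", "198.51.100.7"):
        print(f"{dst:>14}  ->  {handle(dst)}")
    print(handle("198.51.100.7", forwarding=False))
```

The LAN subnet and the ISP subnet each get a directly connected route on their own interface, and only the default route carries a gateway, which is why the table needs one default route rather than one per card.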