LinuxQuestions.org
Old 12-09-2013, 04:15 PM   #1
mbvo
Member
 
Registered: May 2006
Location: the land of confusion
Distribution: slackware-current
Posts: 220

Rep: Reputation: 31
1 server, 2 nics, 2 networks


I've got a CentOS 6.4 x64 on a server that I'm trying to put 2 networks on. The eth0 is accessible from outside, but eth1 is only accessible from servers on the same network. Here are the routes, interfaces and iptables:

Code:
[root@server1 ~]# route -nee|grep -v UH
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
10.0.16.0       0.0.0.0         255.255.255.252 U     0      0        0 tun16    0     0      0
bbb.bbb.96.0     bbb.bbb.111.254  255.255.240.0   UG    0      0        0 eth1     0     0      0
bbb.bbb.96.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1     0     0      0
aaa.aaa.0.0     0.0.0.0         255.255.224.0   U     0      0        0 eth0     0     0      0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0     0     0      0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1     0     0      0
0.0.0.0         aaa.aaa.31.254  0.0.0.0         UG    0      0        0 eth0     0     0      0
[root@server1  ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:25:90:AE:B0:1D
          inet addr:aaa.aaa.20.1  Bcast:aaa.aaa.31.255  Mask:255.255.224.0
          inet6 addr: fe80::225:90ff:feae:b01d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3074444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2915178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:304369712 (290.2 MiB)  TX bytes:980942806 (935.4 MiB)
          Interrupt:20 Memory:dfa00000-dfa20000

[root@server1 ~]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:25:90:AE:B0:1C
          inet addr:bbb.bbb.100.239  Bcast:bbb.bbb.111.255  Mask:255.255.240.0
          inet6 addr: fe80::225:90ff:feae:b01c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5212839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2677 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1039049399 (990.9 MiB)  TX bytes:113766 (111.0 KiB)
          Interrupt:16 Memory:df900000-df920000
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Does anyone know how to do this?

Both of these networks have gateways and can be accessed from the internet. But on this server only, the IP on eth1 can't be reached from outside of its network while all the IPs on eth0 can.
 
Old 12-10-2013, 01:52 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,339

Rep: Reputation: Disabled
The reason Internet clients can't reach the server via the 2nd network has to do with the routing table on the server. Specifically, the default route (gateway).

Since the default route points to the gateway router in network "a", any replies to non-local clients will be sent to that gateway. This will work fine as long as that gateway actually knows how to reach the client in question, but will fail if a client can only be reached via the gateway in network "b".

You might think that hosts on the Internet shouldn't be affected by this, since they can in theory be reached using either Internet connection. Unfortunately, NAT and/or firewalls get in the way:
  • If the Internet routers are performing NAT (which they probably are), clients aren't actually connecting to your server, but to the external IP address of the gateway router which then forwards the relevant port/protocol to the server. Replies have to be sent through the same NAT router for this to work.
  • Even if NAT is not involved, a stateful firewall on the router on network "a" may still be reluctant to forward reply packets for which it has no matching session in its connection tracking table.
To fix this, you'll have to create a second routing table on the server with the router on the "b" network as a default gateway, and then use IP rules to make sure all traffic with a source address of "bbb.bbb.100.239" is processed by that table.

Alternatively, you could make the router on the "b" network do source NAT overloading ("masquerading") on all traffic going to the server. That way, incoming traffic from the Internet will appear to originate from the router itself, which has an IP address in a local, connected network.
 
1 members found this post helpful.
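The second routing table and source rule described in the post above, written out as an added example (this is not code from the thread or from any of its participants). It uses the placeholder addresses from the original post's ifconfig and route output; the table id 100 and the 198.51.100.1 test destination are assumptions. The script prints the ip(8) commands by default so they can be reviewed first, and runs them only with APPLY=1:

```shell
#!/bin/sh
# Added example, not code from the thread. Source-based policy routing: replies
# sent from eth1's own address leave through network "b"'s gateway, while the
# main table keeps eth0's default route. The addresses are the placeholders
# from the original post; the routing table id 100 is an assumption.
set -eu

B_IF=eth1
B_ADDR=bbb.bbb.100.239   # eth1 address from the ifconfig output
B_NET=bbb.bbb.96.0/20    # eth1's connected network (mask 255.255.240.0)
B_GW=bbb.bbb.111.254     # network "b" gateway from the route table
B_TABLE=100              # secondary routing table (assumed id)

# Print the ip(8) commands instead of running them, so the plan can be
# reviewed without root or the real NICs; set APPLY=1 to execute them.
policy_route_cmds() {
    if_=$1 addr=$2 net=$3 gw=$4 table=$5
    # The connected network goes into the table as well; without it the
    # table's default route cannot resolve the gateway.
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$if_" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$if_" "$table"
    # Only packets sourced from eth1's address consult the table; everything
    # else falls through to the main table and eth0's default route, so no
    # second default route is needed in the main table.
    printf 'ip rule add from %s/32 lookup %s\n' "$addr" "$table"
    printf 'ip route flush cache\n'   # the 2.6.32 kernel of CentOS 6 still has a route cache
}

# Commands that show what the kernel will actually do afterwards. The
# 'ip route get' line must answer 'via <gw> dev eth1'; 'dev eth0' means the
# rule is missing or a conflicting rule has higher priority.
verify_cmds() {
    if_=$1 addr=$2 table=$3
    printf 'ip rule show\n'
    printf 'ip route show table %s\n' "$table"
    printf 'ip route get 198.51.100.1 from %s\n' "$addr"   # 198.51.100.1: assumed test destination
    # Strict reverse-path filtering (rp_filter=1, the CentOS 6 default) drops
    # inbound packets on eth1 whose reverse lookup points at eth0. The source
    # rule above also steers that reverse lookup into the table, so it should
    # pass; if packets still vanish, log martians before loosening rp_filter to 2.
    printf 'sysctl net.ipv4.conf.%s.rp_filter net.ipv4.conf.%s.log_martians\n' "$if_" "$if_"
}

if [ "${APPLY:-0}" = 1 ]; then
    policy_route_cmds "$B_IF" "$B_ADDR" "$B_NET" "$B_GW" "$B_TABLE" | sh -e
else
    policy_route_cmds "$B_IF" "$B_ADDR" "$B_NET" "$B_GW" "$B_TABLE"
    verify_cmds "$B_IF" "$B_ADDR" "$B_TABLE"
fi
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. Everything done with ip(8) this way is lost at reboot; on CentOS 6 it has to be persisted in the network-scripts route-/rule- files as well.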
Old 12-10-2013, 01:54 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
A second routing table? He just needs to add routes to the relevant internal networks to go via the "b" router.
 
1 members found this post helpful.
Old 12-10-2013, 02:01 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,339

Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
A second routing table? He just needs to add routes to the relevant internal networks to go via the "b" router.
He did say that both networks were connected to the Internet, but you're right that he didn't specifically say he wanted the server to be reachable from the Internet using the Internet connection in network "b".

If the problem is related solely to internal networks behind the router in network "b" then yes, adding entries for these networks to the routing table is all that's needed.
 
Old 12-10-2013, 07:48 AM   #5
mbvo
Member
 
Registered: May 2006
Location: the land of confusion
Distribution: slackware-current
Posts: 220

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by Ser Olmy View Post
He did say that both networks were connected to the Internet, but you're right that he didn't specifically say he wanted the server to be reachable from the Internet using the Internet connection in network "b".

If the problem is related solely to internal networks behind the router in network "b" then yes, adding entries for these networks to the routing table is all that's needed.
Both networks a and b need to be reachable from the internet. It appears that only one or the other can be accessed from outside its own network depending on the default gateway. Is there a way to set up the routing table so that there are 2 gateways, but no default gateway?
 
Old 12-10-2013, 07:54 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
I think you really need to describe in much more detail what you specifically want to achieve. Whilst it's technically possible to reach a single server directly from two different internet entry points, it's VERY uncommon and pretty horrible a thing to do in any direction.
 
Old 12-10-2013, 08:24 AM   #7
mbvo
Member
 
Registered: May 2006
Location: the land of confusion
Distribution: slackware-current
Posts: 220

Original Poster
Rep: Reputation: 31
Thanks for both of your help. After realizing that I need 2 default gateways and 2 routing tables I did a little more Googling and found this article:

http://kindlund.wordpress.com/2007/1...utes-in-linux/

The server is online and accessible correctly on both networks.
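Making the second-table setup survive a reboot, as an added example (this is not the OP's configuration, and the article the OP linked is not reproduced on this page). It writes the CentOS 6 initscripts files that ifup-routes feeds to 'ip route add' and 'ip rule add' when the interface comes up, and assumes the interface is managed by the network service rather than NetworkManager. The table id 100 and the name "uplinkb" are assumptions; the addresses are the thread's placeholders. Given a scratch directory instead of "/" it only previews the files:

```shell
#!/bin/sh
# Added example, not the OP's configuration. Makes the second-table setup
# survive a reboot on CentOS 6 via the initscripts route-<if> and rule-<if>
# files that ifup-routes feeds to 'ip route add' / 'ip rule add'. Table id
# 100 and name "uplinkb" are assumptions; addresses are the thread's placeholders.
set -eu

B_IF=eth1
B_ADDR=bbb.bbb.100.239
B_NET=bbb.bbb.96.0/20
B_GW=bbb.bbb.111.254
B_TABLE_ID=100
B_TABLE_NAME=uplinkb

# $1 is the filesystem root to write under: "/" on the real server, or a
# scratch directory to preview the generated files first.
write_policy_routing() {
    root=${1%/}
    if_=$2 addr=$3 net=$4 gw=$5 id=$6 name=$7
    scripts=$root/etc/sysconfig/network-scripts
    mkdir -p "$root/etc/iproute2" "$scripts"

    # Name the table so 'ip rule show' / 'ip route show table' stay readable.
    # Append only if absent, so re-running is idempotent.
    rt=$root/etc/iproute2/rt_tables
    touch "$rt"
    grep -Eq "^$id[[:space:]]+$name\$" "$rt" || printf '%s\t%s\n' "$id" "$name" >> "$rt"

    # route-eth1: one 'ip route add' argument list per line. The connected
    # network is repeated in the table so the default route can resolve $gw.
    cat > "$scripts/route-$if_" <<EOF
$net dev $if_ src $addr table $name
default via $gw dev $if_ table $name
EOF

    # rule-eth1: one 'ip rule add' argument list per line. Only traffic
    # sourced from eth1's address is steered into the table; the main table
    # and eth0's default gateway are untouched.
    cat > "$scripts/rule-$if_" <<EOF
from $addr/32 lookup $name
EOF
}

# usage: sh this.sh /           (write for real, then 'ifdown eth1; ifup eth1')
#        sh this.sh /tmp/stage  (preview: inspect /tmp/stage/etc/... first)
if [ $# -gt 0 ]; then
    write_policy_routing "$1" "$B_IF" "$B_ADDR" "$B_NET" "$B_GW" "$B_TABLE_ID" "$B_TABLE_NAME"
fi
```

After 'ifup eth1', 'ip rule show' should list the from-rule and 'ip route show table uplinkb' the two routes; if they are absent, check that ifcfg-eth1 has NM_CONTROLLED=no, since the rule- file is applied by the initscripts path.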
 
Old 12-10-2013, 08:56 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
I very very much doubt you do need two default gateways, and there were much more conventional ways to do what you want, but either way, working is working.
 
  

