LinuxQuestions.org
Old 12-21-2015, 10:15 PM   #1
wizbit
LQ Newbie
 
Registered: Feb 2011
Posts: 5

Rep: Reputation: 0
routing traffic through eth0 and eth1


I am running Slackware 14.1. My server has 2x NICs. 1 Internal, and 1 PCI card.
Both NICs are connected to my switch, which is connected to pfSense.

I would like to use eth1 for p2p torrent incoming and outgoing traffic and the rest of the server traffic to use eth0. At the moment all traffic seems to be pumping out of eth1?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.23.1.254     0.0.0.0         UG    202    0        0 eth1
0.0.0.0         10.23.1.254     0.0.0.0         UG    203    0        0 eth0
10.23.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.23.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.23.1.0       0.0.0.0         255.255.255.0   U     202    0        0 eth1
10.23.1.0       0.0.0.0         255.255.255.0   U     203    0        0 eth0
10.23.1.30      127.0.0.1       255.255.255.255 UGH   203    0        0 lo
10.23.1.31      127.0.0.1       255.255.255.255 UGH   202    0        0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

Also, I think there is a problem with ARP as the 2x different NIC MAC addresses are not showing on pfSense, 1 MAC address is used for both IPs?
 
Old 12-22-2015, 01:43 AM   #2
StreamThreader
Member
 
Registered: Mar 2012
Location: Ukraine/Odesa
Distribution: Slackware
Posts: 152

Rep: Reputation: 64
Maybe you need to try iptables connmark and policy routing.

Quote:
Also, I think there is a problem with ARP as the 2x different NIC MAC addresses are not showing on pfSense, 1 MAC address is used for both IPs?
You have two different NICs with two IPs, 10.23.1.30 and 10.23.1.31, so you use different MACs (unless you manually set one MAC for the two NICs). You can view the MACs with the command: "ip link show | grep ether".

Last edited by StreamThreader; 12-22-2015 at 01:54 AM.
 
1 members found this post helpful.
Old 12-22-2015, 12:40 PM   #3
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Rep: Reputation: 273
ARP Flux

You may want to investigate ARP Flux - non-deterministic population of the ARP cache.

I was quite surprised a few years ago when I learned that Linux by default uses (what some call) a host based ARP instead of only using the MAC of each individual physical port. I tested and verified that this characteristic was indeed the cause of the problems I was experiencing with the netfilter package at the time.

My software is a few years old so I'm not sure if the latest versions still default to this behavior.

Here are a couple of articles on it.

http://linux-ip.net/html/ether-arp.html#ether-arp-flux/
See section 2.1.4. The ARP Flux Problem

http://robertlathanh.com/2009/08/two...ux-arp_filter/

And an overview of ARP.
http://www.erg.abdn.ac.uk/users/gorr...pages/arp.html

Also see ...
man arp
man arping

Others may have better or more recent articles on this subject.

Last edited by TracyTiger; 12-22-2015 at 12:41 PM. Reason: Added Title
 
2 members found this post helpful.
Old 12-22-2015, 09:00 PM   #4
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Quote:
Originally Posted by wizbit
I am running Slackware 14.1. My server has 2x NICs. 1 Internal, and 1 PCI card.
Both NICs are connected to my switch, which is connected to pfSense.

I would like to use eth1 for p2p torrent incoming and outgoing traffic and the rest of the server traffic to use eth0. At the moment all traffic seems to be pumping out of eth1?
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.23.1.254     0.0.0.0         UG    202    0        0 eth1
0.0.0.0         10.23.1.254     0.0.0.0         UG    203    0        0 eth0
10.23.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.23.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.23.1.0       0.0.0.0         255.255.255.0   U     202    0        0 eth1
10.23.1.0       0.0.0.0         255.255.255.0   U     203    0        0 eth0
10.23.1.30      127.0.0.1       255.255.255.255 UGH   203    0        0 lo
10.23.1.31      127.0.0.1       255.255.255.255 UGH   202    0        0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
Also, I think there is a problem with ARP as the 2x different NIC MAC addresses are not showing on pfSense, 1 MAC address is used for both IPs?
If both cards are connected to the same switch, I'm not sure what you intend to gain by the split.
 
Old 12-24-2015, 02:21 PM   #5
wizbit
LQ Newbie
 
Registered: Feb 2011
Posts: 5

Original Poster
Rep: Reputation: 0
It doesn't matter if both NICs are connected to the same switch. I would like the NICs to appear as different devices on the network, 1 ip with eth0 MAC address and 2nd ip with eth1 MAC address. At the moment all outbound traffic gets pumped through eth1 using eth1 MAC address. Ideally I would like this to happen:

NIC 1 eth0 using NIC 1 MAC Address > 10.23.1.30 > all services bound to 10.23.1.30 > all outbound and inbound traffic using NIC 1

NIC 2 eth1 using NIC 2 MAC Address > 10.23.1.31 > rtorrent bound to 10.23.31 > all outbound and inbound traffic using NIC 2

So when I do an arp table on pfSense, I can see both IPs using the correct MAC addresses (nothing duplicated).

I can then apply firewall rules to 10.23.31 if the traffic is flowing correctly.
 
Old 12-27-2015, 10:22 PM   #6
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Quote:
Originally Posted by wizbit
It doesn't matter if both NICs are connected to the same switch. I would like the NICs to appear as different devices on the network, 1 ip with eth0 MAC address and 2nd ip with eth1 MAC address. At the moment all outbound traffic gets pumped through eth1 using eth1 MAC address. Ideally I would like this to happen:

NIC 1 eth0 using NIC 1 MAC Address > 10.23.1.30 > all services bound to 10.23.1.30 > all outbound and inbound traffic using NIC 1

NIC 2 eth1 using NIC 2 MAC Address > 10.23.1.31 > rtorrent bound to 10.23.31 > all outbound and inbound traffic using NIC 2

So when I do an arp table on pfSense, I can see both IPs using the correct MAC addresses (nothing duplicated).

I can then apply firewall rules to 10.23.31 if the traffic is flowing correctly.
If they are both using the same switch, you may as well use vlans.

But, according to the articles TracyTiger provided, putting...
Code:
for x in eth0 eth1; do
    echo "1" > /proc/sys/net/ipv4/conf/$x/arp_filter
done
...into /etc/rc.d/rc.local should do the trick for you.

You can run the individual commands as root and see if your arp cache is correct afterwards.

(http://robertlathanh.com/2009/08/two...ux-arp_filter/ also discusses the matter, but he says pretty much the same things as TracyTiger's links tell you.)
 
1 members found this post helpful.
Old 12-28-2015, 08:28 PM   #7
wizbit
LQ Newbie
 
Registered: Feb 2011
Posts: 5

Original Poster
Rep: Reputation: 0
Excellent, thank you all for the replies.

Have now fixed the problem by making eth0 and eth1 use static IP rather than use dhcpd to grab IP. Now the default route is eth0. If rtorrent listens on eth1 IP, pfSense now sees the correct IP so I can now apply firewall rules to it.

I also added this to /etc/sysctl.conf

net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth1.arp_filter = 1
 
Old 04-29-2017, 04:50 PM   #8
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Rep: Reputation: 273
Year 2017 ARP Flux Update

This thread is more than 1 year old but I have additional information that may be helpful for anyone finding this thread in a search and needing control over packets on a hardware interface basis.

Summary: Make sure the kernel parameter rp_filter is set to 0 when configuring to eliminate ARP Flux. [ /proc/sys/net/ipv4/conf/*/rp_filter = 0 (default) ]

----------

On Slackware64-14.2 the ARP Flux issue came up for me on a new server build this week. I found my solution from years ago no longer worked and that one setting was critical to the solution.

This week I solved the problem (eliminated ARP flux) by using the four following kernel settings ...

Quote:
/proc/sys/net/ipv4/conf/*/arp_ignore = 2
/proc/sys/net/ipv4/conf/*/arp_announce = 1
/proc/sys/net/ipv4/conf/*/arp_filter = 0 (default)
/proc/sys/net/ipv4/conf/*/rp_filter = 0 (default)

* represents any of default, all, eth0, eth1, etc or a shell wildcard in a script
In researching my problem I found the information on these settings in this 2014 article.

The key for me was to have rp_filter=0. In the past part of my firewall rules always had this feature turned on (1). Apparently the ARP flux "fix" I used long ago no longer works with rp_filter enabled.

The author of the article linked above writes ...

Quote:
Now, on older kernels (2.4 and earlier), that was enough. But on newer kernels, an additional change is necessary due to the changes in how rp_filter is handled. So this would apply to kernels starting at 2.6 and onward through the current 3.x versions. So to make this work on 2.6+ kernels, we set the additional rp_filter value:
Code:
$ sysctl -w net.ipv4.conf.all.rp_filter=0
Other settings for the other features (arp_ignore, arp_announce, arp_filter) may also work as long as rp_filter is disabled (0). For example others have suggested arp_ignore=1 and arp_announce=2. Simply having rp_filter=0 and arp_filter=1 may also work. I have not yet experimented with the characteristics of these other combinations as I had a server to put online right away and my firewall rules were then working correctly. The settings you need will depend upon your networking goals.

Short descriptions of these settings can be found on your Slackware machine at /usr/src/linux/Documentation/networking/ip-sysctl.txt.

I originally started enabling the rp_filter feature years ago on simple linux based routers that I set up which involved packet forwarding. This rp_filter feature to prevent spoofed packets (route/source verification) is probably not needed on a non-forwarding host so most people would probably have it disabled and not encounter the obstacle to the ARP flux solution that I did this week. But I'm posting this information in case it may be useful to someone.

Last edited by TracyTiger; 04-29-2017 at 04:57 PM. Reason: A couple of typos.
 
6 members found this post helpful.
Old 11-03-2017, 06:40 PM   #9
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,634

Rep: Reputation: 929
@TracyTiger

Interesting update, thanks! Until now I kept the following code in my sample firewall script for those very rare occasions where I have several ethernet adapters on the same system connected (configured) on the same subnet:

Code:
# Turn on reverse-path filtering for all interfaces if the knob is readable
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Enabling rp_filter"
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
fi
Changed it now to:

Code:
echo "Mitigating ARP Flux"
echo 2 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/all/arp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
According to:
https://www.kernel.org/doc/Documenta.../ip-sysctl.txt
-it is ok to use both arp_ignore & arp_announce, depending on the circumstance
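
An added example, not code from any poster in this thread: a POSIX shell check of the four settings listed in post #8. It relies on the kernel's ip-sysctl documentation, under which the value applied on an interface is the larger of conf/all and conf/<interface>, so writing 0 only under conf/all leaves a per-interface rp_filter=1 in force. CONF_ROOT and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the effective ARP-flux-related settings per interface.
# CONF_ROOT (hypothetical name) can point at a copied tree instead of /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the integer stored in a sysctl file, or 0 if it is unreadable.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# effective_value IFACE KNOB -> max(conf/all/KNOB, conf/IFACE/KNOB)
effective_value() {
    a=$(read_knob "$CONF_ROOT/all/$2")
    i=$(read_knob "$CONF_ROOT/$1/$2")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# check_iface IFACE: compare effective values with the settings in post #8.
# Prints one line per mismatch; returns 0 if all four match, 1 otherwise.
check_iface() {
    rc=0
    for want in arp_ignore=2 arp_announce=1 arp_filter=0 rp_filter=0; do
        knob=${want%%=*}
        target=${want#*=}
        got=$(effective_value "$1" "$knob")
        if [ "$got" != "$target" ]; then
            echo "$1: $knob effective=$got, expected=$target"
            rc=1
        fi
    done
    return $rc
}

# audit_all: check every interface directory except all, default and lo.
audit_all() {
    bad=0
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case "$iface" in all|default|lo) continue ;; esac
        check_iface "$iface" || bad=1
    done
    return $bad
}
```

Source the file and call audit_all; a non-zero return means at least one interface deviates from the four values.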
 
  

