LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 11-15-2005, 02:57 PM   #1
robadawb
LQ Newbie
 
Registered: Mar 2003
Posts: 14

Rep: Reputation: 0
2 subnets on the same network segment


I'm a network newbie and I need some advice on how to set up my box at work. We currently have two different subnets on the same network segment. One subnet is configured to be behind the firewall while the other is in front. I don't quite understand how this works and perhaps herein lies my question.

I have two network interfaces on my box and I would like to connect each one to each subnet respectively. The subnet behind the firewall uses DHCP. Below are my configuration files for each interface. I believe I used the system-config-network utility to configure both of them.

ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=
ONBOOT=yes
TYPE=Ethernet

ifcfg-eth1:
DEVICE=eth1
HWADDR=
BOOTPROTO=none
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
PEERDNS=yes

With both interfaces active I notice martian packets being logged by the kernel. I considered this normal behavior but didn't know how to tell the kernel not to log these packets. It also made me wonder if I had configured my network incorrectly. This led to other interesting questions.

Shouldn't I have two default gateways? If so, how do I set this up?
If I'm using DHCP to configure one interface how do I override the DNS settings for the other?
Do I set up two host entries in my /etc/hosts file with the same hostname?
How can you have two subnets on the same network segment? Isn't this a security risk?

Would anyone be willing to help me out or point me in the right direction? I know these are a lot of questions that may have already been answered. I'm using Fedora Core 4 with the 2.6.12 kernel.

Cheers,
Rob
 
Old 11-16-2005, 08:35 AM   #2
kbuk
LQ Newbie
 
Registered: Nov 2005
Location: London
Distribution: Debian
Posts: 17

Rep: Reputation: 0
You can run as many subnets over the same wire as you like. There are security issues; a good firewall ruleset can take care of those. You don't want two default gateways unless you know exactly what you're doing. Chances are the internal and external networks will end up going through the same gateway anyway.

Most DHCP clients re-write the /etc/resolv.conf file anyway (so taking care of the DNS issues).

You can put multiple addresses into the /etc/hosts file, but it will only use the first,
e.g.
192.168.0.10 hostname.my.address hostname-192 hostname
10.0.0.10 hostname.my.address hostname-10 hostname

You may need additional routing details, e.g. other routing details.
Typically your DHCP server will provide the gateway, so that can cause problems (how to remove the default gateway that was provided via DHCP); it's probably achieved in if-up.d (not sure how to configure that on Fedora).

Assuming that there are NOT 802.1Q tagged VLANs on the networks involved, your config would be something like
(note I usually use other distros so the exact details may be slightly out)
As both networks are on the same segment (and not tagged) you can access both through the same network card using eth0:0 as the additional network address (substitute eth1 if desired below)
replace bits in <> brackets as appropriate

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
PEERDNS=yes

/etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
IPADDR=<public ip address>
NETMASK=<public netmask>



Quote:
With both interfaces active I notice martian packets being logged by the kernel.
??? please explain / give examples
 
Old 11-16-2005, 09:12 AM   #3
robadawb
LQ Newbie
 
Registered: Mar 2003
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks for the reply, kbuk.

This is from /var/log/messages

Nov 16 08:07:42 eos kernel: martian source 172.16.136.209 from 172.16.136.136, on dev eth1
Nov 16 08:07:47 eos kernel: martian source 172.16.136.255 from 172.16.136.188, on dev eth1
Nov 16 08:07:58 eos kernel: martian source 172.16.136.133 from 172.16.136.79, on dev eth1

eth1 is configured with an ip address in front of the firewall.
eth0 uses the reserved 172.16.136.0/24 behind it.
 
Old 11-16-2005, 09:27 AM   #4
kbuk
LQ Newbie
 
Registered: Nov 2005
Location: London
Distribution: Debian
Posts: 17

Rep: Reputation: 0
google is your friend

http://www.derkeiler.com/Mailing-Lis...3-05/0003.html
http://www.networksecurityarchive.or.../msg00098.html

it's an obviously spoofed packet (most likely from a hacked, or virus filled computer on the local subnet)
 
Old 11-16-2005, 12:39 PM   #5
robadawb
LQ Newbie
 
Registered: Mar 2003
Posts: 14

Original Poster
Rep: Reputation: 0
I don't think so, but only because I now see the same thing on the other interface. Packets from behind the firewall are being logged as martian from the interface in front of the firewall and vice versa. Seems unlikely that packets are being spoofed on both sides considering each subnet is on the same wire and more likely that the kernel *thinks* it's seeing martian packets. But I am a newbie and have to consider I have no idea what I'm talking about.

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 172.16.136.129/24 brd 172.16.136.255 scope global eth0

3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet xxx.xxx.xxx.123/24 brd xxx.xxx.xxx.255 scope global eth1

Nov 16 11:08:16 eos kernel: martian source xxx.xxx.xxx.65 from xxx.xxx.xxx.1, on dev eth0
Nov 16 11:08:11 eos kernel: martian source 172.16.136.238 from 172.16.136.133, on dev eth1
 
Old 11-16-2005, 03:42 PM   #6
robadawb
LQ Newbie
 
Registered: Mar 2003
Posts: 14

Original Poster
Rep: Reputation: 0
http://www.absoluteastronomy.com/enc...ian_packet.htm

Quote:
Martian packets can arise from network equipment malfunction, misconfiguration of a host, or simple coexistence of two logical networks on a single physical layer. For instance, if the IP networks 192.168.34.0/24 and 10.2.3.0/24 operate on the same Ethernet segment, packets from 10.2.3.4 are Martians to the computer at 192.168.34.9, and vice versa.
Well, at least now I know I'm not crazy.
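The log lines in this thread and the quoted explanation can be reproduced with a small model of the kernel's strict reverse-path filter (rp_filter=1): a packet is treated as martian when the route back to its source address does not leave through the interface it arrived on. The script below is an added example, not code from the thread or from any distribution; it is a simplified model (the real kernel also rejects loopback, zero and other reserved sources, which is not modelled here). It evaluates the thread's own log lines against the two-NIC layout robadawb described and against kbuk's single-card eth0 + eth0:0 layout. The public prefix that was masked as xxx.xxx.xxx in the posts is replaced by the documentation range 192.0.2.0/24, and the 10.9.8.7 line is constructed to show a source that the two-subnet explanation does not account for.

```python
import ipaddress
import re

# Route tables for the two layouts discussed in the thread (constructed).
# 192.0.2.0/24 stands in for the masked public prefix (an assumption).
TWO_NICS = [
    (ipaddress.ip_network("172.16.136.0/24"), "eth0"),   # behind the firewall
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),      # in front of it
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),         # default route
]
ONE_NIC = [
    (ipaddress.ip_network("172.16.136.0/24"), "eth0"),   # primary address
    (ipaddress.ip_network("192.0.2.0/24"), "eth0"),      # eth0:0 alias, same device
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

# Log lines taken from the thread (placeholders substituted) plus one constructed line.
SAMPLE_LOG = [
    "Nov 16 08:07:42 eos kernel: martian source 172.16.136.209 from 172.16.136.136, on dev eth1",
    "Nov 16 08:07:47 eos kernel: martian source 172.16.136.255 from 172.16.136.188, on dev eth1",
    "Nov 16 11:08:16 eos kernel: martian source 192.0.2.65 from 192.0.2.1, on dev eth0",
    "Nov 16 11:09:00 eos kernel: martian source 172.16.136.129 from 10.9.8.7, on dev eth0",  # constructed
    "Nov 16 11:09:01 eos kernel: eth0: link is up",  # not a martian line
]

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def parse_martian(line):
    """Extract (dst, src, dev) from a 'martian source' kernel log line, else None."""
    m = MARTIAN_RE.search(line)
    if m is None:
        return None
    dst, src, dev = m.groups()
    return ipaddress.ip_address(dst), ipaddress.ip_address(src), dev


def reverse_path(src, routes):
    """Longest-prefix match: the (network, device) the kernel would use to reach src."""
    best = None
    for net, dev in routes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def strict_rp_filter(src, dev, routes):
    """Model of rp_filter=1: the packet passes only if the route back to its
    source leaves through the interface it arrived on."""
    best = reverse_path(ipaddress.ip_address(src), routes)
    return best is not None and best[1] == dev


def explain(line, routes):
    """Classify one logged martian under the given route table."""
    parsed = parse_martian(line)
    if parsed is None:
        return "not-a-martian-log-line"
    _dst, src, dev = parsed
    best = reverse_path(src, routes)
    if best is None:
        return "no-route-to-source"
    net, back = best
    if back == dev:
        return "passes-rp-filter"
    if net.prefixlen > 0:
        # The source sits in a subnet that is directly connected on another
        # interface: the "two logical networks on one wire" case.
        return f"coexisting-subnet-on-{back}"
    # Only the default route matches: the source is not one of our subnets,
    # yet arrived on an interface the kernel would not use to reach it.
    return f"unexpected-default-route-on-{back}"


def explain_all(lines, routes):
    """Run the classifier over a list of log lines."""
    return [explain(line, routes) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, explain_all(SAMPLE_LOG, TWO_NICS)):
        print(f"{verdict:35s} {line}")
    # Under the single-card layout every source above lives on eth0's routes,
    # so the same packets, now arriving on eth0, pass the reverse-path check.
    for src in ("172.16.136.136", "192.0.2.1"):
        print(src, "on eth0 with eth0:0 alias ->", strict_rp_filter(src, "eth0", ONE_NIC))
```

The two-NIC run labels the thread's lines coexisting-subnet-on-eth0 and coexisting-subnet-on-eth1, which is exactly the symmetric behaviour robadawb observed, while the constructed 10.9.8.7 line comes out as unexpected-default-route-on-eth1, the kind of entry still worth looking at (a spoofed or misrouted source, as kbuk suggested). Under kbuk's single-card layout both connected routes sit on eth0, so the check passes and the log goes quiet. On Linux the two relevant knobs are net.ipv4.conf.<dev>.rp_filter (whether such packets are dropped) and net.ipv4.conf.<dev>.log_martians (whether they are logged); turning off log_martians only hides the symptom, whereas putting both subnets on one device removes the cause.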
 