LinuxQuestions.org
#1 tokehs (LQ Newbie, Fedora Core 2), 08-26-2004, 02:28 PM

TRTP - Tricky Routing Task Problem


I am trying to configure the following setup:

FC2 server with 2 NICs
Cisco firewall
255.255.255.248 Internet address pool with one address designated for this server
192.168.XX.0 internal network

One of the NICs should be designated to internal traffic and I assigned an IP of 192.168.20.8/255.255.255.0. The other one should be designated to external traffic, but since the Cisco firewall is routing all traffic to specific addresses in the internal network it has to have an internal address as well and cannot have the designated address from the pool. So it got 192.168.20.46. The Cisco thing is forwarding all packets for the external address to 192.168.20.46. So far so good. I have set up one route to net 192.168.20.0 for the first (internal) card in order to have all internal traffic on this interface. Works. I tried several different routing settings as well as standard gateways for the other, but I simply don't get it right. Works not, very not!

Please help me out of this routing disaster.

THX
 
#2 TreeHugger (Member), 08-26-2004, 03:34 PM
Why don't you post your NIC config files and the results of route -n and ifconfig -a? Not that I'll know what the problem is, but someone else might, and I can see why mine's messed up too.
 
#3 chort (Senior Member), 08-26-2004, 04:11 PM
Why don't you start by explaining your network topology? It's very unclear what you're using the two separate network cards for. Are both NICs plugged into the same switch? If not, is one NIC plugged into your Internet router and one NIC plugged into something else? Where is the firewall in relation to both NICs (between your router and the server, or something else)? Why are you using two NICs to begin with (what problem are you trying to solve)?
 
#4 tokehs (original poster), 08-27-2004, 02:52 AM
I should have thought that this weird configuration is not only confusing me ;-)... OK, I will try to explain it more clearly and start with answering your questions:

Network topology: Internally we have a 192.168.20.0 network with different servers (W2K, Domino, FC2 (the one we are talking about)), a switch, and a Cisco firewall box. Externally we are provided with an address pool of 8 IPs, giving an (external) network with 6 usable addresses (I think).

Switch: Both NICs are plugged into the same switch and are both within the 192.168.20.0 network, since I have no possibility to connect one directly to the firewall.

Firewall: The firewall is also connected to the switch on the internal side and is within the 192.168.20.0 network, and to the provider's cable modem on the external side. It is forwarding all traffic for one of the six IPs to an internal address/NIC (eth0 of my server) via the switch it is connected to.

2 NICs: One NIC (eth1) should solely be responsible for internal traffic on the 192.168.20.0 network in order to make the server available to clients from the internal network. The other NIC (eth0) should actually have been connected to the Internet (the provider's modem) directly, but the company's security guidelines prohibit that. So it got a 192.168.20.0 network address as well. The reason I am using two NICs is, in the first place, the idea to spread the load of internal and external traffic over two interfaces, and secondly to have different services available for internal and external users (which could also be established with one, I know, but it seemed easier to, for example, turn off one interface and have a service that is usually used by both internal and external users still available for just one of the user groups), and last but not least the server was originally not meant to sit behind a firewall but to be connected to the Internet directly with one interface.

Which leads me to my confused situation... I don't want to reconfigure the whole machine to just use one interface, since besides the work it would also bring along a lot of problems in turning services on and off for internal and external users. So what I am trying to establish is the state that was originally intended, with the problem that I have both NICs and the firewall within the same network (192.168.20.0).
It is clear to me how the routing of the (internal) eth1 is set up, namely to 192.168.20.0, but I am absolutely confused about the routing of the (external) eth0. Is the firewall the default gateway for eth0? And if so, what is the default gateway for eth1? Should the routing of this NIC be set to the internal address of the firewall...? I tried some configurations, but in the end I always end up with some name resolution problems (one machine and two NICs in the same network), or with all traffic on one interface, or with no traffic at all; anyway it does not work because I don't get the routing right.

I hope that this made it a bit clearer, and I appreciate your help on this one!

Regards tokehs
 
#5 r0b0 (Member), 08-27-2004, 06:01 AM
I think you have a little misconception in your head. There is no such thing as a default gateway for an interface. There can be only one default gateway for one server.
So I suggest you set up your routing like this (say the internal IP of your firewall is 192.168.20.1):

route packets to 192.168.20.1/32 via eth0
route packets for 192.168.20.0/24 via eth1
route packets to 0.0.0.0/0 (default) to 192.168.20.1 via eth0

I never remember the exact syntax of the route command off the top of my head, but I hope you get the idea.

Robert
 
#6 chort (Senior Member), 08-27-2004, 11:56 AM
You cannot have two NICs on the same switch and the same subnet, unless you're using interface bonding. The only reason to use interface bonding is if you're maxing out the bandwidth of a single interface, but it doesn't sound like that's happening at all.

If one NIC is supposed to be for external services, you need to get it connected to a different switch, preferably one that hangs off of a separate firewall interface in a DMZ configuration. If both NICs are on the same subnet and behind the firewall, there's no way to prevent internal users from connecting to the services running on the "external" NIC (which is actually an internal IP that has a static outside NAT on the firewall).

If it's not possible to physically connect one of the NICs to a different switch on a different net, then you can achieve exactly what you want by simply adding an IP alias to your existing interface (just remove the second card or turn it off). Your external services can all be NAT'd to one IP on the interface and you can bind your "external" services only to that IP. Your internal services will be configured to bind to the other IP. There's no way for an external user to connect to the internal service, even though they're running on the same physical interface, because the firewall is forcing them to the other IP.
 
#7 tokehs (original poster), 08-27-2004, 05:24 PM
Thank you all for your input. I think I can get on now, besides one more question that comes to my mind:

Is the switch the problem or the network? Would it be possible to have the traffic of two different networks on one switch? Because if so, I would start my own 192.168. net and just reconfigure the firewall.

If not, then I have just the option with the virtual NIC left...

Thanks and regards

tokehs
 
#8 chort (Senior Member), 08-27-2004, 06:10 PM
It may or may not work if you put one NIC on a separate network (but on the same switch). If they're on the same switch you might get weird ARP situations with both NICs offering access to the same IP. There's really no point to that anyway, since it doesn't offer any benefits over just adding an IP alias to the primary NIC.

Last edited by chort; 08-27-2004 at 06:11 PM.
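The routing r0b0 sketches in #5, written out as Linux ip(8) commands, plus the ARP sysctls that address the "weird ARP situations" chort mentions in #8. This is an added example, not code posted in the thread; it assumes the firewall's internal address is 192.168.20.1 (r0b0's "say"), that eth0 is the "external" NIC (192.168.20.46) and eth1 the internal NIC (192.168.20.8), both configured with a /24 mask as in #1 and #4.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: firewall 192.168.20.1,
# eth0 = "external" NIC (192.168.20.46/24), eth1 = internal NIC (192.168.20.8/24).
FW=192.168.20.1
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.20.0/24

# Print the commands in the order they must run; nothing is executed here,
# so the plan can be reviewed (or tested) without root.
plan_routes() {
    # Both NICs carry a 192.168.20.0/24 address, so the kernel installs a
    # connected /24 route on each; drop the one on eth0 so LAN traffic
    # leaves only through eth1 (r0b0's second rule).
    echo "ip route del $LAN dev $EXT_IF"
    # Host route to the firewall through eth0 (r0b0's first rule). It must
    # exist before the default route, otherwise the kernel rejects the
    # default route's nexthop as unreachable on eth0.
    echo "ip route add $FW/32 dev $EXT_IF"
    # Default route via the firewall, pinned to eth0 (r0b0's third rule).
    echo "ip route replace default via $FW dev $EXT_IF"
    # Two NICs on one broadcast domain: by default Linux answers ARP for any
    # local address on any interface, so eth1 could claim 192.168.20.46.
    # arp_ignore=1 answers only for addresses configured on the receiving
    # interface; arp_announce=2 picks the best local source for requests.
    echo "sysctl -w net.ipv4.conf.all.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.all.arp_announce=2"
}

# Execute the plan (needs root and the real interfaces).
apply_routes() {
    plan_routes | sh -e
}

# Ordering check: the firewall host route must precede the default route.
# Returns 0 when the plan is in the right order.
check_plan_order() {
    plan_routes | awk -v fw="$FW/32" '
        /^ip route add/ && index($0, fw) { host = NR }
        /^ip route replace default/      { def = NR }
        END { exit !(host && def && host < def) }'
}
```

Run plan_routes to review and apply_routes as root; chort's point in #6 still stands, since both NICs remain on the internal subnet and internal users can reach the "external" services.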