Date:      Mon, 13 Jan 2003 19:21:41 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        John <sephtin@techgodz.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Multiple network cards with IP addresses in the same network
Message-ID:  <3E235815.90605@potentialtech.com>
References:  <20030113114954.GQ1330@anand.org> <3E22B6B4.70401@potentialtech.com> <20030113141031.GA11679@anand.org> <3E22CDA4.4010401@potentialtech.com> <003a01c2bb50$dc9e87f0$be22410a@corporate.amfam.com>

John wrote:
> I'm going to jump in here, because this question was my reason for having
> joined the Freebsd-questions list in the first place.  Of all the time I've
> been running FreeBSD, this is my first post to this list... :P

Welcome.

> I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
> than using the two external interfaces for different services, I would like
> to use two nic's on the external subnet (using the FreeBSD machine as a
> NAT/Firewall) for the following purpose:
> --I would like one interface to be used for external IPF/NAT connectivity
> for my network computers, allowing my network connectivity to my ISP.
> --I would like a second interface to acquire a SECOND ip address to be set
> up as bimap in NAT, to allow a second machine (my workstation) to be the
> only machine to utilize the second external IP.  Similar to being in a DMZ,
> but it would still use an internal address, as well as be subject to the
> firewall rules in IPF.

I don't understand:
a) Why you need 3 NICs to do this?
b) Why you need 3 IPs to do this?
Just put an internal and external IP (2 NICs) and if you have a specific
machine within the network that you want treated specially, write special
ipfw rules for it.  Why the need for 3 IPs/NICs?

> Again, I have read that this is available on Linux.  My searches have shown
> that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
> digress...

That's fine.  I'm sure there are lots of systems that have spiffy (or maybe
not so spiffy) things that you can do that you can't in FreeBSD (or other
spiffy system).

My only question I have is why do you need it?  There are other ways to get
the end result.

> I have tried putting two nics in and having dhclient obtain addresses for
> both on the same subnet.  dhclient will get both addresses (shown in
> dhclient.leases), but fails to assign an ip to the second interface, failing
> with the error "file already exists".  I'm sure this is a different (but
> related) issue.

Sounds very related.

> In my situation, another solution might be to use an alias on a single
> external interface.. only I'm not sure how to get dhclient to obtain the
> second IP address and assign it to the alias, nor how to get IPF to
> recognize the alias'd interface properly.

That sure seems to be beyond what the software was designed to do.  You
could probably write some fancy scripts or something, but I ask my original
question: What are you trying to accomplish in the end?  Because it sure
seems like you're trying to use a wrench to hammer nails.

> Bridging also comes to mind, but I'm not certain that if I bridge the
> interface to my workstation computer it would correctly handle having an
> internal as well as external address (other software application
> complications would arise as well, I'm sure).  That's not my intent anyway,
> so I have not and likely will not pursue bridging as an option.

If you need NAT to get out, then bridging won't work.

> Maybe I should have posted this on a diff. thread?  :P  But I believe the
> resolution to this issue is the same as the originally posted issue.
> Hopefully something will come out of it.

I could be wrong, but I suspect the "resolution" of your problem is to determine
what you want to accomplish, and then use FreeBSD in the manner it was intended
to achieve your goal.

> Thanks,
> John
> Addtn'l info:  I have a FreeBSD 4.7 Stable #2 (updated yesterday).
> 
> ----- Original Message -----
> From: "Bill Moran" <wmoran@potentialtech.com>
> To: "Anand Buddhdev" <arb@anand.org>
> Cc: <questions@freebsd.org>
> Sent: Monday, January 13, 2003 8:31 AM
> Subject: Re: Multiple network cards with IP addresses in the same network
> 
> 
> 
>>Anand Buddhdev wrote:
>>
>>>On Mon, Jan 13, 2003 at 07:53:08AM -0500, Bill Moran wrote:
>>>
>>>
>>>>>I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
>>>>>are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
>>>>>card). I configured the em0 with address 192.168.0.1/24. I then wanted
>>>>>to configure fxp0 with the address 192.168.0.2/24, and also connect it
>>>>>to the switch so that I can connect to the server via both addresses.
>>>>>However, FreeBSD's ifconfig command fails, and won't let me add the second
>>>>>address to the fxp0 interface. I read the manual page about ifconfig,
>>>>>and read about aliases, where it said that for aliases, I must use the
>>>>>netmask /32. When I do try to add the second address with a netmask of
>>>>>/32, it works, but it doesn't make sense to me. How is that interface
>>>>>going to know that it is part of a /24 network if I use a /32 netmask?
>>>>>
>>>>>Would anyone be kind enough to explain why:
>>>>>
>>>>>1. For aliases, I need the /32 mask
>>>>
>>>>I didn't know that you did.  I've certainly had aliases that weren't /32
>>>
>>>I have been using linux for about 2 years now. Let me explain why I
>>>don't understand.
>>
>>Well, first off, I misunderstood your original question.
>>
>>
>>>I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
>>>services on the 2 different IP addresses. In a linux system, I do:
>>>
>>>ifconfig eth0 192.168.0.1 netmask 255.255.255.0
>>>ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0
>>>
>>>So that I have 2 different addresses bound to the same interface.
>>>
>>>On FreeBSD, if I do:
>>>
>>>ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
>>>ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias
>>>
>>>That fails.
>>
>>It should, it creates an ambiguous network situation.
>>Also, I don't understand why you would want to do this.
>>
>>
>>>The ifconfig manpage states that a nonconflicting netmask must be used
>>>for the alias, and suggests to use 0xffffffff. I don't understand why,
>>>because I don't see why one network interface cannot have more than one
>>>address bound to it within the same network. If I use a /32 netmask for
>>>the alias address, how will the kernel respond to arp requests for that
>>>alias address?
>>
>>What would you expect it to do that would be unusual?
>>If you really want two IPs on the same subnet on the same NIC, then use
>>a /32 subnet for one.  What's it going to hurt?
>>
>>
>>>>>2. Adding a second IP to a *different* network card in the same server
>>>>>does not work if the second IP is within the network of the first one.
>>>>
>>>>Because it breaks routing and the basic concept of IP addys and netmasks.
>>>>If you have two NICs on the same network, how is the kernel supposed to
>>>>route packets?
>>>
>>>I still don't understand. In a linux system I can do:
>>>
>>>route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth0
>>>route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth1
>>
>>Just because you can do it on a Linux system doesn't mean it's right.
>>
>>
>>>This adds 2 default routes in the linux kernel, telling it to route
>>>packets to the outside world using either network interface, where eth0
>>>has address 192.168.0.1/24 and eth1 has address 192.168.0.2/24. What's
>>>wrong with that?
>>
>>It's ambiguous.  Where does the kernel route to when there are two possible
>>routes?  There's really no reason for such a thing.
>>
>>
>>>>If you want this setup as a failover solution, there are other ways.
>>>>There's a program in the ports (I can't remember the name, you'll have to
>>>>do some research) that will monitor an interface, and if it becomes non-
>>>>responsive, run a script of your choosing.  Thus, you can have it start
>>>>up the other network card if the first fails.
>>>
>>>Ok, I understand that, and it may be a very useful program, *if* you
>>>want to bring up the other interface with perhaps the same IP address.
>>
>>Well, it's useful for other reasons as well, but it doesn't apply to your
>>situation.  I suggested it because I didn't understand what you were
>>asking before.
>>
>>
>>>All I want to do is to have 2 different IP addresses on each of the
>>>different interfaces in the server, where the addresses are in the
>>>same network. I can do it in linux. Why can't I do it in FreeBSD?
>>
>>Because you shouldn't do it.
>>
>>
>>>>If failover isn't what you're looking for, then I'd reconsider your
>>>>network topology.  It doesn't really make sense to have 2 NICs with the
>>>>same network number in one machine.
>>>
>>>
>>>Why not? I haven't seen any such warning in my IP networking books
>>>or courses.
>>
>>My answer to your question is:
>>1. Why would you WANT to do that?  I don't care if Linux, Windows and everyone
>>    but FreeBSD _allows_ you to, the reason for it escapes me.
>>2. If you really _do_ want to do that, use a /32 netmask as required.  If that
>>    doesn't work for you for some reason, then the answer to your question is
>>    beyond my expertise.
>>
>>--
>>Bill Moran
>>Potential Technologies
>>http://www.potentialtech.com
>>
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-questions" in the body of the message
>>


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
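
Added example, not part of the original message or of FreeBSD: a small audit that reads ifconfig-style output and flags address pairs that fall in the same network with a non-/32 mask, the situation the thread calls ambiguous. It assumes the conflict arises because each such address wants its own connected route for the same prefix; the sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in FreeBSD 4.x ifconfig style (hex netmasks); not from the thread.
SAMPLE = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
\tinet 192.168.0.2 netmask 0xffffffff broadcast 192.168.0.2
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""

IFACE = re.compile(r"^(\w+): flags=")
INET = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Return [(ifname, IPv4Interface)] for every inet line in the output."""
    out, name = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            name = m.group(1)
            continue
        m = INET.match(line)
        if m and name:
            # Convert the hex netmask (e.g. 0xffffff00) to dotted-quad form.
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            out.append((name, ipaddress.IPv4Interface(f"{m.group(1)}/{mask}")))
    return out


def connected_route_conflicts(addrs):
    """Flag address pairs whose non-/32 networks overlap.

    Assumption: a /32 (0xffffffff) alias only needs a host route, so it is
    treated as the "nonconflicting netmask" the ifconfig manpage asks for.
    """
    conflicts = []
    for i, (if_a, a) in enumerate(addrs):
        for if_b, b in addrs[i + 1:]:
            if a.network.prefixlen == 32 or b.network.prefixlen == 32:
                continue
            if a.network.overlaps(b.network):
                conflicts.append((f"{if_a} {a}", f"{if_b} {b}"))
    return conflicts
```

On the sample, the /32 alias on fxp0 passes while fxp0 and fxp1 are reported as both claiming 192.168.0.0/24.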