# [SOLVED] 4 networks, 4 nics, 1 host. Does not work properly

## RioFL

I can do the elementary networking stuff well but am lost when it comes to setting this up. What I tried did not work.  First a bit of topology:

- one border router
- a /19 network split into /24 segments
- vlan to a smart switch which divides the network segments into various assigned switch port groups (eg. #1-4=39net, 5-7=34net etc)
- a private internal network with its own switch not connected to the outside.
- unique gateways are .1 for each /24

the host is Gentoo 2005.1 with the vserver patch installed in a 2.6.13.1 vanilla kernel with no other patches applied with 3 unique nics.. once this works they will be replaced by a 4 nic card.

ultimately the guest 'machines' will each be assigned a single network. Guest 1 may be on eth0, guest 2 eth2 etc.

However the vserver portion is not in question and will work once the host can properly see and use all networks.

assignments:

- eth0 - public 1/24
- eth1 - privatenet/24
- eth2 - public 2/24
- eth3 - public 3/24

requests for services will come from the internet at large to one of the public networks as determined by dns.

I will assume setting up eth3 on the 4 port card will be the same method used for setting up eth2 once that works.

the problem:

eth0 and eth1 up - both work fine.

eth1 appears unaffected by all of this experimenting.

bring eth2 up and eth0 stops responding to pings from the outside and eth2 responds to pings from outside to its network instead. take eth2 down and eth0 responds to pings to its network again.

I have tried -host routing, no gateway, several things none of which work. At the very best I got it so eth0 responds to pings from the outside but eth2 only responds to pings from within its subnet not from the outside.

how do i need to configure this monster to work properly? eth0 and eth2 must respond to requests from the outside directed toward their respective networks.

do i need iproute2?

is there some special setup i must place into the /etc/conf.d/net file?

i presently have the following set up in net

```
#modules=( "iproute2" )

config_eth0=("64.113.34.5 netmask 255.255.255.0 broadcast 64.113.34.255")
routes_eth0=(" default via 64.113.34.1")

config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
routes_eth1=( "-net 172.30.0.0/24 via 172.30.0.1" )

config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255")
routes_eth2=( "-net 64.113.39.0/24 via 64.113.39.1" )
```

note that I tried default via in routes_eth2 as well as -net.

i'm no networking genius but have been given the task to get this done. I was supposed to have this up and running by monday, but since it is now sunday it is impossible to accomplish due to the delay in getting this networking right.

are there any special settings i need to enable in the kernel networking code for this?

here is my kernel network config

```
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
# CONFIG_IP_PNP_DHCP is not set
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
# CONFIG_IP_TCPDIAG_IPV6 is not set
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_BIC=y
```

i also have a script which runs before network gets set up on boot which contains the following code.. i may need to change some of it to work?

```
#!/sbin/runscript

depend() {
    before net.eth0
}

start() {
    ebegin "Setting /proc options."
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    /bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    eend 0
}
```

i have a standard iptables with no devices mentioned in it. will this also need special entries?

totally out of my league here.. hopefully someone can give detailed instructions to get this running which will buy me time to study what i need to learn about it (presently caught in the "peter principle").

Last edited by RioFL on Sun Sep 25, 2005 6:38 pm; edited 1 time in total

----------

## NeddySeagoon

RioFL,

Post your routing table with eth0 and eth1 only, when it works, and your routing table with eth0, eth1, and eth2, when it fails.

Are you controlling the eth driver module load order so the logical names don't change interfaces ?

----------

## RioFL

 *NeddySeagoon wrote:*   

> RioFL,
> 
> Post your routing table with eth0 and eth1 only, when it works and 
> 
> your routing table with eth0, eth1, and eth2, when it fails.
> ...

 

No, the kernel has modules disabled. However they are not changing roles. If they did, then eth0 and eth1 would get mixed up and never work. If I have a nic plugged into the 34 net switch group it absolutely cannot work on any other network but 34 net and eth0 has never failed in this. it also means that i cannot assign multiple networks to one nic.

here is with eth2 down, all works as it should:

```
prometheus ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.34.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      172.30.0.1      255.255.255.0   UG    0      0        0 eth1
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.113.34.1     0.0.0.0         UG    0      0        0 eth0
```

now with eth2 up.

```
prometheus ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.34.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      172.30.0.1      255.255.255.0   UG    0      0        0 eth1
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.113.39.0     64.113.39.1     255.255.255.0   UG    0      0        0 eth2
64.113.39.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.113.34.1     0.0.0.0         UG    0      0        0 eth0
```

symptoms with this particular eth2 setup:

when enabled, eth2 is not available outside its own network (39.0/24). additionally when pinging from another 39 net machine, eth0 34 net is no longer available to the 39 net machine yet is still available from the outside. if i use default gw for eth2 routes instead of -net xxxx via xxx, then the roles to the outside switch and it becomes even more selective within the various /24 segments.  weird..

----------

## splooge

Not only are the routes on eth1 and eth2 unnecessary, they're also incorrect.  Lose 'em and let us know how it goes.

----------

## NeddySeagoon

RioFL,

This is strange

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.39.0     64.113.39.1     255.255.255.0   UG    0      0        0 eth2
64.113.39.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

Only the first route will be obeyed. All packets being sent to 64.113.39.0/24 will be sent via 64.113.39.1 on eth2 and the second route will never be invoked.

The second route is more normal; it says that no gateway is required for 64.113.39.0/24, just send the packets out of eth2.

Your working set up has a similar problem here 

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.30.0.0      172.30.0.1      255.255.255.0   UG    0      0        0 eth1
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
```

which is propagated into your 3 NIC setup.

A routing table like this

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.34.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.113.39.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.113.34.1     0.0.0.0         UG    0      0        0 eth0
```

would be more promising. Your machine prometheus would then be able to talk on all three NICs and reach the outside world using the last route.

If you turn forwarding on then machines on the other networks can talk to each other using prometheus as a gateway.

```
# For Routing (IP forwarding Actually)
echo "1" >/proc/sys/net/ipv4/ip_forward
```

I presume you will be using firewalling and NAT when the logic is sorted out?

----------

## RioFL

 *NeddySeagoon wrote:*   

> RioFL,
> 
> This is strange
> 
> ```
> ...

 

ok guys. lost the routes on eth1 and eth2. here is the route table

```
prometheus conf.d # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.34.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.113.39.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.113.34.1     0.0.0.0         UG    0      0        0 eth0
```

symptoms using above:

eth1 fine.

eth0 available to outside world, and all subnets but blocked from 39net

eth2 blocked to outside and all subnets except 39net

i then uncommented iproute2 module and restarted the network. same symptoms.

----------

## RioFL

 *NeddySeagoon wrote:*   

> RioFL,
> 
> A routing table like this
> 
> ```
> ...

 

using the last route? you mean through the 34.1 gateway? impossible. it only allows 34 net through. each /24 network has its own gateway from the switch port group to the border router via unique vpn connection and only that /24s gateway is allowed to pass only its own block.

the host could not be used as a gateway this is a setup where all hosts must communicate via the router with no shortcuts allowed.. there is no nat. every one of our 39 machines is available to the internet directly. all firewalling is done via ip inspection and acls in the router and iptables on each machine.

----------

## splooge

Ahh, yes.  Gotta love multi homed boxes.  =)

I'm no expert, but I'm sure if you walk through this guide you'll be up and running:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

----------

## RioFL

 *splooge wrote:*   

> Ahh, yes.  Gotta love multi homed boxes.  =)
> 
> I'm no expert, but I'm sure if you walk through this guide you'll be up and running:
> 
> http://lartc.org/howto/lartc.rpdb.multiple-links.html

 

ok, will look at that.. thanks!

as an update, I ran tcpdump on eth2. pings are coming into the machine from the outside but are being ignored totally, not even trying to reply, unless the pings come in from the same subnet.

----------

## NeddySeagoon

RioFL,

Let's go through the routing table I proposed one line at a time, just like the kernel does when it has a packet to send.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.113.34.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.113.39.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.113.34.1     0.0.0.0         UG    0      0        0 eth0
```

The first line says to reach the 64.113.34.0/24 network, send the packet out of eth0 and no gateway is required. If our packet matches that route, it's sent and no further routes are tested.

The second line says to reach the 172.30.0.0/24 network send the packet via eth1.

The third line says to reach  64.113.39.0/24 send the packet via eth2.

The fourth line says to reach 127.0.0.0/8 send the packet via the lo interface.

The last line matches all left over packets, which are addressed to the gateway 64.113.34.1 on eth0.

This provides 3 isolated networks, which appears to be what you want.

----------

## splooge

 *RioFL wrote:*   

>  *splooge wrote:*   Ahh, yes.  Gotta love multi homed boxes.  =)
> 
> I'm no expert, but I'm sure if you walk through this guide you'll be up and running:
> 
> http://lartc.org/howto/lartc.rpdb.multiple-links.html 
> ...

 

Traffic coming into eth1-3 is probably getting replied to on eth0 which is where your default gateway is.  This causes TCP sequencing errors and that's why you'll need to work with iproute2.

----------

## NeddySeagoon

splooge,

The routing table will be used for ping replies.

Anything coming in eth0..2 not from those subnets will get replies on eth0, since only the default route matches the return IP address.

Responding to packets over the same interface as the request arrived is much more tricky.

----------

## RioFL

 *NeddySeagoon wrote:*   

> splooge,
> 
> The routing table will be used for ping replies.
> 
> Anything comming in eth0..2 not from those subnets will get replies on eth0, since only the defualt route matches the return IP address.
> ...

 

not the same interface though but i guess it still can apply.. eth0 is assigned strictly 34.0/24 so only aliases within 34 net will be issued to it. each interface will have only one /24 assigned.

----------

## splooge

Following the guide and using your IP addresses I think I came up with the proper syntax:

```
# per-interface tables; T1, T2 and T3 must be given numbers in /etc/iproute2/rt_tables
ip route add 64.113.34/24 dev eth0 src 64.113.34.5 table T1
ip route add default via 64.113.34.1 table T1

ip route add 172.30.0/24 dev eth1 src 172.30.0.50 table T2
ip route add default via 172.30.0.1 table T2

ip route add 64.113.39/24 dev eth2 src 64.113.39.254 table T3
ip route add default via 64.113.39.1 table T3

# main table: the connected route for each NIC, preferred source = the host's own
# address on that NIC (Gentoo's net.ethX already adds these when it brings the address up)
ip route add 64.113.34/24 dev eth0 src 64.113.34.5
ip route add 172.30.0/24 dev eth1 src 172.30.0.50
ip route add 64.113.39/24 dev eth2 src 64.113.39.254

# rules: packets sourced from a NIC's address are routed by that NIC's table
ip rule add from 64.113.34.5 table T1
ip rule add from 172.30.0.50 table T2
ip rule add from 64.113.39.254 table T3

# optional: replace the single main-table default with a multipath one so traffic
# the host itself originates is spread over all three gateways
ip route add default scope global \
    nexthop via 64.113.34.1 dev eth0 weight 1 \
    nexthop via 172.30.0.1 dev eth1 weight 1 \
    nexthop via 64.113.39.1 dev eth2 weight 1
```

Outbound traffic (originating from the box itself) will be load balanced out each interface.  Incoming traffic will be properly replied to on the destination interface.  eg: if it comes in eth2, make it go back out eth2.
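To make both routing decisions in this thread concrete, here is an added example (not code from the thread, the LARTC guide or Gentoo) that models the kernel's lookup: rules select a table, then the longest prefix in that table wins. It runs NeddySeagoon's single-table walk-through and the per-NIC tables above on the addresses RioFL posted; the rule priorities (100) and the outside host 198.51.100.7 are assumed values.

```python
"""Model of the Linux IPv4 routing decision discussed in this thread: the RPDB rules
pick a table, then the longest prefix inside that table wins.  Added example; the
addresses are the ones RioFL posted, the outside host 198.51.100.7 is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    dst: IPv4Network           # 0.0.0.0/0 is the default route
    dev: str
    via: Optional[str] = None  # None: directly connected (scope link)


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[IPv4Network] = None  # the "from" selector; None means "from all"


def route(dst: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ip_network(dst), dev, via)


def longest_match(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table (the /0 default only wins when nothing else does)."""
    addr = ip_address(dst)
    hits = [r for r in table if addr in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen) if hits else None


def egress(rules: List[Rule], tables: Dict[str, List[Route]],
           src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Interface and gateway for a locally generated packet (a ping reply counts) with
    source src.  Rules are walked by ascending priority; a table with no match falls through."""
    saddr = ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and saddr not in rule.src:
            continue
        hit = longest_match(tables.get(rule.table, []), dst)
        if hit is not None:
            return hit.dev, hit.via
    raise LookupError(f"no route from {src} to {dst}")


# The main table as 'route -n' showed it once the eth1/eth2 gateway routes were dropped:
# one connected route per NIC plus a single default via the 34net gateway.
MAIN = [
    route("64.113.34.0/24", "eth0"),
    route("172.30.0.0/24", "eth1"),
    route("64.113.39.0/24", "eth2"),
    route("0.0.0.0/0", "eth0", via="64.113.34.1"),
]
KERNEL_DEFAULT_RULES = [Rule(32766, "main")]  # what 'ip rule' shows before any rule is added


def parse_conf_route(dev: str, spec: str) -> Tuple[str, Route]:
    """One entry of a Gentoo routes_ethX=( ... ) array, in the two forms the thread uses:
    'NET src ADDR table T' and 'default via GW table T'."""
    words = spec.split()
    dst = "0.0.0.0/0" if words[0] == "default" else words[0]
    via = words[words.index("via") + 1] if "via" in words else None
    table = words[words.index("table") + 1] if "table" in words else "main"
    return table, route(dst, dev, via)


def tables_from_conf(conf: Dict[str, List[str]]) -> Dict[str, List[Route]]:
    """Build the per-NIC tables from routes_ethX entries, on top of the main table."""
    tables: Dict[str, List[Route]] = {"main": list(MAIN)}
    for dev, specs in conf.items():
        for spec in specs:
            table, r = parse_conf_route(dev, spec)
            tables.setdefault(table, []).append(r)
    return tables


# The working /etc/conf.d/net routes, one array per interface holding BOTH entries
# (two separate routes_eth2=( ... ) assignments in bash would keep only the second).
CONF = {
    "eth0": ["64.113.34.0/24 src 64.113.34.5 table 34net", "default via 64.113.34.1 table 34net"],
    "eth1": ["172.30.0.0/24 src 172.30.0.50 table pvtnet", "default via 172.30.0.1 table pvtnet"],
    "eth2": ["64.113.39.0/24 src 64.113.39.254 table 39net", "default via 64.113.39.1 table 39net"],
}
# 'ip rule add from NET table T' as in the iprules script; priority 100 is an assumed
# value, the kernel allocates one just below 32766 when none is given.
POLICY_RULES = [
    Rule(100, "34net", ip_network("64.113.34.0/24")),
    Rule(100, "pvtnet", ip_network("172.30.0.0/24")),
    Rule(100, "39net", ip_network("64.113.39.0/24")),
    Rule(32766, "main"),
]
OUTSIDE = "198.51.100.7"  # constructed address for "a host somewhere on the internet"


def reply_path(src: str, dst: str = OUTSIDE,
               conf: Optional[Dict[str, List[str]]] = None) -> Tuple[str, Optional[str]]:
    """Where a reply sourced from src leaves the box: conf=None is the single-table setup
    from the first posts, conf=CONF the per-NIC tables plus 'from' rules."""
    if conf is None:
        return egress(KERNEL_DEFAULT_RULES, {"main": MAIN}, src, dst)
    return egress(POLICY_RULES, tables_from_conf(conf), src, dst)
```

With the main table alone, `reply_path("64.113.39.254")` returns `("eth0", "64.113.34.1")`, which is the reply leaving on the wrong NIC that the border router's per-/24 filtering then drops; with `conf=CONF` it returns `("eth2", "64.113.39.1")`. Passing a conf whose eth2 array holds only the default entry shows the bash overwrite problem: same-subnet replies are then sent to the gateway instead of directly out of eth2.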

----------

## RioFL

 *splooge wrote:*   

> Following the guide and using your IP addresses I think I came up with the proper syntax:
> 
> ```
> ip route add 64.113.34/24 dev eth0 src 64.113.34.5 table T1
> 
> ...

 

tried this part of your suggestions and it appears to work!!! thank you!! i eliminated the adding to the global table since the net.ethx startups did that already... what i did to test this was start each interface with no route command then ran the script below and it worked. also im not sure about the last parts of your suggestion. outbound originating from the host must go out the device the host service is bound to.. eg.. apache will listen and reply only on 39 net. qmail will only listen and reply on 34 net.. it will also send when it has a self originated msg such as a bounce also only on 34 net. so im not sure if the last parts with the scope global and nexthops would apply?

```
# eth0
ip route add 64.113.34.0/24 dev eth0 src 64.113.34.5 table 34net
ip route add default via 64.113.34.1 table 34net

# eth1
ip route add 172.30.0.0/24 dev eth1 src 172.30.0.50 table pvtnet
ip route add default via 172.30.0.1 table pvtnet

# eth2
ip route add 64.113.39.0/24 dev eth2 src 64.113.39.254 table 39net
ip route add default via 64.113.39.1 table 39net

# set up rules
ip rule add from 64.113.34.5 table 34net
ip rule add from 172.30.0.50 table pvtnet
ip rule add from 64.113.39.254 table 39net
```

now i just have to figure out how to add rules to the net file. the rest is straightforward enough for the config and routes statements.

----------

## splooge

 *Quote:*   

> tried this part of your suggestions and it appears to work!!! thank you!! i eliminated the adding to the global table since the net.ethx startups did that already... what i did to test this was start each interface with no route command then ran the script below and it worked. also im not sure about the last parts of your suggestion. outbound originating from the host must go out the device the host service is bound to.. eg.. apache will listen and reply only on 39 net. qmail will only listen and reply on 34 net.. it will also send when it has a self originated msg such as a bounce also only on 34 net. so im not sure if the last parts with the scope global and nexthops would apply?

 

Heh, what you're talking about we've already fixed.  Traffic coming into apache on the 39net will get replied to on the 39net.  What I am talking about now applies for traffic ORIGINATING from the host, not traffic the host is REPLYING to.  Basically, where do you want traffic to go if it originates from the gentoo box?  Which should be the default gateway?  That last line makes all 3 gateways 'default' and load balances between them.

Little clarification: from the gentoo box, do a couple traceroutes to yahoo.com.  You'll notice it always goes out the one default gateway on eth0.  Now, add the default scope, and do several more traceroutes.  You'll notice the traffic going out all 3 of your gateways.

 *Quote:*   

> now i just have to figure out how to add rules to the net file. the rest is straightforward enough for the config and routes statements.

 

Show me the config file when you're done so I can copy your work!  =)

----------

## RioFL

 *splooge wrote:*   

>  *Quote:*   tried this part of your suggestions and it appears to work!!! thank you!! i eliminated the adding to the global table since the net.ethx startups did that already... what i did to test this was start each interface with no route command then ran the script below and it worked. also im not sure about the last parts of your suggestion. outbound originating from the host must go out the device the host service is bound to.. eg.. apache will listen and reply only on 39 net. qmail will only listen and reply on 34 net.. it will also send when it has a self originated msg such as a bounce also only on 34 net. so im not sure if the last parts with the scope global and nexthops would apply? 
> 
> Heh, what you're talking about we've already fixed.  Traffic coming into apache on the 39net will get replied to on the 39net.  What I am talking about now applies for traffic ORIGINATING from the host, not traffic the host is REPLYING to.  Basically, where do you want traffic to go if it originates from the gentoo box?  Which should be the default gateway?  That last line makes all 3 gateways 'default' and load balances between them.
> 
> Little clarification: from the gentoo box, do a couple traceroutes to yahoo.com.  You'll notice it always goes out the one default gateway on eth0.  Now, add the default scope, and do several more traceroutes.  You'll notice the traffic going out all 3 of your gateways.
> ...

 

ok.. if qmail originates a status report or a virus scan report it is not replying to anything, however it must travel in the 'mail subnet' which of course it is bound to so. i just answered my own question... outside of the host doing a cron for emerge sync, i cannot think of anything that will originate from the box that will not be bound to a particular ip by the originating service's configs. if i must ftp outside the box for getting an update, i don't much care which interface it uses. bandwidth isn't an issue. customers do not get into the boxes under any circumstances except for web and they cannot ftp out. only ftp in. no shell access for them.

once i figure out rules ill post a final one, but here is a single one i was experimenting with which works nicely except for rules

```
config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255")
# both routes in one array: a second routes_eth2=( ... ) assignment would replace the first
routes_eth2=(
    "64.113.39.0/24 src 64.113.39.254 table 39net"
    "default via 64.113.39.1 table 39net"
)
```

there will be other ip aliases assigned and removed by guest machines as they are started or stopped. will i have to add these routes and rules for them too or will they automatically obey the primary rule and table setups for the device?

----------

## splooge

 *Quote:*   

> ok.. if qmail originates a status report or a virus scan report it is not replying to anything, however it must travel in the 'mail subnet' which of course it is bound to so. i just answered my own question... outside of the host doing a cron for emerge sync, i cannot think of anything that will originate from the box that will not be bound to a particular ip by the originating service's configs. if i  must ftp outside the box for getting an update, i don't much care which interface it uses. bandwidth isn't an issue. customers do not get into the boxes under any circumstances except for web and they cannot ftp out. only ftp in. no shell access for them.

 

Yeah.  It's a "nice to have" -- not to mention you get bonus geek points -- but certainly not necessary.

----------

## RioFL

 *splooge wrote:*   

>  *Quote:*   ok.. if qmail originates a status report or a virus scan report it is not replying to anything, however it must travel in the 'mail subnet' which of course it is bound to so. i just answered my own question... outside of the host doing a cron for emerge sync, i cannot think of anything that will originate from the box that will not be bound to a particular ip by the originating service's configs. if i  must ftp outside the box for getting an update, i don't much care which interface it uses. bandwidth isn't an issue. customers do not get into the boxes under any circumstances except for web and they cannot ftp out. only ftp in. no shell access for them. 
> 
> Yeah.  It's a "nice to have" -- not to mention you get bonus geek points -- but certainly not necessary.

 

i'll probably put them in just to have especially as working examples if i ever do need them on a box ill know which one gave me all the initial headaches and its all in there. for now though im getting ready to reboot the machine to watch it and be sure it all goes in proper order and it all works so far before i put the other things in.

----------

## RioFL

 *splooge wrote:*   

>  *Quote:*   ok.. if qmail originates a status report or a virus scan report it is not replying to anything, however it must travel in the 'mail subnet' which of course it is bound to so. i just answered my own question... outside of the host doing a cron for emerge sync, i cannot think of anything that will originate from the box that will not be bound to a particular ip by the originating service's configs. if i  must ftp outside the box for getting an update, i don't much care which interface it uses. bandwidth isn't an issue. customers do not get into the boxes under any circumstances except for web and they cannot ftp out. only ftp in. no shell access for them. 
> 
> Yeah.  It's a "nice to have" -- not to mention you get bonus geek points -- but certainly not necessary.

 

Ok, first i really want to thank you both for the help! I gave up for now trying to add rules to the net file and simply made a startup script to do it.

Below are the contents of the /etc/iproute2/rt_tables, the contents of the net file and the contents of the startup script which was added to the default runlevel.

I added the 3 values below to /etc/iproute2/rt_tables

```
34      34net
39      39net
172     pvtnet
```

The net file:

```
prometheus ~ # cat /etc/conf.d/net
modules=( "iproute2" )

config_eth0=( "64.113.34.5 netmask 255.255.255.0 broadcast 64.113.34.255" )
# both routes of an interface go in one array; a second routes_ethX=( ... )
# assignment replaces the first one
routes_eth0=(
    "64.113.34.0/24 src 64.113.34.5 table 34net"
    "default via 64.113.34.1 table 34net"
)

config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
routes_eth1=(
    "172.30.0.0/24 src 172.30.0.50 table pvtnet"
    "default via 172.30.0.1 table pvtnet"
)

config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255" )
routes_eth2=(
    "64.113.39.0/24 src 64.113.39.254 table 39net"
    "default via 64.113.39.1 table 39net"
)
```

script "iprules", placed in /etc/init.d and added to default runlevel:

```
#!/sbin/runscript

depend() {
    need net
    before svscan
}

start() {
    ebegin "Setting iproute2 rules."
    # set up system default gateway
    /sbin/ip route add default via 64.113.34.1
    # set up rules
    /sbin/ip rule add from 64.113.34.5 table 34net
    /sbin/ip rule add from 172.30.0.50 table pvtnet
    /sbin/ip rule add from 64.113.39.254 table 39net
    eend 0
}
```

The iprules script is also where i will place the load-balancing code. If there is a way to add rules to the net config file I'll post it here once i find it.

----------

## RioFL

What if there are a bunch of alias ip addys on one of the nics? Do i need to do an ip rule add from <ip> table <whatever> for each alias? 

will have to look things up but the linux docs are a bit presumptuous... many of them are written for people who already know how to use the stuff.

Am hoping it won't need it or will support something like 

ip rule add from <netblock> table <whatever>

----------

## RioFL

netblocks work fine in iproute2 rules.

scriptname iprules:

```
#!/sbin/runscript

depend() {
    need net
    before svscan
}

start() {
    ebegin "Setting iproute2 rules."
    # set up system default gateway
    /sbin/ip route add default via 64.113.34.1
    # set up rules
    /sbin/ip rule add from 64.113.34.0/24 table 34net
    /sbin/ip rule add from 172.30.0.0/24 table pvtnet
    /sbin/ip rule add from 64.113.39.0/24 table 39net
    eend 0
}
```

without doing a lot of exhaustive testing it appears to return answers on the ip that was queried. if it turns out otherwise it wont be much to change it to unique ips.

so far still no luck in putting iproute2 rules into /etc/conf.d/net

----------

## RioFL

 *splooge wrote:*   

> 
> 
> Show me the config file when you're done so I can copy your work!  =)

 

it all works perfectly within the net file. below is a complete net file from my system i have been working on. it includes rules.

```

# This makes use of the preup and postdown
# functions to actually do a bit of script
# programming within the network setup to
# create a rules configuration that mirrors
# the ease of the config and routes.
# note that the ipaddr_ethx functions can also be used here
# in place of the config_ethx functions.

modules=( "iproute2" )

config_eth0=( "64.113.34.5 netmask 255.255.255.0 broadcast 64.113.34.255" )
# both routes of an interface go in ONE array; a second routes_ethX=( ... )
# assignment would replace the first and lose the connected route
routes_eth0=(
    "64.113.34.0/24 src 64.113.34.5 table 34net"
    "default via 64.113.34.1 table 34net"
)
rules_eth0=( "from 64.113.34.0/24 table 34net" )

config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
routes_eth1=(
    "172.30.0.0/24 src 172.30.0.50 table pvtnet"
    "default via 172.30.0.1 table pvtnet"
)
rules_eth1=( "from 172.30.0.0/24 table pvtnet" )

config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255" )
routes_eth2=(
    "64.113.39.0/24 src 64.113.39.254 table 39net"
    "default via 64.113.39.1 table 39net"
)
rules_eth2=( "from 64.113.39.0/24 table 39net" )

flush_route_cache() {
    ebegin "Flushing route cache for ${IFACE}"
    ip route flush cache dev ${IFACE}
    ret=$?
    eend $ret
    return $ret
}

# runs "ip rule add" or "ip rule del" for every entry of rules_${IFACE}
ip_rule_runner() {
    cmd="$1"
    case ${IFACE} in
        eth2) rules=( "${rules_eth2[@]}" ) ;;
        eth1) rules=( "${rules_eth1[@]}" ) ;;
        eth0) rules=( "${rules_eth0[@]}" ) ;;
        *)    rules=() ;;
    esac
    max=$((${#rules[@]} - 1))
    cmd="ip rule ${cmd}"
    for ln in `seq 0 $max`; do
        ebegin "   ${cmd} ${rules[$ln]}"
        ${cmd} ${rules[$ln]}
        eend $?
    done
}

# need to flush route caches and delete rules as listed or else
# the system can do weird things on startup such as not
# talk to an interface for some period of time then start working.
postup() {
    einfo "Adding rules"
    ip_rule_runner add
    flush_route_cache
}

predown() {
    einfo "Removing rules"
    ip_rule_runner del
    flush_route_cache
}
```

How I got this info: I filed a suggestion bug report and got an answer back from one of the developers along with a sample that he used some time ago. I never thought about this ability and did not truly know it could be used in this way.

For completeness and possibly some other information I did not use in mine, below is his original net file he attached for me:

```
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

modules=( "iproute2" )

peer_dns="no"
peer_nis="no"
peer_ntp="no"

#ipaddr_eth0=( "apipa" )
#ipaddr_eth0=( "dhcp" )
#dhcpcd_eth0="-t 10 -o -N -R -Y"
#dhcp_eth0="nodns nontp nonis"
ipaddr_eth0=( "192.168.1.1/24 broadcast 192.168.1.255" )
#"192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1 table localnet"
rules_eth0=(
    "from 24.80.102.112/32 to 192.168.1.0/24 table localnet priority 100"
    "from 216.113.223.51/32 to 192.168.1.0/24 table localnet priority 100"
)
routes_eth0=(
    "from all to 192.168.1.0/24 table localnet"
)

ipaddr_eth1=( "dhcp" )
dhcpcd_eth1="-t 10 -o -N -R -Y -G"
dhcp_eth1="nodns nontp nonis"

ipaddr_eth2=( "dhcp" )
dhcpcd_eth2="-t 10 -o -N -R -Y -G"
dhcp_eth2="nodns nontp nonis"

# blocks from  'whois SHAW-COMM'
#24.64.0.0/13 24.76.0.0/14 24.80.0.0/13 24.108.0.0/15 24.244.0.0/18 64.59.128.0/18 68.144.0.0/13 70.64.0.0/14 70.68.0.0/15 70.70.0.0/16 70.71.0.0/18 70.71.64.0/19 70.71.96.0/20 204.209.208.0/21
rules_eth1=(
    "from 24.80.102.112/32  table shaw priority 500"
    "to 24.64.0.0/13        table shaw priority 550"
    "to 24.76.0.0/14        table shaw priority 550"
    "to 24.80.0.0/13        table shaw priority 550"
    "to 24.108.0.0/15       table shaw priority 550"
    "to 24.244.0.0/18       table shaw priority 550"
    "to 64.59.128.0/18      table shaw priority 550"
    "to 68.144.0.0/13       table shaw priority 550"
    "to 70.64.0.0/14        table shaw priority 550"
    "to 70.68.0.0/15        table shaw priority 550"
    "to 70.70.0.0/16        table shaw priority 550"
    "to 70.71.0.0/18        table shaw priority 550"
    "to 70.71.64.0/19       table shaw priority 550"
    "to 70.71.96.0/20       table shaw priority 550"
    "to 204.209.208.0/21    table shaw priority 550"
    "from all               table shaw priority 41000" # needed for primus failure
)
routes_eth1=(
    "24.80.100.0/22 dev eth1 table shaw scope link" # non-gw stuff
    "default via 24.80.100.1 table shaw"
)

# blocks for Uniserve/Primus
# PRIMUS-DSL-BLK1 PRIMUS-DSL-BLK2 PRIMUS-DSL-BLK3 NET-216-113-192-0-1
#
# 216.210.109.64/26 216.210.109.128/25 216.113.223.0/24 216.113.192.0/19
rules_eth2=(
    "from 216.113.223.51/32 table primus priority 600"
    "to 216.210.109.64/26   table primus priority 650"
    "to 216.210.109.128/25  table primus priority 650"
    "to 216.113.223.0/24    table primus priority 650"
    "to 216.113.192.0/19    table primus priority 650"
    "from all               table primus priority 40000" # send all other traffic via this
)
routes_eth2=(
    "216.113.223.0/24 dev eth2 table primus scope link" # non-gw stuff
    "default via 216.113.223.1 table primus"
)

# howto on multi-homed boxes
# http://www.linuxjournal.com/article/7291

flush_route_cache() {
    ebegin "Flushing route cache for ${IFACE}"
    ip route flush cache dev ${IFACE}
    ret=$?
    eend $ret
    return $ret
}

ip_rule_runner() {
    cmd="$1"
    case ${IFACE} in
        eth2) rules=( "${rules_eth2[@]}" ) ;;
        eth1) rules=( "${rules_eth1[@]}" ) ;;
        eth0) rules=( "${rules_eth0[@]}" ) ;;
    esac
    max=$((${#rules[@]} - 1))
    cmd="ip rule ${cmd}"
    for ln in `seq 0 $max`; do
        ebegin "   ${cmd} ${rules[$ln]}"
        ${cmd} ${rules[$ln]}
        eend $?
    done
}

postup() {
    einfo "Adding rules"
    ip_rule_runner add
    flush_route_cache
}

predown() {
    einfo "Removing rules"
    ip_rule_runner del
    flush_route_cache
}
```

So it really does work all in the net config file.

----------

