# Server with 2 network cards

## oc666

Hello

I have a server with 2 network cards.

I can't reach one of them via the internet when they are connected together.

This is my /etc/conf.d/net:

```
config_eth0=( "192.168.16.14 netmask 255.255.255.0 brd 192.168.16.255" )
routes_eth0=( "default via 192.168.16.4" )
config_eth1=( "192.168.0.101 netmask 255.255.255.0 brd 192.168.0.255" )
routes_eth1=( "default via 192.168.0.1" )
```

If I work with only one eth, it works fine (each one).

What did I do wrong?

Thanks

----------

## JoshFed

Simple question but it has to be asked.  Are you starting the NIC before you try using it?

```
/etc/init.d/net.eth0 start
```

and

```
/etc/init.d/net.eth1 start
```

----------

## oc666

Yep, it started. As I said, when one works alone it's all fine, but when both of them work, I can't reach one of them.

Both of them are behind routers (which do port forwarding). I think it's because of the gateways, but I'm not sure.

More info

My route:

```
$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.16.0    *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
default         192.168.16.4    0.0.0.0         UG    1      0        0 eth0
```

In this current configuration, I can't reach eth0 (the /etc/conf.d/net is the same as above, in my last message).

----------

## JoshFed

Where are you (your workstation) in relation (network wise) to the server?  What's your workstation IP?

----------

## jcat

With 2 default gateways I presume it's always the first one in the routing table that will be used.  Why would the box with two NICs do anything other than that ;) , routing tables are really that simple.

The host isn't just going to respond on a particular interface because that's where the traffic came in, it will use the routing table.

Cheers,

jcat

----------

## zeek

 *oc666 wrote:*   

> Hello
> 
> I have a server with 2 network cards.
> 
> I can't reach one of them via the internet when they are connected together.
> ...

 

To multihome a server and run services from both IPs using source routing requires IP advanced router compiled into the kernel.  You need to be using iproute2 and add an entry to /etc/iproute2/rt_tables.  In /etc/conf.d/net.example there are some functions that you need to add that will run `ip rule` commands when the interface is brought up.

Google for "source routing" and "ip rule".  You will find plenty of tutorials to set this up.  Good luck!

----------

## oc666

 *zeek wrote:*   

> To multihome a server and run services from both IPs using source routing requires IP advanced router compiled into the kernel.  You need to be using iproute2 and add an entry to /etc/iproute2/rt_tables.  In /etc/conf.d/net.example there are some functions that you need to add that will run `ip rule` commands when the interface is brought up.
> 
> Google for "source routing" and "ip rule".  You will find plenty of tutorials to set this up.  Good luck!

 

Hey, thanks for the answer.

First of all I need to understand what this means and how it works. Is there any article on how to configure two network cards on one Gentoo machine?

Second, I googled and found this:

 *Quote:*   

> Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it. 

 

Additionally, I enabled "IP advanced router" in my kernel. Here is my /etc/iproute2/rt_tables and ip route:

 *Quote:*   

> ```
> $ cat /etc/iproute2/rt_tables
> #
> # reserved values
> ```
> ...

 

----------

## oc666

I just rebooted because of the kernel update. I ran "ip route show" again:

 *Quote:*   

> ```
> # ip route show
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.101
> 192.168.16.0/24 dev eth0  proto kernel  scope link  src 192.168.16.14
> ```
> ...

 

Now I can't reach the server through the card that worked before the reboot, and I can reach the card which didn't work before the reboot.

I see the difference in the last two lines of the "ip route show" command:

 *Quote:*   

> Before reboot:
> 
> default via 192.168.0.1 dev eth1 <---- I can reach this
> ...

 

How could I fix this?

----------

## zeek

 *oc666 wrote:*   

> Second, I googled and found this:
> 
>  *Quote:*   Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it.  

 

Ignore that, it's talking about something different.

It looks to me like your setup is almost there, it's just missing an ip rule.  Here is my setup (mac zero'd):

```
linky ~ # ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.44/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.46/24 brd 10.0.0.255 scope global eth1

linky ~ # ip rule ls
0:      from all lookup local
32765:  from 10.0.0.46 lookup cable
32766:  from all lookup main
32767:  from all lookup default

linky ~ # cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
100 cable
```

----------

## oc666

Thanks for the reply, but I don't understand the ip rules you wrote. Where can I find more info, or can you explain this?

Thanks.

----------

## zeek

 *oc666 wrote:*   

> Thanks for the reply, but I don't understand the ip rules you wrote. Where can I find more info, or can you explain this?
> 
> Thanks.

 

I only have one rule:

```
ip rule add from 10.0.0.46 table cable
```

Search for 'ip rule' in /etc/conf.d/net.example and add the post up/down functions.  Or be lazy like me and just run the command from /etc/conf.d/local.start.

This net config might be helpful:

```
# cat /etc/conf.d/net
modules=( "iproute2" )
config_eth0=( "10.0.0.44/24 brd 10.0.0.255" )
config_eth1=( "10.0.0.46/24 brd 10.0.0.255" )
routes_eth0=( "default via 10.0.0.254" )
routes_eth1=(
        "127.0.0.0/8 dev lo table cable"
        "default via 10.0.0.253 table cable"
        )
```

----------
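
Added example (not code from any poster in this thread): a small Python model of the lookup jcat describes and of the `ip rule` fix zeek describes, fed with the addresses and `route` output from oc666's posts. The table name `uplink16`, the client address `203.0.113.7` and the function names are assumptions made for the illustration, and the kernel's `local` table is left out.

```python
import ipaddress

# Constructed model of oc666's server (addresses from the thread). The table
# name "uplink16" is a hypothetical label; it does not appear in the thread.
MAIN = [  # (destination, gateway, device, metric), as in the `route` output
    ("192.168.16.0/24", None, "eth0", 0),
    ("192.168.0.0/24", None, "eth1", 0),
    ("0.0.0.0/0", "192.168.0.1", "eth1", 0),
    ("0.0.0.0/0", "192.168.16.4", "eth0", 1),
]
# Equivalent of: ip route add default via 192.168.16.4 table uplink16
UPLINK16 = [("0.0.0.0/0", "192.168.16.4", "eth0", 0)]
TABLES = {"main": MAIN, "uplink16": UPLINK16}

# Rules are (priority, source selector or None for "from all", table name).
RULES_BEFORE = [(32766, None, "main")]
# Equivalent of: ip rule add from 192.168.16.14 table uplink16
RULES_AFTER = [(32765, "192.168.16.14/32", "uplink16")] + RULES_BEFORE


def table_lookup(routes, dst):
    """Longest-prefix match; the lowest metric wins between equal prefixes."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))


def route_reply(rules, src, dst):
    """Walk the rules in priority order; the first table with a match decides."""
    src = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue  # rule does not apply to this source address
        hit = table_lookup(TABLES[table], dst)
        if hit:
            return {"table": table, "gateway": hit[1], "dev": hit[2]}
    return None


CLIENT = "203.0.113.7"  # constructed internet client (documentation range)

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for src in ("192.168.16.14", "192.168.0.101"):
            print(label, src, "->", route_reply(rules, src, CLIENT))
```

Without the rule, a reply sourced from 192.168.16.14 leaves through eth1 toward 192.168.0.1, which is why only one address is reachable from outside at a time; with the rule, each address answers through its own gateway.

----------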

## oc666

Thanks a lot, it works just fine.

Also, I learned a lot from the following two articles in the wiki:

http://gentoo-wiki.com/Dual_internet_connections

http://gentoo-wiki.com/TIP_Dual-Homed_Gentoo_Server

----------

## oc666

Sorry to bump this post, but I have a problem, and the sources (from gentoo-wiki) I built the configuration from have been removed.

I reinstalled my server on a new machine. I added the following configuration:

 *Quote:*   

> ```
> # cat /etc/conf.d/net
> dns_servers=( "212.150.48.169 206.49.94.234 194.90.1.5" )
> ```
> ...

 

I can't connect to the machine via eth1. After the system reboots I get the following message:

 *Quote:*   

> RTNETLINK answers: File exists

 

I tried to debug this problem, but I don't know where to start.

Thanks for the help.

----------

## oc666

I tried to debug it, and got the following interesting info:

1. When I browse to eth1, I get this tcpdump info:

 *Quote:*   

> ```
> # tcpdump port 80 -i eth1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> ```
> ...

 

2. I can't ping outside from the problematic eth:

 *Quote:*   

> ```
> # ping -I eth1 google.com
> PING google.com (209.85.171.99) from 192.168.16.14 eth1: 56(84) bytes of data.
> From BCGENTOO.BCLIBRARY (192.168.16.14) icmp_seq=2 Destination Host Unreachable
> ```
> ...

 

----------

## oc666

I just updated the local.start line to use the IP instead of the GW:

 *Quote:*   

> /sbin/ip rule add from 192.168.16.14 table neteth1 

 

192.168.16.14=IP

192.168.16.4=GW

----------

