# Two network cards - same network. Is that possible?

## ggeeoo

I was wondering if it is possible to install two network cards and have them connected to the very same network so that some services use the first card and some the other. For example, have one card for Apache exclusively and one card for all other network services.

----------

## Roman_Gruber

I don't think sharing network traffic via two cards is possible. => CONFIG question.

Yes you can set up two cards and you can use the one or the other card.

If it is possible, let me know, please.

----------

## liber!

You could do card bonding and have two connections to the same switch for a 2 Gbit connection (but who needs that?)

----------

## steveL

I thought this was possible, just by setting the network parameters, e.g. eth0 to use 192.168.2.2 and eth1 to use 192.168.2.3. Then you would use the Apache config to Listen on, say, 192.168.2.2 instead of all network addresses (the default). I'm guessing other services can be similarly configured.

What have you tried so far?

----------

## fatcat.00

Yes, this is possible. In Apache you can tell the server to listen only on a specific interface. If I recall correctly it listens on all interfaces by default, but I don't remember the directive to tell it to listen on only a certain one. BIND and Samba can do this, and so do most well-written server applications, I am sure.

Having said that, you need to be aware of what your default route statement says. If you have eth0 and eth1 and Apache is set up to listen on eth1, and non-local requests come in on eth1, they will go out eth0 (assuming your default route uses eth0). No biggy in terms of performance, but if you are using iptables it will be broken due to the lack of state across interfaces (I am not 100% certain about this, but pretty sure iptables cares about interfaces even if configured on the same subnet). Also, you said "apache using one interface exclusively," or some such. So, check your routing for any gotchas.

----------
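
The setup steveL and fatcat.00 sketch above (a second address on eth1, Apache's `Listen` restricted to it, and the question of which card the replies leave on), as an added example that is not code from any poster in this thread. It keeps Apache's traffic on eth1 in both directions with source-based policy routing, so the main table's default route on eth0 is never consulted for Apache's replies, and it includes a quick audit of the listening sockets. Every address, interface name, gateway and table number here is an assumption for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters. Binds Apache to
# its own NIC (eth1, 192.168.2.3) while the machine's default route stays on eth0,
# and keeps Apache's traffic on eth1 in both directions with source-based policy
# routing. All addresses, interface names, the gateway and the table number are
# assumptions for illustration.
set -u

APACHE_ADDR=192.168.2.3
APACHE_DEV=eth1
LAN=192.168.2.0/24
GATEWAY=192.168.2.1
TABLE=100
RUN=${RUN:-echo}   # dry run by default: prints the commands. Run as root with RUN= to apply.

# Apache side: the Listen directive, restricted to the eth1 address.
apache_listen_snippet() {
    printf 'Listen %s:80\n' "$APACHE_ADDR"
}

# Kernel side. Packets sent *from* 192.168.2.3 consult table 100, which only knows
# eth1, so replies to Apache clients leave via eth1 instead of following the main
# table's default route out of eth0.
setup_policy_routing() {
    $RUN ip addr add "$APACHE_ADDR/24" dev "$APACHE_DEV"
    $RUN ip route add "$LAN" dev "$APACHE_DEV" src "$APACHE_ADDR" table "$TABLE"
    $RUN ip route add default via "$GATEWAY" dev "$APACHE_DEV" table "$TABLE"
    $RUN ip rule add from "$APACHE_ADDR" lookup "$TABLE" priority 100
    # Two NICs on one subnet: with the default arp_ignore=0 Linux answers ARP for
    # 192.168.2.3 on eth0 as well, so clients can learn eth0's MAC and inbound
    # traffic lands on the wrong card. arp_ignore=1 answers only on the NIC that
    # owns the address.
    $RUN sysctl -w net.ipv4.conf.all.arp_ignore=1
    # Strict reverse-path filtering (rp_filter=1) drops packets that arrive on an
    # interface other than the one the kernel would use to reach the sender;
    # loose mode (2) only requires that some route back exists.
    $RUN sysctl -w "net.ipv4.conf.$APACHE_DEV.rp_filter=2"
}

# Check that nothing on TCP port 80 is still bound to every address. Reads
# `ss -Hltn` output on stdin (field 4 is the local address:port) and prints
# any port-80 listener that is not exactly the Apache address.
misbound_listeners() {   # usage: ss -Hltn | misbound_listeners ADDR PORT
    awk -v want="$1:$2" -v port=":$2" '$4 ~ (port "$") && $4 != want { print $4 }'
}

# Constructed `ss -Hltn` output: Apache still on the default `Listen 80`...
SAMPLE_SS_BAD='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
# ...and after `Listen 192.168.2.3:80`.
SAMPLE_SS_GOOD='LISTEN 0 511 192.168.2.3:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

apache_listen_snippet
setup_policy_routing
printf '%s\n' "$SAMPLE_SS_BAD" | misbound_listeners "$APACHE_ADDR" 80
```

Run it as-is to see the commands it would issue; run it as root with `RUN=` to apply them. The `ss` audit is the check to repeat after restarting Apache: a line like `0.0.0.0:80` means the `Listen` change did not take.

----------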

## ggeeoo

Thanks for the replies everyone! I haven't tried anything myself since I don't have two ethernet cards yet. The reason I'm asking is because some of my remote users are complaining that downloading from Apache can get awfully slow sometimes, and I've noticed that this happens when I do other things with the network at the same time, such as seeding a torrent. So I thought, maybe purchasing an additional network interface would solve the problem. But for this to work I must find a way to force Apache to use this interface for both inbound and outbound connections while having my routing tables refer to the other one.

----------

## steveL

*fatcat.00 wrote:*

> Yes, this is possible. In Apache you can tell the server to listen only on a specific interface. If I recall correctly it listens on all interfaces by default, but I don't remember the directive to tell it to listen on only a certain one. BIND and Samba can do this, and so do most well-written server applications, I am sure.

The directive is Listen (that's why it was capitalised in my post ;)

*Quote:*

> Having said that, you need to be aware of what your default route statement says. If you have eth0 and eth1 and Apache is set up to listen on eth1, and non-local requests come in on eth1, they will go out eth0 (assuming your default route uses eth0). No biggy in terms of performance, but if you are using iptables it will be broken due to the lack of state across interfaces (I am not 100% certain about this, but pretty sure iptables cares about interfaces even if configured on the same subnet). Also, you said "apache using one interface exclusively," or some such. So, check your routing for any gotchas.

The route thing I hadn't thought about - good point.

As for iptables, the last time I configured it manually, which was admittedly a few years ago, I don't recall there being an issue with interfaces. IIRC you can specify interfaces (indeed it's a good idea to, especially for stuff like NAT) but you don't have to. I don't think it would be a major problem in any case, although definitely something to configure.

ggeeoo- have you considered QoS (quality of service) which is a set of kernel options? It's exactly what you're looking for; rate-limiting for apps etc. I'm afraid I have no experience with it, and from what I hear on #gentoo it's not very well documented. So if you get anywhere with it, write it up for your fellow gentooers ;)

edit: (Very minor) BTW this is an example of a user not really specifying what they wanted to do in the first place. Just be thankful you're not on #bash ;)

Please, please, please if you are using BIND, think about djbdns instead (it's a gentoo pkg) as BIND is notorious for security problems. (Check out this site as well if you're thinking of using any of the excellent djb software.)

----------

## fatcat.00

Hmmm, users complaining of slowness, eh?  

If you think your Apache is really getting slow and it seems slower than it should be even taking into consideration seeding torrents etc., you might want to check and make sure you don't have autonegotiate turned on (if both sides of the connection are 10/100).  Gigabit requires autoneg, and it seems to work fine.

10/100 ethernet autonegotiate works well in some cases, doesn't in others, and you can have your switch autoneg to 100 full duplex, but your host will be at 100 half duplex.  In a case like this, things will work, but not very well.  Generally I recommend for 10/100 connections to hard-strap both sides to 100 full duplex and eliminate that as a source of squirrelly network issues.  In Linux I think you use "mii-tool" or something like that.

----------

## fatcat.00

*steveL wrote:*

> As for iptables, the last time I configured it manually, which was admittedly a few years ago, I don't recall there being an issue with interfaces. IIRC you can specify interfaces (indeed it's a good idea to, especially for stuff like NAT) but you don't have to. I don't think it would be a major problem in any case, although definitely something to configure.

I wasn't real clear about that part... it was late :)

What I really meant was: in a case where you have asymmetrically routed traffic (i.e., in eth1 and out eth0), does iptables take the interface into account if the interfaces are configured on the same LAN? I know it would drop the traffic if the interfaces were on different LANs and asymmetrical routing was going on. I suspect iptables is aware of the interface and will drop the traffic as spoofed or out-of-state even if the interfaces in question are on the same LAN. But, like I said, I am not 100% certain of that and I don't have a way to quickly test it.

Naturally this would only be an issue if ggeeoo was running iptables on his web server.  Good practice to do that, but kind of a pain so many don't do it.

----------

## steveL

*fatcat.00 wrote:*

> I wasn't real clear about that part... it was late

For shame! ;)

*Quote:*

> What I really meant was: in a case where you have asymmetrically routed traffic (i.e., in eth1 and out eth0), does iptables take the interface into account if the interfaces are configured on the same LAN? I know it would drop the traffic if the interfaces were on different LANs and asymmetrical routing was going on. I suspect iptables is aware of the interface and will drop the traffic as spoofed or out-of-state even if the interfaces in question are on the same LAN. But, like I said, I am not 100% certain of that and I don't have a way to quickly test it.

No, nor do I, but from what I remember you can configure on the interface or on the address or on anything else. So it really depends on the rules you use. He's not using NAT in this instance, so that takes a layer of complexity out. But basically it just follows whatever rules you specify. If you don't tell it to drop a packet it won't (although default -j DROP rules are normally used similarly to accept, deny in Apache).

*Quote:*

> Naturally this would only be an issue if ggeeoo was running iptables on his web server.  Good practice to do that, but kind of a pain so many don't do it.

Indeed. Many people find the whole config thing difficult and end up using a script (last one I checked on gentoo was firehol but that was 3 years ago.) TBH I think it's good to be able to say you can configure iptables by hand- the scripts tend to produce more rules than you actually need. ggeeoo: you did mention remote users, so I hope you have a hardware firewall, or at minimum iptables on your machine/s. Personally if I were opening a port (and I don't) I'd have iptables on the dest machine at minimum in conjunction with my router fw. Preferably you should have software firewalls on all your machines if there is any remote access at all.

----------
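
The question fatcat.00 raises (does iptables care which interface a packet came in on when both cards sit on one LAN) and steveL's answer (it follows whatever your rules say), worked through as an added example that is not code from any poster in this thread. Connection tracking keys a flow on protocol, addresses and ports, not on the interface, so a stateful ruleset survives "in eth1, out eth0" exactly as long as none of its own rules name an interface; the script below audits an `iptables-save` dump for the rules that do and shows the address-based form they can be rewritten to. The dump, addresses and interface names are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters. Connection
# tracking keys a flow on protocol, addresses and ports, not on the interface, so
# a stateful ruleset survives "in eth1, out eth0" as long as its own rules do not
# name an interface. This audits an iptables-save dump for the rules that do.
# The dump, addresses and interface names are constructed for illustration.
set -u

# Constructed `iptables-save -t filter` output for a web server with two NICs on
# one LAN. The -i eth1 rule stops matching the moment a client's ARP cache points
# 192.168.2.3 at eth0's MAC; a rule on the destination address does not care.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Print every rule that matches on a physical interface (lo is exempt: it never
# carries the asymmetric leg). Reads iptables-save output on stdin.
interface_pinned_rules() {
    awk '/^-A/ { for (i = 1; i < NF; i++) if (($i == "-i" || $i == "-o") && $(i + 1) != "lo") { print; next } }'
}

# Rewrite an inbound rule pinned to IFACE so it selects the service by destination
# address instead, which is what actually distinguishes the Apache card here.
address_instead_of_interface() {   # usage: ... | address_instead_of_interface IFACE ADDR
    sed "s/ -i $1 / -d $2 /"
}

printf '%s\n' "$SAMPLE_RULES" | interface_pinned_rules
printf '%s\n' "$SAMPLE_RULES" | interface_pinned_rules | address_instead_of_interface eth1 "192.168.2.3"
```

On a real box feed it `iptables-save | interface_pinned_rules`; an empty result means the ruleset is indifferent to which card a packet used, and the only remaining way to lose traffic across the two interfaces is the kernel's reverse-path filter, not iptables.

----------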

## fatcat.00

*steveL wrote:*

> *fatcat.00 wrote:*
>
> > Naturally this would only be an issue if ggeeoo was running iptables on his web server.  Good practice to do that, but kind of a pain so many don't do it.
>
> Indeed. Many people find the whole config thing difficult and end up using a script (last one I checked on gentoo was firehol but that was 3 years ago.) TBH I think it's good to be able to say you can configure iptables by hand- the scripts tend to produce more rules than you actually need.

Yep, I used Shorewall for quite a while and it's a really great script wrapper for iptables. It does an awful lot considering it's a bash script! For GUI tools and doing simple stuff like protecting a web server, you can't beat Firestarter. It's awesome for a single host or workstation firewall. It gives you a nice GUI and outputs an iptables script, but also monitors the iptables logs so you can highlight traffic and create a permit or deny rule on the fly. Sweet and Grandma-proof.

For more advanced firewalls, IPCop is impressive, as is fwbuilder, which is incredible (particularly because it's FLOSS software) and gets no attention whatsoever. I mean, it's amazing what kind of stuff the FLOSS community puts out. fwbuilder is really sweet if you are managing multiple firewalls... it allows the centralized management of dozens, if not hundreds, of policies on separate hosts.

I work for a very large enterprise-class firewall manufacturer so I am no stranger to good firewalls, but the FLOSS community's cup runneth over with extremely good alternatives.

I am really interested to hear what ggeeoo chooses to do, and why.

----------

## ggeeoo

Currently I do use iptables but as a firewall only. I don't need any kind of masquerading, so configuring iptables by hand was relatively easy. The QoS option in the kernel seems interesting so I think I'm gonna give it a shot. Configuring it properly seems a bit more complicated than configuring iptables though. Nevertheless, it seems the most appropriate thing to do. My initial thought of using two interfaces doesn't seem to work, or at least it doesn't seem to work the way I want it to.

----------
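
The kernel QoS route steveL suggested and ggeeoo decided to try, as an added example that is not code from any poster in this thread. It is driven with `tc`: an HTB tree on the egress side of the NIC gives the packets Apache sends from port 80 a guaranteed share of the uplink and leaves everything else (the torrent seeding) to the default class, which may still borrow idle bandwidth. The interface, uplink rate and split are assumptions; set the uplink figure a little below the real upstream rate so the queue forms on this machine rather than in the modem.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters. Egress shaping
# with HTB so Apache's replies are not starved by other uploads from the same box.
# Interface, rates and the split are assumptions for illustration.
set -u

DEV=eth0
UPLINK=9mbit      # assumed: a 10 Mbit upstream, shaped slightly below line rate
HTTP_RATE=6mbit   # guaranteed to Apache; may borrow up to UPLINK when idle
REST_RATE=3mbit   # guaranteed to everything else; may borrow up to UPLINK when idle
RUN=${RUN:-echo}  # dry run by default: prints the commands. Run as root with RUN= to apply.

setup_http_shaping() {
    $RUN tc qdisc del dev "$DEV" root 2>/dev/null   # clear any previous tree; harmless if none
    # Root HTB; traffic that matches no filter goes to class 1:20 (everything else).
    $RUN tc qdisc add dev "$DEV" root handle 1: htb default 20
    $RUN tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$UPLINK" ceil "$UPLINK"
    # Lower prio number is served first when both classes want to borrow.
    $RUN tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$HTTP_RATE" ceil "$UPLINK" prio 0
    $RUN tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$REST_RATE" ceil "$UPLINK" prio 1
    # Classify by source port: packets Apache sends from :80 go to the HTTP class.
    $RUN tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:10
}

setup_http_shaping
```

Check the result with `tc -s class show dev eth0` while a torrent is seeding and a client downloads from Apache: the 1:10 counters should keep moving at roughly `HTTP_RATE` even while 1:20 is saturated.

----------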

