Re: 2 NIC's on same subnet = problems

From: Martin A. Brown (mabrown-linux-net@securepipe.com)
Date: Tue Apr 08 2003 - 22:56:58 EST


 : I'm having a problem with one NIC always answering for both.

Short answer to one of your problems:

 : The problem is when a box on the internet pings or tries to connect to
 : an IP that is supposed to be on the "private" side (eth1) I get
 : responses from the eth0.

You are experiencing a side effect of a kernel feature.

Longer answer:

Your problem is similar to ARP flux, the phenomenon that an IP address
appears to jump from one MAC to another. This can happen when a
machine has multiple NICs attached to the same segment, or multiple IPs on
a machine which are within a subnet visible on another interface.

The kernel will happily reply for any IP address which is hosted on the
machine. This is considered a feature of the 2.2 and 2.4 kernel series,
although there are ways to suppress this behaviour.

I have a description of how to take advantage of the arp_filter (2.4)
sysctl and the hidden (2.2) sysctl to prevent this behaviour. There are
other solutions if you need even finer control over the ARP tables, but
they are not part of the standard kernel and iproute2 networking package.

See here:

  http://linux-ip.net/html/ether-arp.html
  http://linux-ip.net/html/ether-arp.html#ether-arp-flux

Note, that ARP flux doesn't appear to be your problem, but the solution
should be the same.

 : On box1:
 : ping box2-gw
 : the ping goes out thru eth0 and is accepted by box2's eth0 instead of
 : going over the private network.

Hm. That certainly doesn't seem right. Have you tried specifying the
source address on a ping: "ping -n -I eth1 box2-gw"? The routes look
correct to me. The kernel will select the most specific route. Did you
flush the route cache after adding the static host route entries? "ip
route flush cache".

 : Apparently on this setup (so I'm told by the Senior Sun/Solaris admin)
 : Solaris will not accept packets from one nic that is the ip of another.

Well, that's Solaris's shortcoming, although I suppose you could simulate
this behaviour with a handful of iptables/ipchains.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
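The arp_filter sysctl Martin points to lives under /proc/sys/net/ipv4/conf/<iface>/arp_filter (2.4 and later kernels), and the kernel treats it as enabled for an interface when either conf/all/arp_filter or the per-interface knob is 1. The script below is an added example, not code from Martin's reply or from linux-ip.net: it audits which interfaces still have the knob off and renders the sysctl.conf lines that turn it on. PROC_ROOT, the function names and the sample interface names are assumptions introduced here; PROC_ROOT exists only so the functions can be exercised against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: audit and render the arp_filter knob that stops the kernel
# answering ARP for an IP hosted on a different interface.
# PROC_ROOT is an assumption of this example: empty (default) means the real
# /proc; point it at a constructed tree to run the functions offline.
PROC_ROOT="${PROC_ROOT:-}"

# Print one "iface=value" line per interface named on the command line.
# An interface without the knob (or that does not exist) reports "absent".
arp_filter_status() {
  for ifc in "$@"; do
    f="$PROC_ROOT/proc/sys/net/ipv4/conf/$ifc/arp_filter"
    if [ -r "$f" ]; then
      printf '%s=%s\n' "$ifc" "$(cat "$f")"
    else
      printf '%s=absent\n' "$ifc"
    fi
  done
}

# Succeed (exit 0) only if ARP filtering is effectively on for every named
# interface: either conf/all/arp_filter is 1, or each per-interface knob is 1.
arp_filter_enforced() {
  all="$PROC_ROOT/proc/sys/net/ipv4/conf/all/arp_filter"
  [ -r "$all" ] && [ "$(cat "$all")" = 1 ] && return 0
  for line in $(arp_filter_status "$@"); do
    case "$line" in
      *=1) ;;          # this interface is covered
      *) return 1 ;;   # 0 or absent: the kernel will still answer for it
    esac
  done
  return 0
}

# Emit the /etc/sysctl.conf lines that enable the filter globally and on each
# named interface (the per-interface lines are belt and braces, since "all"
# already covers them for this particular knob).
arp_filter_sysctl_conf() {
  printf 'net.ipv4.conf.all.arp_filter = 1\n'
  for ifc in "$@"; do
    printf 'net.ipv4.conf.%s.arp_filter = 1\n' "$ifc"
  done
}

# Stand-alone use: ./arpfilter-check.sh eth0 eth1
if [ "$#" -gt 0 ]; then
  arp_filter_status "$@"
  if arp_filter_enforced "$@"; then
    echo "arp_filter is enforced for: $*"
  else
    echo "arp_filter NOT enforced; suggested sysctl.conf lines:"
    arp_filter_sysctl_conf "$@"
  fi
fi
```

Run it as root against the two interfaces from the thread (eth0 and eth1) to see which one the kernel will still answer for; append the rendered lines to /etc/sysctl.conf and apply them with "sysctl -p", or set one knob immediately with "sysctl -w net.ipv4.conf.all.arp_filter=1". Flushing the ARP caches of the neighbours on that segment afterwards is what makes the change visible to them, since they may have already learned the wrong MAC.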

This archive was generated by hypermail 2b29 : Tue Apr 15 2003 - 22:00:01 EST