RE: Multiple network cards with IP addresses in the same network

2003-01-15 Thread Michael Ritchie
I realise that this question has gone on further than the point at which I
am replying, but I believe it is around here that everything seems to go
astray.

From my fairly primitive understanding of the TCP stack in FreeBSD, it would
seem that in the case of two network cards being on the same subnet, one is
designated as the 'primary' card (if you like) -- in this case, 192.168.0.1,
and the other the 'secondary' card -- 192.168.0.2.

The primary card is assigned the address 192.168.0.1/24, and will be used to
send data to that designated subnet, and receive packets as per normal to
its assigned ip address.  The secondary card (with the address
192.168.0.2/32) will only be used for receiving data, because the subnet
mask does not allow packets to be sent to any address other than that card
itself.
Linux must therefore use another means by which to determine which interface
is used to send packets:  my guess would be (in the given example, the eth0
interface, whilst the eth0:0 'alias' is only used to receive data?)

As for the gateways, AFAIK, since two devices can only communicate within
their own subnets, an interface must be assigned a valid IP address in the
same subnet as the router, so that interface can communicate WITH the router
itself, which can then route the packets to another wan/lan/whatever.

Regards,
Michael


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dax Eckenberg
Sent: Tuesday, 14 January 2003 12:44 AM
To: Anand Buddhdev
Cc: [EMAIL PROTECTED]
Subject: Re: Multiple network cards with IP addresses in the same
network


 I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
 services on the 2 different IP addresses. In a linux system, I do:

 ifconfig eth0 192.168.0.1 netmask 255.255.255.0
 ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0

 So that I have 2 different addresses bound to the same interface.

 On FreeBSD, if I do:

 ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
 ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias

 That fails.

It should fail, you should enter:

# ifconfig fxp0 192.168.0.2 netmask 255.255.255.255 alias

In this situation you can ignore the /32 netmask, it will act as /24.

 The ifconfig manpage states that a nonconflicting netmask must be used
 for the alias, and suggests to use 0x. I don't understand why,
 because I don't see why one network interface cannot have more than one
 address bound to it within the same network. If I use a /32 netmask for
 the alias address, how will the kernel respond to arp requests for that
 alias address?

arp requests for .2 will be handled properly by the kernel as if it were
/24.

  2. Adding a second IP to a *different* network card in the same server
  does not work if the second IP is within the network of the first one.
 
  Because it breaks routing and the basic concept of IP addys and netmasks.
  If you have two NICs on the same network, how is the kernel supposed to
  route packets?

 I still don't understand. In a linux system I can do:

 route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth0
 route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth1

To my knowledge, this is a Linux feature.  Solaris, *BSD, and others don't
let you specify the network interface when you add a route.  I know for a
fact under Solaris that when you have 2 interfaces which live in the same
subnet, the interface with the lowest numbered IP will be the interface
used for outbound traffic.

 All I want to do is to have 2 different IP addresses on each of the
 different interfaces in the server, where the addresses are in the
 same network. I can do it in linux. Why can't I do it in FreeBSD?


Good question.  I'd defer this answer to someone a bit more intimate with
FreeBSD's IP stack and routing.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message





Re: Multiple network cards with IP addresses in the same network

2003-01-14 Thread Bill Moran
[please stop top-posting]

John wrote:

Short version:
I am running an application that receives traffic on ranges of ports that
are already mapped from the current external interface to machines on my
network.

I was advised by the vendor that my options were to:
1) connect my workstation directly to the internet
or
2) See option #1
The vendor modifying the app is not an option.


That's unfortunate.  Can you change the port ranges of the _other_ programs
to free up the ports required by the non-configurable one?


So.. as I see it, if I had another external interface I could direct these
ports coming in to the second external IP address (along with pretty much
all other network traffic destined for this workstation), to my workstation.
As I would like my workstation to access resources from other machines
within my lan, directly connecting it would cause some SERIOUS headaches..
especially considering this particular workstation is Windoze.  I won't
touch the s word on this one...


I still don't see the need for an additional NIC.  Just add an IP address to
it.  If you're the one that wanted to use DHCP to get two different addys,
then I don't have an _easy_ solution for you.  If you're running a server,
though, I should think that you could get a static IP.


Long version:
Convenience.  At least I'd hoped there would be an easy answer to the
question.  I would prefer to not have rules to direct traffic for specific
ranges of ports to multiple machines via NAT as this would require (most
likely) several dozen extra rules.
It would also be very nice to have an external interface directly mapped to
this workstation.


Sounds like you're getting into a fairly complex arrangement.  To think that
there's any easy way to make it work would be a little naive (if you ask me).
But it still seems to me like you can do that simply by adding an alias to
your NIC.


...
One way to accomplish what I'm trying to do, would be to configure another
dual homed machine.  The end result is more costly and time consuming than I
had hoped, but it would work.


Most folks I know would accomplish your goal by adding a second gateway/firewall
machine.  Not to be rude, but I think you're trying to do a $5000 project with
a $1000 budget.


Or I suppose I could reload linux on the current box.  (And of course learn
the goofy quirks of a particular distro.).  This option would definitely be
time consuming.  Linux is only free if your time has no value.  Much lower
on the list of possible resolutions... but it is another method to make this
work.


True, but why not just use an alias?


But... In my fantasy world.. I guess I had hoped that rather than be asked
why I wanted to do something, I might hear from someone who has shared
similar experience in making something like this work.  I do appreciate your
feedback.  And I'm sure there is possibly a workaround, a hundred or so
IPNAT rules that could be written, a script or two, or some other hack for
it... but before taking that route, I ask again...
Any thoughts or suggestions as to how to get FreeBSD to simply allow for 2
interfaces on the same subnet???


Sorry.  This is beyond my expertise.  My recommendations are (in order)
1) Juggle port ranges until you free up the ports you need
2) add a second firewall/gateway
3) Use 1 NIC with an alias IP
4) Hack the FreeBSD kernel to allow what you want
5) Use Linux, if it does what you need

I know those aren't the answers that you want, and I wish I had better ones
to give you.

Good luck, I hope you find a solution that fits within everything you need.



Thanks,
John

- Original Message -
From: Bill Moran [EMAIL PROTECTED]
To: John [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 6:21 PM
Subject: Re: Multiple network cards with IP addresses in the same network




John wrote:


I'm going to jump in here, because this question was my reason for having
joined the Freebsd-questions list in the first place.  Of all the time I've
been running FreeBSD, this is my first post to this list... :P


Welcome.


I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
than using the two external interfaces for different services, I would like
to use two nic's on the external subnet (using the FreeBSD machine as a
NAT/Firewall) for the following purpose:
--I would like one interface to be used for external IPF/NAT connectivity
for my network computers, allowing my network connectivity to my ISP.
--I would like a second interface to acquire a SECOND ip address to be set
up as bimap in NAT, to allow a second machine (my workstation) to be the
only machine to utilize the second external IP.  Similar to being in a DMZ,
but it would still use an internal address, as well as be subject to the
firewall rules in IPF.


I don't understand:
a) Why you need 3 NICs to do this?
b) Why you need 3 IPs to do this?
Just put an internal and external IP (2 NICs) and if you have

Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Lowell Gilbert
Anand Buddhdev [EMAIL PROTECTED] writes:

 I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
 are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
 card). I configured the em0 with address 192.168.0.1/24. I then wanted
 to configure fxp0 with the address 192.168.0.2/24, and also connect it
 to the switch so that I can connect to the server via both addresses.
 However, FreeBSD's ifconfig command fails, and won't let me add the second
 address to the fxp0 interface. I read the manual page about ifconfig,
 and read about aliases, where it said that for aliases, I must use the
 netmask /32. When I do try to add the second address with a netmask of
 /32, it works, but it doesn't make sense to me. How is that interface
 going to know that it is part of a /24 network if I use a /32 netmask?
 
 Would anyone be kind enough to explain why:
 
 1. For aliases, I need the /32 mask

You don't, *unless* the address is inside of a subnet for which you
already have a route.  In that case, you obviously need to avoid
ambiguity.

 2. Adding a second IP to a *different* network card in the same server
 does not work if the second IP is within the network of the first one.

Because when a packet comes in for that network, there's no way to
tell which card it should go to.

I think you need to rethink your network design a bit.  If you have
different Ethernet links, you should either bridge or route between
them.  If you want to route between them, they almost always should
have distinct subnet ranges.
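
Added example, not part of the original post: a small Python model of the ambiguity described above. It assumes, as a simplification, that configuring an address installs one connected route for its network and that a second route for the same prefix is refused with "File exists", the error John quotes elsewhere in this thread. The class and function names are hypothetical, not FreeBSD code.

```python
import ipaddress


class ConnectedRoutes:
    """Toy model of a kernel's directly connected routes (not FreeBSD code)."""

    def __init__(self):
        self.routes = {}  # ip_network -> interface that owns the route
        self.local = {}   # ip_address -> interface the address is bound to

    def add_address(self, ifname, cidr):
        """Bind an address and install the connected route for its network.

        Assumption: one route per prefix. A second address whose netmask
        yields an already-routed prefix is refused, on any interface.
        """
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if net in self.routes:
            raise FileExistsError(
                f"route to {net} already exists via {self.routes[net]}")
        self.routes[net] = ifname
        self.local[iface.ip] = ifname

    def egress(self, dst):
        """Longest-prefix match: which interface is used to reach dst?"""
        dst = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def answers_arp(self, addr):
        """ARP is answered for any bound address, whatever its netmask."""
        return ipaddress.ip_address(addr) in self.local


def try_config(steps):
    """Apply (ifname, cidr) steps; return the table and 'ok'/'EEXIST' per step."""
    table = ConnectedRoutes()
    results = []
    for ifname, cidr in steps:
        try:
            table.add_address(ifname, cidr)
            results.append("ok")
        except FileExistsError:
            results.append("EEXIST")
    return table, results


# Constructed scenarios using the addresses discussed in the thread.
SAME_NIC_24 = [("fxp0", "192.168.0.1/24"), ("fxp0", "192.168.0.2/24")]
SAME_NIC_32 = [("fxp0", "192.168.0.1/24"), ("fxp0", "192.168.0.2/32")]
TWO_NICS_24 = [("em0", "192.168.0.1/24"), ("fxp0", "192.168.0.2/24")]
TWO_NICS_32 = [("em0", "192.168.0.1/24"), ("fxp0", "192.168.0.2/32")]


if __name__ == "__main__":
    for name, steps in [("same NIC, /24 alias", SAME_NIC_24),
                        ("same NIC, /32 alias", SAME_NIC_32),
                        ("two NICs, both /24", TWO_NICS_24),
                        ("two NICs, second /32", TWO_NICS_32)]:
        table, results = try_config(steps)
        print(f"{name}: {results}")
        print(f"  ARP answered for 192.168.0.2: "
              f"{table.answers_arp('192.168.0.2')}")
        print(f"  egress to 192.168.0.254: {table.egress('192.168.0.254')}")
```

In the last scenario both addresses are bound, but traffic to the rest of 192.168.0.0/24 still leaves through em0, because the /32 on fxp0 covers only the address itself.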




Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Bill Moran
Anand Buddhdev wrote:

I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
card). I configured the em0 with address 192.168.0.1/24. I then wanted
to configure fxp0 with the address 192.168.0.2/24, and also connect it
to the switch so that I can connect to the server via both addresses.
However, FreeBSD's ifconfig command fails, and won't let me add the second
address to the fxp0 interface. I read the manual page about ifconfig,
and read about aliases, where it said that for aliases, I must use the
netmask /32. When I do try to add the second address with a netmask of
/32, it works, but it doesn't make sense to me. How is that interface
going to know that it is part of a /24 network if I use a /32 netmask?

Would anyone be kind enough to explain why:

1. For aliases, I need the /32 mask


I didn't know that you did.  I've certainly had aliases that weren't /32


2. Adding a second IP to a *different* network card in the same server
does not work if the second IP is within the network of the first one.


Because it breaks routing and the basic concept of IP addys and netmasks.
If you have two NICs on the same network, how is the kernel supposed to
route packets?

If you want this setup as a failover solution, there are other ways.
There's a program in the ports (I can't remember the name, you'll have to
do some research) that will monitor an interface, and if it becomes non-
responsive, run a script of your choosing.  Thus, you can have it start
up the other network card if the first fails.

If failover isn't what you're looking for, then I'd reconsider your
network topology.  It doesn't really make sense to have 2 NICs with the
same network number in one machine.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com





Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Anand Buddhdev
On Mon, Jan 13, 2003 at 07:53:08AM -0500, Bill Moran wrote:

 I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
 are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
 card). I configured the em0 with address 192.168.0.1/24. I then wanted
 to configure fxp0 with the address 192.168.0.2/24, and also connect it
 to the switch so that I can connect to the server via both addresses.
 However, FreeBSD's ifconfig command fails, and won't let me add the second
 address to the fxp0 interface. I read the manual page about ifconfig,
 and read about aliases, where it said that for aliases, I must use the
 netmask /32. When I do try to add the second address with a netmask of
 /32, it works, but it doesn't make sense to me. How is that interface
 going to know that it is part of a /24 network if I use a /32 netmask?
 
 Would anyone be kind enough to explain why:
 
 1. For aliases, I need the /32 mask
 
 I didn't know that you did.  I've certainly had aliases that weren't /32

I have been using linux for about 2 years now. Let me explain why I
don't understand.

I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
services on the 2 different IP addresses. In a linux system, I do:

ifconfig eth0 192.168.0.1 netmask 255.255.255.0
ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0

So that I have 2 different addresses bound to the same interface.

On FreeBSD, if I do:

ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias

That fails.

The ifconfig manpage states that a nonconflicting netmask must be used
for the alias, and suggests to use 0x. I don't understand why,
because I don't see why one network interface cannot have more than one
address bound to it within the same network. If I use a /32 netmask for
the alias address, how will the kernel respond to arp requests for that
alias address?

 2. Adding a second IP to a *different* network card in the same server
 does not work if the second IP is within the network of the first one.
 
 Because it breaks routing and the basic concept of IP addys and netmasks.
 If you have two NICs on the same network, how is the kernel supposed to
 route packets?

I still don't understand. In a linux system I can do:

route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth1

This adds 2 default routes in the linux kernel, telling it to route
packets to the outside world using either network interface, where eth0
has address 192.168.0.1/24 and eth1 has address 192.168.0.2/24. What's
wrong with that?

 If you want this setup as a failover solution, there are other ways.
 There's a program in the ports (I can't remember the name, you'll have to
 do some research) that will monitor an interface, and if it becomes non-
 responsive, run a script of your choosing.  Thus, you can have it start
 up the other network card if the first fails.

Ok, I understand that, and it may be a very useful program, *if* you
want to bring up the other interface with perhaps the same IP address.

All I want to do is to have 2 different IP addresses on each of the
different interfaces in the server, where the addresses are in the
same network. I can do it in linux. Why can't I do it in FreeBSD?

 If failover isn't what you're looking for, then I'd reconsider your
 network topology.  It doesn't really make sense to have 2 NICs with the
 same network number in one machine.

Why not? I haven't seen any such warning in my IP networking books
or courses.

-- 
Anand Buddhdev
http://anand.org




Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Dax Eckenberg
 I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
 services on the 2 different IP addresses. In a linux system, I do:

 ifconfig eth0 192.168.0.1 netmask 255.255.255.0
 ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0

 So that I have 2 different addresses bound to the same interface.

 On FreeBSD, if I do:

 ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
 ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias

 That fails.

It should fail, you should enter:

# ifconfig fxp0 192.168.0.2 netmask 255.255.255.255 alias

In this situation you can ignore the /32 netmask, it will act as /24.

 The ifconfig manpage states that a nonconflicting netmask must be used
 for the alias, and suggests to use 0x. I don't understand why,
 because I don't see why one network interface cannot have more than one
 address bound to it within the same network. If I use a /32 netmask for
 the alias address, how will the kernel respond to arp requests for that
 alias address?

arp requests for .2 will be handled properly by the kernel as if it were /24.

  2. Adding a second IP to a *different* network card in the same server
  does not work if the second IP is within the network of the first one.
 
  Because it breaks routing and the basic concept of IP addys and netmasks.
  If you have two NICs on the same network, how is the kernel supposed to
  route packets?

 I still don't understand. In a linux system I can do:

 route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth0
 route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth1

To my knowledge, this is a Linux feature.  Solaris, *BSD, and others don't
let you specify the network interface when you add a route.  I know for a
fact under Solaris that when you have 2 interfaces which live in the same
subnet, the interface with the lowest numbered IP will be the interface
used for outbound traffic.

 All I want to do is to have 2 different IP addresses on each of the
 different interfaces in the server, where the addresses are in the
 same network. I can do it in linux. Why can't I do it in FreeBSD?


Good question.  I'd defer this answer to someone a bit more intimate with
FreeBSD's IP stack and routing.





Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Bill Moran
Anand Buddhdev wrote:

On Mon, Jan 13, 2003 at 07:53:08AM -0500, Bill Moran wrote:


I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
card). I configured the em0 with address 192.168.0.1/24. I then wanted
to configure fxp0 with the address 192.168.0.2/24, and also connect it
to the switch so that I can connect to the server via both addresses.
However, FreeBSD's ifconfig command fails, and won't let me add the second
address to the fxp0 interface. I read the manual page about ifconfig,
and read about aliases, where it said that for aliases, I must use the
netmask /32. When I do try to add the second address with a netmask of
/32, it works, but it doesn't make sense to me. How is that interface
going to know that it is part of a /24 network if I use a /32 netmask?

Would anyone be kind enough to explain why:

1. For aliases, I need the /32 mask


I didn't know that you did.  I've certainly had aliases that weren't /32


I have been using linux for about 2 years now. Let me explain why I
don't understand.


Well, first off, I misunderstood your original question.


I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
services on the 2 different IP addresses. In a linux system, I do:

ifconfig eth0 192.168.0.1 netmask 255.255.255.0
ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0

So that I have 2 different addresses bound to the same interface.

On FreeBSD, if I do:

ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias

That fails.


It should, it creates an ambiguous network situation.
Also, I don't understand why you would want to do this.


The ifconfig manpage states that a nonconflicting netmask must be used
for the alias, and suggests to use 0x. I don't understand why,
because I don't see why one network interface cannot have more than one
address bound to it within the same network. If I use a /32 netmask for
the alias address, how will the kernel respond to arp requests for that
alias address?


What would you expect it to do that would be unusual?
If you really want two IPs on the same subnet on the same NIC, then use
a /32 subnet for one.  What's it going to hurt?


2. Adding a second IP to a *different* network card in the same server
does not work if the second IP is within the network of the first one.


Because it breaks routing and the basic concept of IP addys and netmasks.
If you have two NICs on the same network, how is the kernel supposed to
route packets?


I still don't understand. In a linux system I can do:

route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.0.254 dev eth1


Just because you can do it on a Linux system doesn't mean it's right.


This adds 2 default routes in the linux kernel, telling it to route
packets to the outside world using either network interface, where eth0
has address 192.168.0.1/24 and eth1 has address 192.168.0.2/24. What's
wrong with that?


It's ambiguous.  Where does the kernel route to when there are two possible
routes?  There's really no reason for such a thing.


If you want this setup as a failover solution, there are other ways.
There's a program in the ports (I can't remember the name, you'll have to
do some research) that will monitor an interface, and if it becomes non-
responsive, run a script of your choosing.  Thus, you can have it start
up the other network card if the first fails.


Ok, I understand that, and it may be a very useful program, *if* you
want to bring up the other interface with perhaps the same IP address.


Well, it's useful for other reasons as well, but it doesn't apply to your
situation.  I suggested it because I didn't understand what you were
asking before.


All I want to do is to have 2 different IP addresses on each of the
different interfaces in the server, where the addresses are in the
same network. I can do it in linux. Why can't I do it in FreeBSD?


Because you shouldn't do it.


If failover isn't what you're looking for, then I'd reconsider your
network topology.  It doesn't really make sense to have 2 NICs with the
same network number in one machine.



Why not? I haven't seen any such warning in my IP networking books
or courses.


My answer to your question is:
1. Why would you WANT to do that?  I don't care if Linux, Windows and everyone
   but FreeBSD _allows_ you to, the reason for it escapes me.
2. If you really _do_ want to do that, use a /32 netmask as required.  If that
   doesn't work for you for some reason, then the answer to your question is
   beyond my expertise.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com





Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread John
I'm going to jump in here, because this question was my reason for having
joined the Freebsd-questions list in the first place.  Of all the time I've
been running FreeBSD, this is my first post to this list... :P

I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
than using the two external interfaces for different services, I would like
to use two nic's on the external subnet (using the FreeBSD machine as a
NAT/Firewall) for the following purpose:
--I would like one interface to be used for external IPF/NAT connectivity
for my network computers, allowing my network connectivity to my ISP.
--I would like a second interface to acquire a SECOND ip address to be set
up as bimap in NAT, to allow a second machine (my workstation) to be the
only machine to utilize the second external IP.  Similar to being in a DMZ,
but it would still use an internal address, as well as be subject to the
firewall rules in IPF.

Again, I have read that this is available on Linux.  My searches have shown
that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
digress...

I have tried putting two nics in and having dhclient obtain addresses for
both on the same subnet.  dhclient will get both addresses (shown in
dhclient.leases), but fails to assign an ip to the second interface, failing
with the error file already exists.  I'm sure this is a different (but
related) issue.
In my situation, another solution might be to use an alias on a single
external interface.. only I'm not sure how to get dhclient to obtain the
second IP address and assign it to the alias, nor how to get IPF to
recognize the alias'd interface properly.
Bridging also comes to mind, but I'm not certain that if I bridge the
interface to my workstation computer it would correctly handle having an
internal as well as external address (other software application
complications would arise as well, I'm sure).  That's not my intent anyway,
so I have not and likely will not pursue bridging as an option.

Maybe I should have posted this on a diff. thread?  :P  But I believe the
resolution to this issue is the same as the originally posted issue.
Hopefully something will come out of it.

Thanks,
John
Addtn'l info:  I have a FreeBSD 4.7 Stable #2 (updated yesterday).

- Original Message -
From: Bill Moran [EMAIL PROTECTED]
To: Anand Buddhdev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 8:31 AM
Subject: Re: Multiple network cards with IP addresses in the same network


 Anand Buddhdev wrote:
  On Mon, Jan 13, 2003 at 07:53:08AM -0500, Bill Moran wrote:
 
 I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
 are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
 card). I configured the em0 with address 192.168.0.1/24. I then wanted
 to configure fxp0 with the address 192.168.0.2/24, and also connect it
 to the switch so that I can connect to the server via both addresses.
 However, FreeBSD's ifconfig command fails, and won't let me add the second
 address to the fxp0 interface. I read the manual page about ifconfig,
 and read about aliases, where it said that for aliases, I must use the
 netmask /32. When I do try to add the second address with a netmask of
 /32, it works, but it doesn't make sense to me. How is that interface
 going to know that it is part of a /24 network if I use a /32 netmask?
 
 Would anyone be kind enough to explain why:
 
 1. For aliases, I need the /32 mask
 
 I didn't know that you did.  I've certainly had aliases that weren't /32
 
  I have been using linux for about 2 years now. Let me explain why I
  don't understand.

 Well, first off, I misunderstood your original question.

  I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
  services on the 2 different IP addresses. In a linux system, I do:
 
  ifconfig eth0 192.168.0.1 netmask 255.255.255.0
  ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0
 
  So that I have 2 different addresses bound to the same interface.
 
  On FreeBSD, if I do:
 
  ifconfig fxp0 192.168.0.1 netmask 255.255.255.0
  ifconfig fxp0 192.168.0.2 netmask 255.255.255.0 alias
 
  That fails.

 It should, it creates an ambiguous network situation.
 Also, I don't understand why you would want to do this.

  The ifconfig manpage states that a nonconflicting netmask must be used
  for the alias, and suggests to use 0x. I don't understand why,
  because I don't see why one network interface cannot have more than one
  address bound to it within the same network. If I use a /32 netmask for
  the alias address, how will the kernel respond to arp requests for that
  alias address?

 What would you expect it to do that would be unusual?
 If you really want two IPs on the same subnet on the same NIC, then use
 a /32 subnet for one.  What's it going to hurt?

 2. Adding a second IP to a *different* network card in the same server
 does not work if the second IP is within the network of the first one

Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread Bill Moran
John wrote:

I'm going to jump in here, because this question was my reason for having
joined the Freebsd-questions list in the first place.  Of all the time I've
been running FreeBSD, this is my first post to this list... :P


Welcome.


I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
than using the two external interfaces for different services, I would like
to use two nic's on the external subnet (using the FreeBSD machine as a
NAT/Firewall) for the following purpose:
--I would like one interface to be used for external IPF/NAT connectivity
for my network computers, allowing my network connectivity to my ISP.
--I would like a second interface to acquire a SECOND ip address to be set
up as bimap in NAT, to allow a second machine (my workstation) to be the
only machine to utilize the second external IP.  Similar to being in a DMZ,
but it would still use an internal address, as well as be subject to the
firewall rules in IPF.


I don't understand:
a) Why you need 3 NICs to do this?
b) Why you need 3 IPs to do this?
Just put an internal and external IP (2 NICs) and if you have a specific
machine within the network that you want treated specially, write special
ipfw rules for it.  Why the need for 3 IPs/NICs?


Again, I have read that this is available on Linux.  My searches have shown
that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
digress...


That's fine.  I'm sure there are lots of systems that have spiffy (or maybe
not so spiffy) things that you can do that you can't in FreeBSD (or other
spiffy system).

My only question I have is why do you need it?  There are other ways to get
the end result.


I have tried putting two nics in and having dhclient obtain addresses for
both on the same subnet.  dhclient will get both addresses (shown in
dhclient.leases), but fails to assign an ip to the second interface, failing
with the error file already exists.  I'm sure this is a different (but
related) issue.


Sounds very related.


In my situation, another solution might be to use an alias on a single
external interface.. only I'm not sure how to get dhclient to obtain the
second IP address and assign it to the alias, nor how to get IPF to
recognize the alias'd interface properly.


That sure seems to be beyond what the software was designed to do.  You
could probably write some fancy scripts or something, but I ask my original
question: What are you trying to accomplish in the end?  Because it sure
seems like you're trying to use a wrench to hammer nails.


Bridging also comes to mind, but I'm not certain that if I bridge the
interface to my workstation computer it would correctly handle having an
internal as well as external address (other software application
complications would arise as well, I'm sure).  That's not my intent anyway,
so I have not and likely will not pursue bridging as an option.


If you need NAT to get out, then bridging won't work.


Maybe I should have posted this on a diff. thread?  :P  But I believe the
resolution to this issue is the same as the originally posted issue.
Hopefully something will come out of it.


I could be wrong, but I suspect the resolution of your problem is to determine
what you want to accomplish, and then use FreeBSD in the manner it was intended
to achieve your goal.


Thanks,
John
Addtn'l info:  I have a FreeBSD 4.7 Stable #2 (updated yesterday).

- Original Message -
From: Bill Moran [EMAIL PROTECTED]
To: Anand Buddhdev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 8:31 AM
Subject: Re: Multiple network cards with IP addresses in the same network




Anand Buddhdev wrote:


On Mon, Jan 13, 2003 at 07:53:08AM -0500, Bill Moran wrote:



I have a FreeBSD 4.7 system, with 3 ethernet cards. The first two
are recognised as fxp0 and fxp1 and the second as em0 (intel gigabit
card). I configured the em0 with address 192.168.0.1/24. I then wanted
to configure fxp0 with the address 192.168.0.2/24, and also connect it
to the switch so that I can connect to the server via both addresses.
However, FreeBSD's ifconfig command fails, and won't let me add the
second address to the fxp0 interface. I read the manual page about
ifconfig, and read about aliases, where it said that for aliases, I must
use the netmask /32. When I do try to add the second address with a
netmask of /32, it works, but it doesn't make sense to me. How is that
interface going to know that it is part of a /24 network if I use a /32
netmask?


Would anyone be kind enough to explain why:

1. For aliases, I need the /32 mask


I didn't know that you did.  I've certainly had aliases that weren't /32


I have been using linux for about 2 years now. Let me explain why I
don't understand.


Well, first off, I misunderstood your original question.



I have addresses 192.168.0.1 and 192.168.0.2. I want to run different
services on the 2 different IP addresses. In a linux system, I do:

ifconfig eth0 192.168.0.1 netmask
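
The "file exists" error and the /32 alias netmask discussed in this thread can be modelled with a toy routing table; this is an added example, not code from any poster or from FreeBSD. It assumes the error comes from the kernel keeping one connected route per prefix and rejecting a second one for 192.168.0.0/24; the class and function names are hypothetical.

```python
import errno
import ipaddress


class ConnectedRouteTable:
    """Toy model (assumption): one connected route per prefix."""

    def __init__(self):
        self.routes = {}  # ip_network -> interface name

    def add_address(self, ifname, cidr):
        """Configure an address and install the connected route for its prefix."""
        net = ipaddress.ip_interface(cidr).network
        if net in self.routes:
            # The prefix is already routed through another interface: EEXIST,
            # which strerror() renders as "File exists".
            raise OSError(errno.EEXIST, "File exists", f"{ifname} {cidr}")
        self.routes[net] = ifname

    def egress(self, dst):
        """Longest-prefix match: which interface sends traffic to dst?"""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def demo():
    """Replay the thread's setup: em0 gets the /24, fxp0 is tried twice."""
    table = ConnectedRouteTable()
    table.add_address("em0", "192.168.0.1/24")
    try:
        table.add_address("fxp0", "192.168.0.2/24")  # same prefix again
        second_24 = "ok"
    except OSError as exc:
        second_24 = exc.strerror
    table.add_address("fxp0", "192.168.0.2/32")      # host route only
    return second_24, table


if __name__ == "__main__":
    result, table = demo()
    print("second /24:", result)
    for net, ifname in table.routes.items():
        print(net, "->", ifname)
    print("traffic to 192.168.0.50 leaves via", table.egress("192.168.0.50"))
```

In this model, traffic to other hosts on the subnet always leaves through em0, whichever address received the request, which matters when filter rules are keyed on the interface name.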

Re: Multiple network cards with IP addresses in the same network

2003-01-13 Thread John
Short version:
I am running an application that receives traffic on ranges of ports that
are already mapped from the current external interface to machines on my
network.

I was advised by the vendor that my options were to:
1) connect my workstation directly to the internet
or
2) See option #1
The vendor modifying the app is not an option.

So.. as I see it, if I had another external interface I could direct these
ports coming in to the second external IP address (along with pretty much
all other network traffic destined for this workstation), to my workstation.
As I would like my workstation to access resources from other machines
within my lan, directly connecting it would cause some SERIOUS headaches..
especially considering this particular workstation is Windoze.  I won't
touch the s word on this one...

Long version:
Convenience.  At least I'd hoped there would be an easy answer to the
question.  I would prefer to not have rules to direct traffic for specific
ranges of ports to multiple machines via NAT as this would require (most
likely) several dozen extra rules.
It would also be very nice to have an external interface directly mapped to
this workstation.

...
One way to accomplish what I'm trying to do, would be to configure another
dual homed machine.  The end result is more costly and time consuming than I
had hoped, but it would work.
Or I suppose I could reload linux on the current box.  (And of course learn
the goofy quirks of a particular distro.).  This option would definitely be
time consuming.  Linux is only free if your time has no value.  Much lower
on the list of possible resolutions... but it is another method to make this
work.
But... In my fantasy world.. I guess I had hoped that rather than be asked
why I wanted to do something, I might hear from someone who has shared
similar experience in making something like this work.  I do appreciate your
feedback.  And I'm sure there is possibly a workaround, a hundred or so
IPNAT rules that could be written, a script or two, or some other hack for
it... but before taking that route, I ask again...
Any thoughts or suggestions as to how to get FreeBSD to simply allow for 2
interfaces on the same subnet???

Thanks,
John

- Original Message -
From: Bill Moran [EMAIL PROTECTED]
To: John [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 6:21 PM
Subject: Re: Multiple network cards with IP addresses in the same network


 John wrote:
  I'm going to jump in here, because this question was my reason for having
  joined the Freebsd-questions list in the first place.  Of all the time I've
  been running FreeBSD, this is my first post to this list... :P

 Welcome.

  I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
  than using the two external interfaces for different services, I would like
  to use two nic's on the external subnet (using the FreeBSD machine as a
  NAT/Firewall) for the following purpose:
  --I would like one interface to be used for external IPF/NAT connectivity
  for my network computers, allowing my network connectivity to my ISP.
  --I would like a second interface to acquire a SECOND ip address to be set
  up as bimap in NAT, to allow a second machine (my workstation) to be the
  only machine to utilize the second external IP.  Similar to being in a DMZ,
  but it would still use an internal address, as well as be subject to the
  firewall rules in IPF.

 I don't understand:
 a) Why you need 3 NICs to do this?
 b) Why you need 3 IPs to do this?
 Just put an internal and external IP (2 NICs) and if you have a specific
 machine within the network that you want treated specially, write special
 ipfw rules for it.  Why the need for 3 IPs/NICs?

  Again, I have read that this is available on Linux.  My searches have shown
  that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
  digress...

 That's fine.  I'm sure there are lots of systems that have spiffy (or maybe
 not so spiffy) things that you can do that you can't in FreeBSD (or other
 spiffy system).

 My only question I have is why do you need it?  There are other ways to get
 the end result.

  I have tried putting two nics in and having dhclient obtain addresses for
  both on the same subnet.  dhclient will get both addresses (shown in
  dhclient.leases), but fails to assign an ip to the second interface, failing
  with the error file already exists.  I'm sure this is a different (but
  related) issue.

 Sounds very related.

  In my situation, another solution might be to use an alias on a single
  external interface.. only I'm not sure how to get dhclient to obtain the
  second IP address and assign it to the alias, nor how to get IPF to
  recognize the alias'd interface properly.

 That sure seems to be beyond what the software was designed to do.  You
 could probably write some fancy scripts or something, but I ask my original
 question: What are you trying to accomplish in the end?  Because