PDA

View Full Version : Need Multi-NIC/IP/Networks Help



carnold6
17-Feb-2013, 16:29
SLES11 SP2 with 2 NIC's. Each NIC has its own (private) ip and each NIC is physically attached to a different network. A quick network diagram:
|sles11 server|--nic 1 192.168.123.3---192.168.123.x network switch (unmanaged)--trusted port of sonicwall\
|___________|--nic 2 192.168.124.3---192.168.124.x network switch (unmanaged)--opt port of sonicwall----/
This server has a default gateway of 192.168.124.2 which is the sonicwall OPT interface.

I spent days (and money) making sure it was not the sonicwall. From a device on the LAN, you can access other devices on the OPT side and OPT to LAN works fine. When it comes to this multihomed server, the problems arise.

Using the (rough) diagram above, when (specifically) 192.168.123.3 sends a requests to 192.168.124.3, it fails (whether a ping, telnet to port 25, https or anything). So i added a route on the sles11 server: route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.124.2 (i know this is not persistent and will address this at a later time when the correct fix is found). This route add now allow a device on the LAN to access the 192.168.124.3 via ping, telnet port 25 and https. But a server on the LAN, 192.168.123.3, can not access 192.168.124.3. This server is not multihomed and is also a SLES11 server.

What i believe is happening is when a request is sent to 192.168.124.3, the request makes it to 192.168.124.3 server but comes out from 192.168.123.x and the requestor is not looking for an ACK from 192.168.123.x but from 192.168.124.x and therefore drops the packet. First, does that sound right to you? Then if that is right, how do i keep ACK's (request sent back to the requestor) so it returns from the right NIC?

In an effort to give as much needed info as possible, here is the bigger sketch of what is going on:
When you go to https://mail.domain.tld (i will give you this info privately if you want it) it goes to the sonicwall which sends 443 requests to a private ip of 192.168.123.3. That sles11 server(LAN) is running apache and via proxypass statements will send the request to 192.168.124.3(OPT) which is the multihomed sles server. I am sure the proxypass statement works fine as i have had apache guru's verify its correct. If you would like to look at anything related to this, i will be happy to share.

carnold6
17-Feb-2013, 18:28
To verify this is a dual NIC issue, i disabled the 192.168.123.3 NIC. Then access https://mail.domain.tld=works, ping 192.168.124.3 from 192.168.123.3=works and telnet from LAN to 192.168.124.3=works.

We have to have this 192.168.123.3 NIC however. How do i successfully use both NIC's in this environment?

KBOYLE
17-Feb-2013, 19:14
carnold6 wrote:

> How do i successfully
> use both NIC's in this environment?

Do this TID help?

TID 7000318 Reply packets are sent over an unexpected interface
http://www.novell.com/support/kb/doc.php?id=7000318



--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

carnold6
17-Feb-2013, 20:38
Kevin, thanks for that link. I added the tables T1 nd T2 and then run:
ip route add 192.168.123.0/24 dev eth0 src 192.168.123.3 table T1

and get: RNETLINK answers: invalid arguments

Any ideas?

carnold6
17-Feb-2013, 22:03
Got it and it works as advertised!!! Many thanks

carnold6
17-Feb-2013, 22:33
Do you know of any way to make these routes persistent so they will live through a reboot?

carnold6
05-Mar-2013, 17:22
I am trying to make a script that run at boot to run the ip route commands. Here is what i have done so far: made a script, iproute.sh. I have added the following to that file:
#! /bin/sh
#
# Author: Chris A
#
# /etc/init.d/apache2
#
### BEGIN INIT INFO
# Provides: IP Route Tables
# Required-Start: $local_fs $remote_fs $network
# Should-Start:
# Should-Stop:
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: IP Route Commands
# Description: Adds IP Route Tables for Multi-NIC's
### END INIT INFO

ip route add 192.168.123.0/24 dev eth0 src 192.168.123.4 table T1
ip route add default via 192.168.123.1 dev eth0 src 192.168.123.4 table T1
ip rule add from 192.168.123.3 table T1

ip route add 192.168.124.0/24 dev eth1 src 192.168.124.3 table T2
ip route add default via 192.168.124.2 dev eth1 src 192.168.124.3 table T2
ip rule add from 192.168.124.3 table T2

Do I need the init info section? Where do i put this file so it runs at boot, in /etc/init.d or a /etc/rc.d folder?

jmozdzen
05-Mar-2013, 18:52
Hi carnold6,

the init info section is helpful when using this as an init script *and* have it managed by the system rutines.

"Provides" should be a single word i.e. "iprt".

Once in place, you can call "insserv iprt" to have the symbolic links in /etc/rc*.d/ created for you, according to the dependencies described in the various init sections. "insserv -r iprt" disables the service.

So you should place your script in /etc/init.d and let the magic behind "insserv" etc. do its magic.

Some docs can be found i.e. here: http://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/initscrcomconv.html

Regards,
Jens

carnold6
06-Mar-2013, 03:35
Once in place, you can call "insserv iprt" to have the symbolic links in /etc/rc*.d/ created for you, according to the dependencies described in the various init sections. "insserv -r iprt" disables the service.
I run insserv iproute.sh and get:
insserv: Service nss has to exists for service ncp2nss
insserv: Service network is missed in the runlevels 4 to use service openslp


So you should place your script in /etc/init.d and let the magic behind "insserv" etc. do its magic.

I have placed the file in /etc/init.d and made it executable.

John_Gill
06-Mar-2013, 12:39
Hi,

If I understand your problem correctly, you can try the following:
in the file /etc/sysctl.conf add the following line
"net.ipv4.conf.allrp_filter=0"

That allowed me to ping/ssh etc to each nic on seperate vlans from either of
the 2 vlans.

Good luck
John

>>> On 17 February 2013 at 17:34, in message
<carnold6.5qwxmn@no-mx.forums.suse.com>,
carnold6<carnold6@no-mx.forums.suse.com> wrote:

> SLES11 SP2 with 2 NIC's. Each NIC has its own (private) ip and each NIC
> is physically attached to a different network. A quick network diagram:
> |sles11 server|--nic 1 192.168.123.3---192.168.123.x network switch
> (unmanaged)--trusted port of sonicwall\
> |___________|--nic 2 192.168.124.3---192.168.124.x network switch
> (unmanaged)--opt port of sonicwall----/
> This server has a default gateway of 192.168.124.2 which is the
> sonicwall OPT interface.
>
> I spent days (and money) making sure it was not the sonicwall. From a
> device on the LAN, you can access other devices on the OPT side and OPT
> to LAN works fine. When it comes to this multihomed server, the problems
> arise.
>
> Using the (rough) diagram above, when (specifically) 192.168.123.3
> sends a requests to 192.168.124.3, it fails (whether a ping, telnet to
> port 25, https or anything). So i added a route on the sles11 server:
> route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.124.2 (i
> know this is not persistent and will address this at a later time when
> the correct fix is found). This route add now allow a device on the LAN
> to access the 192.168.124.3 via ping, telnet port 25 and https. But a
> server on the LAN, 192.168.123.3, can not access 192.168.124.3. This
> server is not multihomed and is also a SLES11 server.
>
> What i believe is happening is when a request is sent to 192.168.124.3,
> the request makes it to 192.168.124.3 server but comes out from
> 192.168.123.x and the requestor is not looking for an ACK from
> 192.168.123.x but from 192.168.124.x and therefore drops the packet.
> First, does that sound right to you? Then if that is right, how do i
> keep ACK's (request sent back to the requestor) so it returns from the
> right NIC?
>
> In an effort to give as much needed info as possible, here is the
> bigger sketch of what is going on:
> When you go to https://mail.domain.tld (i will give you this info
> privately if you want it) it goes to the sonicwall which sends 443
> requests to a private ip of 192.168.123.3. That sles11 server(LAN) is
> running apache and via proxypass statements will send the request to
> 192.168.124.3(OPT) which is the multihomed sles server. I am sure the
> proxypass statement works fine as i have had apache guru's verify its
> correct. If you would like to look at anything related to this, i will
> be happy to share.

jmozdzen
06-Mar-2013, 15:41
Hi carnold6,

> insserv: Service nss has to exists for service ncp2nss
> insserv: Service network is missed in the runlevels 4 to use service openslp

these are messages resulting from insserv's dependency checks, independent from your new script (afaict). You might see these messages even without your script, as soon as you use "insserv" to add/delete services.

It basically says that in the script providing "ncp2nss", there's a requirement for "nss" documented in the LSB header section of that script - but no script could be found with the corresponding "Provides:" header. This could point to potential trouble, but otoh these LSB sections are not always to be taken too seriously :/

The other message is similar, stating that openslp (/etc/init.d/slpd) has runlevel 4 defined as one of the run levels it should be activated or deactivated in... and requires "network"... but /etc/init.d/network is not declaring that it should even be started in rl 4. Which is no problem, because in /etc/inittab, rl 4 is commented on as "not used".

After the insserv run, were the corresponding symlinks to your script created in the rc*.d directories?

Regards,
Jens