[clug-talk] (advanced?) networking question
Gustin Johnson
gustin at echostar.ca
Sat Aug 29 02:00:26 PDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Peter Van den Wildenbergh wrote:
<snip>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 bond1
> 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 bond0
> 0.0.0.0         10.10.20.1      0.0.0.0         UG    100    0        0 bond1
> 0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 bond0
>
You have two default gateways. While not necessarily a bad thing since
a Linux box can be multi-homed, you need to do a little more work. For
these sorts of configurations you may wish to consult the advanced
routing and traffic shaping site, http://www.lartc.org
> cat /etc/network/interfaces
>
> auto bond0
> iface bond0 inet static
> address 192.168.10.200
> network 192.168.10.0
> netmask 255.255.255.0
> gateway 192.168.10.1
> dns-nameservers 192.168.10.1
> post-up ifenslave bond0 eth0 eth2
> pre-down ifenslave -d bond0 eth0 eth2
>
> auto bond1
> iface bond1 inet static
> address 10.10.20.200
> network 10.10.20.0
> netmask 255.255.255.0
> gateway 10.10.20.1
> post-up ifenslave bond1 eth1 eth3
> pre-down ifenslave -d bond1 eth1 eth3
>
You do not always need to define a default gateway. The only interface
that needs a default gateway is the one that traffic will go through to
get to the rest of the Internet. Since both of these are non-routable,
you can probably pick either one.
I also do not usually use IPCop in these more complex situations though
I am sure it is capable. Instead I tend to use one of the following:
1) Vanilla Linux install, usually Voyage (Debian) or Ubuntu server,
pretty much doing all the things found in the lartc guide.
2) MikroTik RouterOS
3) Vyatta
4) pfSense/m0n0wall
The reason is that IPCop has a pretty rigid definition of its networks,
red, green, blue etc. and they do not usually work out of the box with
whatever it is I am trying to do. Since it requires a bunch of work on
my part anyway, I will use something less awkward and more flexible and
in the end easier to maintain.
I do not really see the point in having a green *and* an orange network
on the same VM server. It is doable, but since all the traffic is
routed through the IPCop box anyway I do not see an advantage here, only
needless complexity which is the sworn enemy of security.
Hth,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkqY7icACgkQwRXgH3rKGfNgkACgkYX8A7Jv5JRbe3Ood3ibXRwc
JlsAn34Bo32hQOexaxI5YbAOVk5boksC
=eHl5
-----END PGP SIGNATURE-----
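As an added illustration of the advice above (this is not code from the thread or from either poster), the script below parses a `route -n` table like the one Peter quoted, flags the two default gateways, and emits the LARTC-style policy-routing commands that keep one default route in the main table and give the other interface its own routing table selected by source address, so replies leave on the interface they arrived on. The sample table is reconstructed from the quoted output; the table number (10), rule priority (100) and the choice of which interface keeps the main default route are assumptions, and selecting on the whole connected subnet rather than the interface's own address is a deliberate simplification noted in the code.

```python
"""Detect multiple default gateways in `route -n` output and build the
policy-routing commands (ip route / ip rule) for a multi-homed Linux host.

Added example for the clug-talk thread; not code from the original post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the `route -n` output quoted in the thread, with each
# route back on a single line (the mail client wrapped the Iface column).
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 bond1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 bond0
0.0.0.0         10.10.20.1      0.0.0.0         UG    100    0        0 bond1
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 bond0
"""


@dataclass(frozen=True)
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    metric: int
    iface: str

    @property
    def is_default(self) -> bool:
        # A default route: all-zero destination and mask, via a gateway (G flag).
        return self.dest == "0.0.0.0" and self.genmask == "0.0.0.0" and "G" in self.flags

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts a dotted netmask after the slash.
        return ipaddress.IPv4Network(f"{self.dest}/{self.genmask}", strict=False)


def parse_route_n(text: str) -> list[Route]:
    """Parse `route -n` / `netstat -rn` style output into Route records."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] in ("Kernel", "Destination"):
            continue  # title line, header line, or a wrapped fragment
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append(Route(dest, gw, mask, flags, int(metric), iface))
    return routes


def default_gateways(routes: list[Route]) -> list[Route]:
    """All default routes; more than one means the host needs policy routing."""
    return [r for r in routes if r.is_default]


def connected_network(routes: list[Route], iface: str) -> ipaddress.IPv4Network | None:
    """The directly connected subnet on iface (a U route with no gateway)."""
    for r in routes:
        if r.iface == iface and not r.is_default and "G" not in r.flags:
            return r.network
    return None


def policy_routing_commands(routes: list[Route], keep_iface: str) -> list[str]:
    """Commands that leave only keep_iface's default route in the main table
    and move every other default gateway into a per-interface table chosen
    by source address (the LARTC "two uplinks" pattern).

    Assumed numbering: tables start at 10, rule priorities at 100.
    """
    cmds: list[str] = []
    table, prio = 10, 100
    for r in default_gateways(routes):
        if r.iface == keep_iface:
            continue
        net = connected_network(routes, r.iface)
        if net is None:
            raise ValueError(f"no connected route for {r.iface}")
        cmds.append(f"ip route del default via {r.gateway} dev {r.iface}")
        cmds.append(f"ip route add {net} dev {r.iface} table {table}")
        cmds.append(f"ip route add default via {r.gateway} dev {r.iface} table {table}")
        # Simplification: match the whole connected subnet.  On a real host
        # use the interface's own address (e.g. "from 10.10.20.200").
        cmds.append(f"ip rule add from {net} table {table} priority {prio}")
        table += 1
        prio += 1
    return cmds


if __name__ == "__main__":
    parsed = parse_route_n(SAMPLE_ROUTE_N)
    gws = default_gateways(parsed)
    print(f"{len(gws)} default gateway(s): " + ", ".join(f"{g.gateway} via {g.iface}" for g in gws))
    # Assumed: bond0 (192.168.10.0/24) is the side that reaches the Internet.
    for cmd in policy_routing_commands(parsed, keep_iface="bond0"):
        print(cmd)
```

Run it as root only after reading the generated lines; `ip route del` on the wrong interface will drop the default route you meant to keep. The matching `/etc/network/interfaces` change is simply to delete the `gateway` line from the stanza of the interface that does not face the Internet and run the emitted commands from a `post-up` hook.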