Date:      Tue, 14 Jan 2003 09:38:37 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        John <sephtin@techgodz.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Multiple network cards with IP addresses in the same network
Message-ID:  <3E2420ED.5020308@potentialtech.com>
References:  <20030113114954.GQ1330@anand.org> <3E22B6B4.70401@potentialtech.com> <20030113141031.GA11679@anand.org> <3E22CDA4.4010401@potentialtech.com> <003a01c2bb50$dc9e87f0$be22410a@corporate.amfam.com> <3E235815.90605@potentialtech.com> <001c01c2bb7a$9a4c6fa0$6401a8c0@sonic>

[please stop top-posting]

John wrote:
> Short version:
> I am running an application that receives traffic on ranges of ports that
> are already mapped from the current external interface to machines on my
> network.
> 
> I was advised by the vendor that my options were to:
> 1) connect my workstation directly to the internet
> or
> 2) See option #1
> The vendor modifying the app is not an option.

That's unfortunate.  Can you change the port ranges of the _other_ programs
to free up the ports required by the non-configurable one?

> So.. as I see it, if I had another external interface I could direct these
> ports coming into to the second external IP address (along with pretty much
> all other network traffic destined for this workstation), to my workstation.
> As I would like my workstation to access resources from other machines
> within my lan, directly connecting it would cause some SERIOUS headaches..
> especially considering this particular workstation is Windoze.  I won't
> touch the "s" word on this one...

I still don't see the need for an additional NIC.  Just add an IP address to
it.  If you're the one that wanted to use DHCP to get two different addys,
then I don't have an _easy_ solution for you.  If you're running a server,
though, I should think that you could get a static IP.

> Long version:
> Convenience.  At least I'd hoped there would be an easy answer to the
> question.  I would prefer to not have rules to direct traffic for specific
> ranges of ports to multiple machines via NAT as this would require (most
> likely) several dozen extra rules.
> It would also be very nice to have an external interface directly mapped to
> this workstation.

Sounds like you're getting into a fairly complex arrangement.  To think that
there's any easy way to make it work would be a little naive (if you ask me).
But it still seems to me like you can do that simply by adding an alias to
your NIC.

> ...
> One way to accomplish what I'm trying to do, would be to configure another
> dual homed machine.  The end result is more costly and time consuming than I
> had hoped, but it would work.

Most folks I know would accomplish your goal by adding a second gateway/firewall
machine.  Not to be rude, but I think you're trying to do a $5000 project with
a $1000 budget.

> Or I suppose I could reload linux on the current box.  (And of course learn
> the goofy quirks of a particular distro.).  This option would definitely be
> time consuming.  Linux is only free if your time has no value.  Much lower
> on the list of possible resolutions... but it is another method to make this
> work.

True, but why not just use an alias?

> But... In my fantasy world.. I guess I had hoped that rather than be asked
> why I wanted to do something, I might hear from someone who has shared
> similar experience in making something like this work.  I do appreciate your
> feedback.  And I'm sure there is possibly a workaround, a hundred or so
> IPNAT rules that could be written, a script or two, or some other hack for
> it... but before taking that route, I ask again...
> Any thoughts or suggestions as to how to get FreeBSD to simply allow for 2
> interfaces on the same subnet???

Sorry.  This is beyond my expertise.  My recommendations are (in order)
1) Juggle port ranges until you free up the ports you need
2) add a second firewall/gateway
3) Use 1 NIC with an alias IP
4) Hack the FreeBSD kernel to allow what you want
5) Use Linux, if it does what you need

I know those aren't the answers that you want, and I wish I had better ones
to give you.

Good luck, I hope you find a solution that fits within everything you need.

> 
> Thanks,
> John
> 
> ----- Original Message -----
> From: "Bill Moran" <wmoran@potentialtech.com>
> To: "John" <sephtin@techgodz.com>
> Cc: <freebsd-questions@freebsd.org>
> Sent: Monday, January 13, 2003 6:21 PM
> Subject: Re: Multiple network cards with IP addresses in the same network
> 
> 
> 
>>John wrote:
>>
>>>I'm going to jump in here, because this question was my reason for having
>>>joined the Freebsd-questions list in the first place.  Of all the time I've
>>>been running FreeBSD, this is my first post to this list... :P
>>
>>Welcome.
>>
>>>I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
>>>than using the two external interfaces for different services, I would like
>>>to use two nic's on the external subnet (using the FreeBSD machine as a
>>>NAT/Firewall) for the following purpose:
>>>--I would like one interface to be used for external IPF/NAT connectivity
>>>for my network computers, allowing my network connectivity to my ISP.
>>>--I would like a second interface to acquire a SECOND ip address to be set
>>>up as bimap in NAT, to allow a second machine (my workstation) to be the
>>>only machine to utilize the second external IP.  Similar to being in a DMZ,
>>>but it would still use an internal address, as well as be subject to the
>>>firewall rules in IPF.
>>
>>I don't understand:
>>a) Why you need 3 NICs to do this?
>>b) Why you need 3 IPs to do this?
>>Just put an internal and external IP (2 NICs) and if you have a specific
>>machine within the network that you want treated specially, write special
>>ipfw rules for it.  Why the need for 3 IPs/NICs?
>>
>>>Again, I have read that this is available on Linux.  My searches have shown
>>>that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
>>>digress...
>>
>>That's fine.  I'm sure there are lots of systems that have spiffy (or maybe
>>not so spiffy) things that you can do that you can't in FreeBSD (or other
>>spiffy system).
>>
>>My only question I have is why do you need it?  There are other ways to get
>>the end result.
>>
>>>I have tried putting two nics in and having dhclient obtain addresses for
>>>both on the same subnet.  dhclient will get both addresses (shown in
>>>dhclient.leases), but fails to assign an ip to the second interface, failing
>>>with the error "file already exists".  I'm sure this is a different (but
>>>related) issue.
>>
>>Sounds very related.
>>
>>>In my situation, another solution might be to use an alias on a single
>>>external interface.. only I'm not sure how to get dhclient to obtain the
>>>second IP address and assign it to the alias, nor how to get IPF to
>>>recognize the alias'd interface properly.
>>
>>That sure seems to be beyond what the software was designed to do.  You
>>could probably write some fancy scripts or something, but I ask my original
>>question: What are you trying to accomplish in the end?  Because it sure
>>seems like you're trying to use a wrench to hammer nails.
>>
>>>Bridging also comes to mind, but I'm not certain that if I bridge the
>>>interface to my workstation computer it would correctly handle having an
>>>internal as well as external address (other software application
>>>complications would arise as well, I'm sure).  That's not my intent anyway,
>>>so I have not and likely will not pursue bridging as an option.
>>
>>If you need NAT to get out, then bridging won't work.
>>
>>>Maybe I should have posted this on a diff. thread?  :P  But I believe the
>>>resolution to this issue is the same as the originally posted issue.
>>>Hopefully something will come out of it.
>>
>>I could be wrong, but I suspect the "resolution" of your problem is to determine
>>what you want to accomplish, and then use FreeBSD in the manner it was intended
>>to achieve your goal.
>>
>>>Thanks,
>>>John
>>>Addtn'l info:  I have a FreeBSD 4.7 Stable #2 (updated yesterday).
>>>
>>
> ---Previous messages snipped---
> 
> 
> 
> 


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
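The "one NIC with an alias IP plus a bimap for the workstation" arrangement that Bill recommends, written out as an added example (this is not from the thread and not anyone's production config). It assumes a static second address rather than a second DHCP lease, since the thread offers no easy DHCP route. The interface name fxp0, the addresses 192.0.2.10 (primary) and 192.0.2.11 (alias), the LAN 10.0.0.0/24, the workstation 10.0.0.20 and the host 10.0.0.5 are placeholders. The range list fed to the rdr generator is constructed here; the overlap check exists because ipnat silently takes the first matching rule, so two rdr rules that share external ports on the same protocol would have one of them never fire.

```shell
#!/bin/sh
# Added example. All names and addresses below are assumptions for illustration.
EXT_IF=fxp0
EXT_IP=192.0.2.10       # primary external address (as obtained from the ISP)
EXT_ALIAS=192.0.2.11    # second external address, assumed static
LAN_NET=10.0.0.0/24
WS_IP=10.0.0.20         # the workstation that gets the 1:1 (bimap) address

# A second address in the SAME subnet as the primary must be added with a
# host (/32) netmask; with the subnet's real mask FreeBSD's ifconfig refuses
# it with SIOCAIFADDR "File exists". The rc.conf equivalent is
#   ifconfig_fxp0_alias0="inet 192.0.2.11 netmask 255.255.255.255"
alias_cmd() {
    echo "ifconfig $EXT_IF alias $EXT_ALIAS netmask 255.255.255.255"
}

# Input: one "proto lo hi target" line per port range to redirect.
# Exit 0 when no two ranges on the same protocol overlap, 1 otherwise
# (the colliding pair is printed).
rdr_ranges_overlap() {
    printf '%s\n' "$1" | awk '
    NF >= 4 { n++; proto[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0; tgt[n] = $4 }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (proto[i] == proto[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s %d-%d (%s) vs %s %d-%d (%s)\n",
                        proto[i], lo[i], hi[i], tgt[i], proto[j], lo[j], hi[j], tgt[j]
                    bad = 1
                }
        exit bad
    }'
}

# Emit one ipnat rdr rule per range: inbound traffic to the primary address
# on lo-hi is sent to the target, same port numbers.
gen_rdr_rules() {
    printf '%s\n' "$1" | awk -v ifn="$EXT_IF" -v ext="$EXT_IP" '
    NF >= 4 { printf "rdr %s %s/32 port %d-%d -> %s port %d %s\n",
                     ifn, ext, $2, $3, $4, $2, $1 }'
}

# Full /etc/ipnat.conf. Order matters: ipnat uses the first matching rule,
# so the workstation's bimap must precede the general map lines, and the
# portmap line precedes the plain map line that catches non-TCP/UDP (ICMP).
gen_ipnat_conf() {
    rdr_ranges_overlap "$1" >&2 || return 1   # refuse to emit a config with colliding rdr rules
    cat <<EOF
bimap $EXT_IF $WS_IP/32 -> $EXT_ALIAS/32
map $EXT_IF $LAN_NET -> $EXT_IP/32 portmap tcp/udp 40000:60000
map $EXT_IF $LAN_NET -> $EXT_IP/32
EOF
    gen_rdr_rules "$1"
}

# Constructed sample range list: two services on 10.0.0.5, one on 10.0.0.6.
SAMPLE_RANGES='tcp 6000 6100 10.0.0.5
udp 6000 6100 10.0.0.5
tcp 7000 7010 10.0.0.6'

if [ "${1:-}" = "show" ]; then
    alias_cmd
    gen_ipnat_conf "$SAMPLE_RANGES"
fi
```

Load order on the box would be the alias first, then `ipnat -CF -f /etc/ipnat.conf`, then the ipf ruleset. Note what bimap does for the security posture: every port of 192.0.2.11 now lands on the workstation, so the only thing standing between the internet and that Windows host is the ipf rules you write for the alias address; treat those rules as the DMZ boundary and keep them as tight as the vendor's application allows.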


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2420ED.5020308>