kleinhp.de

Life, liberty, and the pursuit of happy hour...

You are here: Home / Linux-Blog / Multiple NICs in multihomed hosts / Martian sources

Multiple NICs in multihomed hosts / Martian sources

The problem

The problem with SUSE systems is that YAST can only have one default gateway. Having multiple NICs (Network Interface Controller / network adapter) in different networks means clients outside the local LANs can only be reached through one gateway.

This is a typical scenario:

Let’s assume Gateway-A is set as default. Client-A and Client-B can reach the system on both IPs via NIC-A and NIC-B without a problem since no gateway is needed. Client-C sends its packets for NIC-A through Gateway-A and receives the response the same way. Packets from Client-C for NIC-B reach the destination via Gateway-B (that is OK) but the response will be sent via the Gateway-A and originate from NIC-A since the IP of Client-C is not in Network-B so the default gateway is used. These responses will be discarded and logged as “martian sources” because they come from a different IP than the query packets were sent to. Another problem is Client-B contacting NIC-A. The packet is sent via Gateway-B -> WAN -> Gateway-A since the IP of NIC-A is not in Network-B. The response will be sent via NIC-B because Client-B can be reached through Network-B.

To resolve this issue we need to set up split access routing.

Overview

I have tested this on SLES 15.1. The solutions beeing quite generic could be more or less applicable to other SUSE distributions. But your mileage may vary!

Step 1: Setting up a separate routing table for each NIC. (YAST only uses the default routing table, hence only one gateway.)

Step 2: Adding the routes in each table. In each we can specify the route to the proper network and a default gateway .

Step 3: Adding a rule for each routing table.

Manual solution / Testing:

Step 1: By adding these two enties to /etc/iproute2/rt_tables two new routing tables will be created:

252 neta
251 netb

neta and netb are just identifiers. You can use other names as well like int or ext

Step 2 and 3: Both must be done for each NIC by entering the following commands:

ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table neta
ip route add default via 192.168.0.254 dev eth0 src 192.168.0.100 table neta
ip rule add from 192.168.0.1 table neta

ip route add 192.168.1.0/24 dev eth1 src 192.168.1.1 table netb
ip route add default via 192.168.1.254 dev eth1 src 192.168.1.100 table netb
ip rule add from 192.168.1.1 table netb

Now you should test if the everything works as intended. CAUTION: These changes will be lost when the network is reset (rcnetwork restart or after a reboot).

Permanent solution

First you use YAST to configure a standard network setup with two NICs and one gateway to create the normal config files. Then you modify these and create additional configs. Since YAST can’t handle different routing tables don’t use YAST to configure the network after implementing this solution. YAST will revert it to a configuration with only one default gateway.

Step 1: By adding these two entries to /etc/iproute2/rt_tables two new routing tables will be created:

252 neta
251 netb

neta and netb are just identifiers. You can use other names as well likeint or ext

Step 2: For each NIC (eth0, eth …) create/modify in /sysconfig/network/ a file called ifroute-eth0, ifroute-eth1, etc. with the appropriate content:

sysconfig/network/ifroute.eth0:

192.168.0.0/24 - - eth0 src 192.168.0.1 table neta
default 192.168.0.254 - eth0 table neta

sysconfig/network/ifroute.eth1:

192.168.1.0/24 - - eth1 src 192.168.1.1 table netb
default 192.168.1.254 - eth1 table netb

The syntax is

Network Gateway Netmask device options

Each column that has no value set is represented by a “-“. Since the netmask is given in with network it is not used.

Step 3: For each NIC (eth0, eth …) create/modify in /sysconfig/network/ a file called ifrule-eth0, ifrule-eth1, etc. with the appropriate content:

sysconfig/network/ifrule.eth0:

table neta from 192.168.0.1

sysconfig/network/ifrule.eth1:

table netb from 192.168.1.1

To apply these changes restart the network (rcnetwork restart) or reboot the computer. Now you should test if everything works as intended.

The information herein is derived from these articles:

The SUSE description is the basis for the manual solution

Reply packets are sent over an unexpected interface https://www.suse.com/support/kb/doc/?id=7000318

These pointed me in the right direction for the permanent solution:

Thread: static route disappers after network restart https://forums.opensuse.org/showthread.php/526510-static-route-disappers-after-network-restart

Configuring Static Routes in ifcfg files https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_static_routes_in_ifcfg_files