One idea is send traffic to one subset (e.g. 192.168.1.1-100) of IP addresses via one card, and another subset (e.g. 192.168.1.101-255) to another.
This isn't a job for a firewall (other than to restrict/allow traffic) but a situation where you use routing.
Some background
To see your routing table, run
sudo route
(or sudo route -n if you want to resolve names)
Here's the routing table of the gateway in this post where eth0 is connected to the Outside World, and eth1 is connected (and acting as the gateway of) a subnet of 192.168.0.-255:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default xxx.xxx.xx7.254 0.0.0.0 UG 0 0 0 eth0
xxx.xxx.xx0.0 * 255.255.248.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1000 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
It says:
unless the target is in network xxx.xxx.xx0.0-255 or
unless the target is in 169.254.0.0 - 169.254.255.255 (link-local is 169.254.0.0) or
unless the target is in 192.168.1.0-255
Here's the routing table of a box with a single card attached to the LAN:
Kernel IP routing tableDestination Gateway Genmask lags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
Finally, here's the routing table of a box with two cards connected to different LANs:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth3
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
192.168.2.0 * 255.255.255.0 U 0 0 0 eth3
Default and * both equal 0.0.0.0 using sudo route -n.
SOLUTIONS
1. Two cards on the same network using /etc/network/interfaces -- very simple:
Yup, I talked about route before, but this is a less granular method using /etc/network/interfaces:
auto eth2
iface eth2 inet static
address 192.168.1.105
netmask 255.255.255.0
gateway 192.168.1.1
auto eth3
iface eth3 inet static
address 192.168.1.130
netmask 255.255.255.128
gateway 192.168.1.1
This configuration gives the following sudo route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.128 0.0.0.0 255.255.255.128 U 0 0 0 eth3
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.128 0.0.0.0 255.255.255.128 U 0 0 0 eth3
Which is exactly what we wanted.
Solution 1.b using network-manager
In gnome 3/gnome-shell, go to system settings/network/select your interface (e.g. eth1), click on Configure (bottom right corner), and select the IP v4 tab and change the address and netmask as shown in solution 2. Or hit 'Routes...' in the lower left corner and do your configuration there...
Solution 2. Two cards on the same network and another card connected to 'internet'
eth0 is connected to the outside world, eth1 acts as the gateway for 192.168.1.0-127, and eth2 acts as the gateway for 192.168.1.128-255
I configured this in network-manager by setting:
eth0 to dhcp
eth1 to 192.168.1.1, mask 255.255.255.0, gw 192.168.1.1
eth2 to 192.168.1.129, mask 255.255.255.128, gw 192.168.1.129
I didn't edit route settings.
The corresponding /etc/network/interfaces settings would probably be:
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1
auto eth2
iface eth2 inet static
address 192.168.1.129
netmask 255.255.255.128
gateway 192.168.1.129
Anyway, here's the sudo route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 130.194.167.254 0.0.0.0 UG 0 0 0 eth0
130.194.160.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.128 0.0.0.0 255.255.255.128 U 0 0 0 eth2
Using this configuration you should probably set the gateway for eth3 in solution 1 to 192.168.1.128 -- that way you split all the traffic and in effect create two subnets (so technically, the 'same LAN' isn't really true)
Don't forget to open up your firewall to allow broadcasting from both 192.168.1.127 and 192.168.1.255
Don't forget to open up your firewall to allow broadcasting from both 192.168.1.127 and 192.168.1.255
No comments:
Post a Comment