Server is routing traffic through its own interface?



  • Hi All,

    I have 3 networks…

    192.168.33.0/24
    192.168.66.0/24
    192.168.99.0/24

    I have 2 computers.

    1 computer at: 192.168.33.2

    1 server that has two nics at:

    192.168.66.2
    192.168.99.2

    When I connect through SSH to 192.168.99.2 it connects fine. AS SOON AS I turn off the eth adapter for 192.168.66.2 I lose connection to 192.168.99.2...

    I don't understand why it is happening. I do a traceroute on the 192.168.33.2 computer and it shows the first hop as 192.168.33.1 and then 192.168.99.2... It's like it is using the 66.2 adapter as a bridge, but I don't know why.


  • LAYER 8 Netgate

    What is the default gateway on the host with two NICs?

    Two NICs on different networks like that generally cause nothing but headaches unless that host is a proper router.



  • The server with two NICs is running Debian and I have each interface set up with its own default gateway? If I were to take a look at some kind of routing table, I would imagine that the system would go out the network interface it came in from? Or that it's configured for…

    Unfortunately I have to have these NICs in different subnets. They are a backbone for server traffic while the other side is public facing.


  • LAYER 8 Global Moderator

    "I have each interface set up with its own default gateway?"

    Well that is BORKED out of the gate.. While you can for sure set up a multihomed host.. bad idea if you ask pretty much anyone who actually works with networks and has any experience at all.

    If you want to set up a multihomed device, with interfaces in multiple networks, only 1 of them should be the default. If one of them is the internet then that would be the default gateway. Since it's pretty much impossible to route to all the public IPs on the planet ;)

    For your other interface, to use that network as any sort of gateway to get to other networks, you would create routes for what IP to talk to on that NIC's network to get to the other network you want to get to.

    When you set up a default gateway you're telling the system - hey, when you don't have a route, this is where you send it. It knows how to get everywhere!! If you have more than 1 of these then the system will, based upon some metric, determine which one to send to if it does not have a specific route for where it's trying to go. There are lots of things that can come into play in determining the metric on which default gateway to send to.

    You normally should never have more than 1 default gateway… If these interfaces can not get to everywhere, then it's a bad idea to make it a default. If you have one interface in the public network, set its gateway as default. All other internal networks would be set up with routing on this host. This could be as simple as 3 route statements for the 3 RFC1918 networks. Or less if not using all of them.

    If you're using 10 space internally, be it just a small portion of it or all of it, a simple 10/8 route pointing to the gateway on your internal NIC would be fine, etc.

    So your 3 networks?? What is routing them - pfSense? Why does a host need 2 interfaces in RFC1918 space?? This screams asymmetrical routing problems just waiting to happen..


  • LAYER 8 Netgate

    I think you need to take a hard look at your network design and what is really required.

    That will give you nothing but problems.

    One interface should have a default gateway. That interface will be used for traffic to anything but 192.168.66.0/24 and 192.168.99.0/24.

    People get into asymmetric routing issues ALL THE TIME with setups such as this.

    Unless that host is a proper router, with neat-o features like pf's reply-to, then there is no guarantee which interface will be used to send traffic to 192.168.33.0/24 given two equal-cost default routes.

    And when you are dealing with a stateful firewall routing the traffic, you can't just change interfaces - the traffic will be blocked as out-of-state.



  • I'm sorry but I'm still a little confused. If I have a host that needs to be in two networks to separate the traffic that needs to be separate, how would you do it? I need the traffic in the .66 network to be separate from the .99 network. But that one machine needs to be in both.

    I don't understand why it's causing a problem, because this computer has two paths, Path A or Path B; Path A allows the computer out to the internet. That should be the default path. Path B is restricted to just the networks it can see, which is the inside networks. Path A does not allow ANYTHING other than going to the internet. Why is that asymmetrical routing? There should be no way for traffic to start one way and end another because they are two very different paths for different purposes. They should have no access to each other.


  • LAYER 8 Netgate

    Yeah. You don't understand.

    https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

    If you have local hosts on 66 and 99 that only access that server on 66 and 99 then it will work.

    You are trying to access a host that has multiple paths to the host (66 and 99) through a stateful firewall. That will cause you nothing but pain.


  • LAYER 8 Global Moderator

    So again let's ask what is routing these networks? And how exactly do you have this host connected to both? What is its routing table.. Is it a Windows machine? Post up

    route print

    If Linux

    netstat -r

    "If I have a host that needs to be in two networks to separate the traffic that needs to be separate"

    Why??? Does a host need to be in 2 networks at the same time… If he is in 99, and needs to talk to something in the 66, why can you not route this traffic??

    Yes you can have a machine connected to more than 1 network at a time, but you wouldn't use both of these networks to route to a default.. So for example you could have the attached pic. Where machines have an interface in 192.168.0/24, this would be their default gateway.

    They then could have another interface in 192.168.1/24 and they could use this interface to talk to each other - let's say for backup or something.. But you would need to make sure you use the 192.168.1 IP address of the other machine, or an FQDN that resolves to that 192.168.1 IP. And the 192.168.1 interface would not have any gateways set on it, etc etc..
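The advice in the replies above (one default gateway only, a specific route per internal network on the other NIC, and a stateful firewall dropping a session that switches interfaces mid-flow) worked through in an added example. This is not code from the thread, from pfSense or from Debian: it is a toy longest-prefix-match route lookup plus a minimal interface-bound state table, enough to show which NIC the server's replies to 192.168.33.2 leave on and what a stateful firewall in the path does when that NIC changes. The three /24s are the thread's; the gateway addresses 192.168.66.1 and 192.168.99.1, the interface names eth0 and eth1, the firewall-side interface names, and the choice of the .66 side as the public one with the sole default are assumptions made for the example.

```python
# Added example: toy route lookup + interface-bound state table for the
# two-NIC Debian host in the thread. Not the thread's, pfSense's or Debian's
# code. Gateways .66.1/.99.1, eth0/eth1, firewall interface names and
# ".66 is the public side" are assumptions.
import ipaddress


def lookup(routes, dst):
    """Route selection for dst: longest prefix wins, then lowest metric,
    then the earliest entry (a stand-in for the kernel's tie-break).
    routes: list of (prefix, gateway or None for a connected route, iface, metric).
    Returns (gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for order, (prefix, gw, iface, metric) in enumerate(routes):
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric, -order)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def has_route(routes, dst):
    """True if lookup() finds any route for dst."""
    try:
        lookup(routes, dst)
        return True
    except LookupError:
        return False


# What the original poster has: a default gateway on BOTH NICs (assumed metrics equal).
TWO_DEFAULTS = [
    ("192.168.66.0/24", None, "eth0", 0),
    ("192.168.99.0/24", None, "eth1", 0),
    ("0.0.0.0/0", "192.168.66.1", "eth0", 0),
    ("0.0.0.0/0", "192.168.99.1", "eth1", 0),
]

# What the replies recommend (assumed layout): eth0 faces the public side and
# carries the only default; eth1 is the internal backbone with one specific
# route per internal network the host must reach, and no gateway of its own.
ONE_DEFAULT = [
    ("192.168.66.0/24", None, "eth0", 0),
    ("192.168.99.0/24", None, "eth1", 0),
    ("192.168.33.0/24", "192.168.99.1", "eth1", 0),
    ("0.0.0.0/0", "192.168.66.1", "eth0", 0),
]


def without_iface(routes, iface):
    """Routing table after `iface` goes down (its routes disappear with it)."""
    return [r for r in routes if r[2] != iface]


def ip_route_commands(routes):
    """Render the non-connected routes as `ip route add` commands for the host."""
    cmds = []
    for prefix, gw, iface, _metric in routes:
        if gw is None:
            continue  # connected route, installed with the interface address
        name = "default" if prefix == "0.0.0.0/0" else prefix
        cmds.append(f"ip route add {name} via {gw} dev {iface}")
    return cmds


class StatefulFirewall:
    """Simplified stateful firewall: a flow's state is bound to the interface
    the flow was first seen on; the same flow showing up on another interface
    is out-of-state and dropped. (pf's real state handling is richer.)"""

    def __init__(self):
        self.states = {}

    def check(self, flow, iface):
        bound = self.states.setdefault(flow, iface)
        return "pass" if bound == iface else "drop (out-of-state)"


# Firewall interface that sits on the same /24 as each server NIC (assumed names).
FW_IFACE = {"eth0": "fw_net66", "eth1": "fw_net99"}


def session(routes, drop_iface):
    """One SSH session from 192.168.33.2 to 192.168.99.2: where the server's
    replies leave before and after `drop_iface` goes down, and the firewall's
    verdict each time. Returns (iface_before, verdict_before, iface_after, verdict_after)."""
    fw = StatefulFirewall()
    client = "192.168.33.2"
    _, before = lookup(routes, client)
    v1 = fw.check(client, FW_IFACE[before])
    _, after = lookup(without_iface(routes, drop_iface), client)
    v2 = fw.check(client, FW_IFACE[after])
    return before, v1, after, v2


if __name__ == "__main__":
    for name, table in (("two defaults", TWO_DEFAULTS), ("one default", ONE_DEFAULT)):
        print(f"{name:13}", session(table, "eth0"))
    print("\n".join(ip_route_commands(ONE_DEFAULT)))
```

With two defaults the replies to the .33 client leave on eth0 while the request arrived on eth1; pulling eth0 moves them to eth1 and the firewall, which bound the flow to the other interface, drops them. With the single default on the public NIC and a specific route for 192.168.33.0/24 via 192.168.99.1, replies stay on eth1 whether or not eth0 is up, and the same function shows which `ip route add` lines produce that table.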


