Solved

setting up multiple gateways on a single subnet

Posted on 2013-01-12
464 Views
Last Modified: 2013-01-21
I have a Debian based Linux router with 2 NICs using iptables that is working fine.  We recently installed a second Internet connection along with a separate consumer router for that connection.  Everything works fine as it is and the default gateway can be changed on a computer to use the other network connection if needed.

My question is whether I can configure a virtual interface on the Linux router so that I can access the router from the other network if need be.  For everything else it would stay with the default gateway currently in use.

The current /etc/network/interfaces file looks like this:
auto eth1
iface eth1 inet static
        address 10.233.0.1
        gateway 10.233.0.1
        netmask 255.255.255.0
        network 10.233.0.0
        broadcast 10.233.0.255

auto eth0
iface eth0 inet static
        address x.x.x.153
        gateway x.x.x.158
        netmask 255.255.255.248
        network x.x.x.152
        broadcast x.x.x.159

I am thinking of adding the following (10.233.0.254 is the other internet connection router):
auto eth1:0
iface eth1:0 inet static
        address 10.233.0.253
        gateway 10.233.0.254
        netmask 255.255.255.0


I am guessing that I will need to add some route information, and/or something to the iptables config to get it to work properly.  The current routing table is:
0.0.0.0         x.x.x.158       0.0.0.0         UG        0 0          0 eth0
10.233.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
x.x.x.152       0.0.0.0         255.255.255.248 U         0 0          0 eth0


I am not on site and therefore want to double check the configuration before I activate it and lose access to the network (if it is incorrect).

Any help would be appreciated!
Question by:bdhtechnology
12 Comments
LVL 57

Expert Comment

by:giltjr
ID: 38771056
That will allow you to have a second IP address.  However a host can only have a single default gateway.

Right now your default gateway is x.x.x.158.
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38771132
A reason why you aren't running pfsense?
http://www.tomschaefer.org/web/wordpress/?p=538
LVL 22

Expert Comment

by:eeRoot
ID: 38771148
Does the new router have a management interface that can be placed on an existing VLAN so that it is accessible, regardless of how internet traffic is being routed?
LVL 37

Accepted Solution

by:Bing CISM / CISSP (earned 500 total points)
ID: 38771167
Normally a host can have only a single gateway. In other words, only the single gateway is used for all destinations that are not located on the subnet, even when you configure multiple default gateways.

However, the actual implementation varies for different operating systems.

For example, most "Windows NT based computers can be configured with multiple default gateways. When a dead gateway is detected by TCP, it can direct IP to switch default gateways to the next gateway in the backup list. This switch can occur when there are multiple gateways configured for the same network adapter or when different default gateway addresses are given on various network cards on a multihomed computer."

Multiple Default Gateways Can Cause Connectivity Problems
http://support.microsoft.com/kb/159168

For your Debian based Linux router, it may be a totally different story. Check the Debian docs for more information.

Instead, as another approach to have additional paths (not default gateways) for specific destinations, you may use static routes or dynamic routing protocols to add the routes for the other disjoint networks to the local IP routing table.

If the routing infrastructure uses Routing Information Protocol (RIP) for IPv4, you can turn on RIP Listener (if it is supported by the OS), which allows your computer to learn other routes on the network by "listening" to broadcast RIP messages, and then adding IPv4 routes to the routing table.

If the routing infrastructure does not use RIP, you cannot use RIP listening. The alternative is to use the route add -p command to manually add the individual routes to the IPv4 routing table.

Does it make sense?

Hope it helps,
bbao
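The thread treats the "one default gateway" limit as the end of the story, but on Linux the router can answer through whichever uplink a connection arrived on by keeping a second routing table that is selected by source address (iproute2 policy routing), which none of the posters mention. This is an added example, not any poster's code; it uses the addresses from the question, while table number 100, the DRY_RUN switch and the interfaces stanza layout are this example's own assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): answer traffic that arrives via the D-Link
# (10.233.0.254) addressed to the alias 10.233.0.253 back through the D-Link,
# while the main table keeps x.x.x.158 on eth0 as the only default gateway.
# Addresses are the question's; the table number and DRY_RUN switch are this
# example's own assumptions.
LAN_DEV="eth1"; LAN_NET="10.233.0.0/24"
ALIAS_IP="10.233.0.253"          # address given to eth1:0 in the question
ISP2_GW="10.233.0.254"           # consumer router for the second uplink
TABLE_ID=100                     # assumed; optionally name it in /etc/iproute2/rt_tables

# Run each command, or with DRY_RUN=1 only print it, so the plan can be
# reviewed before touching a router you are not on site with.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

policy_route_up() {
    # Table 100: the LAN is directly attached, everything else goes to the D-Link.
    run ip route replace "$LAN_NET" dev "$LAN_DEV" src "$ALIAS_IP" table "$TABLE_ID"
    run ip route replace default via "$ISP2_GW" dev "$LAN_DEV" table "$TABLE_ID"
    # Rule: packets sourced from the alias consult table 100 before the main table.
    run ip rule add from "$ALIAS_IP" lookup "$TABLE_ID" priority 1000
    run ip route flush cache
}

policy_route_down() {
    run ip rule del from "$ALIAS_IP" lookup "$TABLE_ID" priority 1000
    run ip route flush table "$TABLE_ID"
}

# The matching interfaces(5) stanza: note eth1:0 gets no "gateway" line at all.
interfaces_stanza() {
    cat <<EOF
auto eth1:0
iface eth1:0 inet static
        address $ALIAS_IP
        netmask 255.255.255.0
        post-up   ip route replace $LAN_NET dev $LAN_DEV src $ALIAS_IP table $TABLE_ID
        post-up   ip route replace default via $ISP2_GW dev $LAN_DEV table $TABLE_ID
        post-up   ip rule add from $ALIAS_IP lookup $TABLE_ID priority 1000
        pre-down  ip rule del from $ALIAS_IP lookup $TABLE_ID priority 1000
EOF
}

case "${1:-}" in
    up)     policy_route_up ;;
    down)   policy_route_down ;;
    stanza) interfaces_stanza ;;
esac
```

The existing iptables INPUT rules were written for a LAN-only eth1, so SSH arriving on eth1 from Internet sources must be allowed explicitly, and that rule should be limited to the management source addresses you expect.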
LVL 45

Expert Comment

by:Craig Beck
ID: 38771821
The key word is 'default'.

You can only use one default at a time, even if you can configure more.  To use each gateway simultaneously you need to use a load-balancing protocol between the routers, or use specific static routes at the clients.
LVL 1

Author Comment

by:bdhtechnology
ID: 38771829
I don't want to set up a second default gateway, it would more be just so that the server could respond to requests coming from the other network connection.  That way if the primary connection is down I can still log in remotely and change the default gateway over.

The other router is just a consumer based D-Link that we were using only as a wireless access point previously.  It doesn't have any VLAN options.  I was thinking about creating a new subnet for this other connection.  That would obviously be easier to route connections coming from the new subnet back to it, instead of through the default gateway.  I guess I was hoping to achieve a simple solution so that I could change the default gateway of all the computers that need to use the new Internet connection and be done when/if problems arise.

I suppose that instead of using the D-Link I could add a 3rd NIC to the server and put the new Internet connection into that.  That would obviously let the server respond so I could SSH to it and change the default gateway if I needed to.

LVL 1

Author Comment

by:bdhtechnology
ID: 38771834
The reason why I am not running pfsense is that I developed the script I am using from an old iptables web interface called fbuilder: http://www.innertek.com/Software/fbplus.shtml  It worked well enough in its day, but was no longer updated and I found it easier to maintain the script on my own.  That and I am not familiar at all with FreeBSD :)
LVL 1

Author Comment

by:bdhtechnology
ID: 38771837
I am not familiar with RIP at all, though I am sure Debian/Linux would support it.  That option sounds like it may be a more complicated solution, however.
LVL 45

Expert Comment

by:Craig Beck
ID: 38771856
You would need to use a dynamic routing protocol, like RIP as suggested, to do this.  It's not complicated at all.
LVL 57

Expert Comment

by:giltjr
ID: 38771947
Based on your routing table "x.x.x.158" is your current default route.  This I am assuming is your current Internet connection.

Is the device x.x.x.158 at the same location as your Linux router?

What type of device is it?

Do you own it, or is it vendor supplied?

As some have implied, you need to be able to detect that the path from your Linux router to the Internet is down in order to take a different default route (a.k.a. gateway).  This could be done using a dynamic routing protocol (RIP, RIPv2, OSPF) or using a simple script on the Linux router.

You could ping the address of the 1st hop after x.x.x.158 every so often and if the pings stop working, change the default route to whatever you want.  Once the pings start to work you can change it back.
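The ping-check-and-switch script suggested above, written out as an added example that is not the poster's own code; it uses the question's gateways (x.x.x.158 on eth0, 10.233.0.254 on eth1), while PROBE (the first hop beyond x.x.x.158, which the thread does not name), the three-miss threshold, the 30 s interval and the FAILOVER_RUN switch are assumptions:

```shell
#!/bin/sh
# Constructed failover loop for the ping-check idea in the comment above (added
# example, not the poster's script). Gateways are the question's: x.x.x.158 on
# eth0 for ISP 1, the consumer router 10.233.0.254 on eth1 for ISP 2. PROBE is a
# placeholder for the first hop beyond x.x.x.158, which the page does not name.
PRIMARY_GW="x.x.x.158"; PRIMARY_DEV="eth0"
BACKUP_GW="10.233.0.254"; BACKUP_DEV="eth1"
PROBE="PROBE_IP_PLACEHOLDER"   # replace with the real first hop before use
FAIL_THRESHOLD=3               # misses before failing over (assumed value)
INTERVAL=30                    # seconds between probes (assumed value)

# Decision logic with no side effects so it can be checked offline.
# $1 probe result (up|down), $2 consecutive misses so far, $3 current gateway.
# Fail over only after FAIL_THRESHOLD misses; fail back on the first success.
want_gateway() {
    case "$1" in
        up)   echo "$PRIMARY_GW" ;;
        down) if [ "$2" -ge "$FAIL_THRESHOLD" ]; then echo "$BACKUP_GW"; else echo "$3"; fi ;;
        *)    echo "$3" ;;
    esac
}

dev_for() { if [ "$1" = "$PRIMARY_GW" ]; then echo "$PRIMARY_DEV"; else echo "$BACKUP_DEV"; fi; }
current_gateway() { ip -4 route show default | awk '{print $3; exit}'; }
probe_primary() { if ping -c 1 -W 2 "$PROBE" >/dev/null 2>&1; then echo up; else echo down; fi; }

main_loop() {
    # Pin the probe target to the primary path: once the default route has moved
    # to the D-Link, a probe that followed the default route would never notice
    # ISP 1 coming back.
    ip route replace "$PROBE/32" via "$PRIMARY_GW" dev "$PRIMARY_DEV"
    misses=0
    while :; do
        result=$(probe_primary)
        if [ "$result" = down ]; then misses=$((misses + 1)); else misses=0; fi
        now=$(current_gateway)
        want=$(want_gateway "$result" "$misses" "$now")
        if [ "$want" != "$now" ]; then
            logger -t wanfailover "default route $now -> $want"
            ip route replace default via "$want" dev "$(dev_for "$want")"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked for, e.g. FAILOVER_RUN=1 ./wanfailover.sh
if [ "${FAILOVER_RUN:-0}" = 1 ]; then main_loop; fi
```

While failed over, LAN traffic both enters and leaves on eth1 (out to the D-Link), so FORWARD rules written only for eth1 to eth0 need a matching allowance and the MASQUERADE on eth0 no longer applies to it.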
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38772231
The reason I ask about pfsense is because load balancing/failover is more than just adding a second gateway.
LVL 1

Author Comment

by:bdhtechnology
ID: 38803564
I will check out RIP to see if I can adapt it to the current setup for now.  If not I will just add a 3rd NIC to the server so that it can be accessed from the other Internet connection.