2 nic route problem

eriled
Posts: 11
Joined: 2017/10/18 16:55:24

2 nic route problem

Post by eriled » 2017/10/20 03:12:51

I have 2 NICs in one CentOS 7 VM.
Each one is on its own network, connected to a different router with a completely different IP schema.
I have tried many, many, many things to fix the route table; there is something I don't catch.

If I do
ip route add 10.0.0.0/24 dev ens224 tab 2
ip route add default via 10.0.0.1 dev ens224 tab 2
ip rule add from 10.0.0.10/32 tab 2 priority 200
everything works perfectly.

So I said cool, I will just create a file /etc/sysconfig/network-scripts/route-ens224 like:
10.0.0.0/24 dev ens224 tab 2
default via 10.0.0.1 dev ens224 tab 2
and
/etc/sysconfig/network-scripts/route-ens224 like:
from 10.0.0.10/32 tab 2 priority 200

but after a reboot or service network restart it all stops working....
So I spent the last 3 full days reading stuff, trying to figure out what is missing, and I can't find it...
So I decided OK, let's do something ugly that is supposed to work, I think, so I created a crontab "@reboot" to add this route and rule, but it does not work... it only works when I run it manually.

What don't I catch?

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: 2 nic route problem

Post by jlehtone » 2017/10/20 07:31:57

A new continuation thread for viewtopic.php?f=50&t=64668 ?

1. Why do you create "static routes" in multiple "tab"s?

2. If you do use NetworkManager (NM), then use NM for everything. It is definitely possible to add static routes, to change route metric, and to use policy based routing with NM.

eriled
Posts: 11
Joined: 2017/10/18 16:55:24

Re: 2 nic route problem

Post by eriled » 2017/10/20 10:42:57

jlehtone wrote:
> A new continuation thread for viewtopic.php?f=50&t=64668 ?
Yes, I figured the topic had changed enough to start a new thread... I had no answer on the other one, and with all the changes I made I figured it would be clearer.
> 1. Why do you create "static routes" in multiple "tab"s?
It is the only way I figured out to make it work...
If I do exactly the same but in the main table it does not work correctly.
> 2. If you do use NetworkManager (NM), then use NM for everything. It is definitely possible to add static routes, to change route metric, and to use policy based routing with NM.
I tried to stay with nmtui to create my routes, but it is not working; that is why I tried another way...
Now I'm at a point where I want to understand more of what is going on, because before this issue I had the impression I understood the concept of routes; now I'm really confused...
#1 If someone can tell me what I can do to make this thing work after a reboot, it would be really appreciated! (please)
#2 I want to understand the concept of routes and route tables... Any suggestion for reading documentation to clarify all those concepts?

THANKS!

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: 2 nic route problem

Post by jlehtone » 2017/10/20 11:32:07

http://linux-ip.net/html/routing-selection.html
http://devemmeff.blogspot.fi/2016/02/ho ... using.html
> It is the only way I figured out to make it work
What is the "it"?

Your machine is a member of two subnets. Both subnets have a route "towards the Internet".
Your machine can trivially communicate with all its neighbours, members of link-local subnets.

One of the subnets is your machine's preferred route out.
When your machine connects to a remote subnet, it uses the preferred interface and the remote partner will reply as expected.

If the preferred interface goes down, then the secondary interface's default route will be used.

None of that requires "rules & routes".


What is the "it" then? What "works not" without extra work? Are you a server that is connected to, rather than a client that connects?

eriled
Posts: 11
Joined: 2017/10/18 16:55:24

Re: 2 nic route problem

Post by eriled » 2017/10/20 12:00:49

jlehtone wrote:
> http://linux-ip.net/html/routing-selection.html
> http://devemmeff.blogspot.fi/2016/02/ho ... using.html
> > It is the only way I figured out to make it work
Thanks, I will go read them!
> What is the "it"?
> Your machine is a member of two subnets. Both subnets have a route "towards the Internet".
> Your machine can trivially communicate with all its neighbours, members of link-local subnets.
Yes, two subnets:
one gives access to the local network;
the second one, the one that doesn't work until I add a second route table, is connected through a firewall to be exposed publicly (web server) through a NAT.
> One of the subnets is your machine's preferred route out.
> When your machine connects to a remote subnet, it uses the preferred interface and the remote partner will reply as expected.
>
> If the preferred interface goes down, then the secondary interface's default route will be used.
>
> None of that requires "rules & routes".
>
> What is the "it" then? What "works not" without extra work? Are you a server that is connected to, rather than a client that connects?

What I am trying to achieve is one NIC to respond for the web service and the other NIC for local communication like SSH, MySQL, backup, etc...

Question: do you think it is necessary to make a VLAN to guarantee the security between the NICs?

And again, thanks for your help, it is really appreciated.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: 2 nic route problem

Post by jlehtone » 2017/10/20 12:36:48

Define "local communication". Which subnets are "local"?


VLAN is a LAN that one makes to use the same physical network as some other (V)LAN when it is not possible to provision dedicated (i.e. separate) network hardware for each LAN.


Note, in your example both subnets are private IPv4 subranges. If your VM acts as a HTTPD-server on one of the subnets and is accessible from public subnets, then there must be a router with NAT and port forwarding at the boundary between private and public subnets. That can make setup either more complex or simpler.


If you have a VM, you probably could have more than one. Why should multiple unrelated functions cram into one machine?

eriled
Posts: 11
Joined: 2017/10/18 16:55:24

Re: 2 nic route problem

Post by eriled » 2017/10/20 13:31:05

jlehtone wrote:
> Define "local communication". Which subnets are "local"?
>
> VLAN is a LAN that one makes to use the same physical network as some other (V)LAN when it is not possible to provision dedicated (i.e. separate) network hardware for each LAN.
>
> Note, in your example both subnets are private IPv4 subranges. If your VM acts as a HTTPD-server on one of the subnets and is accessible from public subnets, then there must be a router with NAT and port forwarding at the boundary between private and public subnets. That can make setup either more complex or simpler.
>
> If you have a VM, you probably could have more than one. Why should multiple unrelated functions cram into one machine?

I know it is a local address; I use a firewall with a NAT to give access to the web service of this machine.
This VM has only one function: web server...
But I want to manage it through the other local network. I don't want to open any other port than 443 on the 10.0.... IP; I want to keep all management inside the other NIC.

I know what a VLAN is; I use that on switches to segregate networks...
For this machine I want more security, because it will be open to the Internet for the web service.
That is why I ask the question: is it necessary to separate the 2 NICs by a VLAN, to make sure it is never possible to get access to the other network through the other NIC? I want to make sure not a bit can ever be exchanged between the two NICs.

eriled
Posts: 11
Joined: 2017/10/18 16:55:24

Re: 2 nic route problem

Post by eriled » 2017/10/20 14:04:50

jlehtone, thanks! The links you gave explained to me what I need to do to make things work!


So a recap of my config, for others that have the same issue...:
cat ifcfg-ens224
HWADDR=00:0C:29:47:F2:A0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
NAME=eth02
UUID=11d4e3f9-a456-361b-ad77-5c2b45d73501
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
IPADDR=10.0.0.10
PREFIX=24
GATEWAY=10.0.0.1
DNS1=8.8.4.4


cat ifcfg-eno16780032
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eth01
UUID=6053bc2a-fa2a-46ef-b500-4a15d8383f1b
DEVICE=eno16780032
ONBOOT=yes
IPADDR=11.95.16.26
PREFIX=20
GATEWAY=11.95.16.51
DNS1=11.95.16.1
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6_ADDR_GEN_MODE=stable-privacy

cat route-ens224
10.0.0.0/24 dev ens224 table 2
default via 10.0.0.1 dev ens224 table 2

cat rule-ens224
iif ens224 table 2
from 10.0.0.10 table 2
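
The route selection that jlehtone's links describe, applied to the route-ens224 and rule-ens224 files in the recap above, as an added example that is not part of the original thread: a small Python model of how the kernel walks the rules and tables for an outbound packet. It shows why a reply sourced from 10.0.0.10 needs the "from 10.0.0.10 table 2" rule (without it the reply leaves via the management NIC and the NAT firewall never sees it) and why the 10.0.0.0/24 line must be repeated inside table 2. The main-table metrics (100/101), the rule priorities, the client address 203.0.113.5 and the neighbour 10.0.0.5 are assumptions for the example, not values from the thread.

```python
"""Policy-routing walk-through for the two-NIC host in this thread (added example).

Constructed routing state modelled on the recap: ens224 = 10.0.0.10/24 with
gateway 10.0.0.1 (behind the NAT firewall), eno16780032 = 11.95.16.26/20 with
gateway 11.95.16.51 (management LAN). Metrics, rule priorities and the remote
addresses are assumptions, not from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    dst: IPv4Net
    dev: str
    via: Optional[str] = None   # None = directly connected (on-link) route
    metric: int = 0


@dataclass
class Rule:
    priority: int                   # lower number is consulted first
    table: str
    src: Optional[IPv4Net] = None   # "from" selector
    iif: Optional[str] = None       # "iif" selector


def parse_route(line: str) -> tuple:
    """Parse one route-<iface> line such as 'default via 10.0.0.1 dev ens224 table 2'.
    Returns (table, Route); like the kernel, the table defaults to 'main'."""
    tokens = line.split()
    dst = IPv4Net("0.0.0.0/0" if tokens[0] == "default" else tokens[0], strict=False)
    kv = dict(zip(tokens[1::2], tokens[2::2]))
    return kv.get("table", "main"), Route(dst, kv["dev"], kv.get("via"), int(kv.get("metric", 0)))


def parse_rule(line: str, default_priority: int = 32765) -> Rule:
    """Parse one rule-<iface> line such as 'from 10.0.0.10 table 2 priority 200'.
    With no priority given, the kernel takes the first free number below the
    lowest existing rule (32765 on a box that only has local/main/default)."""
    tokens = line.split()
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    src = IPv4Net(kv["from"], strict=False) if "from" in kv else None
    return Rule(int(kv.get("priority", kv.get("pref", default_priority))), kv["table"], src, kv.get("iif"))


def lookup(rules, tables, dst, src=None, iif=None):
    """Resolve egress the way the kernel does: rules in ascending priority, skip
    rules whose selectors do not match, return the best route from the first
    table holding any route for dst (longest prefix, then lowest metric).
    A table with no matching route falls through to the next rule."""
    dst_ip = ipaddress.IPv4Address(dst)
    src_ip = ipaddress.IPv4Address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        if rule.iif is not None and iif != rule.iif:
            continue
        candidates = [r for r in tables.get(rule.table, []) if dst_ip in r.dst]
        if candidates:
            return rule.table, max(candidates, key=lambda r: (r.dst.prefixlen, -r.metric))
    raise LookupError(f"no route to {dst}")


# Main table as NetworkManager derives it from the two ifcfg files: a connected
# route and a default route per interface (both say DEFROUTE=yes, so main holds
# two default routes told apart by metric; 100/101 are assumed values).
MAIN_ROUTES = [
    "11.95.16.0/20 dev eno16780032",
    "10.0.0.0/24 dev ens224",
    "default via 11.95.16.51 dev eno16780032 metric 100",
    "default via 10.0.0.1 dev ens224 metric 101",
]
ROUTE_ENS224 = [                 # route-ens224 from the recap
    "10.0.0.0/24 dev ens224 table 2",
    "default via 10.0.0.1 dev ens224 table 2",
]
RULE_ENS224 = [                  # rule-ens224 from the recap; priorities assumed
    "from 10.0.0.10 table 2 priority 200",
    "iif ens224 table 2 priority 201",
]
BASE_RULES = [Rule(0, "local"), Rule(32766, "main"), Rule(32767, "default")]


def egress(dst, src=None, iif=None, *, policy_rules=RULE_ENS224, table2=ROUTE_ENS224):
    """Return (table, device, gateway) chosen for a packet to dst sourced from src."""
    tables = {}
    for line in MAIN_ROUTES + list(table2):
        table, route = parse_route(line)
        tables.setdefault(table, []).append(route)
    rules = BASE_RULES + [parse_rule(l) for l in policy_rules]
    table, route = lookup(rules, tables, dst, src, iif)
    return table, route.dev, route.via


if __name__ == "__main__":
    # New outbound connection, source not yet bound: main table, lowest metric wins.
    print("outbound 8.8.8.8        ->", egress("8.8.8.8"))
    # Web reply from 10.0.0.10 with the policy rule: back out through the firewall.
    print("reply from 10.0.0.10    ->", egress("203.0.113.5", src="10.0.0.10"))
    # Same reply with the rule file not applied (the after-reboot state in the
    # thread): it leaves via the management NIC, asymmetric to the request.
    print("reply, no policy rule   ->", egress("203.0.113.5", src="10.0.0.10", policy_rules=[]))
    # Neighbour on 10.0.0.0/24: with and without the connected route in table 2.
    print("neighbour, full table 2 ->", egress("10.0.0.5", src="10.0.0.10"))
    print("neighbour, default only ->", egress("10.0.0.5", src="10.0.0.10", table2=ROUTE_ENS224[1:]))
```

On the real box the equivalent check after a service network restart is `ip rule show`, `ip route show table 2` and `ip route get 203.0.113.5 from 10.0.0.10`; if the last one names eno16780032, the rule file was not applied. The same rule set is also used for the reverse-path check, so with strict rp_filter (the CentOS 7 default) a request arriving on ens224 for 10.0.0.10 is silently dropped until the rule is in place, which is one more reason the server only "works" once the rule exists.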
