I'm the IT guy at my company and I have two network interfaces in my PC, both are connected to my company's corporate network. The thing is that one interface (eth0) is connected to my company's domain, whereas the other interface (eth1) is connected to the corporate network but it is outside the domain/firewall (Please save me the moral/ethical discussion on whether or not I should be connected to this). I would like to have them both connected at the same time so that I can access websites that aren't blocked by the firewall (FTP servers and other things) but also access printers, file server shares, and local users computers.
I attempted to do this in Windows via a program called ForceBindIP and it worked slightly but DNS would get confused sometimes and wouldn't let me access anything if I had both interfaces connected at the same time. I asked over at MSFN and was told that I needed to implement Static Routes but wasn't given much help so I figured Linux would be better at having two network interfaces, also I like Linux way more.
If possible I would like it set up in this fashion
eth0 handles all domain traffic and connections to the 10.66.*.* and 10.138.*.* networks (10.66.160.* and 10.66.159.* are our in-house subnets that the devices are on, 10.138.40.* is the subnet that our domain controller is on)
eth1 handles all other traffic (connections to the 10.1.10.* network/outside world)
If that's not possible would it be possible to set a "default" interface that all traffic goes over (eth0) and only bind a web browser/ssh/ftp client to the outside interface (eth1)?
Last edited by brando56894 (2013-04-22 19:45:26)
anyone?
anyone?
Not really, no.
I've never done anything like that, but it might be possible. iptables comes to my mind, but it may be completely unrelated.
But then again, wouldn't it be easier to simply configure the current firewall/filter in a way that those users responsible for network administration (currently only you) have access to the websites and protocols required to do your work/research while the other users don't? Just a little idea I had, maybe it helps.
Last edited by cookies (2013-04-22 18:22:50)
I'm not sure I really understood your problem, but what you want to do is to route all your 10.66.*.* and 10.138.*.* traffic to eth0 and make eth1 handle the rest. I'm correct so far?
Try deleting your current routes, and use this instead:
ip route add 10.66.0.0/16 dev eth0
ip route add 10.138.0.0/16 dev eth0
ip route add default dev eth1
Does that solve your problem? (make sure your rules aren't conflicting and that you have correctly set your IP addresses on each device)
"open source is about choice"
No.
Open source is about opening the source code complying with these conditions, period. The ability to choose among several packages is just a nice side effect.
@cookie
yes that would be easier, but my company doesn't make things easy since we have a WAN that covers the whole USA and is used by multiple companies. I don't have login access to the routers/switches and our net admin is over a thousand miles away and he probably wouldn't help me with this anyway since it's not necessary, it's just something to make my life a little easier considering I wouldn't have to go in to our MDF and switch my patch cable from the "inside" line to the "outside" line whenever I need to bypass the firewall.
@Chris_I
You understood my problem correctly; sadly your suggestion killed my internet connection completely, packets were probably getting confused/lost just like before :-/ Addresses are assigned via DHCP and I have to have a valid (and necessary, which this isn't) reason to get a static IP. It also takes a while; we asked for one for a printer 5 days ago and still haven't gotten it!
[bran@STARMTLLNX0391 ~]$ ip route show
default via 10.66.160.1 dev eth0 metric 202
default via 10.1.10.1 dev enp3s2 metric 203
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.20 metric 203
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.86 metric 202
[bran@STARMTLLNX0391 ~]$ sudo ip route flush table all
[bran@STARMTLLNX0391 ~]$ ip route show
[bran@STARMTLLNX0391 ~]$ ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:21:9b:65:3a:e6 brd ff:ff:ff:ff:ff:ff
inet 10.66.160.86/24 brd 10.66.160.255 scope global eth0
inet6 fe80::221:9bff:fe65:3ae6/64 scope link
valid_lft forever preferred_lft forever
3: enp3s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 48:02:2a:07:96:12 brd ff:ff:ff:ff:ff:ff
inet 10.1.10.20/24 brd 10.1.10.255 scope global enp3s2
inet6 fe80::4a02:2aff:fe07:9612/64 scope link
valid_lft forever preferred_lft forever
[bran@STARMTLLNX0391 ~]$ sudo ip route add 10.66.0.0/16 dev eth0
[bran@STARMTLLNX0391 ~]$ sudo ip route add 10.138.0.0/16 dev eth0
[bran@STARMTLLNX0391 ~]$ sudo ip route add default route dev enp3s2
Error: either "to" is duplicate, or "route" is a garbage.
[bran@STARMTLLNX0391 ~]$ sudo ip route add default dev enp3s2
[bran@STARMTLLNX0391 ~]$ ip route show
default dev enp3s2 scope link
10.66.0.0/16 dev eth0 scope link
10.138.0.0/16 dev eth0 scope link
[bran@STARMTLLNX0391 ~]$ ping google.com
^C
[bran@STARMTLLNX0391 ~]$ ping -v google.com
^C
[bran@STARMTLLNX0391 ~]$ ip a
(I had unplugged the cat5e that was connected to eth0 at this point, hence the reason it's down)
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:21:9b:65:3a:e6 brd ff:ff:ff:ff:ff:ff
inet6 fe80::221:9bff:fe65:3ae6/64 scope link
valid_lft forever preferred_lft forever
3: enp3s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 48:02:2a:07:96:12 brd ff:ff:ff:ff:ff:ff
inet 10.1.10.20/24 brd 10.1.10.255 scope global enp3s2
inet6 fe80::4a02:2aff:fe07:9612/64 scope link
valid_lft forever preferred_lft forever
[bran@STARMTLLNX0391 ~]$ restart net-auto-wired
[bran@STARMTLLNX0391 ~]$ ip route show
default dev enp3s2 scope link
default via 10.1.10.1 dev enp3s2 metric 203
I actually had to reboot because restarting the network service didn't fix anything.
Last edited by brando56894 (2013-04-22 19:48:53)
Addresses are assigned via DHCP and I have to have a valid (and necessary, which this isn't) reason to get a static IP.
When you get an ip via dhcp, you also get a default route.
If you check your route tables on a system with only one ethernet device (and no vpn or other things) working correctly, you'll see something like this:
$ ip route
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.217
In this case, your eth0 has the 192.168.1.217 ip.
But, if you have 2 ethernet devices getting their ip via dhcp, you'll have two default routes.
And that is a problem. You can't have two default routes. So maybe at least one of your ethernet devices will have to get its ip manually (the non-default, the eth0, probably is a good option)
My example was not exactly a copy-paste, it was more to show you a path you can follow. Sorry for not specifying that.
Since you want eth1 to be the default route instead of eth0, delete the default route of eth0, and adjust the example I gave you before to add routes for 10.66.0.0/16 and 10.138.0.0/16
(by the way, 10.16.0.0/16 is the way to say 10.16.* The /16 part means netmask 255.255.0.0)
The problem is really simple, you just need to read documentation about routing using iproute2
A fast google search gave me this: http://www.cyberciti.biz/faq/howto-linu … ipcommand/
But you'll need to look for a more complete tutorial.
Thanks, I pretty much gave up on this since the other IT guy I work with keeps disconnecting my "Outside Line". He says he's doing it to protect me, but I think it's more to protect himself in case our boss happens to find out. I don't see how that would ever happen, but then again he's paranoid about these kinds of things since he's been in the field about 20 years more than me. I was going to ask how to set static routes using my phone's data connection as the default connection, but it seems like that was done automatically; all I had to do was restart chromium.
Thanks for all the help!
I've decided to fall back to USB tethering so that I can still access what I want. I have two different routes set up and my Verizon IP is the default route, but it still won't let me access internal (10.*) network resources. What's wrong here?
[bran@STARMTLLNX0391 ~]$ ip route
default via 192.168.42.129 dev usb0 proto static
10.66.160.0/24 dev enp3s2 proto kernel scope link src 10.66.160.80
192.168.42.0/24 dev usb0 proto kernel scope link src 192.168.42.26 metric 206
Edit: Turns out, it actually does work but only for the 10.66.160.0/24 subnet. How can I get access to the 10.138.0.0 subnet also (accessible through the 10.66.160.1 gateway)? Do I need to add another route of 10.0.0.0?
Edit 2: that was easy, all I had to do was this:
[bran@STARMTLLNX0391 ~]$ sudo ip route add 10.138.40.0/24 via 10.66.160.1
Now how would I go about permanently saving the route I just added? I can't seem to find which config file to put it in.
Edit 3: I decided to give it another try since I thought I may have figured it out... but I don't think I have.
[bran@STARMTLLNX0391 ~]$ ip route
default via 10.1.10.1 dev enp3s2
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.10
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.184
10.138.40.0 via 10.66.160.1 dev eth0
[bran@STARMTLLNX0391 ~]$ ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:21:9b:65:3a:e6 brd ff:ff:ff:ff:ff:ff
inet 10.66.160.184/24 brd 10.66.160.255 scope global eth0
inet6 fe80::221:9bff:fe65:3ae6/64 scope link
valid_lft forever preferred_lft forever
3: enp3s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 48:02:2a:07:96:12 brd ff:ff:ff:ff:ff:ff
inet 10.1.10.10/24 brd 10.1.10.255 scope global enp3s2
inet6 fe80::4a02:2aff:fe07:9612/64 scope link
valid_lft forever preferred_lft forever
Everything looks like it should work but I still can't get to any pages like before....
Last edited by brando56894 (2013-05-07 16:43:40)
From your ip route output it seems that you didn't enter this command:
sudo ip route add 10.138.40.0/24 via 10.66.160.1 src 10.66.160.184
I'm saying this because in the output there's no /24 netmask (no netmask specified means /32).
Your ip route should look like:
default via 10.1.10.1 dev enp3s2
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.10
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.184
10.138.40.0/24 via 10.66.160.1 dev eth0 src 10.66.160.184
To answer your first question:
eth0 handles all domain traffic and connections to the 10.66.*.* and 10.138.*.* networks
eth1 handles all other traffic (connections to the 10.1.10.* network/outside world)
A better solution would be (I'm assuming your company owns 10.66.0.0/16 and 10.138.0.0/16, otherwise change the routes accordingly) :
default via 10.1.10.1 dev enp3s2
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.10
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.184
10.66.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
10.138.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
Assuming you're getting 10.66.160.184/24 (on dev enp3s2) and 10.1.10.10/24 (on dev eth0) via dhcp
ip route add 10.66.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
ip route add 10.138.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
Just in case you're getting two default gateways, delete the one from your company network:
ip route del default via 10.66.160.1 dev eth0
All that said, you can't access any service that is restricted to the 10.66.159.0/24 subnet if you don't have a (physical/virtual) interface on that LAN.
Hope this helps.
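An added example (not code from the thread or from any of its posters) that illustrates two points raised above: the "you can't have two default routes" problem from the DHCP discussion, and the /32-versus-/24 mistake in the last reply. It is a small simulation of how the Linux kernel selects a route from a table written in `ip route` output syntax: longest prefix match first, and among equal-length prefixes the lowest metric. The three tables are constructed sample input shaped after the ones posted in this thread; the function names are my own.

```python
import ipaddress

# Constructed route tables in `ip route` output syntax (shapes taken from the
# thread; values are sample input only).

# Two DHCP leases => two default routes; the kernel uses the lower metric,
# so internet traffic goes out eth0 (metric 202), not enp3s2 (metric 203).
DHCP_TABLE = """\
default via 10.66.160.1 dev eth0 metric 202
default via 10.1.10.1 dev enp3s2 metric 203
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.20 metric 203
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.86 metric 202
"""

# "Edit 3" table: 10.138.40.0 has no prefix length, so ip(8) made it a /32
# host route that matches only 10.138.40.0 itself.
HOST_ROUTE_TABLE = """\
default via 10.1.10.1 dev enp3s2
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.10
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.184
10.138.40.0 via 10.66.160.1 dev eth0
"""

# Corrected table: the company ranges as /16 via the domain-side gateway.
FIXED_TABLE = """\
default via 10.1.10.1 dev enp3s2
10.1.10.0/24 dev enp3s2 proto kernel scope link src 10.1.10.10
10.66.160.0/24 dev eth0 proto kernel scope link src 10.66.160.184
10.66.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
10.138.0.0/16 via 10.66.160.1 dev eth0 src 10.66.160.184
"""

# Keywords in `ip route` output that are followed by one value.
KEYED = {"via", "dev", "metric", "src", "proto", "scope"}


def parse_route(line):
    """Parse one `ip route` line into a dict with an ip_network destination."""
    tokens = line.split()
    dst = tokens[0]
    if dst == "default":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif "/" in dst:
        net = ipaddress.ip_network(dst, strict=False)
    else:
        net = ipaddress.ip_network(dst + "/32")  # bare address == host route
    route = {"dst": net, "via": None, "dev": None, "metric": 0}
    i = 1
    while i + 1 < len(tokens):
        if tokens[i] in KEYED:
            value = tokens[i + 1]
            route[tokens[i]] = int(value) if tokens[i] == "metric" else value
            i += 2
        else:
            i += 1
    return route


def parse_table(text):
    return [parse_route(line) for line in text.splitlines() if line.strip()]


def lookup(table, dst_ip):
    """Longest prefix match; ties go to the lowest metric (as the kernel does)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in r["dst"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["dst"].prefixlen, r["metric"]))


def next_hop(table_text, dst_ip):
    """Return (device, gateway or None for an on-link route) the table selects."""
    route = lookup(parse_table(table_text), dst_ip)
    return None if route is None else (route["dev"], route["via"])


def count_default_routes(table_text):
    """How many 0.0.0.0/0 entries a table carries (DHCP on two NICs gives two)."""
    return sum(1 for r in parse_table(table_text) if r["dst"].prefixlen == 0)


if __name__ == "__main__":
    tables = (("DHCP", DHCP_TABLE), ("HOST_ROUTE", HOST_ROUTE_TABLE), ("FIXED", FIXED_TABLE))
    for name, table in tables:
        for target in ("8.8.8.8", "10.138.40.5", "10.66.159.7", "10.66.160.86"):
            print(f"{name:10} {target:14} -> {next_hop(table, target)}")
```

Running it shows that with the host-route table 10.138.40.5 falls through to the default gateway on enp3s2 (only 10.138.40.0 itself matches the /32), that the fixed table sends the whole 10.138.0.0/16 and 10.66.0.0/16 via 10.66.160.1 while the directly connected /24 still wins for 10.66.160.x, and that with two DHCP default routes the lower metric decides where internet traffic goes. The real kernel also consults policy rules and route scope, which this simulation leaves out.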
Thanks for the information! I'll give it a try at some point
As someone stated before, not having a static IP on one (or both) of the interfaces does create sort of a problem, since it gives me two default routes, one for each interface, and if I delete one, it will add it back in within an hour, so I have to keep deleting it. I noticed this when I was using enp3s2 as my domain connection and tethering my smartphone to Verizon's network: I would have two default routes and I would have to delete the domain route for web browsing to work. I saw that there was a way to tell dhcpcd to not update the default gateway/route and I tried it, but it didn't seem to work. I can't find the exact command since this was a little while ago.
Last edited by brando56894 (2013-05-14 16:03:40)
This may or may not interest you: in a similar situation, but with only one net interface and no control over the corporate network, I set up an HTTP tunnel from my work PC to my home PC and accessed all "unauthorised" stuff that way.