  1. #1
    Just Joined!
    Join Date
    Mar 2010
    Posts
    5

    3 NIC Card Network

    I want to use three NIC cards in my system.
    I have two working fine now.
    ETH0 is setup to the outside (internet) with DHCP
    ETH1 is setup to the LAN with a static IP 192.168.10.1 and runs DHCP for the connected devices (a few workstations and a wireless with a static IP of x.x.10.2)
    I would like to configure ETH2 also as a static (x.x.10.3) and also run DHCP for connected devices.

    How do I set up my dhcp.conf file for this? I also have a bash script to enable masquerading and forwarding; what do I add to this?

    There is a two part reason I want to do this.

    1) I have an asterisk telephony system running and during heavy load the calls get choppy. I would like to throttle back all other traffic when a call comes in or out.

    2) Either with this setup or, once I find out how to add the third NIC I can set up a fourth, I want to be able to use a cron job to shut down a NIC during certain hours to limit the time my kids spend online.

    Thank you

  2. #2
    Just Joined!
    Join Date
    Mar 2010
    Location
    Grand Rapids, MI
    Posts
    15
    Hello,

    Just for clarification, you'd like eth1 and eth2 to be on the same subnet (192.168.10)?
    -- And If so, I'm guessing you'll configure some machines to use 10.1 as their default gateways and other machines to use 10.3?
    -- And have the ip and gateway configured via dhcp?

  3. #3
    Just Joined!
    Join Date
    Mar 2010
    Posts
    5
    Correct. The gateway/nic interface will be determined by the hub connected to that nic (or wireless hub) but I would like all the machines to be on the same subnet therefore reachable by all others in that subnet.
    I just have no idea what to put in the dhcp.conf file or others

    Thank you for your help


    I run the following script at boot (it was set up by a friend to help make sure asterisk took priority)

    #############################################
    /usr/local/bin/natstart
    #############################################
    #!/bin/bash

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F asterisk
    iptables -t mangle -F common
    iptables -t mangle -F INPUT
    iptables -t mangle -F FORWARD
    iptables -t mangle -F OUTPUT
    iptables -t mangle -F PREROUTING
    iptables -t mangle -X common
    iptables -t mangle -X asterisk


    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    echo "1" >/proc/sys/net/ipv4/ip_forward

    ### CLEAR ALL IP ROUTING RULES
    iptables -F

    ### MASQUERADE CONNECTIONS TO THE INTERNET FOR ALL MACHINES INSIDE LOCAL NET (NAT)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -A INPUT -i tap+ -j ACCEPT

    ### TURN ON FORWARDING OF PACKETS BETWEEN INTERFACES
    echo "1" >/proc/sys/net/ipv4/ip_forward
    echo "1" >/proc/sys/net/ipv4/ip_dynaddr

    ### VOIP QOS RULES - SET ASTERISK AS HIGH PRIORITY ###


    iptables -t mangle -N common
    iptables -t mangle -N asterisk
    iptables -t mangle -A common -p tcp --dport 80 -j MARK --set-mark 2
    iptables -t mangle -A common -p tcp --dport 8080 -j MARK --set-mark 2
    iptables -t mangle -A common -p tcp --dport 443 -j MARK --set-mark 2
    iptables -t mangle -A common -p tcp --dport 110 -j MARK --set-mark 2
    iptables -t mangle -A common -p tcp --dport 119 -j MARK --set-mark 2
    iptables -t mangle -A common -p tcp --dport 25 -j MARK --set-mark 2
    iptables -t mangle -A common -p udp --dport 53 -j MARK --set-mark 2
    iptables -t mangle -A common -p udp --dport 68 -j MARK --set-mark 2
    iptables -t mangle -A asterisk -p udp --sport 5060 -j MARK --set-mark 1
    iptables -t mangle -A asterisk -p udp --dport 5060 -j MARK --set-mark 1
    iptables -t mangle -A asterisk -p tcp --dport 5036 -j MARK --set-mark 1
    iptables -t mangle -A asterisk -p udp --dport 5036 -j MARK --set-mark 1
    iptables -t mangle -A asterisk -p udp --dport 4569 -j MARK --set-mark 1
    iptables -t mangle -A asterisk -p udp --sport 16384:32767 -j MARK --set-mark 1
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j common
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j asterisk
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -p icmp -j MARK --set-mark 1



    These are my eth0 eth1 config files. (I am aware they are "backwards" but it is a remnant that I don't need/want to change right now)


    #############################################
    /etc/sysconfig/network-scripts/ifcfg-eth0
    #############################################
    DEVICE=eth1
    HWADDR=00:e0:4c:39:07:23
    BOOTPROTO=dhcp
    ONBOOT=yes
    TYPE=Ethernet

    #############################################
    /etc/sysconfig/network-scripts/ifcfg-eth1
    #############################################
    BOOTPROTO=none
    DHCP_HOSTNAME=cronus.wisenetworks.net
    TYPE=Ethernet
    HWADDR=00:16:17:6a:5b:78
    DEVICE=eth0
    NETMASK=255.255.255.0
    BROADCAST=192.168.10.255
    IPADDR=192.168.10.1
    NETWORK=192.168.10.0
    ONBOOT=yes



    My dhcpd.conf file

    #############################################
    /etc/dhcpd.conf
    #############################################
    ddns-update-style interim;
    ignore client-updates;

    subnet 192.168.162.0 netmask 255.255.255.0 {
    # Note: No range is given, vmnet-dhcpd will deal with this subnet.
    }

    subnet 192.168.151.0 netmask 255.255.255.0 {
    # Note: No range is given, vmnet-dhcpd will deal with this subnet.
    }


    subnet
    192.168.10.0 netmask 255.255.255.0 {

    # --- default gateway
    option routers 192.168.10.1;
    option subnet-mask 255.255.255.0;

    # option nis-domain "wisenetworks.net";
    # option domain-name "wisenetworks.net";
    option domain-name-servers 68.87.69.146;
    option domain-name-servers 68.87.85.98;

    option time-offset -31200; # Eastern Standard Time
    # option ntp-servers 192.168.10.1;
    option netbios-name-servers 192.168.10.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;

    range dynamic-bootp 192.168.10.91 192.168.10.99;
    default-lease-time 3600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address

    #-------------------------------------------------------------------
    #-------------------STATIC HOSTS -----------------------------------
    #-------------------------------------------------------------------

    # --- DESKTOP COMPUTERS 10 - 39 --
    # --- LAPTOP COMPUTERS 40 - 99 --
    # --- GAMING CONSOLES 100-199 --
    # --- ASTERISK PHONES 200-254 --

    #-------------------------------------------------------------------
    #-------------------DESKTOP COMPUTERS-------------------------------
    #-------------------------------------------------------------------


    #Host Phaedra Family Room 192.168.10.20
    host phaedra {
    hardware ethernet 0:e0:4d:1c:50:7a;
    fixed-address 192.168.10.20;
    }

    ######Truncated for space ############################################

  4. #4
    Just Joined!
    Join Date
    Mar 2010
    Location
    Grand Rapids, MI
    Posts
    15
    Okay, that makes everything perfectly clear. We have a similar setup at my company, assigning a different gateway for hosts being load-balanced. Unfortunately, I don't know of a simple way to have dhcp assign the gateway according to the nic it comes in on. I do know 2 difficult ways to do this though:

    1) You can define a default gateway for a subnet (which you have), and then override it at the host level. For example:

    subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    range dynamic-bootp 192.168.10.91 192.168.10.99;
    }

    host test1 {
    hardware ethernet 00:14:22:21:83:ff;
    fixed-address 192.168.10.50;
    option routers 192.168.10.3;
    }

    So test1 will use 10.3 and test2 (not listed) would use the default 10.1.

    2) The other way is to limit the dhcp server to a specific interface and have 2 dhcp server instances running on the host. You can specify the interface in the /etc/sysconfig/dhcpd file, or in the init script (which calls the sysconfig file) or as the last option in the dhcpd command. This means copying / creating a second init script, dhcpd.conf file, /etc/sysconfig/dhcp file and /var/lib/dhcp directory. Not really worth doing unless you have enough hosts to warrant it.
    ----
    You'll also need to add a few iptables rules to allow forwarding for eth2 in your natstart script. Basically duplicating any line with '-i eth0' and changing it to '-e eth2'.

  5. #5
    Just Joined!
    Join Date
    Mar 2010
    Posts
    5
    Thank you very much for your response. I have been looking for an answer to this all over the place. A few questions...

    What exactly does the -e eth2 do? And to avoid confusion here, if I have the following:
    (yes I know the eth0 & eth1 are "backwards")

    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j common

    this becomes
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -e eth2 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j common
    iptables -t mangle -A FORWARD -e eth2 -o eth1 -j common

    or does it become
    iptables -t mangle -A FORWARD -e eth0 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -e eth2 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -e eth0 -o eth1 -j common
    iptables -t mangle -A FORWARD -e eth2 -o eth1 -j common


    and with this setup devices connected to NIC eth2 must have an entry in the dhcpd.conf file denoting MAC address and options router yes?

    but devices connected to the existing NIC will still pull DHCP info the same way they have been if they are not programmed as hosts with a MAC address and will pull an IP 192.168.10.91-99?

    If they are included with a MAC address do they need the options router as well or can it be left off?

  6. #6
    Just Joined!
    Join Date
    Mar 2010
    Location
    Grand Rapids, MI
    Posts
    15
    oops! Sorry about that, it should be "-i eth2" to allow traffic coming in eth2 and going out eth0. The "-e" was a mistype. So it should be:
    iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 3
    iptables -t mangle -A FORWARD -i eth2 -o eth1 -j MARK --set-mark 3


    and with this setup devices connected to NIC eth2 must have an entry in the dhcpd.conf file denoting MAC address and options router yes?
    Correct.

    but devices connected to the existing NIC will still pull DHCP info the same way they have been if they are not programmed as hosts with a MAC address and will pull an IP 192.168.10.91-99?
    Correct.

    If they are included with a MAC address do they need the options router as well or can it be left off?
    Not sure I understand the question completely.

  7. #7
    Just Joined!
    Join Date
    Mar 2010
    Posts
    5
    Okay, the -i -e conundrum is solved. Just repeat/duplicate all the entries with eth2 where an eth0 exists.

    I assume the following are all left as is?
    =====================================
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -A INPUT -i tap+ -j ACCEPT
    echo "1" >/proc/sys/net/ipv4/ip_forward
    echo "1" >/proc/sys/net/ipv4/ip_dynaddr
    =====================================

    and as far as the options routers here is my Q hopefully better explained.

    Let's say I have a hub plugged into each nic. eth1 existing and eth2 new.

    Devices plugged into eth1 with no entry as a host will be assigned an address via dhcp.

    Devices plugged into eth2 with no entry as a host will fail to find dhcp.

    devices plugged into eth2 with an entry as host will work. Entry as such.
    =====================================
    host test1 {
    hardware ethernet 00:14:22:21:83:ff;
    fixed-address 192.168.10.50;
    option routers 192.168.10.3;
    }
    =====================================

    devices plugged into eth1 with an entry as host will work with this
    =====================================
    host test2 {
    hardware ethernet 00:14:22:21:83:90;
    fixed-address 192.168.10.60;
    }
    =====================================

    OR do they need to be like this?
    =====================================
    host test2 {
    hardware ethernet 00:14:22:21:83:90;
    fixed-address 192.168.10.60;
    option routers 192.168.10.1;
    }
    =====================================

  8. #8
    Just Joined!
    Join Date
    Mar 2010
    Location
    Grand Rapids, MI
    Posts
    15
    I assume the following are all left as is?
    Yup, those are good.

    Let's say I have a hub plugged into each nic. eth1 existing and eth2 new.
    So two hubs, not connected to each other? So hosts on hub1 won't see hosts on hub2?

    Devices plugged into eth1 with no entry as a host will be assigned an address via dhcp.
    Correct

    Devices plugged into eth2 with no entry as a host will fail to find dhcp.
    Nope - dhcp would assign these hosts an address from the range and use the default router for the subnet. By default, dhcpd listens on all interfaces.

    devices plugged into eth2 with an entry as host will work
    Correct

    For the host entries, you'll only need to specify the router command when you want the host to use something other than the default.
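
Added example, not part of any post in the thread: a small checker that reads a dhcpd.conf in the flat layout shown in post #4 and reports which address and gateway a given MAC would be offered, covering the three cases discussed above (host entry with `option routers`, host entry without it, and no host entry). The sample configuration is constructed, and the function names are hypothetical; nested declarations are not handled.

```python
import re

# Constructed sample shaped like the dhcpd.conf fragments quoted in the thread.
SAMPLE_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;    # subnet-wide default gateway
    range dynamic-bootp 192.168.10.91 192.168.10.99;
}
host test1 {
    hardware ethernet 00:14:22:21:83:ff;
    fixed-address 192.168.10.50;
    option routers 192.168.10.3;    # host-level override
}
host test2 {
    hardware ethernet 00:14:22:21:83:90;
    fixed-address 192.168.10.60;
}
"""

# Assumption: flat (non-nested) subnet/host blocks, one subnet carrying the default.
BLOCK = re.compile(r"\b(subnet|host)\s+\S+[^{]*\{([^}]*)\}")

def _stmt(body, keyword):
    """Return the value of 'keyword value;' inside a block body, or None."""
    m = re.search(r"^\s*" + re.escape(keyword) + r"\s+([^;]+);", body, re.M)
    return m.group(1).strip() if m else None

def norm_mac(mac):
    """Zero-pad and lowercase each octet so 0:e0:4d:... equals 00:E0:4D:..."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse(conf):
    conf = re.sub(r"#.*", "", conf)            # drop comments first
    default_router, hosts = None, {}
    for kind, body in BLOCK.findall(conf):
        if kind == "subnet":
            default_router = _stmt(body, "option routers") or default_router
        elif _stmt(body, "hardware ethernet"):
            hosts[norm_mac(_stmt(body, "hardware ethernet"))] = (
                _stmt(body, "fixed-address"), _stmt(body, "option routers"))
    return default_router, hosts

def effective_lease(conf, mac):
    """What a client with this MAC is offered: (address, gateway)."""
    default_router, hosts = parse(conf)
    fixed, router = hosts.get(norm_mac(mac), (None, None))
    # Unknown MACs fall through to the dynamic range and the subnet default.
    return (fixed or "dynamic range", router or default_router)
```

The lookup is keyed on MAC address only, so it gives the same answer whichever NIC the request arrives on, which is the behaviour described in posts #4 and #8.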
