On Thu, 26 Jul 2001, Matt Dillon wrote:
> I wish it were that easy. If you have two interfaces on the same LAN
> segment, but one is configured with an internal IP and one is
> configured with an external IP, and the default route points out the
> interface configured with the external IP, then you are ok.
>
> If you have one interface with *two* ip addresses. For example (taking
> a real life example):
>
> ash:/home/dillon> ifconfig
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 208.161.114.66 netmask 0xffffffc0 broadcast 208.161.114.127
> inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:b0:d0:49:3b:fd
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
>
> Then the 'source IP' address the machine uses is completely up in the
> air. It could be the external IP, or the internal IP, and it could
> change out from under you if you manipulate the interface with ifconfig.
> You have to explicitly bind to the correct source IP if you care.
>
> For our machines I bind our external services specifically to the
> external IP. Beyond that I usually don't care because I NAT-out our
> internal IP space anyway, so any packets sent 'from' an internal IP
> to the internet wind up going through the NAT, which hides the fact
> that the source machine chose the wrong IP.
Hmm.. That hasn't been my experience at all. I have _always_ seen
outgoing connections use a source address of the closest interface
address that exists on the same IP network as the destination, OR, if
it is a non-local destination, then the source is whatever IP address
is on the same IP network as the next-hop gateway. If your next-hop
gateway is an RFC1918 address, then your source address will be your
RFC1918 address on the same subnet, unless you specify otherwise of
course. Maybe if you set net.inet.ip.subnets_are_local to 1, then
maybe the system will use the primary non-alias address of the closest
physical interface, be it a public address or whatever, but I've not
tried that.
-- Chris Dillon - [EMAIL PROTECTED] - [EMAIL PROTECTED]
FreeBSD: The fastest and most stable server OS on the planet
- Available for IA32 (Intel x86) and Alpha architectures
- IA64 (Itanium), PowerPC, and ARM architectures under development
- http://www.freebsd.org
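Added example, not part of either mail: a small Python model of the source-address rule Chris describes (directly connected destination: the address on the destination's network; otherwise the address on the next-hop gateway's network), run against an interface table constructed from the fxp0 output quoted above, plus two real-socket helpers that show the difference between letting the kernel choose and pinning the source with bind() before connect(). The default gateway 208.161.114.65 and the 10.0.0.1 alternative are assumptions, not values from the thread; the socket helpers are exercised on loopback only.

```python
import ipaddress
import socket

# Constructed interface table modelled on the ifconfig output quoted above:
# one physical interface (fxp0) carrying a public address and an RFC1918 alias.
INTERFACES = {
    "fxp0": [
        ipaddress.ip_interface("208.161.114.66/26"),  # netmask 0xffffffc0
        ipaddress.ip_interface("10.0.0.3/24"),        # netmask 0xffffff00
    ],
}
# Assumed default gateway, placed on the public /26 (not stated in the thread).
DEFAULT_GATEWAY = ipaddress.ip_address("208.161.114.65")


def build_routes(interfaces, default_gw):
    """(network, gateway_or_None, ifname) triples: one directly connected route
    per interface address plus a default route via the gateway."""
    routes = []
    for ifname, addrs in interfaces.items():
        for a in addrs:
            routes.append((a.network, None, ifname))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_gw, None))
    return routes


def lookup_route(dst, routes):
    """Longest-prefix match, the way the kernel routing table resolves dst."""
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise RuntimeError("no route to %s" % dst)
    return max(candidates, key=lambda r: r[0].prefixlen)


def select_source(dst, interfaces=INTERFACES, default_gw=DEFAULT_GATEWAY):
    """Model of the rule in the reply above: for a directly connected
    destination use the interface address on the destination's network;
    for a non-local destination use the address on the next-hop's network.
    Returns the chosen source address as a string."""
    dst = ipaddress.ip_address(dst)
    routes = build_routes(interfaces, default_gw)
    network, gateway, ifname = lookup_route(dst, routes)
    if gateway is not None:
        # Non-local destination: the hop we actually talk to is the gateway,
        # so the source is whatever address shares a network with it.
        gw_net, gw_gateway, gw_ifname = lookup_route(gateway, routes)
        if gw_gateway is not None:
            raise RuntimeError("gateway %s is not directly reachable" % gateway)
        dst, ifname = gateway, gw_ifname
    for a in interfaces[ifname]:
        if dst in a.network:
            return str(a.ip)
    raise RuntimeError("no interface address covers the connected route")


def kernel_chosen_source(dst, port=9):
    """Ask the running kernel which source it would pick for dst: connect()
    on a UDP socket transmits nothing but commits the route, and
    getsockname() then reveals the address selected. Without an explicit
    bind this is the choice the original mail calls 'up in the air'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def bound_source(dst, src, port=9):
    """Pin the source explicitly with bind() before connect(), which is what
    the original mail does for its external services."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]


if __name__ == "__main__":
    for target in ("208.161.114.100", "10.0.0.7", "198.51.100.10"):
        print(target, "->", select_source(target))
    # Same non-local target, but with an RFC1918 next hop (assumed 10.0.0.1):
    print("198.51.100.10 via 10.0.0.1 ->",
          select_source("198.51.100.10", default_gw=ipaddress.ip_address("10.0.0.1")))
    print("loopback, kernel choice:", kernel_chosen_source("127.0.0.1"))
    print("loopback, bound        :", bound_source("127.0.0.1", "127.0.0.1"))
```

The model reproduces Chris's point that the result hinges on the next hop: with the gateway on the public /26 the public address is used, but moving the gateway to 10.0.0.1 flips every non-local connection to the 10.0.0.3 alias, which is why a service that cares should bind its source explicitly rather than trust the routing table.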