Private Network on second NIC
I ran into an issue a while back with trying to create a private
network on a second NIC.
Our goal was to have en0 with an IP that is reachable through the
corporate network, but have en1 with a private IP that cannot route
through en0.
Anything connecting on en1 should be limited to not being able to go
through to en0.
Initially the thought was to not include a default route when setting
up the second nic.
This didn't work. From telnet connections on the private segment to
en1, you can ping hosts on en0.
Second thought was to add a second default gateway with a "bogus" IP
on en1.
This didn't work either as when you have two default gateways, remote
traffic coming in tries to go back out through either gateway. A
simple ping test would show every other ping was not responding.
We can remove the second default gateway but it leaves us with the
initial problem.
Guessing what's needed is to setup a metric or hop limitation on the
second nic?
How would this be done?
Re: Private Network on second NIC
On Fri, 12 Oct 2007 15:24:33 -0700, Scottz <mugi@pinesalad.net> wrote:
>
>I ran into an issue awhile back with trying to create a private
>network on a second nic.
>
>Our goal was to have en0 with an IP that is reachable through the
>corporate network,
>but have en1 with a private IP that can not route through en0.
>
>Anything connecting on en1 should be limited to not being able to go
>through to en0.
>
>Initially the thought was to not include a default route when setting
>up the second nic.
>This didn't work. From telnet connections on the private segment to
>en1, you can ping hosts on en0.
>
>Second thought was to add a second default gateway with a "bogus" IP
>on en1.
>This didn't work either as when you have two default gateways, remote
>traffic coming in tries to go back out through either gateway. A
>simple ping test would show every other ping was not responding.
>We can remove the second default gateway but it leaves us with the
>initial problem.
>
>Guessing what's needed is to setup a metric or hop limitation on the
>second nic?
>How would this be done?
There's a network option to prevent routing, which should be set by
default. This will prevent access to systems on the public network from
systems on the private network.
But if you're letting people log on to the system from the private
network, there's no way I can think of to prevent them using the public
network to get out.
Re: Private Network on second NIC
On Oct 12, 3:56 pm, TomK <namff...@NO.skyenet.SPAM.net> wrote:
>
> There's a network option to prevent routing, which should by set be
> default. This will prevent access to systems on the public network from
> systems on the private network.
>
> But if you're letting people log on to the system from the private
> network, there's no way I can think of to prevent them using the public
> network to get out.
I think you're referring to the "no" command and ipforwarding, which
makes the box more of a public router (and is disabled by default).
If there isn't a "built in" method it looks like I'm going to have to
dig into tcpwrapper, iptables, or some type of firewall solution.
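An added example, not code from the thread or from AIX: a small Python model of the route lookup on a dual-homed host, written to show why the two attempts in the original post behave as described, and what the ipforwarding option does and does not cover. All addresses (10.1.0.0/16 on en0, 192.168.50.0/24 on en1, the gateways 10.1.0.1 and 192.168.50.254, the remote pinger 172.16.9.9) are constructed; the round-robin choice between two equal default routes is a simplification of what a real kernel does with multipath default routes, kept only because it reproduces the "every other ping fails" symptom.

```python
# Added example (constructed addresses; not from the thread or from AIX).
# Models longest-prefix-match route selection on a host with two NICs.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                      # outgoing interface, en0 or en1
    gateway: Optional[str] = None   # None means a directly connected network


class DualHomedHost:
    """Longest-prefix match; equal-length matches alternate, which is the
    simplification used here for two equal default routes."""

    def __init__(self, routes: List[Route], ipforwarding: int = 0,
                 dead_gateways=()):
        self.routes = list(routes)
        self.ipforwarding = ipforwarding   # models the AIX 'no -o ipforwarding' value
        self.dead = set(dead_gateways)     # gateway addresses that do not exist
        self._turn = {}                    # round-robin state per prefix length

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        if not hits:
            return None
        longest = max(r.prefix.prefixlen for r in hits)
        best = [r for r in hits if r.prefix.prefixlen == longest]
        n = self._turn.get(longest, 0)
        self._turn[longest] = n + 1
        return best[n % len(best)]

    def send_local(self, dst: str) -> str:
        """A packet originated on the host itself, e.g. a logged-in user's
        ping. ipforwarding plays no part: the host is the source, not a router."""
        r = self.lookup(dst)
        if r is None:
            return "no route"
        if r.gateway in self.dead:
            return f"lost via {r.iface} (gateway {r.gateway} does not exist)"
        return f"out {r.iface}"

    def forward(self, in_iface: str, dst: str) -> str:
        """A transit packet: arrived on in_iface, addressed to some other host."""
        if not self.ipforwarding:
            return "dropped (ipforwarding=0)"
        return self.send_local(dst)


def make_host(bogus_default_on_en1: bool = False,
              ipforwarding: int = 0) -> DualHomedHost:
    routes = [
        Route(ipaddress.ip_network("10.1.0.0/16"), "en0"),             # corporate side
        Route(ipaddress.ip_network("192.168.50.0/24"), "en1"),         # private side
        Route(ipaddress.ip_network("0.0.0.0/0"), "en0", "10.1.0.1"),   # real default
    ]
    dead = []
    if bogus_default_on_en1:   # the "second default gateway with a bogus IP"
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "en1", "192.168.50.254"))
        dead.append("192.168.50.254")
    return DualHomedHost(routes, ipforwarding, dead)


def attempt1_user_on_en1_pings_corp() -> str:
    # No default route on en1, yet the corporate host is reached: 10.1.2.3
    # matches en0's connected /16, so the default route is never consulted.
    return make_host().send_local("10.1.2.3")


def attempt2_replies_to_remote(count: int = 4) -> List[str]:
    # Two equal default routes: replies to a remote pinger alternate between
    # the real gateway and the bogus one, so every other reply is lost.
    host = make_host(bogus_default_on_en1=True)
    return [host.send_local("172.16.9.9") for _ in range(count)]


def transit_from_private_segment(ipforwarding: int) -> str:
    # A packet from a host on the private segment addressed to the corporate
    # network. This is the case ipforwarding governs; the logged-in user's
    # traffic in attempt 1 is not, because it originates on the box itself.
    return make_host(ipforwarding=ipforwarding).forward("en1", "10.1.2.3")


if __name__ == "__main__":
    print("attempt 1:", attempt1_user_on_en1_pings_corp())
    for i, outcome in enumerate(attempt2_replies_to_remote(), 1):
        print(f"attempt 2, reply {i}:", outcome)
    print("transit, ipforwarding=0:", transit_from_private_segment(0))
    print("transit, ipforwarding=1:", transit_from_private_segment(1))
```

The point the model makes is the one the thread circles around: a destination inside en0's own subnet is matched by the connected route, so withholding a default route from en1 changes nothing for a user already logged in, and ipforwarding=0 only drops packets the box would have to relay between the two segments. On a real AIX box the two facts to check are the routing table (netstat -rn) and the current value of no -o ipforwarding.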
Re: Private Network on second NIC
Scottz wrote:
> I ran into an issue awhile back with trying to create a private
> network on a second nic.
>
> Our goal was to have en0 with an IP that is reachable through the
> corporate network,
> but have en1 with a private IP that can not route through en0.
>
> Anything connecting on en1 should be limited to not being able to go
> through to en0.
>
Do you really mean anything, or only authorized traffic/users?
You don't mention which AIX levels, or if you need non-AIX host support,
But if you are running current AIX 5.3.0 levels you might consider:
A. Using route options (-allowgroup GID ; -denygroup GID).
To allow only certain groups (administrators?) to use the en0 routes.
B. Using chgif options (-a security secret) on en1 interfaces.
Keeps higher-classed traffic on en1 from 'leaking' out the en0 interfaces.
Eric
Re: Private Network on second NIC
On Oct 12, 6:24 pm, Scottz <m...@pinesalad.net> wrote:
> Guessing what's needed is to setup a metric or hop limitation on the
> second nic?
> How would this be done?
I don't think there is, or should be, a way to do this. Once a user
has signed onto a given AIX system why should it matter where they got
in from when it comes to granting access to other systems? It strikes
me that "where are you coming from" is an issue for a firewall not an
AIX server. Or am I missing something here?
FWIW
Jim Lane