Private Network on second NIC - Aix



Thread: Private Network on second NIC

  1. Private Network on second NIC


    I ran into an issue a while back with trying to create a private
    network on a second nic.

    Our goal was to have en0 with an IP that is reachable through the
    corporate network,
    but have en1 with a private IP that can not route through en0.

    Anything connecting on en1 should be limited to not being able to go
    through to en0.

    Initially the thought was to not include a default route when setting
    up the second nic.
    This didn't work. From telnet connections on the private segment to
    en1, you can ping hosts on en0.

    Second thought was to add a second default gateway with a "bogus" IP
    on en1.
    This didn't work either as when you have two default gateways, remote
    traffic coming in tries to go back out through either gateway. A
    simple ping test would show every other ping was not responding.
    We can remove the second default gateway but it leaves us with the
    initial problem.

    Guessing what's needed is to setup a metric or hop limitation on the
    second nic?
    How would this be done?


  2. Re: Private Network on second NIC

    On Fri, 12 Oct 2007 15:24:33 -0700, Scottz wrote:

    >
    >I ran into an issue a while back with trying to create a private
    >network on a second nic.
    >
    >Our goal was to have en0 with an IP that is reachable through the
    >corporate network,
    >but have en1 with a private IP that can not route through en0.
    >
    >Anything connecting on en1 should be limited to not being able to go
    >through to en0.
    >
    >Initially the thought was to not include a default route when setting
    >up the second nic.
    >This didn't work. From telnet connections on the private segment to
    >en1, you can ping hosts on en0.
    >
    >Second thought was to add a second default gateway with a "bogus" IP
    >on en1.
    >This didn't work either as when you have two default gateways, remote
    >traffic coming in tries to go back out through either gateway. A
    >simple ping test would show every other ping was not responding.
    >We can remove the second default gateway but it leaves us with the
    >initial problem.
    >
    >Guessing what's needed is to setup a metric or hop limitation on the
    >second nic?
    >How would this be done?



    There's a network option to prevent routing, which should be set by
    default. This will prevent access to systems on the public network from
    systems on the private network.

    But if you're letting people log on to the system from the private
    network, there's no way I can think of to prevent them using the public
    network to get out.



  3. Re: Private Network on second NIC

    On Oct 12, 3:56 pm, TomK wrote:
    > On Fri, 12 Oct 2007 15:24:33 -0700, Scottz wrote:
    >
    > >I ran into an issue a while back with trying to create a private
    > >network on a second nic.
    >
    > >Our goal was to have en0 with an IP that is reachable through the
    > >corporate network,
    > >but have en1 with a private IP that can not route through en0.
    >
    > >Anything connecting on en1 should be limited to not being able to go
    > >through to en0.
    >
    > >Initially the thought was to not include a default route when setting
    > >up the second nic.
    > >This didn't work. From telnet connections on the private segment to
    > >en1, you can ping hosts on en0.
    >
    > >Second thought was to add a second default gateway with a "bogus" IP
    > >on en1.
    > >This didn't work either as when you have two default gateways, remote
    > >traffic coming in tries to go back out through either gateway. A
    > >simple ping test would show every other ping was not responding.
    > >We can remove the second default gateway but it leaves us with the
    > >initial problem.
    >
    > >Guessing what's needed is to setup a metric or hop limitation on the
    > >second nic?
    > >How would this be done?
    >
    > There's a network option to prevent routing, which should be set by
    > default. This will prevent access to systems on the public network from
    > systems on the private network.
    >
    > But if you're letting people log on to the system from the private
    > network, there's no way I can think of to prevent them using the public
    > network to get out.


    I think you're referring to the "no" command and ipforwarding, which
    makes the box more of a public router (and is disabled by default).

    If there isn't a "built in" method it looks like I'm going to have to
    dig into tcpwrapper, iptables, or some type of firewall solution.


  4. Re: Private Network on second NIC

    Scottz wrote:
    > I ran into an issue a while back with trying to create a private
    > network on a second nic.
    >
    > Our goal was to have en0 with an IP that is reachable through the
    > corporate network,
    > but have en1 with a private IP that can not route through en0.
    >
    > Anything connecting on en1 should be limited to not being able to go
    > through to en0.
    >


    Do you really mean Anything, or only authorized traffic/users?

    You don't mention which AIX levels, or if you need non-AIX host support,
    but if you are running current AIX 5.3.0 levels you might consider:

    A. Using route options (-allowgroup GID ; -denygroup GID).
    To allow only certain groups (administrators?) to use the en0 routes.

    B. Using chgif options (-a security secret) on en1 interfaces.
    Keeps higher-classed traffic on en1 from 'leaking' out the en0 interfaces.


    Eric
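As an added example that is not from the thread, here is a small POSIX shell audit for the two conditions the posts above discuss: the "no" ipforwarding option (posts 2 and 3) and a second default route (post 1). It runs over constructed sample output of `no -o ipforwarding` and `netstat -rn`, both real AIX commands; on a host you would pipe in the live output instead. The route group and interface security options Eric mentions are not checked here.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits captured AIX command output
# for ipforwarding being enabled and for more than one IPv4 default route.

# Succeeds when the `no -o ipforwarding` output shows the value 0, i.e. the
# box will not forward packets arriving on en1 out through en0.
ipforwarding_off() {
    val=$(printf '%s\n' "$1" |
        awk -F'=' '$1 ~ /^[ \t]*ipforwarding[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }')
    [ "$val" = "0" ]
}

# Prints how many IPv4 default routes appear in `netstat -rn` output.
default_route_count() {
    printf '%s\n' "$1" |
        awk '$1 == "default" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++ }
             END { print n + 0 }'
}

# Reports findings on stdout; returns 0 only when neither condition is present.
audit_routing() {
    rc=0
    if ! ipforwarding_off "$1"; then
        echo "FINDING: ipforwarding is on; traffic from en1 can be forwarded out en0"
        rc=1
    fi
    n=$(default_route_count "$2")
    if [ "$n" -gt 1 ]; then
        echo "FINDING: $n default routes; replies may leave via the wrong interface"
        rc=1
    fi
    return $rc
}

# Constructed samples in the AIX output format; addresses are documentation
# ranges, not real hosts.
NO_OFF='ipforwarding = 0'
NO_ON='ipforwarding = 1'
RT_ONE_DEFAULT='Route Tree for Protocol Family 2 (Internet):
default            192.0.2.1         UG        5     1234 en0      -      -
192.0.2/24         192.0.2.10        U         2      456 en0      -      -
10.10.10/24        10.10.10.5        U         1       78 en1      -      -'
RT_TWO_DEFAULTS="$RT_ONE_DEFAULT
default            10.10.10.254      UG        0        0 en1      -      -"

audit_routing "$NO_OFF" "$RT_ONE_DEFAULT" && echo "OK: forwarding off, one default route"
audit_routing "$NO_ON" "$RT_TWO_DEFAULTS" || echo "host needs attention"
```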

  5. Re: Private Network on second NIC

    On Oct 12, 6:24 pm, Scottz wrote:
    > I ran into an issue a while back with trying to create a private
    > network on a second nic.
    >
    > Our goal was to have en0 with an IP that is reachable through the
    > corporate network,
    > but have en1 with a private IP that can not route through en0.
    >
    > Anything connecting on en1 should be limited to not being able to go
    > through to en0.
    >
    > Initially the thought was to not include a default route when setting
    > up the second nic.
    > This didn't work. From telnet connections on the private segment to
    > en1, you can ping hosts on en0.
    >
    > Second thought was to add a second default gateway with a "bogus" IP
    > on en1.
    > This didn't work either as when you have two default gateways, remote
    > traffic coming in tries to go back out through either gateway. A
    > simple ping test would show every other ping was not responding.
    > We can remove the second default gateway but it leaves us with the
    > initial problem.
    >
    > Guessing what's needed is to setup a metric or hop limitation on the
    > second nic?
    > How would this be done?


    I don't think there is, or should be, a way to do this. Once a user
    has signed onto a given AIX system why should it matter where they got
    in from when it comes to granting access to other systems? It strikes
    me that "where are you coming from" is an issue for a firewall not an
    AIX server. Or am I missing something here?

    FWIW

    Jim Lane

