
Looking for some advice; I'm pulling my hair out trying to figure this out! Running Red Hat (CentOS) with a fairly normal configuration, and I've disabled the firewall for now.

I have a web server which has worked wonderfully in the following setup:

Server IP: 10.0.0.10
Firewall/Router: 10.0.0.1

I port forward our public-facing IP address, ports 80/443, let's say 72.94.30.30, to the .10 internal IP and it works great.

However, I recently had the need to add a second SSL site, so I needed a new external IP, which I have from the ISP. I added a second NIC to the system, eth1, with a "public" IP of 72.94.30.31. The gateway for this external IP is now 72.94.30.1, which is the same as the firewall/router. Now the system wants to route everything through eth1, rendering the first website (and interface) disabled.

Now I need to set up static routes, but I can't seem to get it to do what I want. Basically I want:

Incoming traffic from 72.94.30.30 to be forwarded to 10.0.0.223 by the firewall/router (already done), with return traffic going through 10.0.0.1 on eth0.

Incoming traffic from 72.94.30.31 to be served straight up, routed through 72.94.30.1 on eth1.

Any tips on the correct setup?

Right now I have

cat ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.1

cat route-eth0

default 10.0.0.1 dev eth0
10.0.0.0/24 via 10.0.0.1 dev eth0

cat ifcfg-eth1

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=72.94.30.31
NETMASK=255.255.255.0
GATEWAY=72.94.30.1

cat route-eth1

default 72.94.30.1 dev eth1
72.94.30.30/32 via 72.94.30.1 dev eth1

ip route

72.94.30.31 via 72.94.30.1 dev eth1 
72.94.30.30 via 10.0.0.1 dev eth0 
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.10 
72.94.30.0/24 dev eth1  proto kernel  scope link  src 72.94.30.31 
169.254.0.0/16 dev eth1  scope link 
default via 72.94.30.1 dev eth1 

This results in 72.94.30.31 traffic working fine, but the other interface is knocked offline.

Any help is appreciated!

2 Answers

3

Why are you making life so difficult for yourself? You don't need a second NIC for that. Just add another IP address to the first NIC, so that it picks up the traffic for the other IP address, too.
Then do port forwarding in your firewall, using DNAT, for both addresses, to separate internal IP addresses (because of the SSL certificate) on the web server (which also needs to use two IP addresses on the same Ethernet interface), and Bob's your uncle.

In case this isn't clear, let me try and explain differently:

Public IP
72.94.30.30 -> DNAT to 10.0.0.10 (ports 80 and 443)
72.94.30.31 -> DNAT to 10.0.0.11 (ports 80 and 443)

Both the public IP addresses use the same physical interface on the firewall/router and both the internal addresses use the same physical interface on the web server.

1
  • Thank you, and yes, I ended up going this way! I forgot to KISS! Commented Aug 15, 2010 at 14:44
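The setup this answer describes, written out as a script that renders the three pieces of configuration (an alias address on the web server's single NIC, the two DNAT mappings on the firewall, and one SSL vhost per internal address). This is an added example, not code from the answer or the question. It assumes the web server uses RHEL/CentOS network-scripts alias files (ifcfg-eth0:0), that the firewall at 10.0.0.1 is a Linux/iptables box whose WAN interface is called ppp0 here, and that the second internal address is 10.0.0.11 as the answer suggests; hostnames and certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): one NIC on the web server
# carrying two LAN addresses, plus one DNAT rule pair per public address on
# the firewall. Assumed: RHEL-style network-scripts on the web server, a
# Linux/iptables firewall whose WAN interface is ppp0, second internal
# address 10.0.0.11. Hostnames and certificate paths are placeholders.

LAN_IF=eth0
WAN_IF=ppp0

# True when two dotted-quad addresses share their first three octets, i.e.
# sit in the same /24 (the page's LAN is 10.0.0.0/24).
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# RHEL alias file for a second address on the same NIC. Deliberately no
# GATEWAY= line: the alias must not install a second default route, which is
# exactly what the second NIC did to the original setup.
alias_ifcfg() {
    dev=$1; addr=$2; mask=$3
    printf 'DEVICE=%s\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\n' \
        "$dev" "$addr" "$mask"
}

# Firewall rules for one public->private mapping, ports 80 and 443 only.
# PREROUTING/DNAT rewrites the destination on the way in; the FORWARD rule
# admits the new connection when the FORWARD policy is DROP. Replies are
# un-NATted by conntrack, so the web server never needs a public address.
dnat_rules() {
    wan_if=$1; pub=$2; priv=$3
    for port in 80 443; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$wan_if" "$pub" "$port" "$priv" "$port"
        printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan_if" "$priv" "$port"
    done
}

# One Apache SSL vhost bound to one internal address. Without SNI, each
# certificate needs its own IP:443 socket, which is why the answer wants two
# internal addresses rather than two ports.
ssl_vhost() {
    addr=$1; host=$2; cert=$3; key=$4
    printf 'Listen %s:443\n<VirtualHost %s:443>\n    ServerName %s\n    SSLEngine on\n    SSLCertificateFile %s\n    SSLCertificateKeyFile %s\n</VirtualHost>\n' \
        "$addr" "$addr" "$host" "$cert" "$key"
}

# Render the firewall part for a list of public=private mappings. Refuses a
# private address outside the web server's /24, since DNAT to it would never
# reach eth0. Nothing here touches the live system.
render_plan() {
    server_ip=$1; shift
    for pair in "$@"; do
        pub=${pair%=*}; priv=${pair#*=}
        same_subnet24 "$server_ip" "$priv" || { echo "bad mapping $pair" >&2; return 1; }
        dnat_rules "$WAN_IF" "$pub" "$priv"
    done
}

echo "# --- web server: /etc/sysconfig/network-scripts/ifcfg-$LAN_IF:0"
alias_ifcfg "$LAN_IF:0" 10.0.0.11 255.255.255.0
echo "# --- firewall 10.0.0.1: nat and forward rules"
render_plan 10.0.0.10 72.94.30.30=10.0.0.10 72.94.30.31=10.0.0.11
echo "# --- web server: Apache, one SSL vhost per internal address"
ssl_vhost 10.0.0.10 www.example.com /etc/pki/tls/certs/site1.crt /etc/pki/tls/private/site1.key
ssl_vhost 10.0.0.11 shop.example.com /etc/pki/tls/certs/site2.crt /etc/pki/tls/private/site2.key
```

The script only prints; review the output, then copy the alias file onto the web server, run the iptables lines on the firewall (or translate them into the port-forwarding screen of a non-Linux appliance), and restart Apache. This works precisely because the web server keeps a single default route via 10.0.0.1 on eth0, as in the original ifcfg-eth0, so replies to both public addresses return through the firewall that un-NATs them.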
0

Remove the default route on the eth1 network, then use iproute2 and firewall marks to ensure that the traffic that comes in via the eth1 interface gets sent out via that same interface.
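What this answer describes, as an added example that is not part of the original answer: a second routing table for eth1, a source-address rule that selects it, and CONNMARK-based firewall marks so that any connection which entered on eth1 is answered through eth1. It assumes the addresses from the question (10.0.0.1 on eth0, 72.94.30.31/24 with gateway 72.94.30.1 on eth1); table number 100 and fwmark 0x2 are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original answer. Policy routing for a host whose
# eth0 carries a LAN address (default gateway 10.0.0.1) and whose eth1 carries
# a public address (gateway 72.94.30.1): the main table keeps one default route
# via eth0, table 100 holds the eth1 default, and two rules select table 100
# for packets sourced from the public address or marked as belonging to a
# connection that arrived on eth1. Table 100 and mark 0x2 are assumed values.

LAN_IF=eth0; LAN_GW=10.0.0.1
WAN_IF=eth1; WAN_IP=72.94.30.31; WAN_NET=72.94.30.0/24; WAN_GW=72.94.30.1
WAN_TABLE=100; WAN_MARK=0x2

# iproute2 commands. "route replace default" throws out the eth1 default route
# the original config installed and leaves eth0's. The connected route must be
# repeated inside table 100, otherwise the gateway is unreachable from there.
route_cmds() {
cat <<EOF
ip route replace default via $LAN_GW dev $LAN_IF
ip route replace $WAN_NET dev $WAN_IF src $WAN_IP table $WAN_TABLE
ip route replace default via $WAN_GW dev $WAN_IF table $WAN_TABLE
ip rule add from $WAN_IP lookup $WAN_TABLE priority 1000
ip rule add fwmark $WAN_MARK lookup $WAN_TABLE priority 1001
EOF
}

# Firewall marks, as the answer suggests: tag connections that arrive on eth1,
# then copy the tag onto every locally generated packet of the same connection
# so the fwmark rule above routes the reply back out through eth1. The "from"
# rule alone already covers a plain web server (replies are sourced from
# 72.94.30.31); the marks matter once replies can carry another source.
mark_cmds() {
cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $WAN_MARK
iptables -t mangle -A OUTPUT -m connmark --mark $WAN_MARK -j CONNMARK --restore-mark
EOF
}

# Ask the kernel which way a reply sourced from the public address would go
# for an arbitrary off-link destination (198.51.100.1 is a documentation
# address); expect "dev eth1". Needs a live system, so only run on request.
verify() {
    ip route get 198.51.100.1 from "$WAN_IP" | grep -q "dev $WAN_IF" \
        && echo "ok: replies from $WAN_IP leave via $WAN_IF" \
        || { echo "FAIL: $WAN_IP is still routed elsewhere" >&2; return 1; }
}

case "${1:-}" in
    apply)  { route_cmds; mark_cmds; } | sh -e ;;
    verify) verify ;;
    *)      route_cmds; mark_cmds ;;   # dry run: print the commands only
esac
```

Run it without arguments to see the commands, `apply` as root to install them, then `verify`. To make the change survive a reboot, drop the GATEWAY= line from ifcfg-eth1 (otherwise the eth1 default route comes back at ifup) and put the table-100 routes into route-eth1 and the two rules into rule-eth1, which take the same arguments as `ip route` and `ip rule` respectively.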

