We have to do the following routing (done manually), which the ifup script can't handle:

Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
x.y.z.178       0.0.0.0         255.255.255.255  UH    0      0   0   eth0
x.y.z.177       0.0.0.0         255.255.255.255  UH    0      0   0   eth0
x.y.z.176       0.0.0.0         255.255.255.240  U     0      0   0   eth1
192.168.2.0     0.0.0.0         255.255.255.0    U     0      0   0   eth2
0.0.0.0         x.y.z.177       0.0.0.0          UG    0      0   0   eth0

x.y.z.178 is a firewall machine connected to a Cisco router (x.y.z.177) with a twisted-pair crosslink cable (no hub will be used). x.y.z.176 is a subnet from our provider used for a demilitarized zone and is reachable via interface eth1 (with one exception: the Cisco router). All local machines are connected via the eth2 interface.

The ifup script is not able to handle that specific situation, where a point-to-point connection is made across two interfaces, but within a subnet.

The other point is: the host routes, are they really necessary? Or could this part of the /sbin/ifup script

--- cut ---
# stupid hack, but it should work
if [ "$ISALIAS" = no ] && [ -z "`route -n | sed "s/ .*//" | grep ${NETWORK}`" ]; then
    route add -net ${NETWORK} netmask ${NETMASK} dev ${DEVICE}
else
    route add -host ${IPADDR} ${DEVICE}
fi
--- cut ---

be replaced by this:

--- cut ---
if [ "${NETMASK}" = "255.255.255.255" ]; then
    route add -host ${IPADDR} ${DEVICE}
fi
--- cut ---

Thanx for considering this point...

Andreas J. Bathe <ajb>
Forgot to tell you the ifcfg files:

ifcfg-eth0:
DEVICE=eth0
IPADDR=x.y.z.178
NETMASK=255.255.255.255
ONBOOT=yes

ifcfg-eth1:
DEVICE=eth1
IPADDR=x.y.z.178
NETMASK=255.255.255.240
ONBOOT=yes

ifcfg-eth2:
DEVICE=eth2
IPADDR=192.168.2.2
NETMASK=255.255.255.0
ONBOOT=yes

In /etc/sysconfig/network:
...
GATEWAY=x.y.z.177
GATEWAYDEV=eth0

Take care
Andreas J. Bathe <ajb>
Your ifcfg-eth0 looks wrong; it should have the 255.255.255.240 netmask, if I'm reading it correctly. What it looks like you'd want is to put the eth0 and eth1 host routes in /etc/sysconfig/static-routes, something like

eth0 host x.y.z.178 eth0

Or am I misunderstanding what you're trying to do?
(make that just the eth0 routes, the eth1 config is fine.)
In /etc/sysconfig/static-routes there is the entry:

eth0 host 62.96.220.177

At this point (until the RH scripts consider the described situation) the gateway is set via the /etc/rc.d/rc.local script with:

route add default gw 62.96.220.177

At boot time we get the message:

[...]
Mar 16 06:38:53 gateway kernel: eth1: media is 100Mb/s.
[...]
Mar 16 06:38:50 gateway network: Bringing up interface lo succeeded
Mar 16 06:38:50 gateway ifup: SIOCADDRT: Network is unreachable
Mar 16 06:38:50 gateway network: Bringing up interface eth0 succeeded
Mar 16 06:38:51 gateway network: Bringing up interface eth1 succeeded
Mar 16 06:38:51 gateway network: Bringing up interface eth2 succeeded
[...]
Mar 16 06:38:53 gateway kernel: eth2: media is 100Mb/s.
[...]

The x.y.z.176 net is on eth1 (all machines with the exception of the Cisco, x.y.z.177). If eth0 had the netmask 255.255.255.240, all traffic would go to eth0, which would be wrong. On eth0 there is only the gateway x.y.z.178 (our firewall), connected to the Cisco router (x.y.z.177).
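The following is an added example, not code from the bug report or from the Red Hat network scripts. It dry-runs the route decision for the three ifcfg files posted above (the proposed rule: a 255.255.255.255 netmask means a point-to-point host route, anything else a subnet route) and for the static-routes entry, and then shows what the 255.255.255.240 netmask suggested for eth0 would have done. The network address is computed with shell arithmetic here (the real ifup gets it from ipcalc), the provider prefix x.y.z.176/28 is replaced by the constructed documentation range 192.0.2.176/28, and the static-routes parsing assumes the "route add -<args> <device>" form.

```bash
#!/bin/bash
# Added example: dry run of ifup's per-interface route decision.
# Nothing is executed; the route commands are only printed.

# dotted quad -> integer, and back (constructed helpers, not ipcalc)
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# network address of IPADDR/NETMASK
network_of() { int2ip $(( $(ip2int "$1") & $(ip2int "$2") )); }

# The route ifup would add for one ifcfg definition under the proposed rule:
# a /32 netmask is a point-to-point host, everything else a subnet on that device.
# $1 = DEVICE  $2 = IPADDR  $3 = NETMASK
ifup_route() {
  if [ "$3" = "255.255.255.255" ]; then
    echo "route add -host $2 $1"
  else
    echo "route add -net $(network_of "$2" "$3") netmask $3 dev $1"
  fi
}

# /etc/sysconfig/static-routes lines "<dev> <type> <target> ..." read from stdin,
# turned into the commands assumed for ifup-routes: route add -<args> <dev>
static_routes_for() {
  local dev=$1
  grep "^$dev[[:space:]]" | while read -r device args; do
    echo "route add -$args $device"
  done
}

# Constructed ifcfg values from the report, with x.y.z -> 192.0.2
ifup_route eth0 192.0.2.178 255.255.255.255   # host route for the crosslink
ifup_route eth1 192.0.2.178 255.255.255.240   # provider /28 on eth1 (the DMZ)
ifup_route eth2 192.168.2.2  255.255.255.0    # local net on eth2
printf 'eth0 host 192.0.2.177\n' | static_routes_for eth0   # the Cisco behind eth0

# What the /28 netmask suggested for eth0 would do instead: the whole provider
# subnet would be routed to eth0, where only the Cisco router lives.
ifup_route eth0 192.0.2.178 255.255.255.240
```

Run it as-is to see the five route lines; the last one is the route that would steal the DMZ traffic from eth1, which is why the /32 on eth0 is the intended configuration.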
Well, this is definitely an odd setup, since you want two network cards with the same IP, but different subnet masks. It sounds like you are trying to emulate a bridging firewall. If this is the case, the subnet mask is not really 255.255.255.255, it's 255.255.255.254 for that card, but that would give you a network number and broadcast number also (which is not really what you want). You are technically creating an invalid network (no network/broadcast), but if you configure it with 255.255.255.254 in the ifcfg-eth0, and add the static host route, it should work for you. The suggested fix will work, but as stated does not really create a valid network. You would have to make other changes also (point-to-point on the card).

-- Keith Moore
A clarification to my last paragraph: I was referring to the ifup patch, which would not be a valid fix, since it doesn't configure the card properly.
In general, we aren't going to support such esoteric network configs out-of-the-box.