Dual NIC usage

I put dual NICs in my generic desktop running OpenSuSE 13.1 as I am running AT&T’s U-Verse and have static IP addresses. One NIC has the static IP address which has a web server that is open to the public while the other is for the local network including Internet access. Since getting this running the desktop is slow loading outside web pages. Is there any way to isolate the one NIC to just dealing with the webserver to the static IP address? Not sure how to figure out the problem of why the Internet access is so slow now with two NICs. (Any ideas on that one?) Another odd problem is when using Firefox to load pages from outside websites, like local news: when I select the site from the bookmarks, Firefox tries to load the page and times out. When clicking on the “Try Again” button the page loads.

Thanks!

Hope the two NICs have IPs in different networks, e.g. 192.168.100.x for one, the other 192.168.0.x (of course not a “private” IP for the web server) or the like.

Looks like you have a circle in your routes.
Can you post the route settings here?

After all, running a web server on a desktop is mostly harmful…

They are on different networks as one is on 192.168.x.x and the other is on 104.35.x.x. And how would I present the routing for each, i.e. what command’s output? This is until I can get another computer. But why is it harmful?

Any active routes can be viewed with

netstat -r

Thank you for that. Forgot about netstat. Here are the results:

scott@scott1:~> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         104-11-35-174.l 0.0.0.0         UG        0 0          0 enp1s0
104-11-35-169.l *               255.255.255.248 U         0 0          0 enp1s0
loopback        *               255.0.0.0       U         0 0          0 lo
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
scott@scott1:~> man netstat
scott@scott1:~> netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp1s0 1500   0   927589      0    103      0   788548      0      0      0 BMRU
eth0   1500   0   137005      0    100      0    27645      0      0      0 BMRU
lo    65536   0   446146      0      0      0   446146      0      0      0 LRU

You still haven’t described your network topology sufficiently.

Not only should your two NICs have different IP networks, they should also be attached to two completely separate physical networks.

You also need to describe how your openSUSE is positioned relative to your network’s DG (The U-Verse router).

Recommend you provide
The IP addresses of each of the following devices…

DG router
openSUSE NIC1 and NIC2 (e.g. run “ip addr” or “ifconfig”)
Any other significant network devices like a firewall appliance

And if the network addresses aren’t sufficient to describe the position and relationship of each device, some further description.
Right now, all that is known is that you have a private network (192.168.x.y) and public (I think it’s 104.11.35.z, not 104.35.y.z)

TSU

Well, first of all the routes show clearly that all traffic going outside of network 192.168… is routed thru the 104… NIC.
Change the routing table to put the default route to the 192.168… router’s address.

It is not a MUST to have the two NICs in two physically separate Networks but I would advise to do so.
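The diagnosis above (default route leaving via the public NIC) and the original question (keep the public NIC for the web server only) can be checked and addressed with the script below. It is an added example, not code posted by anyone in this thread: it parses a copy of the routing table posted earlier, reports which interface carries the default route, and prints (without running) the `ip route`/`ip rule` commands that move the default route to the internal router and give traffic sourced from the public IP its own routing table. The interface names come from the thread; every address in the usage call is a placeholder (TEST-NET-3 for the public side, 192.168.1.1 assumed for the U-Verse router) and must be replaced with the real values before any of the printed commands are run as root.

```shell
#!/bin/sh
# Added example, not from any post in this thread: check which interface
# carries the default route and print the policy-routing commands that keep
# the public NIC for the web server only. All addresses are placeholders.

# Constructed sample: a copy of the "netstat -r" output posted in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 104-11-35-174.l 0.0.0.0 UG 0 0 0 enp1s0
104-11-35-169.l * 255.255.255.248 U 0 0 0 enp1s0
loopback * 255.0.0.0 U 0 0 0 lo
link-local * 255.255.0.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0'

# Read "netstat -r" output on stdin and print the interface of the default
# route ("netstat -rn" shows the destination as 0.0.0.0 instead of "default").
default_iface() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }'
}

# Exit 0 when the default route on stdin leaves via the interface given as $1.
default_via() {
    [ "$(default_iface)" = "$1" ]
}

# Print (do not run) the commands that make the internal router the default
# gateway while replies from the web server still leave via the public NIC:
# a second routing table (100) is used only for packets sourced from the
# public IP, so ordinary desktop traffic never touches the public side.
#   $1 public NIC   $2 public IP   $3 public subnet   $4 public gateway
#   $5 LAN NIC      $6 LAN router
print_fix() {
    cat <<EOF
ip route replace default via $6 dev $5
ip route add $3 dev $1 src $2 table 100
ip route add default via $4 dev $1 table 100
ip rule add from $2 lookup 100
EOF
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_ROUTES" | default_via enp1s0; then
    echo "default route leaves via the public NIC enp1s0; suggested fix:"
    # Placeholder addresses: TEST-NET-3 for the public side, 192.168.1.1
    # assumed as the U-Verse router. Substitute the real ones before running.
    print_fix enp1s0 203.0.113.10 203.0.113.8/29 203.0.113.14 eth0 192.168.1.1
fi
```

With the main table's default route on the internal NIC, the desktop's own browsing no longer competes with web-server traffic on the public link, and the host does not need IP forwarding enabled at all: leaving net.ipv4.ip_forward at 0 keeps the machine from becoming a path between the public network and the 192.168 LAN that bypasses the router's firewall.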

Interesting, it’s working a-ok on my server (openSUSE 13.1 64bit). I do not run a web service directly on there (but in a VM using the same 2 NICs).
eth1 192.168.0.0 is the local net at home
eth0 83.227.xx.xx is a dynamic ip net from my ISP

In YaST2/Network settings I have checked “Enable IP Forwarding” in the Routing tab.
In YaST2/Firewall I have set eth1 as a internal zone, eth0 as external zone.
NS1 is set (and configured in) to 192.168.0.1 (eth1). NS2/3 pointing to servers at the external eth1 net.


ghost:~ # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         ua-83-227-xx-x. 0.0.0.0         UG        0 0          0 eth0
ua-83-227-xx-x. *               255.255.252.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth1

I don’t know if you got any wiser or more confused. I have set up the same config a number of times for use and testing and it always (almost) works from the start. When it hasn’t worked at all, I have misconfigured the DNS.

Regards

I forgot to write that in YaST2/Firewall I also have checked/enabled Masquerading Networks. Sorry. A guide for an openSUSE case like this is here:
https://en.opensuse.org/SDB:Internet_connection_sharing Maybe not exactly your case but…

Regards

Sorry, but you are entirely beside the point.

What you describe is to have one internal and one external NIC.
The internal is forwarded to the external NIC. FINE.
But this is not what the starter of the thread asked for.

What the starter of the thread wants is:
One (external) NIC for the web server. Connected to outside. NOT a forwarder/router for the internal network!
One internal NIC which is NOT forwarded to the web server NIC, but is forwarded to the router of the internal network.

Please, guys, do me a favor and read before you post.

Well? Have I made a fool of myself again? I don’t think so. I quite often remote connect (vnc, X) to my server and run web browsers, Zypper… The list is long. No problems. I have set it up to reach both from inside and outside. WWW pages, mail, services. Separated. Svetter88 also wrote “This is until I can get another computer…”? If I have done some misreading please let me know.

Regards.

Well,
I disagree that the physical (and logical) network topology is so clear.
There is ample room for guessing because without the topology it’s impossible to know the routing for each device, and whether each and every device is in a network (possibly firewall) zone.

You might have read the OP and feel you understand exactly what the network looks like.
I read it and envisioned at least 3 possibilities because of incomplete information.

TSU

Sorry, but it IS clear enough.

  1. There is the “internal” NIC (192.168…) which is connected to the internal network and a router connecting the internal network to the Internet.
  2. There is an “external” NIC thru which the web server can be accessed from outside.
  3. There is a misconfiguration which routes the internal network to the external NIC which is not what is desired.

That is all that is to be said.

Describing the <physical> (not necessarily logical network because multiple logical networks can be configured on the same physical network) networks:
There is an “internal” network with a Class C private network (192.168.x.y)
There is an “external” network with a public network ( 104.35.x.x)
Somewhere between the public and private networks is the ISP router (I assume a router is being used, and not a modem).

Now, when you set up a multi-homed machine which has access to both networks, there are a number of ways this can be set up depending on the capabilities and configuration of the Gateway device…

  • The machine is set up bare and naked to both networks, essentially in parallel to the Gateway device which is the main routing device for all internal network devices to the Internet. BTW - This configuration has the drawback of introducing a possible exploit vector bypassing any security in the main DG. The following avoid this drawback but have their own configuration issues.
  • The gateway router has a built-in firewall with forwarding capabilities, i.e. you typically configure external, internal and DMZ zones. Since machines in the DMZ zone can be configured as bridged (same network as the external network, sometimes but not also PAT) or NAT (same address as the internal zone) and although recommended do not have to have more than 2 NICs, you now have the possibility of more than one NIC with different addresses connected to the same network which is tricky and generally to be avoided if possible (exception is bonding NICs).
  • A variation on the above is that the multi-homed machine can be placed either in front of, or behind the Gateway router.

The point is that when someone with no experience sets up a network, anything is possible… good configurations, bad configurations, bad configurations which can still be made to work (although unlikely).

This is why the physical topology has to be described properly. Just because you might see only one possible configuration does not mean that others don’t exist and I’ve found all sorts of very original setups created by people who just guess.

IMO,
TSU

I am extremely grateful for the lecture which unfortunately did not tell me anything which I did not know already or did not know even in much more detail than this wonderful lecture informed.

Unfortunately this academic lecture will not bring the starter of the thread any further with his problem.
As he is not contributing anything anymore here I would like to propose to close the topic now.