How to assign names/labels to IP aliases

Hi,
when a network interface has two or more IP addresses assigned, there is a possibility to assign a name or a label to each IP address. I have tried with YaST, but when assigning a name the address does not work. I have seen it can be done in other distributions to create names like eth0.1, eth0.2 etc. But can this be done in openSUSE?

Hello and welcome here.

I do not understand all of what you say. IP addresses are connected to devices (hardware). Thus when you have an IP address, the device should be there. That is also true for extra IP addresses; the devices are then more or less “logical”, and I have seen indications like eth0.1 earlier in my life. However I am not sure how this is done in openSUSE (I do not have that situation here). I assume you can see what is used when you list them:

ip addr

ip addr gives this response:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:da:d9:36 brd ff:ff:ff:ff:ff:ff
    inet 173.212.214.189/24 brd 173.212.214.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 144.91.68.249/18 brd 144.91.127.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0c:c4:7a:da:d9:37 brd ff:ff:ff:ff:ff:ff

As seen, two IP addresses are associated with eth0. I need to handle them differently in the firewall, therefore I need a name.

Content in the file /etc/sysconfig/network/ifcfg-eth0:

BOOTPROTO='static'
STARTMODE='auto'
IPADDR='173.212.214.189/24'
PREFIXLEN='24'
USERCONTROL='no'
IPADDR_='2a02:c207:0000:4471:0000:0000:0000:0001/64'
ZONE='public'
BROADCAST=''
ETHTOOL_OPTIONS=''
MTU=''
NAME=''
NETWORK=''
REMOTE_IPADDR=''
IPADDR_0='2a02:c207:0000:4471:0000:0000:0000:0001/64'
IPADDR_1='144.91.68.249/18'

I have tried to add LABEL_1='1' but it does not help.

I understand why you want to have the device name.

The problem is that the underlying software must provide it, you cannot set it yourself. Like you, I have seen installations (earlier Unix ones) that used additions like .1, etc. This seems to work differently here.

I will try to search if I can find something. In the meantime, just wait, there are more people here :wink: and many have good ideas.

I have to mention as well that I want the outgoing traffic to have a different source IP even if they share a single interface.

I am now reading

man 5 ifcfg

There it says things about “Multiple addresses” (rather low in the document) and it also says:

LABEL[suffix]
Each address may be tagged with a label string. In order to preserve compatibility with Linux-2.0 net aliases, this string must coincide with the name of the device or must be prefixed with the device name followed by colon. This may be useful with Multiple addresses (see below).

I interpret this as that it should be:

LABEL_1="eth0:1"

@Bjorn24:

What we’re discussing here, used to be known as “IP-Aliasing” but, that’s deprecated: <https://www.kernel.org/doc/html/latest/networking/alias.html>.

In the openSUSE Documentation it’s mentioned here: <https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-network.html#sec-network-yast-configure-addresses>.

But, I suspect what you want is this: <https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-network.html#sec-network-manconf-ip>.

  • The magic word is “iproute2”.

Once you’ve gotten up to speed with iproute2, you’ll have to work out where the iproute2 commands need to be stored in a configuration file.

Looking through the openSUSE Reference documentation for Networking, the section’s title is possibly a little bit misleading – the latter parts of the section are anything but “basic” … ;)

AFAICS, the official iproute2 documentation is not terribly clear about multiple addresses on a single interface: <https://wiki.linuxfoundation.org/networking/iproute2>.

Those are one variant of VLAN interface names, and yes, this can be done in openSUSE.

I miss any connection between two parts of the second sentence. If you need to handle two addresses differently you can always create rules to handle them differently.

I have a hard time parsing this sentence, sorry. Something cannot be “different” by itself - it can only be “different” to something else. Also there is nothing “they” can refer to. So presumably you want different source IP for different outgoing packets. This usually happens automatically - by default the kernel will use the source address on the same network to which the packet is sent. And on reply the source address is fixed anyway - it is the same address the incoming packet was sent to.

P.S. it is rather bad design to have multiple IP networks on the same physical L2 broadcast domain. If supported by your environment, you should really consider using VLAN to align logical and physical topology.

The @OP’s first post cites an example that is almost certainly an interface name.
Of course, interface names can be anything although we follow conventions to avoid confusion.
I suppose a special parameter can be specified in the interface file, I haven’t heard of it being done but I can’t think of a reason why it wouldn’t work… Like any configuration file, if something parses the file and makes sense of a setting, then something happens, else usually if it makes no sense, then nothing happens… It’s not like that kind of thing would throw an error and prevent the network interface from working.

I’d recommend that anyone simply investigate what an interface and interface file is, how it’s different but enables access to a device, and what you can typically do with the file. YaST is a graphical way of editing the file but you can certainly edit the file manually instead.

TSU

I beg to differ.

“IP-Aliasing” is a somewhat “mature” feature – it’s been around since about 1995 – about ¼ of a century …

  • An additional use is, Web Servers – one Server – one Interface – more than one Web address – in different domains – being served …

Although it is technically ‘legal’ (and in fact I’ve had occasion to do this with MikroTik routers), the impact can depend on the size of the network/connected hosts etc. Best practice is to use VLANs where possible to provide separate broadcast domains… broadcast traffic could be an issue, for example. There can be security implications as well.

It is all very nice to read about the values of IP aliasing compared with other techniques that may be alternatives in certain circumstances, but can any of you confirm or reject my interpretation on how to do this and how to create an interface name like eth0:1 that one can use with further configuration (like routing, firewalling, etc.)?

The OP suggested eth0,1. I used IP aliasing for the last time at least 20 years ago on some Unix flavour. As I read the man page I have a solution for Wicked, but not using Wicked (nor NM) I cannot really test it. So I hope that either the OP can come back with test results and/or others can report from their usage of it.

One learns something new every day – thanks Deano!

I know additional addresses can be added to a given interface, but AFAIU IP aliases are considered deprecated (even if still supported by the kernel). The newer iproute2 tools eliminate the need for them. For example, adding a second IP address to eth0 on the fly…

~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:74:e4:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.31/24 brd 192.168.0.255 scope global noprefixroute dynamic eth0
       valid_lft 86181sec preferred_lft 86181sec
    inet6 fe80::a00:27ff:fe74:e4b1/64 scope link 
       valid_lft forever preferred_lft forever
~> sudo ip address add 10.12.0.1/24 dev eth0
[sudo] password for root: 
~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:74:e4:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.31/24 brd 192.168.0.255 scope global noprefixroute dynamic eth0
       valid_lft 86168sec preferred_lft 86168sec
    inet 10.12.0.1/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe74:e4b1/64 scope link 
       valid_lft forever preferred_lft forever
~> 

Ok, that is as the OP reported in post #1 as his situation. But how do you now address that second interface in commands and/or configurations? Because that is what the OP asked!

It’s not clear (to me at least) about where or why the need for this would arise.

If “IP Aliasing” is assigning more than one IP address to an interface, that’s different than the examples given in early posts of this thread which were to assign multiple labels to the same interface.

As for whether one should assign multiple addresses to an interface…
I don’t see why that should be a problem.
The Wikipedia article describes two main configurations, one of which is very common (multiple IP addresses on the same network) and the other rather rare (IP addresses on different networks).

I’ve done both.
For multiple addresses on the same network, it’s one of the basic configurations when you configure multiple websites on a single webserver, you generally have choices… Configure each website with its own Host Header sharing a single IP address, configure each website on a different port but using the same IP address and configure each website with its own IP address. The last example typically is set up on a single interface with multiple IP addresses configured.

As the wikipedia article describes, I’ve set up multiple IP addresses on an external interface to separate inbound VPN connections from outbound HTTP/HTTPS connections and SSH connections. I didn’t want hackers to get the idea that they could try to hack a complex, multi-function machine instead of simpler, more easily secured machines and I wanted to simplify managing services on their own IP addresses.

As for using VLANs, in some of the situations I describe above it’s not likely appropriate (like setting up multiple websites or setting up VPN beachheads).

I’ve also set up multiple IP addresses on LAN networks, primarily for segregating network traffic logically. Yes, this was done on a trusted network because of course someone on one network could hack the other network. It can be useful to do light monitoring and network management. No VLAN necessary or worth the trouble to set up.

TSU

Seems to me that that’s /still/ an alias. Apache’s 2.4.4 documentation for VirtualHosts seems to somewhat frown on name-based virtual hosts (at least that’s the way I interpreted it).

  • The IP address of the virtual host;

  • A fully qualified domain name for the IP address of the virtual host (not recommended*); *(Emph. mine)

BTW, does Leap 15.3’s YaST fix the problem in 15.2 that the additional addresses you add to an interface do not show up when you exit YaST and issue “ip addr”? (My memory’s fuzzy as to whether the additional addresses added via YaST were pingable.) Nor does 15.2’s YaST allow special characters – “-”, “:”, etc – in the labels that the user might assign to an additional address, so you’re stuck with labels like “eth0a”, “eth0b”, etc. (Which, frankly, doesn’t bother me.) The “ip” command is blissfully ignorant that the additional addresses had been added via YaST. Could it be a case of “defined but not set” so “ip” isn’t seeing them? If YaST still doesn’t work correctly with “aliases”, that’s a huge oversight. I seem to recall that it dealt with aliases in older versions – like Suse 9 and 10 – just fine. Additionally, using the manual “ip” commands to add the additional addresses does not save that information anywhere under /etc; using YaST does. Unfortunately, the on-disk information that YaST leaves behind doesn’t work—until, perhaps, a Windows-style reboot (ugh!) is performed for it to “take”? The “ip” commands don’t require that. Seems to me that there’s an opportunity for both tools’ maintainers to get this right.

Try this:

“Seems everything working smoothly, With these new IPs’ you can setup virtual sites in Apache, FTP accounts and many other things.” https://www.tecmint.com/create-multiple-ip-addresses-to-one-single-network-interface/

I don’t normally use wicked, but after switching to that and then using YaST to assign a fixed address (10.10.8.1/24) to my eth0 interface (already using a DHCP-assigned address), it was applied upon completing the edit as expected.

The ‘ip’ command reflected the change and I could ping it successfully as expected…

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8f:eb:84 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.1.14/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.8.1/24 brd 10.10.8.255 scope global eth0:test
       valid_lft forever preferred_lft forever
linux-4k1z:~ # ping 10.10.8.1
PING 10.10.8.1 (10.10.8.1) 56(84) bytes of data.
64 bytes from 10.10.8.1: icmp_seq=1 ttl=64 time=0.067 ms
^C
--- 10.10.8.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.067/0.067/0.067/0.000 ms

I’m not clear on what isn’t working for you.
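Added example, not part of any post in this thread: a Python parser for the `ip addr` output shown above that recovers the label attached to each address (such as `eth0:test`), checks a label against the rule quoted from `man 5 ifcfg`, and resolves a label to its address so firewall rules can match on that address. The function names are hypothetical, the sample output is constructed, and the 15-character limit is the kernel's interface-name length (IFNAMSIZ minus the terminator), not something stated in the thread.

```python
import re

# Constructed sample, modelled on the `ip a` output quoted in the thread.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8f:eb:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.14/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.8.1/24 brd 10.10.8.255 scope global eth0:test
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe8f:eb84/64 scope link
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s")
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)\s+(.*)$")
# Address flags that `ip` may print between the scope and the label.
FLAGS = {"secondary", "dynamic", "noprefixroute", "temporary", "deprecated",
         "tentative", "dadfailed", "mngtmpaddr", "nodad", "optimistic",
         "home", "stable-privacy", "autojoin"}

def parse_ip_addr(text):
    """Return [(device, family, cidr, label)] from `ip addr` output."""
    rows, dev = [], None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            dev = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if not (m and dev):
            continue  # link/ether, valid_lft and similar detail lines
        family, cidr, rest = m.groups()
        tokens = rest.split()
        # After "scope <value>" come optional flags, then the IPv4 label.
        tail = tokens[tokens.index("scope") + 2:] if "scope" in tokens else []
        labels = [t for t in tail if t not in FLAGS]
        # IPv6 addresses carry no label, so fall back to the device name.
        label = labels[-1] if (family == "inet" and labels) else dev
        rows.append((dev, family, cidr, label))
    return rows

def label_is_valid(dev, label):
    """ifcfg(5) rule: the device name itself, or prefixed with '<device>:'."""
    # Assumption: labels are also bounded by the 15-character name limit.
    return len(label) <= 15 and (label == dev or label.startswith(dev + ":"))

def addresses_for_label(rows, label):
    """Addresses tagged with `label`, for use as match criteria in rules."""
    return [cidr for _, _, cidr, lab in rows if lab == label]
```

On a live system the same text can be fed in from `ip addr show dev eth0`; the `ip address show` command also accepts a `label PATTERN` selector for the same lookup.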