Network Manager routing policy booby trap?

Context

  • This description applies to a new desktop PC installation of openSUSE12.2.

  • Separately wired LANs (see network card configuration below) were used.

  • Statically assigned IP addresses were used for the PC discussed here (the same applies to other networked desktop PCs). The reason for this is that static addresses enable LAN communications even when the DHCP server (gateway) is switched off. Laptops and tablets use DHCP to connect to LAN 2.

    Introductory problem description

    With a computer’s dual network card configuration as follows:

eth0 (192.168.1.61) ----------> LAN 1 (not connected to the internet)

eth1 (192.168.0.11) ----------> LAN 2 ----------> gateway (192.168.0.1) -------------> internet

NM (NM = Network Manager) 0.9.4.0-5.13.1 (x86-64) performed routing **incorrectly** although the routing (gateway) IP address was suitably defined (=192.168.0.1) in NM settings. I have not detected a means to specify the desired routing interface (eth1), that is, unless NM's "IPv4 Settings/Routes/Metric" setting can be utilised in some way that so far I have been unable to understand/achieve.

Inspection of the NM log file revealed that when eth0 was connected, the following event was logged:
Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS
...but when eth0 was disconnected, the following event was logged:
Policy set 'Wired connection 2' (eth1) as default for IPv4 routing and DNS
**A summary of the above**

When I switched off eth0 (via NM) then the desired routing was implemented and I could access the internet. However when I switched eth0 back on, NM routed to the wrong interface (eth0) and internet access was impossible.
By contrast, when I switched network control to "Traditional Method with ifup" (without changing any wiring connections), then routing was directed to the gateway address (192.168.0.1) via device (eth1) as specified in the routing settings and everything worked as it should.

**Additional comments**
  • Subsequently changing NM’s IPv4 setting for eth1 back to DHCP did not solve the routing problem.

  • I did not encounter these problems with NM under openSUSE12.1 despite having exactly the same network wiring. Was this just a matter of luck however? Up until now I had no idea that order of configuring the interfaces might be critical (see “Question 1” below).

    A possible pragmatic approach

  • I could possibly have worked around the problem by merely swapping the network interface connections and reconfiguring the interfaces accordingly, but this would have taken me no closer to understanding the problem so I chose not to take this path.

    What I actually did (in order to try and understand the problem)

  • Firstly I changed network interface control to ifup. Next I de-installed NM (despite the many resolution conflict warnings which suggested that this action would de-install multiple Gnome/system files). I then reinstalled NM (to hopefully erase all previous settings - alas many of the de-installed files were not re-instated) with the view of testing the theory contained in “Question 1” below. I then switched off the power to the unmanaged network switch connected to “eth0”. Next I switched from ifup to Network Manager and configured “eth1”. Finally I powered the unmanaged network switch back on and then configured “eth0”. Hey presto, I now had access to the internet via LAN 2 and simultaneous comms via LAN 1! Unfortunately when I rebooted, Gnome semi-predictably went missing.

  • Since my previous experiment had failed, I re-installed openSUSE12.2 and this time before I started configuring the interfaces with NM, I powered off the unmanaged network switch which was connected to “eth0”. At the end of the day, the routing and LANs functioned as intended, apparently confirming the theory contained in “Question 1” below.

**Questions**

  1. Can anyone else confirm my suspicion that NM probably assigns the overall default routing interface from whichever network interface it configures first? During my investigation I unearthed this hyperlink which seemed to provide a possible clue (albeit IPv6 specific) about general NM routing philosophy (which may need a re-think). If you can confirm this, is this feature formally documented anywhere? If it is, I apologise: I missed it.

  2. If you can confirm 1, where/how is the assignment stored? Can/should this be edited?

  3. What is the default routing policy mentioned in the NM log file (quoted earlier) and can/should this policy be user modified?

  4. Why doesn’t NM settings provide an obvious means of selecting the default routing interface or have I missed the obvious? The current situation appears to be a thorn in the side for the unprepared.

    Additional context information

  5. Operating system/desktop in use during problem + investigation + resolution = openSUSE12.2 64-bit, kernel 3.4.11-2.16-desktop, Gnome 3.4.2

  6. I limited the scope of the problem investigation to IPv4 via:

  • NM IPv6 Settings Method set to “ignore”

  • Yast2/Network Settings/IPv6 Protocol Settings/Enable IPv6 = deselected

    Some of my groundwork prior to re-installation of NM and openSUSE12.2

  1. lspci output
  2. ifconfig output
  3. NM netstat -nr output (both interfaces on)
  4. NM netstat -nr output (eth0 off)
  5. ifup netstat -nr output (both interfaces on)
  6. Network Manager log file
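The symptom described in the post is, in the end, a question of which interface the kernel's 0.0.0.0/0 route points at and what NM believes it has made the default. The following is an added example (not code from the original post or from NetworkManager): it parses `netstat -nr` output of the kind listed in the groundwork above and the "Policy set ... as default for IPv4 routing and DNS" lines quoted from the NM log, and reports whether the default route is where the topology says it should be (gateway 192.168.0.1 on eth1). The routing tables and log lines embedded below are constructed to look like that output, not the poster's actual captures; the expected gateway and interface are taken from the post's diagram.

```python
"""Check which interface really holds the IPv4 default route.

Added example, not part of the original thread. Sample routing tables and
NM log lines are constructed to resemble `netstat -nr` and the NM log
format quoted in the post; they are not the poster's real output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# From the post's diagram: internet is reachable only via the LAN 2 gateway on eth1.
EXPECTED_GATEWAY = "192.168.0.1"
EXPECTED_IFACE = "eth1"

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    iface: str


def parse_netstat_nr(text: str) -> List[Route]:
    """Parse `netstat -nr` output (Destination Gateway Genmask Flags MSS Window irtt Iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Header and banner lines do not start with a dotted-quad destination.
        if len(parts) < 8 or not IPV4.match(parts[0]):
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[3], parts[7]))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 entry, if the kernel has one at all."""
    for r in routes:
        if r.dest == "0.0.0.0" and r.genmask == "0.0.0.0":
            return r
    return None


def check_default_route(netstat_text: str,
                        expected_gw: str = EXPECTED_GATEWAY,
                        expected_iface: str = EXPECTED_IFACE) -> str:
    """Return 'ok', 'missing', 'wrong-iface:<if>' or 'wrong-gateway:<gw>'."""
    r = default_route(parse_netstat_nr(netstat_text))
    if r is None:
        return "missing"          # no default route: no internet, whatever NM logged
    if r.iface != expected_iface:
        return f"wrong-iface:{r.iface}"
    if r.gateway != expected_gw:
        return f"wrong-gateway:{r.gateway}"
    return "ok"


# Matches the NM log line quoted in the post.
NM_POLICY = re.compile(
    r"Policy set '(?P<conn>[^']+)' \((?P<iface>\S+)\) as default for IPv4 routing and DNS")


def nm_default_iface(log_text: str) -> Optional[str]:
    """Interface NM most recently declared default for IPv4 routing, or None."""
    iface = None
    for m in NM_POLICY.finditer(log_text):
        iface = m.group("iface")
    return iface


# Constructed sample: both links up under NM; eth0 (no gateway configured) was
# picked as default, so the kernel table carries no 0.0.0.0/0 entry at all.
SAMPLE_BOTH_UP = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
"""

# Constructed sample: eth0 disconnected; NM fell back to eth1 and installed the gateway.
SAMPLE_ETH0_OFF = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
"""

# Constructed sample in the format of the two NM log lines quoted in the post.
SAMPLE_NM_LOG = """\
<info> Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS
<info> Policy set 'Wired connection 2' (eth1) as default for IPv4 routing and DNS
"""

if __name__ == "__main__":
    for name, table in (("both up", SAMPLE_BOTH_UP), ("eth0 off", SAMPLE_ETH0_OFF)):
        print(f"{name:9s} default route: {check_default_route(table)}")
    print("NM last declared default on:", nm_default_iface(SAMPLE_NM_LOG))
```

On a live box the same check runs against `netstat -nr` (or `ip route`) output captured with both interfaces up, which is the state the post found broken. The remedy the post was looking for is, as far as I know (an assumption, not confirmed by the thread), NM's per-connection "never-default" flag (`never-default=true` in the `[ipv4]` section of the connection's keyfile, or the corresponding "Use this connection only for resources on its network" checkbox) on the LAN 1 connection, so that eth0 is never a candidate for the default route regardless of the order in which the interfaces come up.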

Don’t have much time ATM, but in your situation I would never use the Networkmanager, but ifup. What’s the point in using ifup, specially since you mentioned it works?

Same here. “Why Network Manager” was my first reaction when I reached that far.

Still have to read the rest to see what the problem is. Sorry about that, but I had the strong urge to ask this first (like Knurpht I see).

Well just imagine asking your family (no sexism there) to use ifup…
Perhaps your family or your network users are all linux experts.

The impression I get from your story is a fixed setup, with fixed IP addresses, with a fixed default router (to the internet) and fixed DNS server(s). That is something that the system manager (you?) configures at installation and that is it. Works for ages. No end-user intervention needed.

Did I interpret your story wrongly?

Well, in reality things are more complicated than that but I don’t want to open a can of worms.

Please allow me to stick to the most relevant stuff:

  1. LAN 2 contains a single adsl modem/router with a DHCP server which allows fixed addresses from 2 to 99, dynamic allocation from 100 to 199 and fixed addresses from 200 to 254. All of these ranges are used but not filled (this home network serves a theoretical simultaneous maximum of 5 desktops with fixed addresses, 11 fixed address peripherals (consisting of media servers, data NAS and printers), 2 laptops and 1 tablet using dynamic allocation). The use of laptops and tablets requires additional use of wireless access points/bridges (more fixed addresses) but the laptop and tablets do not run linux so these are irrelevant to the discussion.
  2. It is normal practice to protect unattended linux desktops from prolonged exposure to the internet by switching off the PC’s LAN 2 interface using Network Manager. In the past this was achievable using kinternet or qinternet but some time ago now, I received a Bugzilla reply from the relevant programmer who indicated that kinternet/qinternet control was in future going to be limited to dialup use only “as most people preferred Network Manager”. Qinternet was simplicity itself for interface on/off switching, but the latest incarnation of the Network Manager interface is almost as simple. Simple is what my network users say they want.

Well, that makes it a bit (just a bit) more clear.

I must say that I never heard of switching off the network interface as a casual way to protect a system. Most people use a good firewall at the connection point between the internet and their WAN/LAN. And do not trust that users will switch off the network using NetworkManager (or whatever) before going to the loo. Users normally boycott even locking their screen in that case.

In any case, as I do not use NM (I do not want to burden my users with any connection stuff), I hope that others will soon come to this thread to explain how you can let NM jump through hoops. :frowning:

In general the advice is to use ifup on connections that need to be there all the time, NM on ad hoc connections. What one wants is a network that can easily be maintained.
Here’s my own home situation:

LAN-1: router-1
static IP’s
desktop machines all on if-up
a number of devices connect through DHCP, on the outside the router connects to

LAN-2: router-2
static IP for router-1
DHCP for guests, friends, all through Wifi. They cannot touch LAN-1, so not use the printer, not use their phone as a remote for the TV etc etc.

Both routers serve wifi connections.

On Thu 15 Nov 2012 07:06:01 PM CST, Bloggs J wrote:

Well, in reality things are more complicated than that but I don’t
want to open a can of worms.

Please allow me to stick to the most relevant stuff:

  • LAN 2 contains a single adsl modem/router with a DHCP server which
    allows fixed addresses from 2 to 99, dynamic allocation from 100 to
    199 and fixed addresses from 200 to 254. All of these ranges are used
    but not filled (this home network serves a theoretical simultaneous
    maximum of 5 desktops with fixed addresses, 11 fixed address
    peripherals (consisting of media servers, data NAS and printers), 2
    laptops and 1 tablets using dynamic allocation. The use of laptops and
    tablets require additional use of wireless access points/bridges (more
    fixed addresses) but the laptop and tablets do not run linux so these
    are irrelevant to the discussion.
  • It is normal practice to protect unattended linux desktops from
    prolonged exposure to the internet by switching off the PC’s LAN 2
    interface using Network Manager. In the past this was achievable using
    kinternet or qinternet but some time ago now, I received a Bugzilla
    reply from the relevant programmer who indicated that
    kinternet/qinternet control was in future going to be limited to
    dialup use only “as most people preferred Network Manager”. Qinternet
    was simplicity itself for interface on/off switching, but the latest
    incarnation of the Network Manager interface is almost as simple.
    Simple is what my network users say they want.

Hi
have you had a look at the network settings via YaST /etc/sysconfig
editor. There are also udev rules in play which you should be able to
tweak.


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 3 days 17:45, 4 users, load average: 0.00, 0.03, 0.05
CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU

Well that sounds quite a normal and reasonable attitude. Unfortunately my (Windows) experience of being forced to shut down all banking, renew all credit cards and passwords, spending weeks trying to finally get ahead of hacker(s) and not least of all the stress involved, has made me paranoid.

Sincere thanks to hcv, Knurpht and Malcolm Lewis for your comments and/or advice which I value. Unfortunately I am unable to contribute anything new because I have already re-installed openSUSE12.2 (as I stated in my original post) and the original problem no longer exists.

My condolences. I never had that experience (but I never used Windows), thus it may be a bit difficult for me to get a feeling for your post Windows-traumatic syndromes. In any case my advice would be: use the right tools in the right place, specially when you want to increase security. Thus a good firewall at your boundary to the Internet, a rootkit check now and then on your Linux systems, caution at installing software “from elsewhere”, keep the root password(s) secret from your users.

NM is no security tool. It is a solution to the problem that the end-user can not configure the network, but when end-users carry around systems from airport to hotel to business place, one requires an easy interface from the end-user to network configuring. In fact it is more of a potential hole in the security :). (but when the NM server program is programmed correctly, one can ignore that).
And the NM client tries of course to be of (intelligent?) help to the lay end-user. And thus rules are implemented like: when there is a cabled and a wireless connection, NM prefers the cabled one as being the fastest. But those rules are simple and do not take into account multiple LAN connections at the same time with different usage per LAN, etc.

Sorry to hear about your troubles, I know what that’s like from someone in my neighbourhood (he found out he couldn’t touch any money when trying to pay a hotel bill in London), it’s a true mess.

For the rest, I’m with Henk: the NM is not a security tool, it’s merely a connection manager. A couple of tips:

  • Use strong passwords
  • Pay attention to the security perms on every service that makes in/outbound connections