What can you do with a second Ethernet port?
By Nathan Willis on May 06, 2008 (4:00:00 PM)


Purchase a new PC or motherboard soon, and the chances are good that it 
will come with two built-in network interfaces -- either two Ethernet 
jacks or one Ethernet and one Wi-Fi. Tossing in a second adapter is an 
inexpensive way for the manufacturer to add another bullet point to the 
product description -- but what exactly are you supposed to do with it? If 
you are running Linux, you have several alternatives.

Plugging another Ethernet cable into the second jack and hoping for the 
best will accomplish nothing; you have to configure Linux's networking 
subsystem to recognize both adapters, and you must tell the OS how to use 
them to send and receive traffic. You can do the latter step in several 
different ways, which is where all the fun comes in.

The big distinction between your options lies in the effect each has on 
the other devices on your network (computers, routers, and other 
appliances) -- intelligently routing network traffic between them, linking 
them together transparently, and so on. In some cases, the simplest end 
result is not the easiest to set up, so it pays to read through all of the 
alternatives before you decide which to tackle.

Bonding

From your network's perspective, the simplest option is channel bonding or 
"port trunking" -- combining both of the computer's interfaces into a 
single interface that looks like nothing out of the ordinary to your 
applications.

A combined logical interface can provide load balancing and fault 
tolerance. The OS can alternate which interface it uses to send traffic, 
or it can gracefully fail over between them in the event of a problem. You 
can even use it to balance your traffic between multiple wide area network 
(WAN) connections, such as DSL and cable, or dialup and your next door 
neighbor's unsecured Wi-Fi.

To bond two Ethernet interfaces, you must have the bonding module compiled 
for your kernel (which on a modern distro is almost a certainty), and the 
ifenslave package (which is a standard utility, although you might need to 
install it from your distro's RPM or APT repository).

On a typical two-port motherboard, the Ethernet adapters are named eth0 
and eth1, so we will use that for our example commands. With ifenslave 
installed, take both Ethernet adapters offline by running sudo ifdown eth0 
and sudo ifdown eth1. Load the bonding module into the Linux kernel with 
modprobe. There are two important options to pass to the module: mode and 
miimon. Mode establishes the type of bond (round-robin, failover, and so 
on), and miimon establishes how often (in milliseconds) the links will be 
checked for failure. sudo modprobe bonding mode=0 miimon=100 will set up a 
round-robin configuration in which network packets alternate between the 
Ethernet adapters as they are sent out. The miimon value of 100 is a 
standard place to begin; you can adjust it if you really want to tweak 
your network.

To create an actual bond (which for convenience we'll call bond0), run 
sudo ifconfig bond0 192.168.1.100 up to assign an IP address to the bond, 
then run ifenslave bond0 eth0 followed by ifenslave bond0 eth1 to tie the 
physical Ethernet interfaces into it.
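
Once the bond is up, the bonding driver reports its state in /proc/net/bonding/bond0, which is the place to confirm that both adapters actually joined and that link monitoring sees them. The script below is an added example, not part of the original article; it lists bond members whose MII status is not "up". The function names, the BOND_STATUS variable and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/net/bonding/bond0 (not real output).
sample_status() {
cat <<'EOF'
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 2
EOF
}

# bond_down_slaves [FILE]: print each member whose MII Status is not "up".
# The first "MII Status" line belongs to the bond itself and is skipped,
# because no "Slave Interface" line has been seen yet.
bond_down_slaves() {
    awk '
        /^Slave Interface:/ { slave = $3; next }
        /^MII Status:/ && slave != "" {
            if ($3 != "up") print slave
            slave = ""
        }
    ' "$@"
}

# bond_mode [FILE]: print the mode the driver is really running in.
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$@"
}

# Use the live status file when it exists, otherwise the constructed sample.
status_file=${BOND_STATUS:-/proc/net/bonding/bond0}
if [ -r "$status_file" ]; then
    read_status() { cat "$status_file"; }
else
    read_status() { sample_status; }
fi

down=$(read_status | bond_down_slaves)
echo "mode: $(read_status | bond_mode)"
if [ -n "$down" ]; then echo "members down:" $down; else echo "all members up"; fi
```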

Round-robin mode is good for general purpose load balancing between the 
adapters, and if one of them fails, the link will stay active via the 
other. The other six mode options provide features for different setups. 
Mode 1, active backup, uses just one adapter until it fails, then switches 
to the other. Mode 2, balance XOR, tries to balance traffic by splitting 
up outgoing packets between the adapters, using the same one for each 
specific destination when possible. Mode 3, broadcast, sends out all 
traffic on every interface. Mode 4, dynamic link aggregation, uses a 
complex algorithm to aggregate adapters by speed and other settings. Mode 
5, adaptive transmit load balancing, redistributes outgoing traffic on the 
fly based on current conditions. Mode 6, adaptive load balancing, does the 
same thing, but attempts to redistribute incoming traffic as well by 
sending out ARP updates.

The latter, complex modes are probably unnecessary for home use. If you 
have a lot of network traffic you are looking to manage, consult the 
bonding driver documentation. For most folks, bonding's fault tolerance 
and failover is a bigger gain than any increased link speed. For example, 
bonding two WAN links gives you load balancing and fault tolerance between 
them, but it does not double your upstream throughput, since each 
connection (such as a Web page HTTP request) has to take one or the other 
route.

Bridging

The bonding solution is unique in that both network adapters act like a 
single adapter for the use of the same machine. The other solutions use 
the two adapters in a manner that provides a new or different service to 
the rest of your network.

Bridging, for example, links the two network adapters so that Ethernet 
frames flow freely between them, just as if they were connected on a 
simple hub. All of the traffic heard on one interface is passed through to 
the other.

You can set up a bridge so that the computer itself does not participate 
in the network at all, essentially transforming the computer into an 
overpriced Ethernet repeater. But more likely you will want to access the 
Internet as well as bridge traffic between the ports. That isn't 
complicated, either.

Bridging requires the bridge-utils package, a standard component of every 
modern Linux distribution that provides the command-line utility brctl.

To create a bridge between your network adapters, begin by taking both 
adapters offline with the ifdown command. In our example eth0/eth1 setup, 
run sudo ifdown eth0 and sudo ifdown eth1 from the command line.

Next, create the bridge with sudo brctl addbr bridge0. The addbr command 
creates a new "virtual" network adapter named bridge0. You then connect 
your real network adapters to the bridge with addif: sudo brctl addif 
bridge0 eth0 adds the first adapter, and sudo brctl addif bridge0 eth1 
adds the second.

Once configured, you activate the bridge0 virtual adapter just as you 
would a normal, physical Ethernet card. You can assign it a static IP 
address with a command like sudo ifconfig bridge0 192.168.1.100 netmask 
255.255.255.0, or tell it to retrieve its configuration via DHCP with sudo 
dhclient bridge0.

You can then attach as many computers, hubs, switches, and other devices as 
you want through the machine's Ethernet port, and they will all be able to 
see and communicate with each other. On the downside, if you have a lot of 
traffic, your computer will spend some extra energy passing all of those 
Ethernet frames back and forth across the two adapters.

Firewalling and gateway-ing

As long as you have excess traffic zipping through your computer, the OS 
might as well look at it and do something useful, such as filter it based 
on destination address, or cache repeatedly requested Web pages. And 
indeed, you can place your dual-port computer between your upstream cable 
or DSL connection and the rest of your local network, to serve as a simple 
Internet-connection-sharing gateway, or as a firewall that exerts control 
over the packets passing between the network interfaces.

First, you will need to bring both network adapters up and assign each a 
different IP address -- and, importantly, IP addresses that are on 
different subnets. For example, sudo ifconfig eth0 192.168.1.100 netmask 
255.255.255.0 and sudo ifconfig eth1 192.168.2.100 netmask 255.255.255.0. 
Note that eth0's address is within the 192.168.1.x range, while eth1's is 
within 192.168.2.x. Maintain this separation when you add other devices to 
your network and you will keep things running smoothly.

Forwarding the packets between the Internet on one adapter and your LAN on 
the other is the purview of iptables, a tool for configuring the Linux 
kernel's IP filtering subsystem. The command sudo iptables -A FORWARD 
--in-interface eth1 --out-interface eth0 --source 
192.168.2.0/255.255.255.0 -m state --state NEW -j ACCEPT allows computers 
on the LAN interface eth1 to start new connections, and forwards them to 
the outside world via the eth0 interface. Following that with sudo 
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT keeps 
subsequent packets from those connections flowing smoothly as well.

Next, sudo iptables -A POSTROUTING -t nat -j MASQUERADE activates Network 
Address Translation (NAT), secretly rewriting the IP addresses of traffic 
from the LAN so that when it goes out to the Internet, it appears to 
originate from the Linux box performing the routing. This is a necessary 
evil for most home Internet connections, both because it allows you to use 
the private 192.168.x.x IP address block, and because many ISPs frown upon 
traffic coming from multiple computers.

Finally, run sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" to 
activate the kernel's packet forwarding.
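
The gateway steps above collected into one script, as an added example that is not code from the original article. It keeps the article's rules but sets the FORWARD policy to DROP, so only the listed traffic is forwarded, and it limits MASQUERADE to LAN traffic leaving through the WAN interface. The run and setup_gateway functions and the APPLY, WAN_IF, LAN_IF and LAN_NET variables are names made up for the example; sysctl -w stands in for the echo into /proc.

```shell
#!/bin/sh
# Dry run by default: every command is printed, nothing is changed.
# Set APPLY=1 and run as root to execute the commands instead.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# setup_gateway WAN_IF LAN_IF LAN_NET
setup_gateway() {
    wan=$1 lan=$2 net=$3
    # Reject interface names with unexpected characters.
    case "$wan$lan" in
        *[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    [ -n "$wan" ] && [ -n "$lan" ] && [ "$wan" != "$lan" ] || {
        echo "WAN and LAN must be two different interfaces" >&2; return 2; }
    # Loose shape check only: dotted address, slash, mask or prefix length.
    case "$net" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "LAN_NET must look like 192.168.2.0/255.255.255.0" >&2; return 2 ;;
    esac

    # Anything not explicitly accepted below is no longer forwarded.
    run iptables -P FORWARD DROP
    # Replies belonging to connections that were already allowed.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN subnet, and only LAN -> WAN.
    run iptables -A FORWARD --in-interface "$lan" --out-interface "$wan" \
        --source "$net" -m state --state NEW -j ACCEPT
    # Rewrite source addresses only for LAN traffic leaving via the WAN side.
    run iptables -t nat -A POSTROUTING --out-interface "$wan" \
        --source "$net" -j MASQUERADE
    # Turn forwarding on last, once the filter rules are in place.
    run sysctl -w net.ipv4.ip_forward=1
}

setup_gateway "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" \
    "${LAN_NET:-192.168.2.0/255.255.255.0}"
```

Like the article's own commands, these change only the running system; sudo iptables -L FORWARD -n -v and sudo iptables -t nat -L POSTROUTING -n -v show the result and the packet counters for each rule.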

This setup will pass traffic from your LAN to your Internet connection, 
but it does not configure the network settings on the LAN computers 
themselves. Each of them needs an IP address, gateway and network 
information, and some working DNS server addresses. If your dual-adapter 
Linux box is serving as a NAT gateway, you could easily have it provide 
that information to the clients as well, using DHCP. Your distro probably 
comes with the dhcpd package. Configuring dhcpd is beyond the scope of the 
subject here, but check your distro's documentation for Internet 
connection sharing and you will likely find the instructions you need.

Once you are comfortable using iptables to set up basic NAT and packet 
forwarding, you can dig a little deeper and learn how to use your box as a 
first-rate firewall by writing rules that filter traffic based on source 
and destination address, port, and protocol.

Isolating

Finally, you can always configure your secondary network adapter to work 
in complete isolation from the rest of your LAN.

Sure, there is little gain to such a setup for general-purpose computers, 
but it is a popular choice for certain Ethernet-connected devices that 
only need to send data to one destination. Homebrew digital video recorder 
builders use the technique to connect the HDHomerun HDTV receiver directly 
to a MythTV back end, thereby isolating the bandwidth-hogging MPEG streams 
from the LAN. The same traffic separation idea might also come in handy 
for other single-purpose devices, such as a dedicated network-attached 
storage (NAS) box, a networked security camera, or your Ethernet-connected 
houseplant.

For most devices, isolating your second adapter entails setting up the 
computer to act as a DHCP server as in the gateway example above, but 
without worrying about NAT rules routing between the secondary client and 
the rest of the network.

Caveat emptoring

So which technique is right for you? My advice is to think about what 
network trouble you most need to prepare for. If your dual-adapter box is 
a server with heavy traffic to handle, or you need to balance your traffic 
across two WAN connections, bonding is for you. On the other hand, if you 
just bought an HDHomeRun to add to your MythTV back end, think about 
attaching it directly to the spare interface.

Bridging and gatewaying are most similar, in that they use the 
dual-adapter box to connect multiple other devices into a single network. 
If that is what you need to do, consider that bridging works at the 
Ethernet link level, well below IP and TCP in the protocol stack. At the 
Ethernet level, the only sort of traffic shaping you can do is that based 
on the hardware MAC address of the computer. You have significantly more 
control when you run a full-fledged NAT gateway.

But whichever option you choose, remember that messing around with your 
network configuration can get you disconnected in a hurry if you make a 
mistake. For that reason, all of the above examples use commands that 
change the "live" system, but don't alter the configuration files Linux 
reads in at startup. If you make a mistake, a reboot should bring you back 
to a known working state.

If you decide you want to make your changes permanent, your best bet is to 
consult your distro's documentation. Distros vary slightly in where and 
how they store network configuration scripts (Red Hat uses 
/etc/sysconfig/network-scripts/, for example, while Ubuntu uses 
/etc/network/).

Once you start digging into the details, you'll find even more 
possibilities for utilizing that second network adapter under Linux. But 
you should now be armed with a general idea of how to make both adapters 
talk to your network at the same time -- and you can do your part to 
eliminate network adapter wastefulness.


