Adding red interface causes problems


(Bill) #1

I’ve been running a VM of NethServer with only a green interface for a while now with no issues. DHCP has been provided by my TP-Link router. My new server has multiple Ethernet ports, so I’d like to add a red interface and take advantage of some of the additional features of NethServer. When I add the red interface I start getting errors. Is there a specific way to do this? Is this possible?
NethServer Version: 7.5
Module: network


(Markus Neuberger) #2

Are you going to replace your tplink router? You may have to change the DNS servers NS is using and enter the gateway in the red interface settings instead of the green interface.
If you use virtualization on the new server, are the physical interfaces mapped to the virtual ones?

Which errors do you get?

No, just add and configure, it should be possible.

For DHCP on red interface:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-base.html#dhcp-on-red-interfaces


(Bill) #3

When first activating the red interface I get the following:
Task completed with errors
S71nethserver-dc-condrestart #13 (exit status 256)
Adjust service nsdc #38 (exit status 1)
start service nsdc failed!

After reboot I see accounts provider general error.

clicking on users and groups gives me: Account provider generic error: SSSD exit code 1
and users and groups are all empty.


(Ralf Jeckel) #4

Hi Bill,

please have a look at the output of
db networks show => shows your network config
and
journalctl -M nsdc -e => shows the journal of your nsdc container (-e jumps to the end)


(Bill) #5

Here is what I’m seeing:


(Mark Verlinde) #6

Hi Bill, just a small observation:

You are trying to run your red and green interface on the same subnet (192.168.42.xxx).
That is not possible.

Is your tplink router your connection to the internet?
Can you describe (or draw) the physical layout (wiring) of your network?


(Ralf Jeckel) #7

Just for explanation: the firewall acts as NAT (network address translation), therefore you need to have 2 different subnets, because the firewall has to “know” if the packet comes from “outside” or “inside”, and that’s not possible if every packet comes from the same LAN segment.

See also http://shorewall.org/two-interface.htm and also http://shorewall.org/FoolsFirewall.html
The second is important if you want to connect over a switch to your router. Then you have to use a separate VLAN for this connection.
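
A check for the mistake pointed out in the two posts above (added here as an example; it is not NethServer’s own tooling): it parses `db networks show`-style output and reports interfaces with different roles whose subnets overlap. The sample record is constructed, and the esmith db layout (a `name=type` header line followed by indented `prop=value` lines) is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the assumed layout of `db networks show`.
# Both roles sit in 192.168.42.0/24, the misconfiguration seen in this thread.
SAMPLE_DB = """\
eth0=ethernet
    ipaddr=192.168.42.10
    netmask=255.255.255.0
    role=green
eth1=ethernet
    gateway=192.168.42.1
    ipaddr=192.168.42.2
    netmask=255.255.255.0
    role=red
"""


def parse_networks_db(text: str) -> Dict[str, Dict[str, str]]:
    """Parse esmith-style db output into {record_name: {prop: value}}."""
    records: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in filter(str.strip, text.splitlines()):
        if raw[0] not in " \t":  # record header line: name=type
            name, _, rtype = raw.partition("=")
            current = records.setdefault(name, {"type": rtype})
        elif current is not None:  # property line: prop=value
            key, _, value = raw.strip().partition("=")
            current[key] = value
    return records


def overlapping_roles(records: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Pairs of interfaces with different roles whose subnets overlap.
    A NAT firewall cannot tell inside from outside on one LAN segment."""
    subnets = []
    for name, props in records.items():
        if {"ipaddr", "netmask", "role"} <= props.keys():
            net = ipaddress.IPv4Network((props["ipaddr"], props["netmask"]), strict=False)
            subnets.append((name, props["role"], net))
    problems = []
    for i, (n1, r1, s1) in enumerate(subnets):
        for n2, r2, s2 in subnets[i + 1:]:
            if r1 != r2 and s1.overlaps(s2):
                problems.append((f"{n1}({r1})", f"{n2}({r2})", str(s1)))
    return problems


if __name__ == "__main__":
    for a, b, net in overlapping_roles(parse_networks_db(SAMPLE_DB)):
        print(f"{a} and {b} share {net}: red and green need different subnets")
```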


(Michael Kicks) #8

Therefore, as @flatspin said: network segments/subnets of green, red1 and red2 must be different.


(Bill) #9

Thank you for the responses and for saving me from myself. I was well on my way to creating a fool’s firewall. :scream:

I’m rethinking the way my network is wired to try and get the best of security, speed and minimum downtime in case of failure. I’m thinking TP-Link router DMZ port opened to the public, to a dedicated LAN card on my VMware server running the red interface on NethServer. Then the NethServer green interface to the switch and all computers. If the TP-Link router fails I can just move the cable from the DMZ port directly to the modem. If the VMware server fails I can move the switch to a LAN port on the TP-Link. That should at least keep me on the Internet behind a firewall at all times.

And of course the red and green interfaces will be on different subnets. :grin:


(Michael Kicks) #10

Why should the TP-Link router fail? Otherwise: could you change the device for something a bit less… problematic?
Last question: why not have the dual red configuration anyway, using VLAN? At least the failover could be managed directly from NethServer…

Should be mandatory… :wink:


(Bill) #11

The TP-Link router is running fine and has been for years, but nothing lasts forever. A hardware device can fail due to a power surge, water leak, or even an accidentally spilled cup of coffee. Plan for the worst, hope for the best. :wink:

I believe there are only two physical LAN cards on my server, so I was going to make one red and one green. Right now I only have one green on NethServer. What would the advantage of two red interfaces be if I only have one Internet connection?


(Michael Kicks) #12

Bypass the failure of your TP-Link. Only with a VLAN-compliant switch, of course (due to only 2 physical cards on your host).
(I am not a fan of this brand… but of course there are plenty of TP-Link devices that work quite flawlessly)