
I added a second network interface to a VMware VM. The second network interface is on a different network. I used nmtui to define the new interface and then rebooted the machine. Both interfaces come up and have IP addresses on the expected networks. For the sake of this question, I'll call these network interfaces nic1 and nic2.

When both the nic1 and nic2 are active, I can only ping nic2. nic1 times out. When I deactivate nic2, I can ping nic1.

What is going on here and how do I get both network interfaces working at the same time?

UPDATE:

Per request, here's the output of ip route show:

default via x.y.a.1 dev nic1  proto static  metric 100
default via x.y.b.1 dev nic2  proto static  metric 101
x.y.a.0/24 dev nic1  proto kernel  scope link  src x.y.a.185  metric 100
x.y.c.233 via x.y.b.1 dev nic2  proto dhcp  metric 100
x.y.b.0/24 dev nic2  proto kernel  scope link  src x.y.b.152  metric 100
x.z.d.239 via x.y.a.1 dev nic1  proto dhcp  metric 100

I have masked out the first three octets with letters in order to not inadvertently create a security risk. But for the purposes of this conversation, the IP addresses of my two networks are:

x.y.a.185 and x.y.b.152

The device doing the pings (using the masks above) would be x.v.w.70. I don't think it's a routing issue because I can ping either NIC, just not both at the same time when both are active.

Jason Thompson

1 Answer


It's a routing issue. When you set your route tables anywhere, always remember the return traffic. If the traffic is returning through a different path (a different router), then the design is probably broken. Sometimes there is a tradeoff that justifies such a design (called asymmetric routing), but it's very rare.

In particular, Linux by default has rp_filter 1 (return path filtering mode 1). In your case, when your Linux notices a ping packet from x.v.w.70 to x.y.b.152, it ignores it on interface x.y.b.152. It checks how routing goes in the backward direction and thinks: hmmm, since I send the packets back to x.v.w.70 to x.y.a.1, they shouldn't come from x.y.b.1 at all. Since rp_filter 1 makes you much safer against spoofing attacks, it's not generally recommended to change it to 0 or 2.

When you turn off one NIC, the routing table becomes simpler and the same packet is handled correctly.

kubanczyk

Thanks!!! For those wanting to learn more, here's an article from Red Hat I found when researching this topic further: https://access.redhat.com/solutions/53031 – Jason Thompson Jan 17 '19 at 15:45
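To make the answer's reasoning concrete, here is an added example (not code from the question or the answer) that models the strict/loose rp_filter check against a routing table shaped like the one in the question. The masked octets are replaced by constructed stand-ins (x.y.a -> 10.1.1, x.y.b -> 10.1.2, x.v.w -> 10.9.9), and RULES_FIXED models the usual remedy that keeps rp_filter at 1: a per-interface table selected by a source-address policy rule (ip rule add from <nic2 address> lookup <table>), so return traffic for nic2 leaves via nic2.

```python
from ipaddress import ip_address, ip_network

# Main table from the question, as (prefix, egress device, metric).
# Constructed addresses: 10.1.1.0/24 stands for x.y.a.0/24, 10.1.2.0/24 for x.y.b.0/24.
MAIN = [
    ("0.0.0.0/0",   "nic1", 100),
    ("0.0.0.0/0",   "nic2", 101),
    ("10.1.1.0/24", "nic1", 100),
    ("10.1.2.0/24", "nic2", 100),
]
# Per-interface table for nic2 (the policy-routing fix; constructed, not on the page).
NIC2_TABLE = [("0.0.0.0/0", "nic2", 100), ("10.1.2.0/24", "nic2", 100)]

# Policy rules in priority order: (source-address selector or None, table).
RULES_DEFAULT = [(None, MAIN)]
RULES_FIXED = [("10.1.2.152", NIC2_TABLE), (None, MAIN)]

def lookup(rules, daddr, saddr):
    """Return the egress device for daddr, honouring 'from saddr' policy rules."""
    for selector, table in rules:
        if selector is not None and ip_address(selector) != ip_address(saddr):
            continue
        matches = [r for r in table if ip_address(daddr) in ip_network(r[0])]
        if matches:
            # Longest prefix wins; among equal prefixes the lowest metric wins.
            best = max(matches, key=lambda r: (ip_network(r[0]).prefixlen, -r[2]))
            return best[1]
    return None

def rpf_accepts(mode, in_dev, pkt_src, pkt_dst, rules=RULES_DEFAULT):
    """Model of rp_filter: 0 = off, 1 = strict, 2 = loose.

    The kernel's reverse lookup swaps the addresses: it routes towards the
    packet's source using the packet's destination (our local address) as the
    source, which is why 'from <local ip>' rules influence the verdict.
    """
    if mode == 0:
        return True
    reverse_dev = lookup(rules, daddr=pkt_src, saddr=pkt_dst)
    if mode == 2:
        return reverse_dev is not None
    return reverse_dev == in_dev

if __name__ == "__main__":
    ping = ("10.9.9.70", "10.1.2.152")  # x.v.w.70 pinging nic2
    print("strict, main table only:", rpf_accepts(1, "nic2", *ping))               # False
    print("strict, per-nic rule   :", rpf_accepts(1, "nic2", *ping, RULES_FIXED))  # True
```

With only the main table, the reverse lookup for 10.9.9.70 picks the metric-100 default via nic1, so a reply to nic2 fails the strict check exactly as the answer describes; pinging nic1 still passes because the reverse path and the ingress interface agree.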