
Adding static routes to a network Network
I have two LANs, each with their own OS X Server, that need to talk to each other through a low bandwidth, secure, dedicated connection. There are various ways to do this, but I opted for using a pair of EtherBridges, which are devices that bridge over a dialup modem connection. So, each server has three ethernet cards: one for the Internet (en0), one for the LAN (en1), and one for the bridging connection between the LANs (en2). The problem was how to configure a route such that traffic for the "other" LAN goes through en2. Note that I did not want simply to bridge the two LANs into a single subnetwork. I needed each to be its own distinct subnet, but with traffic routed between them.

After a bunch of research on the problem, I concluded that the OS X GUI configuration package simply doesn't understand about any kind of routing except a single default route. The traditional BSD way to deal with this problem is to insert code into rc.local, but if I added a route command there, it had no effect or a bizarre effect. I experimented with LaunchDaemons and StartupItems, but they also had no effect or the wrong effect.

To make a long story (several days) short, the trick here is that you must use an ifconfig command in the rc.local script, even though at a later point in the process, the GUI-specified interface configuration will be done redundantly. If you do not do this, the route command will fail, because there will be no device configured for the bridging subnet.

Here is the critical portion of the rc.local script:
# Give the bridging interface its address first; without it the route below fails
ifconfig en2 inet 11.22.33.5 netmask 255.255.255.252
# Send the other LAN (.64/26) via the far end of the point-to-point link
route -n add 11.22.33.64/26 11.22.33.6
Note that 11.22.33 represents my Class C network; the "other" LAN subnet is .64/26 off of that, and the bridging subnet is .4/30 (a point-to-point subnet) of the same Class C. On the other server, the script is:
# Same bridging subnet, but this end of the link is .6
ifconfig en2 inet 11.22.33.6 netmask 255.255.255.252
# This server's "other" LAN is .32/27, reached via .5
route -n add 11.22.33.32/27 11.22.33.5
Note that the LAN subnet is different, the bridging subnet is the same, but the two ports are swapped in terms of direction.

Once you understand that (1) rc.local is still the best place for this (not the GUI), and (2) you have to do an early ifconfig to help the route command do the right thing, adding static routes is really simple. Now, you could probably do it in LaunchDaemons or StartupItems, if you do ifconfig before route, but in truth, no daemon is launched here, and StartupItems is deprecated, so rc.local may be the best option.

It goes without saying that you have to make sure that the ifconfig in rc.local matches what the GUI assumes about the interfaces, otherwise you're in big trouble.

Incidentally, I'm currently still testing the two servers in a "sandbox", using an Ethernet cable to connect them. I haven't tried out the EtherBridges yet (but assuming they work as advertised, there doesn't seem to be any reason they won't fly right out of the box).
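As an added check (not part of the original hint), the script below tests the precondition the hint describes: route add only succeeds when the gateway is on-link on an interface that already has an address, so en2 must be configured before the route for the other LAN is added. It works from a constructed interface table in ifconfig's "name address netmask" form, using the hint's 11.22.33.x addressing, so it runs without touching the live routing table.

```shell
#!/bin/sh
# Added pre-flight check for the rc.local recipe in the hint; not code from
# the original post. The interface table stands in for the live system: it is
# constructed here, in the same address/netmask form ifconfig takes.

# mask_to_prefix 255.255.255.252 -> 30 (assumes a contiguous mask)
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
        print n }'
}

# same_subnet ADDR1 ADDR2 PREFIXLEN -> exit 0 if both lie in the same prefix
same_subnet() {
    awk -v a="$1" -v b="$2" -v p="$3" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            bits = p - 8 * (i - 1)              # prefix bits covering this octet
            if (bits <= 0) exit 0               # the rest is host part
            if (bits >= 8) { if (x[i] != y[i]) exit 1 }
            else if (int(x[i] / 2^(8 - bits)) != int(y[i] / 2^(8 - bits))) exit 1
        }
        exit 0 }'
}

# gateway_iface TABLE GATEWAY -> prints the interface on-link with GATEWAY,
# exits 1 if no configured interface can reach it directly
gateway_iface() {
    printf '%s\n' "$1" | {
        while read -r name addr mask; do
            same_subnet "$addr" "$2" "$(mask_to_prefix "$mask")" && { echo "$name"; exit 0; }
        done
        exit 1
    }
}

# check_route TABLE DEST/PREFIX GATEWAY -> "ok via IFACE", or exit 1 if unreachable
check_route() {
    via=$(gateway_iface "$1" "$3") || { echo "unreachable: no interface is on-link with gateway $3 for $2"; return 1; }
    echo "ok via $via"
}

# Constructed tables: the second is what rc.local sees before its ifconfig
# line has given en2 an address, which is exactly when route add fails.
WITH_BRIDGE='en1 11.22.33.33 255.255.255.224
en2 11.22.33.5 255.255.255.252'
WITHOUT_BRIDGE='en1 11.22.33.33 255.255.255.224'
check_route "$WITHOUT_BRIDGE" 11.22.33.64/26 11.22.33.6 || true   # unreachable
check_route "$WITH_BRIDGE" 11.22.33.64/26 11.22.33.6              # ok via en2
```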
10 comments
Adding static routes to a network
Authored by: lukasha on Apr 04, '06 08:23:04AM

This may help me do what I'm looking for, but I'm such a noob that it's confusing to me. I have an XServe running on a T-1 on the first ethernet port. I have a cable modem plugged directly into the second ethernet port. The T-1 line is where all the normal traffic comes from, i.e. web, email, file serving, etc. I'd like for my remote clients to perform rsync backups to the cable modem interface. I'd also like the XServe to perform its offsite rsync backup to a G4 at one of the remote locations. The G4 is set up the same way: the primary ethernet is plugged into the office LAN, a second network card is plugged directly into a cable modem. I'd like to keep the rsync traffic all going through the cable modems. Can I accomplish this with your hint or a modification of it? Thanks in advance!

Jeff



[ Reply to This | # ]
Adding static routes to a network
Authored by: gshenaut on Apr 04, '06 10:10:00AM

The critical difference between your setup and mine is that you are using cable modems (and, I assume, the cable company's IP addresses & DNS) for your second port, where I went with the slower dial-up modems, where I have control over the IP addresses & DNS. Another difference is that I have two LANs that I am linking together, where you have a number of single machines at various points. I don't think that my hint will be of much help to you.

You could establish VPN connections from the G4 & your other sites via the xserve's cable modem IP address, but if it is a dynamically allocated address (as all cable IP services I've seen are), then you will have the classic problem of how to discover the current IP address so the VPNs can be set up. If I were you, I'd investigate http://www.dyndns.com/ and set up dynamically redirected names for the two cable-modem ports, and then try to use those access points to set up secure VPN connections for the other functions you need.

Greg Shenaut



[ Reply to This | # ]
Adding static routes to a network
Authored by: dlgraves on Apr 05, '06 03:28:42PM

Hi,

I have the same question, I think: I have access to two interfaces, one is my school's wireless network and one is my cable modem account. I want to be able to dedicate one interface to gaming, and use the other for surfing, email, streaming, etc.

Question is, can you assign en0 and en1 by application? Would you do this using the "route" command? I looked at man pages and didn't see how...

thanks
Lucas



[ Reply to This | # ]
Adding static routes to a network
Authored by: captain caveman on Apr 07, '06 04:18:01PM

Nah, you'd have to figure out which networks your games communicated with, and route those to one NIC or the other.



[ Reply to This | # ]
Don't forget the encryption
Authored by: TrumpetPower! on Apr 04, '06 12:21:54PM

If you're doing this for security reasons, please don't think that bypassing the 'Net by using a couple modems directly talking to each other over the phone network is going to be even marginally more secure.

Encrypt the link anyways. If you've got a high-speed network connection available, just set up a VPN and be done with it. But, even if you don't have a high-speed connection, you still should set it up as a VPN.

If you think it through, you'll realize that the set of people who can eavesdrop on Internet traffic--telecom companies and law enforcement--is pretty much the same set of people that can eavesdrop on POTS traffic. Few ISPs aren't also telecom companies, and all the big backbone providers are all major telecoms, after all....

Cheers,

b&



[ Reply to This | # ]
Don't forget the encryption
Authored by: gshenaut on Apr 04, '06 12:59:50PM

That's an interesting point, and definitely on my to-do list. I'm assuming I can use IPsec on both servers to do this on the bridge subnet (with setkey?), and I'll be set. But IPsec is still somewhat mysterious to me.

Greg Shenaut



[ Reply to This | # ]
Don't forget the encryption
Authored by: Azathoth on Apr 04, '06 11:24:26PM

Just use openvpn (http://openvpn.net/); it's really easy to set up and performs well.

I use it on my dedicated server (Linux) with a Samba listening on the VPN interface to mount my home dir over the encrypted line on my iBook.



[ Reply to This | # ]
Adding static routes to a network
Authored by: djdawson on Apr 05, '06 07:27:19AM
I was faced with a similar problem when I added a second ethernet interface to my work machine to connect to a test network. I needed to move the default route to the other interface, and add a bunch of static routes out the various interfaces for full connectivity. However, I used launchd and created a script I put in /etc to do this. Here's my launchd .plist file, which I put in /Library/LaunchDaemons/net.routes.static.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
         <key>Label</key>
         <string>net.routes.static</string>
         <key>ProgramArguments</key>
         <array>
                 <string>/etc/routes.sh</string>
         </array>
         <key>RunAtLoad</key>
         <true/>
         <key>ServiceDescription</key>
         <string>Install various static routes to support multiple NIC cards</string>
</dict>
</plist>
And here's the shell script I slapped together and put in /etc/routes.sh:

#!/bin/sh
#
#
# We need to trap on TERM signals, according to Apple's launchd docs:
#
trap 'exit 1' 15

#
# Issue a log message so we know when we started
#
syslog -s -l 1 routes.sh: Starting...

#
# Use the "ipconfig waitall" command to wait for all the
# interfaces to come up:
#
ipconfig waitall

#
# Find out how many interfaces are up.
# Look only for IPv4 interfaces and ignore "lo0"
# We expect to see 2 - "en0" and "en1":
#
numup=$(ifconfig -u | egrep "inet " | egrep -v '127\.0\.0\.1' | wc -l)

#
# If there are no interfaces, sleep for 10 seconds and try again
#
if [ ${numup} -eq 0 ]; then
   # No real interfaces up yet, so take a nap
   # Issue a log message so we know what happened
   syslog -s -l 1 routes.sh: No interfaces - sleeping for 10 seconds...
   sleep 10

   #
   # Check for interfaces again
   # If there still aren't any, just give up and exit with a status of 1
   #
   numup=$(ifconfig -u | egrep "inet " | egrep -v '127\.0\.0\.1' | wc -l)

   if [ ${numup} -eq 0 ]; then
     # No network found - bail out
     # Issue a log message so we know what happened
     syslog -s -l 1 routes.sh: Still no interfaces - bailing out.
     exit 1
   fi
fi

#
# If we're here, there's at least one real IP interface up.
# Put the list of "up" interfaces in "$ints" and then add
# the appropriate routes for each one in turn.  Note that this
# list includes "lo0", so we'll just ignore it rather than try
# to edit it out of the list.  This also prevents the list from
# being empty and possibly causing other problems.  For now we
# only expect to see "en0" and "en1", so if we see any others
# we'll just ignore them, too.
#
ints=$(ifconfig -lu)

for eth in $ints; do
   case $eth in

     lo0)
          # Skip lo0 - localhost interface
     ;;

     en0)
          # Add routes for en0 - main interface
          #
          # Issue a log message
          syslog -s -l 1 routes.sh: Adding static routes for en0...
          #
          #
          route add  10.0.0.0/8         172.28.56.1
          route add  172.16.0.0/12      172.28.56.1
          route add  192.168.0.0/16     172.28.56.1
     ;;

     en1)
          # Issue a log message
          syslog -s -l 1 routes.sh: Adding static routes for en1...
          #
          # First we need to delete any existing default route
          #
          def=$(netstat -rn | grep default | awk '{print $1, $2}')
          if [ "$def" != "" ]; then
            route delete $def
          fi

          # Adding routes for en1 - second interface
          #
          route add  default            172.31.254.1
          route add  172.31.255.0/24    172.31.254.1
          route add  172.31.252.0/24    172.31.254.60
     ;;

     *)
          # Found some other interface(s) - skip
     ;;

   esac
done

#
# Sleep for a while so Launchd won't think we never ran
#
sleep 10

#
# Issue a log message so we'll know when we finished
#
syslog -s -l 1 routes.sh: Done.

#
# Exit with a clean status
#
exit 0
It seems to work fine, but I'm sure it could be cleaned up in a few areas. HTH

Adding static routes to a network
Authored by: dlgraves on Apr 05, '06 03:34:46PM

I think this might answer a question I posted earlier -- can you use this to assign traffic to a particular interface (en0, en1) by either application or by port?

I have access to two interfaces, one is my school's wireless network and one is my cable modem account. I want to be able to dedicate one interface to gaming, and use the other for surfing, email, streaming, etc.

thanks
Lucas

Adding static routes to a network
Authored by: gjanssen on Mar 14, '08 07:27:12AM
I found that neither of the other two static route hints was working for me.
Adding the route to /etc/rc.local failed to ever actually add the route. I was adding my route manually without a problem, so figured the trouble adding this at boot was related to the networking not being sufficiently "up" when the /etc/rc.local is executed.

I created a script to be executed 3 minutes after the rc.local is run. This has worked perfectly for me with my 10.4.11 host.
If you don't want the email after booting, you can skip that if you wish.

% cat /etc/rc.local
at -f /scripts/addroute now + 3 minutes
%

% cat /scripts/addroute
#!/bin/csh -f
route -n add -net 172.16.1.0/24 192.168.1.128 | mail -s "add route after reboot on $HOST" admin@company.com
%
