

Feature: Desktop Hardware

What can you do with a second Ethernet port?

By Nathan Willis on May 06, 2008 (4:00:00 PM)


Purchase a new PC or motherboard soon, and the chances are good that it will come with two built-in network interfaces -- either two Ethernet jacks or one Ethernet and one Wi-Fi. Tossing in a second adapter is an inexpensive way for the manufacturer to add another bullet point to the product description -- but what exactly are you supposed to do with it? If you are running Linux, you have several alternatives.

Plugging another Ethernet cable into the second jack and hoping for the best will accomplish nothing; you have to configure Linux's networking subsystem to recognize both adapters, and you must tell the OS how to use them to send and receive traffic. You can do the latter step in several different ways, which is where all the fun comes in.

The big distinction between your options lies in the effect each has on the other devices on your network (computers, routers, and other appliances) -- intelligently routing network traffic between them, linking them together transparently, and so on. In some cases, the simplest end result is not the easiest to set up, so it pays to read through all of the alternatives before you decide which to tackle.

Bonding

From your network's perspective, the simplest option is channel bonding or "port trunking" -- combining both of the computer's interfaces into a single interface that looks like nothing out of the ordinary to your applications.

A combined logical interface can provide load balancing and fault tolerance. The OS can alternate which interface it uses to send traffic, or it can gracefully fail over between them in the event of a problem. You can even use it to balance your traffic between multiple wide area network (WAN) connections, such as DSL and cable, or dialup and your next door neighbor's unsecured Wi-Fi.

To bond two Ethernet interfaces, you must have the bonding module compiled for your kernel (which on a modern distro is almost a certainty), and the ifenslave package (which is a standard utility, although you might need to install it from your distro's RPM or APT repository).

On a typical two-port motherboard, the Ethernet adapters are named eth0 and eth1, so we will use that for our example commands. With ifenslave installed, take both Ethernet adapters offline by running sudo ifdown eth0 and sudo ifdown eth1. Load the bonding module into the Linux kernel with modprobe. There are two important options to pass to the module: mode and miimon. Mode establishes the type of bond (round-robin, failover, and so on), and miimon establishes how often (in milliseconds) the links will be checked for failure. sudo modprobe bonding mode=0 miimon=100 will set up a round-robin configuration in which network packets alternate between the Ethernet adapters as they are sent out. The miimon value of 100 is a standard place to begin; you can adjust it if you really want to tweak your network.

To create an actual bond (which for convenience we'll call bond0), run sudo ifconfig bond0 192.168.1.100 up to assign an IP address to the bond, then run sudo ifenslave bond0 eth0 followed by sudo ifenslave bond0 eth1 to tie the physical Ethernet interfaces into it.

Round-robin mode is good for general purpose load balancing between the adapters, and if one of them fails, the link will stay active via the other. The other six mode options provide features for different setups. Mode 1, active backup, uses just one adapter until it fails, then switches to the other. Mode 2, balance XOR, tries to balance traffic by splitting up outgoing packets between the adapters, using the same one for each specific destination when possible. Mode 3, broadcast, sends out all traffic on every interface. Mode 4, dynamic link aggregation, uses a complex algorithm to aggregate adapters by speed and other settings. Mode 5, adaptive transmit load balancing, redistributes outgoing traffic on the fly based on current conditions. Mode 6, adaptive load balancing, does the same thing, but attempts to redistribute incoming traffic as well by sending out ARP updates.

The latter, complex modes are probably unnecessary for home use. If you have a lot of network traffic you are looking to manage, consult the bonding driver documentation. For most folks, bonding's fault tolerance and failover is a bigger gain than any increased link speed. For example, bonding two WAN links gives you load balancing and fault tolerance between them, but it does not double your upstream throughput, since each connection (such as a Web page HTTP request) has to take one or the other route.
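As an added example (not code from the original article), here is the bonding procedure above as a POSIX shell script. It checks the mode and miimon values before touching anything, defaults to a dry run that only prints the commands, and maps the bonding driver's mode names to the numeric values listed above. The interface names eth0/eth1, the bond name bond0, the DRY_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): the bonding procedure as a
# script with parameter checks and a dry-run mode. Assumptions: adapters
# eth0/eth1, bond name bond0, ifenslave installed; DRY_RUN and the function
# names are this example's own.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (needs sudo)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Map the bonding driver's mode names to the numeric values listed in the
# article; a numeric argument is passed through, anything else fails.
bond_mode_number() {
    case "$1" in
        0|balance-rr)    echo 0 ;;   # round-robin
        1|active-backup) echo 1 ;;   # one active adapter, failover to the other
        2|balance-xor)   echo 2 ;;
        3|broadcast)     echo 3 ;;
        4|802.3ad)       echo 4 ;;   # dynamic link aggregation, needs switch support
        5|balance-tlb)   echo 5 ;;   # adaptive transmit load balancing
        6|balance-alb)   echo 6 ;;   # adaptive load balancing (transmit and receive)
        *) return 1 ;;
    esac
}

# bond_setup BOND ADDRESS MODE MIIMON SLAVE SLAVE...
# Emits (or runs) ifdown, modprobe, ifconfig and ifenslave in the article's order.
bond_setup() {
    bond="$1"; addr="$2"; mode="$3"; miimon="$4"
    shift 4
    [ $# -ge 2 ] || { echo "bond_setup: need at least two slave interfaces" >&2; return 1; }
    modenum=$(bond_mode_number "$mode") || { echo "bond_setup: unknown mode '$mode'" >&2; return 1; }
    case "$miimon" in
        ''|*[!0-9]*) echo "bond_setup: miimon must be a number of milliseconds" >&2; return 1 ;;
    esac
    # miimon=0 switches link monitoring off, so a dead slave is never noticed
    # and failover silently stops working; refuse it.
    [ "$miimon" -gt 0 ] || { echo "bond_setup: miimon=0 disables failure detection" >&2; return 1; }

    for slave in "$@"; do run sudo ifdown "$slave"; done
    run sudo modprobe bonding mode="$modenum" miimon="$miimon"
    run sudo ifconfig "$bond" "$addr" up
    for slave in "$@"; do run sudo ifenslave "$bond" "$slave"; done
}

# After a live run the kernel reports the bond's real state here; every slave
# should show "MII Status: up" before the failover is trusted.
bond_report() {
    cat "/proc/net/bonding/$1"
}

# Dry run of the article's round-robin configuration.
bond_setup bond0 192.168.1.100 balance-rr 100 eth0 eth1
```

Run it as is to see the commands, and with DRY_RUN=0 as a user who can sudo to apply them. After a live run, bond_report bond0 prints the kernel's view of the bond; check that each slave reads "MII Status: up" before relying on the failover.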

Bridging

The bonding solution is unique in that both network adapters act like a single adapter for the use of the same machine. The other solutions use the two adapters in a manner that provides a new or different service to the rest of your network.

Bridging, for example, links the two network adapters so that Ethernet frames flow freely between them, just as if they were connected on a simple hub. All of the traffic heard on one interface is passed through to the other.

You can set up a bridge so that the computer itself does not participate in the network at all, essentially transforming the computer into an overpriced Ethernet repeater. But more likely you will want to access the Internet as well as bridge traffic between the ports. That isn't complicated, either.

Bridging requires the bridge-utils package, a standard component of every modern Linux distribution that provides the command-line utility brctl.

To create a bridge between your network adapters, begin by taking both adapters offline with the ifdown command. In our example eth0/eth1 setup, run sudo ifdown eth0 and sudo ifdown eth1 from the command line.

Next, create the bridge with sudo brctl addbr bridge0. The addbr command creates a new "virtual" network adapter named bridge0. You then connect your real network adapters to the bridge with addif: sudo brctl addif bridge0 eth0 adds the first adapter, and sudo brctl addif bridge0 eth1 adds the second.

Once configured, you activate the bridge0 virtual adapter just as you would a normal, physical Ethernet card. You can assign it a static IP address with a command like sudo ifconfig bridge0 192.168.1.100 netmask 255.255.255.0, or tell it to retrieve its configuration via DHCP with sudo dhclient bridge0.

You can then attach as many computers, hubs, switches, and other devices as you want through the machine's Ethernet ports, and they will all be able to see and communicate with each other. On the downside, if you have a lot of traffic, your computer will spend some extra energy passing all of those Ethernet frames back and forth across the two adapters.
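As an added example (not from the original article), here are the bridge steps above as printable commands, plus a check that the kernel really lists both adapters under the bridge, parsed from "brctl show" output. The sample output embedded in the script is constructed for this example; bridge0, eth0 and eth1 are the article's names, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the bridge commands as a
# reviewable script, plus a check that the kernel really lists every adapter
# as a bridge member, parsed from "brctl show" output. The sample output below
# is constructed for this example; bridge0/eth0/eth1 are the article's names.

# bridge_script BRIDGE IF... : prints the commands (pipe to "sudo sh" after reading)
bridge_script() {
    bridge="$1"; shift
    for ifc in "$@"; do echo "ifdown $ifc"; done
    echo "brctl addbr $bridge"
    for ifc in "$@"; do echo "brctl addif $bridge $ifc"; done
    echo "dhclient $bridge"    # or: ifconfig $bridge ADDRESS netmask MASK
}

# bridge_members BRIDGE : reads "brctl show" output on stdin and prints the
# member interfaces of BRIDGE, one per line. brctl prints one row per bridge
# (name, id, STP flag, first member) and each further member on a line by itself.
bridge_members() {
    awk -v want="$1" '
        NR == 1 { next }                                       # column headings
        NF >= 3 { cur = $1; if (NF == 4 && cur == want) print $4; next }
        NF == 1 { if (cur == want) print $1 }                  # continuation row
    '
}

# bridge_has_all BRIDGE IF... : succeeds only if every named interface is a member
bridge_has_all() {
    bridge="$1"; shift
    members=$(bridge_members "$bridge")
    for want in "$@"; do
        printf '%s\n' "$members" | grep -qx -- "$want" || return 1
    done
}

# Constructed "brctl show" output for a bridge with both adapters attached and
# an unrelated second bridge; on a real system use: brctl show | bridge_has_all bridge0 eth0 eth1
SAMPLE_BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
bridge0         8000.000000000001       no              eth0
                                                        eth1
virbr0          8000.000000000002       yes             vnet0'

bridge_script bridge0 eth0 eth1
if printf '%s\n' "$SAMPLE_BRCTL_SHOW" | bridge_has_all bridge0 eth0 eth1; then
    echo "bridge0 has eth0 and eth1"
fi
```

The membership check matters because brctl addif fails quietly from a script's point of view when an adapter is still up or already enslaved elsewhere; confirming the kernel's own list before plugging other devices in avoids chasing a bridge that only half exists.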

Firewalling and gateway-ing

As long as you have excess traffic zipping through your computer, the OS might as well look at it and do something useful, such as filter it based on destination address, or cache repeatedly requested Web pages. And indeed, you can place your dual-port computer between your upstream cable or DSL connection and the rest of your local network, to serve as a simple Internet-connection-sharing gateway, or as a firewall that exerts control over the packets passing between the network interfaces.

First, you will need to bring both network adapters up and assign each a different IP address -- and, importantly, IP addresses that are on different subnets. For example, sudo ifconfig eth0 192.168.1.100 netmask 255.255.255.0 and sudo ifconfig eth1 192.168.2.100 netmask 255.255.255.0. Note that eth0's address is within the 192.168.1.x range, while eth1's is within 192.168.2.x. Maintain this separation when you add other devices to your network and you will keep things running smoothly.

Forwarding the packets between the Internet on one adapter and your LAN on the other is the purview of iptables, a tool for configuring the Linux kernel's IP filtering subsystem. The command sudo iptables -A FORWARD --in-interface eth1 --out-interface eth0 --source 192.168.2.0/255.255.255.0 -m state --state NEW -j ACCEPT allows computers on the LAN interface eth1 to start new connections, and forwards them to the outside world via the eth0 interface. Following that with sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT keeps subsequent packets from those connections flowing smoothly as well.

Next, sudo iptables -A POSTROUTING -t nat -j MASQUERADE activates Network Address Translation (NAT), secretly rewriting the IP addresses of traffic from the LAN so that when it goes out to the Internet, it appears to originate from the Linux box performing the routing. This is a necessary evil for most home Internet connections, both because it allows you to use the private 192.168.x.x IP address block, and because many ISPs frown upon traffic coming from multiple computers.

Finally, run sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" to activate the kernel's packet forwarding.
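As an added example (not from the original article), here are the gateway steps above as a shell script that first checks that the two addresses really land on different subnets, then prints the commands for review instead of running them; pipe the output to sudo sh once you have read it. Two lines go beyond the article's commands and are this example's own hardening: a DROP default policy on the FORWARD chain, so that only the traffic the two ACCEPT rules describe is forwarded, and --out-interface on the MASQUERADE rule, so NAT is applied only to packets leaving on the WAN side. The interface roles (eth0 WAN, eth1 LAN) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check the two adapters sit on
# different subnets, then print the gateway commands for review. Assumptions:
# eth0 faces the Internet (WAN), eth1 faces the LAN; the FORWARD DROP policy
# and the --out-interface restriction on MASQUERADE are this example's own
# hardening, not the article's commands.

# Dotted-quad IPv4 address or netmask -> integer; fails on malformed input.
# Runs in a subshell so the IFS change cannot leak into the caller.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDRESS NETMASK -> the network address, e.g. 192.168.2.0
network_of() {
    addr=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    int_to_ip $(( addr & m ))
}

# networks_overlap ADDR1 MASK1 ADDR2 MASK2
# exit 0 if the two networks share addresses, 1 if disjoint, 2 if malformed.
# Two networks overlap when they agree on the shorter of the two prefixes,
# so a /16 on one side swallows a /24 on the other.
networks_overlap() {
    a=$(ip_to_int "$1") || return 2
    ma=$(ip_to_int "$2") || return 2
    b=$(ip_to_int "$3") || return 2
    mb=$(ip_to_int "$4") || return 2
    common=$(( ma & mb ))
    [ $(( a & common )) -eq $(( b & common )) ]
}

# gateway_script WAN_IF WAN_ADDR LAN_IF LAN_ADDR NETMASK
# Prints the commands without sudo; pipe them to "sudo sh" after reviewing.
gateway_script() {
    wan_if="$1"; wan_ip="$2"; lan_if="$3"; lan_ip="$4"; mask="$5"
    status=0
    networks_overlap "$wan_ip" "$mask" "$lan_ip" "$mask" || status=$?
    case "$status" in
        0) echo "gateway_script: $wan_ip and $lan_ip are on the same $mask subnet" >&2; return 1 ;;
        2) echo "gateway_script: malformed address or netmask" >&2; return 1 ;;
    esac
    lan_net=$(network_of "$lan_ip" "$mask")
    cat <<EOF
ifconfig $wan_if $wan_ip netmask $mask
ifconfig $lan_if $lan_ip netmask $mask
iptables -P FORWARD DROP
iptables -A FORWARD --in-interface $lan_if --out-interface $wan_if --source $lan_net/$mask -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface $wan_if -j MASQUERADE
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
EOF
}

# The article's addresses; read the output, then pipe it to sudo sh.
gateway_script eth0 192.168.1.100 eth1 192.168.2.100 255.255.255.0
```

The subnet check is the part most worth keeping: with both adapters on the same /24 the kernel cannot tell which interface a destination lives behind, and a too-wide netmask on one side (a /16 on the WAN adapter, say) quietly produces the same confusion even though the two addresses look different.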

This setup will pass traffic from your LAN to your Internet connection, but it does not configure the network settings on the LAN computers themselves. Each of them needs an IP address, gateway and network information, and some working DNS server addresses. If your dual-adapter Linux box is serving as a NAT gateway, you could easily have it provide that information to the clients as well, using DHCP. Your distro probably comes with the dhcpd package. Configuring dhcpd is beyond the scope of the subject here, but check your distro's documentation for Internet connection sharing and you will likely find the instructions you need.

Once you are comfortable using iptables to set up basic NAT and packet forwarding, you can dig a little deeper and learn how to use your box as a first-rate firewall by writing rules that filter traffic based on source and destination address, port, and protocol.

Isolating

Finally, you can always configure your secondary network adapter to work in complete isolation from the rest of your LAN.

Sure, there is little gain to such a setup for general-purpose computers, but it is a popular choice for certain Ethernet-connected devices that only need to send data to one destination. Homebrew digital video recorder builders use the technique to connect the HDHomeRun HDTV receiver directly to a MythTV back end, thereby isolating the bandwidth-hogging MPEG streams from the LAN. The same traffic separation idea might also come in handy for other single-purpose devices, such as a dedicated network-attached storage (NAS) box, a networked security camera, or your Ethernet-connected houseplant.

For most devices, isolating your second adapter entails setting up the computer to act as a DHCP server as in the gateway example above, but without worrying about NAT rules routing between the secondary client and the rest of the network.

Caveat emptoring

So which technique is right for you? My advice is to think about what network trouble you most need to prepare for. If your dual-adapter box is a server with heavy traffic to handle, or you need to balance your traffic across two WAN connections, bonding is for you. On the other hand, if you just bought an HDHomeRun to add to your MythTV back end, think about attaching it directly to the spare interface.

Bridging and gatewaying are most similar, in that they use the dual-adapter box to connect multiple other devices into a single network. If that is what you need to do, consider that bridging works at the Ethernet link level, well below IP and TCP in the protocol stack. At the Ethernet level, the only sort of traffic shaping you can do is that based on the hardware MAC address of the computer. You have significantly more control when you run a full-fledged NAT gateway.

But whichever option you choose, remember that messing around with your network configuration can get you disconnected in a hurry if you make a mistake. For that reason, all of the above examples use commands that change the "live" system, but don't alter the configuration files Linux reads in at startup. If you make a mistake, a reboot should bring you back to a known working state.

If you decide you want to make your changes permanent, your best bet is to consult your distro's documentation. Distros vary slightly in where and how they store network configuration scripts (Red Hat uses /etc/sysconfig/network-scripts/, for example, while Ubuntu uses /etc/network/).

Once you start digging into the details, you'll find even more possibilities for utilizing that second network adapter under Linux. But you should now be armed with a general idea of how to make both adapters talk to your network at the same time -- and you can do your part to eliminate network adapter wastefulness.


Comments on What can you do with a second Ethernet port?

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 77.96.122.110] on May 06, 2008 04:50 PM
Thanks Nathan for this great article - I learnt something new ;-) .

#

What can you do with a second Ethernet port?

Posted by: Seraphyn on May 06, 2008 06:08 PM
Nice,

and I thought I was the only one who knows bonding.
Great article to start into more networking as "normal" needed.
Thank Seraphyn

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 206.210.81.130] on May 06, 2008 06:30 PM
Great! I'm going to do this on my server when I get off work.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 199.64.0.252] on May 06, 2008 07:53 PM
Great article, I didn't know about bonding.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 128.146.172.220] on May 06, 2008 07:56 PM
Very informative article

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 91.85.180.38] on May 06, 2008 09:53 PM
how about using it for iSCSI?

#

Re: What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 64.128.214.5] on May 07, 2008 07:05 PM
This is actually a "must" for iSCSI use IMHO. The last thing you need when exporting/importing block storage via Ethernet is a port going down without a fail over.

#

What can you do with a second Ethernet port?

Posted by: proopnarine on May 07, 2008 03:38 AM
Great article! Thanks. Bonding is exactly what I need for one of my servers I think. I'll give it a shot tomorrow!

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 201.9.43.171] on May 07, 2008 05:34 AM
Very nice article, with interesting and useful information. Well done, thanks, and more articles like this are very welcome!

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 80.227.43.34] on May 07, 2008 06:13 AM
Honestly, this is the first time I heard that you can do several things with 2 Ethernet ports.
Great article!

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 128.63.61.141] on May 07, 2008 06:59 AM
There is no need to use separate subnets when using the "dual-NIC" system as a firewall. And you also have the ability to combine the "bridge" option with the firewall option. Allowing the system to bridge the two interfaces, pass network traffic, and firewall all of the traffic, same is true for the proxy example, and other traffic inspection solutions. All while being on the same subnet, and bridging the interfaces. One important feature when using a firewall in "bridge" mode is the ability to have no layer-3 (IP) addressing, and placing the system physically in-line, a more secure approach. Obviously you can also do this without bridging, using the two network interfaces separately, and thus requiring addressing/routing, but again a different subnet is not necessary.

Thanks,
Justin M. Wray

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 209.152.96.206] on May 07, 2008 07:27 AM
Good article.

One thing I don't get about bonding and link aggregation in general - is how to set it up for true high availability / fault tolerance.

Suppose I have a server (cluster) as well as two ISPs:

How do you combine this with a web site? Suppose I want http://www.example.com to always stay up.
I want WAN fault tolerance as well as server.

Which server would you point the DNS for your website to?
Can I somehow give both of those WAN interfaces some 'virtual' ip so if either machine or link goes down, it will still be serving requests?
Do I need some special networking hardware?

I've looked at all kinds of articles, howtos, etc, but none seem to actually explain what is required to do this, and how it works.

Thanks,
Raphael Burnes

#

Re: What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 66.105.23.131] on May 07, 2008 04:59 PM
I would have the same question as Raphael above, as to how bonding might work from "outside" of the "local" network. Can bonding be used to help with keeping a web site going on either interface? How WOULD you have to situate your DNS records to account for that type of failover?

#

Re: What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 64.128.214.5] on May 07, 2008 07:02 PM
You'll want to look into LVS, or linux virtual server (it's built into modern kernels). If you're using RedHat/CentOS (and probably others), this is already packed up with userland utils etc. Saves you 30-40k over getting 2 F5 BigIPs ;)

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 121.241.128.145] on May 07, 2008 08:31 AM
Super post! I have always wondered what to do with my WiFi, now I know! Thanks a ton!
-Des
http://techwatch.reviewk.com/

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 78.94.204.12] on May 07, 2008 09:34 AM
Very nice article, never heard of bonding before, but I think it's just what I need. Thanks a lot!

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 80.38.207.199] on May 07, 2008 10:01 AM
great article, any hopes of being able to mod vista to handle that kind of thing?
and what exactly are the benefits? Is bandwidth doubled, even though both Ethernet ports in your computer lead to the same router and cable box?

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 198.40.0.9] on May 07, 2008 11:46 AM
Well, as a WinCE developer you can set up a private network on the 2nd NIC so that when your Bootloader starts sending out BOOTME to 255.255.255.255 you don't whack the public network. That's one GOOD use, but 99.9% of the folks DON'T NEED NO STEENKIN 2nd NIC!

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 83.191.6.202] on May 07, 2008 02:21 PM
Regarding bonding in a load balancing configuration, last time I checked (few years ago) it was necessary that the switch that you connected to was also configured to bond the two ports used for bonding (this is called EtherChannel in Cisco parlance, and Linux is compatible with it).
If you don't, the switch is going to see the same MAC address coming from two different ports, and either a) won't know what to do and disable (probably) one of the ports; or b) replicate all traffic on both ports, which will double your traffic and thus negate the benefits of bonding.
And yes, the bond needs to have one and only one MAC, to maintain the mapping one IP -> one MAC (the complementary is not necessarily true, but it does not matter in this case). The packets going out of a bond won't get the MAC of the interface they get out through, but will get the (fictional) bond MAC.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 63.231.96.126] on May 07, 2008 02:55 PM
This is also known in datacenter-speak as "Teaming". I.E. A "red" and a "blue" interface are each configured on a server. One cat6 cable from each goes to a separate switch and then they are "Teamed" into one logical interface, using the drivers on the server.... usually into a single "purple" interface. This provides nic, cable, and switch fault-tolerance.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 66.203.62.44] on May 07, 2008 04:19 PM
An additional interface is also handy if you virtualize Windows or another OS with a product like VirtualBox. Rather than use NAT or bridge the virtual's NIC to your main NIC, you can bridge the virtual to its very own separate network interface. Since I use VPN on the XP I'm running in VirtualBox, bridging rather than NATing is a must, and I don't have to worry that it will futz up the networking on the host OS.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 199.247.245.13] on May 07, 2008 05:29 PM
Bridging is very cool. It may not work for you if you try it on a wireless-to-wired setup, though. The wireless adapter may not support it. I've forgotten the details, but ARPs will not pass between them, thus keeping the setup from working.

#

Application level interface mapping, load balancing?

Posted by: Anonymous [ip: 80.221.24.94] on May 07, 2008 11:30 PM
Is it possible to make the OS use a specific network interface for a specific application? For example, the bittorrent client should use adapter 0 and the browser - adapter 0.

What about dynamic load balancing between the two adapters on application level?..

#

How to double your internet speed for free

Posted by: Anonymous [ip: 189.153.246.246] on May 08, 2008 02:57 AM
"For most folks, bonding's fault tolerance and failover is a bigger gain than any increased link speed."
--- My internet connection almost never dies. Maybe once per month and only for a few minutes. I assume most people also have great internet and don't really need fault tolerance.

"For example, bonding two WAN links gives you load balancing and fault tolerance between them, but it does not double your upstream throughput, since each connection (such as a Web page HTTP request) has to take one or the other route."
----- True. When you connect to a website or download a single file from Download.com you aren't going to notice any/much speed improvement.

But what's the biggest bandwidth hog these days? P2P and Torrents. I think it's safe to say that many of us are using LimeWire to download MP3s and uTorrent to download movies and TV shows. What? You're not?? Hurry on over to www.LimeWire.com and www.uTorrent.com and www.RLSLOG.net and drag yourself into the future.

When you use the "bonding" method listed above (aka port trunking, aka teaming) you immediately double your bandwidth, both upload and download. Let's say you have 2MB/s internet connection in your house and you can "borrow" another 2MB/s connection from your nice neighbor. You now have a total download speed of 4MB/s. If the internet in your house is 10MB/s and you borrow another 5MB/s connection from your neighbor you will now have a 15MB/s total download speed.

When you download a single file from Download.com for example, your FireFox browser opens one single connection from your computer to the server and the file is downloaded over that single connection. But if you use a download accelerator program (such as DAP) the program will try to open multiple connections from your computer to the server. So now you will be able to download at 15MB/s (10MB/s from your house and another 5MB/s thanks to your neighbors unsecured wifi connection).

All P2P and Torrent programs are designed to upload/download the files in little sections. So when you download an MP3 via LimeWire or a video via uTorrent you are actually getting lots of little pieces of the file, each from a different user. Using nic bonding you will be downloading some of the pieces from your own internet connection and some pieces using your neighbors connection, all at the same time. Same goes for uploading/sharing files. You just doubled your internet's upload/download speed and the extra bandwidth didn't cost you a penny.

So now some of you are thinking, Dude, wouldn't it be cool if I bought like 5 more USB wireless cards and borrowed internet from more of my neighbors! Imagine how fast my net would be! Yea, that would be cool :) You could have like a 25MB download speed. It would be even cooler if you hooked up a good strong Access Point in your house and started broadcasting that new 25MB/s connection to all your neighbors. Everyone on the block pays for their own 1MB internet but gets to use a nice 25MB connection. Sharing is caring.

Or maybe you have a membership to a private tracker and you wish you could seed faster? Get a seed box! (a dedicated server that runs a torrent client). Or just start seeding using the neighbors net :P

But my neighbor doesn't have unsecured wifi. It's got encryption and a password :( Ummm, go google WEPCrack and learn how to solve that problem.

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 194.216.193.50] on May 08, 2008 11:30 AM
Couple of errors in this

' From your network's perspective, the simplest option is channel bonding or "port trunking"' - Channel Bonding is just what it says and stems from the old days of ISDN and dial-up channels; for the Cisco people it is called "EtherChannel". "Port Trunking" in Cisco land is a technology that means switches can tag and forward multiple VLANs across a single link; it also allows the switches to pass VTP traffic and other nice stuff.

Also I think it's been made to look easier than it really is as there are different channel bonding methods, each have pluses and minuses, and certain pieces of equipment can't handle some, which means if you do choose this you may not be able to use other things on your network.

Methods include:-

802.3ad Dynamic - provides receive and transmit load balancing on a single switch. In this team type, the nic members negotiate with the switch to automatically form a port group, so no additional configuration is required on the switch. The switch must support the IEEE 802.3ad Link Aggregation Control Protocol (LACP).

Switch-assisted Load Balancing (SLB) - provides receive and transmit load balancing on a single switch and is functionally identical to 802.3ad Dynamic Teaming. SLB requires the switch itself to be configured to form a port group. The switch must support port aggregation, but it does not need to support the IEEE 802.3ad Link Aggregation Control Protocol.

Transmit Load Balancing (TLB) - balances the transmit traffic among the nic members, but does not require any special switch intelligence or switch configuration. In addition, TLB teams can be split across switches as long as all members are in the same layer 2 network. In TLB teams, receive traffic is not load balanced, but is received on a single nic member.

Network fault tolerance (NFT) - prevents network downtime by transferring the workload from a failed port to a working port. Clients on the network see no disruption of service, and the network can remain in use while the failed component is repaired. NFT teaming functions at any speed, on any media. It is switch-independent and can be split across Layer 2 switches but must be in the same Layer 2 domain.

Gotta be honest, I'm not a Linux boy so I've no idea whether it goes this in depth. Thought this may help anybody thinking about it though.

=)

#

What can you do with a second Ethernet port?

Posted by: Anonymous [ip: 76.126.54.199] on May 12, 2008 05:44 AM
This is the coolest article on linux.com... damn man, thank you so much. I KNEW this had to be possible but i gave up searching a while back.

#
