How do you multihome with netplan - bind multiple IPs to one network adapter?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
2
down vote

favorite












How do you multihome with netplan - bind multiple IPs to one network adapter?



I see several people have taken two different approaches to solve the problem -
One where both IPs are defined under the same device name as the nic which limits options with IPTables.



and



The other option is to create a vlan and point it to the nic.



Which is correct the correct way to do it and why was this changed in the first place. /etc/network/interfaces was simple, made sense, and obviously supported multi-homing.






networking server netplan







share|improve this question





















  • Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
    – slangasek
    Apr 13 at 22:58










  • with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
    – Charles Jordan
    Apr 14 at 1:45














up vote
2
down vote

favorite












How do you multihome with netplan - bind multiple IPs to one network adapter?



I see several people have taken two different approaches to solve the problem -
One where both IPs are defined under the same device name as the nic which limits options with IPTables.



and



The other option is to create a vlan and point it to the nic.



Which is correct the correct way to do it and why was this changed in the first place. /etc/network/interfaces was simple, made sense, and obviously supported multi-homing.






networking server netplan







share|improve this question





















  • Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
    – slangasek
    Apr 13 at 22:58










  • with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
    – Charles Jordan
    Apr 14 at 1:45












up vote
2
down vote

favorite









up vote
2
down vote

favorite











How do you multihome with netplan - bind multiple IPs to one network adapter?



I see several people have taken two different approaches to solve the problem -
One where both IPs are defined under the same device name as the nic which limits options with IPTables.



and



The other option is to create a vlan and point it to the nic.



Which is correct the correct way to do it and why was this changed in the first place. /etc/network/interfaces was simple, made sense, and obviously supported multi-homing.






networking server netplan







share|improve this question













How do you multihome with netplan - bind multiple IPs to one network adapter?



I see several people have taken two different approaches to solve the problem -
One where both IPs are defined under the same device name as the nic which limits options with IPTables.



and



The other option is to create a vlan and point it to the nic.



Which is correct the correct way to do it and why was this changed in the first place. /etc/network/interfaces was simple, made sense, and obviously supported multi-homing.






networking server netplan




networking server netplan






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Apr 13 at 8:19









Charles Jordan

111




111











  • Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
    – slangasek
    Apr 13 at 22:58










  • with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
    – Charles Jordan
    Apr 14 at 1:45
















  • Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
    – slangasek
    Apr 13 at 22:58










  • with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
    – Charles Jordan
    Apr 14 at 1:45















Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
– slangasek
Apr 13 at 22:58




Can you clarify how you see defining multiple ips on a single device as limiting iptables? Attaching multiple IPs to a single interface is current best practice, not just in netplan but in Linux networking generally (interface aliases are broadly deprecated, and I've never heard of using a vlan this way); so it would be good to understand what problems you're seeing with this in order to best address your question.
– slangasek
Apr 13 at 22:58












with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
– Charles Jordan
Apr 14 at 1:45




with the new netplan method you lose the ability to make custom rules in IPTABLEs that can refrence eth0, eth0:0, eth0:1 as three different adapters with three different rules as far the interface is concerned. You can make rules that match the different IPs but you cannot fine tune the rules to pay attention to aliased interface name (eth0:1) only the parent interface eth0.
– Charles Jordan
Apr 14 at 1:45










1 Answer
1






active

oldest

votes

















up vote
1
down vote













Independent of netplan, it is best practice today to assign multiple addresses to a single interface rather than using interface aliases. The lack of clean support for this in /etc/network/interfaces is actually a matter of ifupdown showing its age.



Configuring multiple addresses on an interface is simple with netplan: https://netplan.io/examples#multiple-addresses-on-an-interface



To handle these addresses in iptables, you can use -s and -d options to specify the source and destination addresses to match, instead of using -i and -o options to distinguish by input or output interface. In the vast majority of cases this is equivalent. The one exception is if you have multiple aliases on the same interface configured with dynamic addresses, and want to apply different rules to traffic sent to each address; you can't configure the firewall rules before you know the destination address. But you also can't configure netplan to ask for dhcp multiple times on the same interface, so if you need this, you probably do have to use vlans.



You can minimize repetition of addresses in your iptables rules by using something like the following:



iptables -N eth0
iptables -N eth0_0
iptables -N eth0_1
iptables -A INPUT -i enp3s0 -d 192.168.1.5 -j eth0
iptables -A INPUT -i enp3s0 -d 192.168.1.6 -j eth0_0
iptables -A INPUT -i enp3s0 -d 192.168.1.7 -j eth0_1
iptables -A INPUT -i enp3s0 -j DROP
iptables -A eth0 [... eth0 rules here]
iptables -A eth0_0 [... eth0:0 rules here]
iptables -A eth0_1 [... eth0:1 rules here]





share|improve this answer






















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "89"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1024574%2fhow-do-you-multihome-with-netplan-bind-multiple-ips-to-one-network-adapter%23new-answer', 'question_page');

    );

    Post as a guest

















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote













    Independent of netplan, it is best practice today to assign multiple addresses to a single interface rather than using interface aliases. The lack of clean support for this in /etc/network/interfaces is actually a matter of ifupdown showing its age.



    Configuring multiple addresses on an interface is simple with netplan: https://netplan.io/examples#multiple-addresses-on-an-interface



    To handle these addresses in iptables, you can use -s and -d options to specify the source and destination addresses to match, instead of using -i and -o options to distinguish by input or output interface. In the vast majority of cases this is equivalent. The one exception is if you have multiple aliases on the same interface configured with dynamic addresses, and want to apply different rules to traffic sent to each address; you can't configure the firewall rules before you know the destination address. But you also can't configure netplan to ask for dhcp multiple times on the same interface, so if you need this, you probably do have to use vlans.



    You can minimize repetition of addresses in your iptables rules by using something like the following:



    iptables -N eth0
    iptables -N eth0_0
    iptables -N eth0_1
    iptables -A INPUT -i enp3s0 -d 192.168.1.5 -j eth0
    iptables -A INPUT -i enp3s0 -d 192.168.1.6 -j eth0_0
    iptables -A INPUT -i enp3s0 -d 192.168.1.7 -j eth0_1
    iptables -A INPUT -i enp3s0 -j DROP
    iptables -A eth0 [... eth0 rules here]
    iptables -A eth0_0 [... eth0:0 rules here]
    iptables -A eth0_1 [... eth0:1 rules here]





    share|improve this answer


























      up vote
      1
      down vote













      Independent of netplan, it is best practice today to assign multiple addresses to a single interface rather than using interface aliases. The lack of clean support for this in /etc/network/interfaces is actually a matter of ifupdown showing its age.



      Configuring multiple addresses on an interface is simple with netplan: https://netplan.io/examples#multiple-addresses-on-an-interface



      To handle these addresses in iptables, you can use -s and -d options to specify the source and destination addresses to match, instead of using -i and -o options to distinguish by input or output interface. In the vast majority of cases this is equivalent. The one exception is if you have multiple aliases on the same interface configured with dynamic addresses, and want to apply different rules to traffic sent to each address; you can't configure the firewall rules before you know the destination address. But you also can't configure netplan to ask for dhcp multiple times on the same interface, so if you need this, you probably do have to use vlans.



      You can minimize repetition of addresses in your iptables rules by using something like the following:



      iptables -N eth0
      iptables -N eth0_0
      iptables -N eth0_1
      iptables -A INPUT -i enp3s0 -d 192.168.1.5 -j eth0
      iptables -A INPUT -i enp3s0 -d 192.168.1.6 -j eth0_0
      iptables -A INPUT -i enp3s0 -d 192.168.1.7 -j eth0_1
      iptables -A INPUT -i enp3s0 -j DROP
      iptables -A eth0 [... eth0 rules here]
      iptables -A eth0_0 [... eth0:0 rules here]
      iptables -A eth0_1 [... eth0:1 rules here]





      share|improve this answer
























        up vote
        1
        down vote










        up vote
        1
        down vote









        Independent of netplan, it is best practice today to assign multiple addresses to a single interface rather than using interface aliases. The lack of clean support for this in /etc/network/interfaces is actually a matter of ifupdown showing its age.



        Configuring multiple addresses on an interface is simple with netplan: https://netplan.io/examples#multiple-addresses-on-an-interface



        To handle these addresses in iptables, you can use -s and -d options to specify the source and destination addresses to match, instead of using -i and -o options to distinguish by input or output interface. In the vast majority of cases this is equivalent. The one exception is if you have multiple aliases on the same interface configured with dynamic addresses, and want to apply different rules to traffic sent to each address; you can't configure the firewall rules before you know the destination address. But you also can't configure netplan to ask for dhcp multiple times on the same interface, so if you need this, you probably do have to use vlans.



        You can minimize repetition of addresses in your iptables rules by using something like the following:



        iptables -N eth0
        iptables -N eth0_0
        iptables -N eth0_1
        iptables -A INPUT -i enp3s0 -d 192.168.1.5 -j eth0
        iptables -A INPUT -i enp3s0 -d 192.168.1.6 -j eth0_0
        iptables -A INPUT -i enp3s0 -d 192.168.1.7 -j eth0_1
        iptables -A INPUT -i enp3s0 -j DROP
        iptables -A eth0 [... eth0 rules here]
        iptables -A eth0_0 [... eth0:0 rules here]
        iptables -A eth0_1 [... eth0:1 rules here]





        share|improve this answer














        Independent of netplan, it is best practice today to assign multiple addresses to a single interface rather than using interface aliases. The lack of clean support for this in /etc/network/interfaces is actually a matter of ifupdown showing its age.



        Configuring multiple addresses on an interface is simple with netplan: https://netplan.io/examples#multiple-addresses-on-an-interface



        To handle these addresses in iptables, you can use -s and -d options to specify the source and destination addresses to match, instead of using -i and -o options to distinguish by input or output interface. In the vast majority of cases this is equivalent. The one exception is if you have multiple aliases on the same interface configured with dynamic addresses, and want to apply different rules to traffic sent to each address; you can't configure the firewall rules before you know the destination address. But you also can't configure netplan to ask for dhcp multiple times on the same interface, so if you need this, you probably do have to use vlans.



        You can minimize repetition of addresses in your iptables rules by using something like the following:



        iptables -N eth0
        iptables -N eth0_0
        iptables -N eth0_1
        iptables -A INPUT -i enp3s0 -d 192.168.1.5 -j eth0
        iptables -A INPUT -i enp3s0 -d 192.168.1.6 -j eth0_0
        iptables -A INPUT -i enp3s0 -d 192.168.1.7 -j eth0_1
        iptables -A INPUT -i enp3s0 -j DROP
        iptables -A eth0 [... eth0 rules here]
        iptables -A eth0_0 [... eth0:0 rules here]
        iptables -A eth0_1 [... eth0:1 rules here]






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Apr 14 at 20:52

























        answered Apr 14 at 20:24









        slangasek

        2,27811318




        2,27811318



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1024574%2fhow-do-you-multihome-with-netplan-bind-multiple-ips-to-one-network-adapter%23new-answer', 'question_page');

            );

            Post as a guest
































































            -

            Popular posts from this blog

            pylint3 and pip3 broken

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have tried sudo apt remove --purge on various packages. I get the same when I reinstall. I have also tried reinstall using aptitude. This does not work. My current workaround is to run pylint3 as root, which works, but is bad practice. pip3 $ pip3 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pip/_vendor/__init__.py", line 33, in vendored __import__(vendored_name, globals(), locals(), level=0) ImportError: No module named 'pip._vendor.pkg_resources' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/bin/pip3", line 9, in <module> from pip import main File "/usr/lib/python3/dist-packages/pip/__init__.py", line 13, in <module> from pip.exceptions import InstallationError, CommandError, PipError File "/usr/lib/python3/dist-packages/pip/exceptions.py", line 6, ...
            Read more

            Missing snmpget and snmpwalk

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried to install it with: apt-get install net-snmp-utils but I have error message: Unable to locate package. I have also check what from SNMP is preinstalled and there is: libsnmp-base libsnmp30:amd64 snmp-mibs-downloader snmpd snmptrapd snmptrapfmt How can I install snmpget and snmpwalk ? snmp zabbix share | improve this question edited Jan 29 at 10:10 Yaron 8,552 7 18 38 asked Jan 29 at 9:51 Alfista 1 apt install snmp perhaps ? If named differently - apt cache snmp – fugitive Jan 29 at 10:00 add a comment  |  up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried...
            Read more

            How to enroll fingerprints to Ubuntu 17.10 with VFS491

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
            Read more