# multiple interfaces in the same subnet



## beckzg (Feb 12, 2020)

Dear Team,

I have a machine with 4 interfaces, all have an IP address from the same subnet (10.0.0.0/24), running FreeBSD 12.1. I would like the reply to a request to go out on the same interface where it came in. With the default config all goes out on the default (first) interface.

Kind Regards,
Zoltan


----------



## SirDice (Feb 12, 2020)

Don't put multiple interfaces on the same network. What are you hoping to achieve by doing that?


----------



## beckzg (Feb 12, 2020)

It's a special proxy so I've no choice, but with Linux this can be created easily. On each port there is a switch connected, except the first, which connects to the "main" network.


----------



## SirDice (Feb 12, 2020)

beckzg said:


> It's a special proxy so I've no choice


There's always a choice. You just haven't figured out what the alternatives are. What's so "special" about this proxy?



beckzg said:


> On each port there is a switch connected, except the first, which connects to the "main" network.


Because everything is on the same network this really doesn't matter, it's all the same network anyway. Regardless of the number of switches you used.


----------



## msplsh (Feb 12, 2020)

The way the question is phrased indicates you don't know or aren't sure why it's set up this way or how it "works" in Linux, particularly since it isn't working the way you want it to. So, you'll have to be more specific about your objectives instead of "why doesn't it work this way", because the answer is "you're not supposed to do that, so it doesn't."


----------



## beckzg (Feb 12, 2020)

Sorry, I didn't want to start a flame war; maybe this picture can make things clear. That's what I would like to do: if a packet is coming in through Switch01 then the reply should go out on ix0, if Switch02 then ix1, etc ...

On Linux with netplan this is easy to do, but we have everything in FreeBSD, so it would be nice if it worked.


----------



## SirDice (Feb 13, 2020)

Actually, on Linux you shouldn't do this either. It's not "easy" to make this work, you really have to screw around with basic networking functionality to get it working.

Your design is flawed from the start. All those 10.0.0.0/24 networks are the same, regardless of how you connected them to the proxy host. For the proxy functionality this isn't going to benefit you, it only makes things more difficult. So, why do you want to set it up like this? What is the point of splitting up those connections? If you're looking for load-balancing/bundling those ix0-ix3 interfaces you should use lagg(4) instead.

31.7. Link Aggregation and Failover


----------



## msplsh (Feb 13, 2020)

The problem is going to be getting data in reverse from the gateway.  10.0.0.10 is valid to show up on all four interfaces because of /24 and there's no way to know which one to send that packet out on when the "proxy" needs to talk back.  You may think "oh, well that IP should only show up on one interface/switch" but there's no way to guarantee that.  It would need to blast four redundant packets out.

Again, why would you do it this way?  What's the objective?


----------



## beckzg (Feb 21, 2020)

Just to answer my own question, the "trick" is PF reply-to (https://man.openbsd.org/pf.conf#reply-to):

```
pass in quick on ix1 reply-to ix1 keep state
pass in quick on ix2 reply-to ix2 keep state
```
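As an added example, not from the thread, the two rules above expanded into a complete /etc/pf.conf for the four-port host described earlier. It assumes ix0 is the uplink to the "main" network, ix1 to ix3 face Switch01 to Switch03, and a block-by-default policy; the interface names and 10.0.0.0/24 come from the thread.

```pf
# Added example (not the poster's own config): pin replies to the ingress port.
# Assumed layout: ix0 = uplink to the "main" network, ix1-ix3 = switch ports.
ext_if = "ix0"
lan    = "10.0.0.0/24"

set skip on lo0

# Default policy: drop and log anything no later rule passes.
block log all

# A flow that enters on a switch-facing port is answered on that same port.
# reply-to is stored in the state entry, so these rules must create state
# (keep state is pf's default on FreeBSD; written out here for clarity).
# No next-hop address is given because every peer is on-link in $lan.
pass in quick on ix1 inet from $lan reply-to ix1 keep state
pass in quick on ix2 inet from $lan reply-to ix2 keep state
pass in quick on ix3 inet from $lan reply-to ix3 keep state

# ix0 is the default interface, so flows entering there need no reply-to:
# the normal routing table already sends replies back out on ix0.
pass in quick on $ext_if inet from $lan keep state

# Connections the proxy host opens itself follow the routing table.
pass out quick inet keep state
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`; because reply-to is bound to the state, a flow keeps answering on the port its first packet entered, which is exactly the dependency on hosts staying behind one switch that msplsh raised above.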


----------



## msplsh (Feb 21, 2020)

good luck...


----------



## LVLouisCyphre (Feb 29, 2020)

It makes me wonder when posters here make things much more difficult than they are or need to be.


SirDice said:


> Your design is flawed from the start.
> ...
> If you're looking for load-balancing/bundling those ix0-ix3 interfaces you should use lagg(4) instead.


Exactly; lagg(4) is the solution. It makes me wonder if there's a WalMart in Budapest that started selling servers. Why does it need to go out on the same interface since it's going out into the same broadcast domain or subnet? If you're using lagg(4), it's going out through the same aggregated interface via lagg(4).


msplsh said:


> good luck...


Exactly, he doesn't know what he's doing.


----------



## gpw928 (Mar 1, 2020)

Hi Zoltan,

It's a well known axiom that the two things which remain irretrievable are time and a first impression.

Happily your experience is not typical.  This place is usually respectful and competent.  I hope you will find that if you give it some more time.


----------



## ShelLuser (Mar 1, 2020)

Not looking for any discussions here, but...



gpb said:


> And you can say the design is flawed, but you have no idea what the reason was for the architecture in the beginning.


That doesn't quite apply within this context. As soon as I read the OP's comment about those firewall rules I too came to the same conclusion as Louis did up there. As Scotty once said: "_You can't change the laws of physics_".

And there's nothing rude about being direct. Within the field of tech it's best to be direct and cut out all the unrelated fluffy talk so that you won't risk any misunderstandings. As always with these things: intent & perception. I don't believe anyone in this thread wrote what they did with the intent to be rude. Only to be direct and to the point, and for very good reasons too.

Yah, if your perception of that is different and you chose to assume that people just want to bully others without any further proof to back up those weird ideas.... then that's on you. Guess tech fora aren't for you then.

Just my 2 cents here.


----------



## LVLouisCyphre (Mar 1, 2020)

gpb said:


> What's the reason for making a comment such as this?  Does it make you feel superior?  Does it make you think you know more?


A vast majority of my IT professional career was spent cleaning up after messes by people who have no business being a net or sys admin. Some of the messes I've had to clean up were by managers who had no business being my manager, who took down servers and a majority of a large WAN. Office Space (1999) in some work environments, particularly government, is more of a documentary than a comedy. I kid you not.

Two axioms I've learned during my career are the following:

You can't fix stupid even with duct tape.
Stupid should hurt.

Reading posts such as this, which I know are blatantly wrong with respect to proper network design, makes me shake my head and fist at the screen.


gpb said:


> And you can say the design is flawed, but you have no idea what the reason was for the architecture in the beginning.  I work for a Fortune 400 company, and I can tell you that outside of there, many would say "WTF" when looking at how things are done.  It's how they've decided to do it, and have their reasons.


Which is why I asked. What is the reason for this bizarro world topology? Those of us here who are into designing it right the first damn time will be shaking our heads at this.


----------



## msplsh (Mar 2, 2020)

gpb said:


> What a very unwelcoming community ...  but you have no idea what the reason was for the architecture in the beginning



I counted at least three _nice_ "why are you doing this" questions in the thread before the comment you replied to.  The whole thread seemed nice until the original poster arrived at a solution that will fall down in the future and never answered the "why."  I can understand being angry because of having to clean up messes like this and having to explain to people that the network infrastructure somebody built for them only "worked" because of dumb luck.

This setup is going to "work" until it doesn't for a variety of reasons stated here.  If somebody comes back with why their "working" setup quit working, the answer is going to be "this never actually worked" but that will be "wrong" to them, because it did... until it didn't.  Then the community _would still be_ perceived as being unhelpful.

I don't know what you're supposed to do here. Even if they did supply the reasons, I suppose the "requirements" might be impossible anyway, so the answer might be "this will never work", which would be unsatisfactory.


----------



## scotia (Mar 3, 2020)

This looks a lot like MAC pinning to me.  Something I've seen in reverse proxies/accelerators as well as VMware ESXi (it's their cheap load-sharing solution).  It's certainly a valid solution for various use cases, but it seems like the short answer is "FreeBSD can't do this".  Unless there's a clever netgraph module for it.


----------



## msplsh (Mar 3, 2020)

I was thinking that would never work with WiFi without deep integration


----------

