On Fri, Mar 11, 2005 at 02:26:18PM -0800, Aaron O'Hara wrote:
> I have my firewall connected to my cable modem with a single NIC.
> (I have another NIC for my LAN). My public NIC is set to DHCP an
> address from my ISP.
>
> Is it possible with Fedora to set up multiple virtual adapters that have
> unique MAC addresses (that I generate) that all DHCP an address from my
> ISP? This way, I'd have multiple public IPs bound to one physical
> adapter.
>
> Of course I'm going to want to firewall all the virtual adapters as
> well.
>
> The end goal is to have multiple SSL-enabled sites (which need to have
> their own IP).

To save time, I'm placing a copy of my conclusion at the top of my reply also.

My recommendation: consider buying more NICs -- preferably with more than a single port on each. That way:

-- You will be assured of getting it working, which is not otherwise a foregone conclusion.
-- What you want to do will be supported "out-of-the-box".
-- You won't have to spend hours and hours in the attempt.
-- You won't have a hassle every time you upgrade.

The details:

A couple of years ago I had the same situation as you. My ISP (charter.net for cable modem service) offered a package with five "static" IPs, but the catch was that the "static" addresses had to be dynamically assigned via DHCP (from pre-configured fixed addresses). The ISP apparently expected the customer to be attaching five separate computers.

My ultimate solution was to buy a couple of dual-port NICs so that I actually did have five separate NICs pointing to the outside.

I attempted to do everything from a single NIC with multiple IP addresses. I was ultimately foiled because:

1. The MAC address is associated with the NIC itself. You can't have a separate MAC address used for each assigned IP address.

2. The ISP refused to let me bypass DHCP MAC address recognition, which I could have done using DHCP's option "dhcp-client-identifier".

The client identifier lets the DHCP server base decisions on something other than the client's MAC address. If the ISP had allowed me to use dhcp-client-identifier, then I think things would have worked with one NIC. (The ISP used some kind of MAC-based activated by successful DHCP handshaking. I don't think that would have interfered with this approach.)

Example of a DHCP config that allows use of "dhcp-client-identifier":

In client file /etc/dhclient-eth0.conf, one could have:

    interface "eth0" {
        # The uniqueness of the client-identifier could be assured by
        # basing it on the underlying MAC address, if desired.
        # This identifier must match the one in the server's host entry.
        send dhcp-client-identifier "00:00:40:86:93:5c-whatever";
    }

The corresponding entry in the server /etc/dhcpd.conf would be:

    host some.name {
        # An alternate address for this system when it is booted under Linux.
        fixed-address 1.2.3.4;
        # Match on the client identifier instead of the hardware address.
        # hardware ethernet 00:00:40:86:93:5c;
        option dhcp-client-identifier "00:00:40:86:93:5c-whatever";
    }

3. I did this with Red Hat Linux 9. The RHL 9 version of /sbin/dhclient-script only supported a single address per NIC. I see that the corresponding FC3 script is much different, but I don't know whether or not it would allow multiple addresses for a single NIC.

I rewrote the RHL 9 /sbin/dhclient-script to:

1. Use the iproute package's "ip" command instead of the "ifconfig" compatibility commands. That put things closer to the metal, avoiding the semi-artificial concept of NIC aliases.

2. Support multiple addresses per NIC.

My recommendation: consider buying more NICs -- preferably with more than a single port on each. That way:

-- What you want to do will be supported "out-of-the-box".
-- You won't have to spend countless hours getting it working.
-- You won't have a hassle every time you upgrade.

By the way, the same ISP is smarter now. Their five-static-IP package now provides five truly static (no DHCP) IPs, which works fine with just a single NIC.
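An added example, not part of the e-mail above, showing on the wire what the reply's dhclient-client-identifier point comes down to: DHCP option 61 (RFC 2132 s9.14) rides in the DHCPDISCOVER alongside the hardware address in chaddr, and a server that keys its reservations on option 61 can hand out several fixed addresses to requests that all carry the same NIC MAC, while a server keyed on the MAC alone cannot tell them apart. The code builds minimal DHCPDISCOVER messages (RFC 2131 layout) and runs them through a toy reservation table; that table is a model of the idea, not ISC dhcpd's matching logic. The MAC 00:00:40:86:93:5c and the 1.2.3.x addresses are the ones in the e-mail; the "-1", "-2", "-3" suffixes and the specific address assignments are constructed for the example.

```python
"""DHCP option 61 (client identifier) versus the hardware address as a lease key.

Added example, not code from the original e-mail. Builds minimal DHCPDISCOVER
messages and keys a toy reservation table on option 61 when present and on
htype + chaddr (the MAC) otherwise. MAC and 1.2.3.x values come from the
e-mail; the "-n" suffixes and which id gets which address are made up here.
"""
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
DHCPDISCOVER = 1
HTYPE_ETHERNET = 1
OPT_END = 0xFF


def mac_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def client_id_option(ident: str, hardware: bool = False) -> bytes:
    """Encode option 61: code, length, then a type byte plus identifier.
    RFC 2132 s9.14: type 1 = the bytes are an Ethernet address (this is what
    a client that just wraps its own MAC sends); type 0 = opaque identifier."""
    data = (b"\x01" + mac_bytes(ident)) if hardware else (b"\x00" + ident.encode())
    if len(data) > 255:
        raise ValueError("client identifier too long for one option")
    return bytes([OPT_CLIENT_ID, len(data)]) + data


def build_discover(xid: int, chaddr: str, client_id: Optional[bytes] = None) -> bytes:
    """Fixed 236-byte BOOTP header, magic cookie, then options (no padding)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, HTYPE_ETHERNET, 6, 0,                      # op=BOOTREQUEST, htype, hlen, hops
        xid, 0, 0x8000,                               # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac_bytes(chaddr).ljust(16, b"\0"),           # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,                      # sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER]) + (client_id or b"") + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_options(msg: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; stop at END, skip PAD."""
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = msg[i + 1]
        opts[code] = msg[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def lease_key(msg: bytes) -> bytes:
    """Key a server uses for a reservation: option 61 if the client sent one,
    otherwise htype + chaddr. Without option 61 every request from one NIC
    collapses onto the same key, which is the ISP's MAC recognition."""
    opts = parse_options(msg)
    if OPT_CLIENT_ID in opts:
        return opts[OPT_CLIENT_ID]
    htype, hlen = msg[1], msg[2]
    return bytes([htype]) + msg[28 : 28 + hlen]


class ReservationTable:
    """Toy stand-in for dhcpd.conf 'host' blocks carrying fixed-address."""

    def __init__(self) -> None:
        self.fixed: Dict[bytes, str] = {}

    def reserve_client_id(self, ident: str, ip: str) -> None:
        self.fixed[b"\x00" + ident.encode()] = ip        # option dhcp-client-identifier "..."

    def reserve_mac(self, mac: str, ip: str) -> None:
        self.fixed[bytes([HTYPE_ETHERNET]) + mac_bytes(mac)] = ip   # hardware ethernet ...

    def offer(self, msg: bytes) -> Optional[str]:
        return self.fixed.get(lease_key(msg))


def offers_for(nic_mac: str, idents: List[str], table: ReservationTable) -> List[Optional[str]]:
    """One DISCOVER per identifier, all sent from the same physical NIC."""
    return [table.offer(build_discover(0x1000 + n, nic_mac, client_id_option(ident)))
            for n, ident in enumerate(idents)]


if __name__ == "__main__":
    nic = "00:00:40:86:93:5c"
    table = ReservationTable()
    table.reserve_mac(nic, "1.2.3.4")
    for n in (1, 2, 3):
        table.reserve_client_id(f"{nic}-{n}", f"1.2.3.{4 + n}")
    print(offers_for(nic, [f"{nic}-{n}" for n in (1, 2, 3)], table))
    print(table.offer(build_discover(0x2000, nic)))   # no option 61: falls back to the MAC
```

With option 61 the three DISCOVERs from the same NIC receive 1.2.3.5, 1.2.3.6 and 1.2.3.7; without it they share one lease key and all resolve to the MAC-keyed 1.2.3.4. A server that ignores option 61, as the ISP in the reply effectively did, behaves as if the option were never sent, so the fallback branch of lease_key is the only one that matters there.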