Two different public IP for inbound/outbound traffic

Hello everybody,
I would like to ask how to configure two different public IP addresses for inbound/outbound traffic on my cloud server.
I use RHEL 8 and I have three network cards (ens32, ens33, ens34). Actually I use only ens32 with the main public IP, but I would like to use ens32 only for inbound traffic and ens33 for outgoing traffic.
How can I configure the system? Which is the best solution?

Thank you for your support, best regards!

Responses

Hi Vicenzo,

Are you building a software router or will you build a server?

For a server it might get complicated to keep the routing working.

Regards,

Jan Gerrit

Hi Jan, thank you for your reply. In my scenario I am building a server. Actually all inbound/outbound traffic passes through the ens32 card only. I would like to separate outbound traffic to use a second network card that's connected to another public IP.

Why do you feel it's necessary to have inbound traffic in one NIC, and outbound traffic out another NIC?

Whilst this probably can be done, it would be a very uncommon setup. This increases the potential for things to go wrong as nobody's probably testing that, few people will know the details of how to configure or troubleshoot it, probably many admins logging onto the system won't even know to look for it in the first place.

All that is a large system administration and support risk, which increases potential cost to your organisation. Cost in time to implement and use such a solution, and in the event something goes wrong, cost in downtime figuring out and fixing the complex one-off unique solution.

Probably your best option is to configure a load-balancing bond or team - Bonding Mode 2 or 4, or team runner loadbalance or lacp - and put all the system's IPs on that interface. These link aggregation methods require similar support on the switch as well.

That will provide you the potential performance of both links, redundancy in the event of one link failure, and is a much simpler and more common setup so reduces complexity and admin/support cost.
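As an added example (not code from the thread or from Red Hat), here is how the bond recommended above can be built on RHEL 8 with nmcli: an 802.3ad (LACP, "mode 4") bond over ens32 and ens33 with the server's public IP on the bond rather than on the individual ports. The address, gateway and DNS values are constructed placeholders from a documentation range, and the `NMCLI` variable is an assumption added so the script can be dry-run with `NMCLI=echo` before touching a live system.

```bash
#!/bin/bash
# Added example: build an LACP (mode 4 / 802.3ad) bond on RHEL 8 with nmcli
# and put the server's public IP on it. The switch ports must be configured
# for LACP as well. Addresses are constructed placeholders; adjust before use.
NMCLI="${NMCLI:-nmcli}"   # set NMCLI=echo for a dry run (assumption, not an nmcli feature)

BOND="bond0"
PORTS="ens32 ens33"
ADDR="192.0.2.10/24"
GW="192.0.2.1"
DNS="192.0.2.53"

build_bond() {
    # Bond master: 802.3ad (LACP), link monitoring every 100 ms.
    $NMCLI connection add type bond con-name "$BOND" ifname "$BOND" \
        bond.options "mode=802.3ad,miimon=100" || return 1
    # Attach each physical NIC as a port of the bond.
    local port
    for port in $PORTS; do
        $NMCLI connection add type ethernet slave-type bond \
            con-name "${BOND}-${port}" ifname "$port" master "$BOND" || return 1
    done
    # Static addressing lives on the bond connection, not on the ports.
    $NMCLI connection modify "$BOND" ipv4.method manual \
        ipv4.addresses "$ADDR" ipv4.gateway "$GW" ipv4.dns "$DNS" || return 1
    $NMCLI connection up "$BOND" || return 1
}

# Usage: ./bond.sh apply   (or: NMCLI=echo ./bond.sh apply for a dry run)
if [ "$#" -ge 1 ] && [ "$1" = "apply" ]; then
    build_bond
fi
```

Run it once with `NMCLI=echo ./bond.sh apply` to review the exact nmcli commands, then for real. For mode 2 (balance-xor) the only change is `mode=balance-xor` in `bond.options`; either way the switch side must be configured to match, as the post notes.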

Hi Vicenzo,

Like Jamie stated, if you want to use the other NICs, go for bonding or teaming.

Another option is a setup with different network functions, where each card is put in a different ip-range/network segment, I would advise to consult a network engineer in your company to help with this:

1) Application traffic: ens32
2) System management traffic: ens33
3) Backup traffic: ens34

Be aware this option with separate traffic only works if the sources/destinations of system management and backup are on dedicated ip-ranges.

Regards,

Jan Gerrit

Hi guys,

I'm sorry for the delay, I never received e-mail for this post's updates! Thank you for your replies.

According to your answers, would it be better to use a single network card (ens32) for all traffic? If I wanted to use the second IP address only for outgoing connections, what would be the best solution? The ens32 network card is already connected to my primary IP address.

Thank you, best regards!

Vincenzo,

I think what you're trying to say is that you want traffic that originates on the server to use one interface (ens32) and you want traffic destined for the server to use a different interface. If that is correct, then you should be ok because by default, traffic will use the primary interface.

Then for things that have inbound traffic, you should specify the secondary interface or IP as the listening interface or address for your applications. The traffic that originates through that interface should be returned through that interface.

You could then supplement this with firewalld and ensure that there is no new traffic coming in to the primary interface, only traffic related to that which has originated through the primary interface.

Hopefully my slightly different perspective helps; otherwise I agree with everyone else - it will be a difficult path to walk to handle horseshoe routing like you may mean.

To change the source IP of outbound traffic, you can do something like:

If you don't have a floating/moving/virtual IP then you could automate the route change with a NetworkManager dispatcher script if using NM, or ifup-local if using the network service.

That's possibly venturing into "obscure configuration" territory.

If you have just one primary application whose traffic you want to use the secondary IP, then contact the support of that application. The app should be able to bind to the secondary IP address and so send the application traffic outbound with the secondary IP as the source IP.
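As an added example (not the poster's own commands, which are not reproduced on the page), here is what the "route change automated with a NetworkManager dispatcher script" could look like on RHEL 8. It goes slightly beyond the post: besides pointing the default route out ens33 with ens33's address as the preferred source, it adds a policy-routing rule so that replies to connections that arrived on ens32 leave through ens32's gateway instead of following the new default route, which is the part that makes the "inbound on one NIC, outbound on the other" layout actually work. All interface addresses and gateways are constructed placeholders from documentation ranges; the `IP_CMD` variable is an assumption added for dry runs.

```bash
#!/bin/bash
# Added example: NetworkManager dispatcher script for RHEL 8 that sends new
# outbound connections via the secondary NIC while replies to inbound
# connections keep leaving via the NIC they arrived on.
# Install as /etc/NetworkManager/dispatcher.d/50-outbound-via-ens33 (mode 0755).
# NetworkManager invokes it as: <script> <interface> <action>  (e.g. ens33 up)
# All addresses below are constructed placeholders; adjust before use.

IN_IF="ens32";  IN_IP="192.0.2.10";    IN_GW="192.0.2.1"      # inbound NIC (primary IP)
OUT_IF="ens33"; OUT_IP="203.0.113.10"; OUT_GW="203.0.113.1"   # outbound NIC (secondary IP)
RT_TABLE=100                   # policy-routing table holding the inbound NIC's return path
IP_CMD="${IP_CMD:-ip}"         # set IP_CMD=echo for a dry run (assumption, not an ip(8) feature)

# Apply the routing for one interface/action pair.
apply_routing() {
    local iface="$1" action="$2"
    case "$iface:$action" in
        "$OUT_IF:up")
            # New connections from this host go out the secondary NIC, using its
            # address as the preferred source ("src") of the default route.
            $IP_CMD route replace default via "$OUT_GW" dev "$OUT_IF" src "$OUT_IP"
            ;;
        "$IN_IF:up")
            # Packets sourced from the inbound NIC's IP (replies to inbound
            # connections) must go back through that NIC's own gateway; without
            # this rule they would follow the default route out ens33.
            $IP_CMD route replace default via "$IN_GW" dev "$IN_IF" table "$RT_TABLE"
            $IP_CMD rule show | grep -q "from $IN_IP lookup $RT_TABLE" ||
                $IP_CMD rule add from "$IN_IP" table "$RT_TABLE" priority 100
            ;;
        "$IN_IF:down")
            # Remove the rule again so a stale table is not consulted.
            $IP_CMD rule del from "$IN_IP" table "$RT_TABLE" priority 100 2>/dev/null || true
            ;;
        *)
            return 0   # other interfaces or actions: nothing to do
            ;;
    esac
}

# Only act when called with NetworkManager's two arguments; the function can
# otherwise be sourced and dry-run (IP_CMD=echo).
if [ "$#" -ge 2 ]; then
    apply_routing "$1" "$2"
fi
```

Check the result with `ip route show` and `ip rule show` after bringing the interfaces up, and verify with `ip route get <remote-ip>` (default path, should show ens33) versus `ip route get <remote-ip> from 192.0.2.10` (reply path, should show ens32). The `from` rule is also what lets inbound packets on ens32 pass the strict reverse-path filter (`rp_filter=1`) that RHEL enables by default, since the kernel's reverse lookup uses the local address as source and therefore hits table 100.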

Hi guys, thank you to everyone for your replies. Maybe my request is venturing into "obscure configuration" territory, just like Jamie said.

After reading your feedback, I think the best solution is to use a "standard configuration" without too much complexity.

Thanks for the ideas!