MP 6,1 Using the Two Ethernet Ports (resolved)

[nollimac]

So, I have two networks in my home office, one regular and the other a private cloud.
I would like to use the Mac Pro as a bridge access to both networks simultaneously, yet keep them separate.

How to set both Ethernet with the same priority service order? Each network will have it's own DNS.

 

[Silencio]

One interface has to be a higher "priority" than the other, but in practical terms, it doesn't make any difference. You won't get slower network performance on one network if the other one is set higher in the list of preferred interfaces.

 

[flat4]

I think he/she means that they only want certain applications to use certain networks.

 

[nollimac]

One interface has to be a higher "priority" than the other, but in practical terms, it doesn't make any difference. You won't get slower network performance on one network if the other one is set higher in the list of preferred interfaces.

I know with the WiFi won't work if ether1 service order to number 1 in priority; so, I wondered whether this is the same with ether2...that would be a bummer.

 

[nollimac]

I think he/she means that they only want certain applications to use certain networks.

Basically, it's just two apps, MacOS server - ether1 and Firefox (to check Proxmox, VM, etc) ether 2 simultaneously.

 

[Macschrauber]

Basically, it's just two apps, MacOS server - ether1 and Firefox (to check Proxmox, VM, etc) ether 2 simultaneously.

You could run an OS in a virtual machine for those and assign one Ethernet port to it.

 

[bookemdano]

I know with the WiFi won't work if ether1 service order to number 1 in priority; so, I wondered whether this is the same with ether2...that would be a bummer.

Well depending on your exact config (I assume your private cloud devices are on the same LAN as your Mac Pro?), what you may want to do is manually set an IP on your internal ethernet interface that is on the same network as your private cloud stuff and then do not set a default gateway on that interface. You can still use DNS if you want to resolve internal host names rather than using IP addresses. Then set that ethernet connection as first priority. Your other ethernet interface (or WiFi, whichever you wish to use) would be set up normally with DHCP and a default gateway to connect you to the internet. That should work--give it a try.

 

[nollimac]

Folks, this primitive drawing diagram is what I am aiming for with Ether1 and Ether2 each have their own default gateway and DNS. I will need to wait for a new modem to arrived, hopefully next week, because I tried yesterday giving Ether2 a manual IP with DCHP which stated connected but didn't get default gateway nor DNS. That's because the private cloud interface was down as there was no Internet. Note that both networks are at the same location.

 

[flat4]

That's a lot devices on the left side.
This can be done but I have not done it myself, and it requires modifying config files using text editors.
What needs to happen you will have to tell each application what interface it will need to use. At work (windows) we had this exact issue. Device is connected to separate networks and the application was using both and when it picked the incorrect one the task would fail. One the .ini was configured to only let the application used that one interface it worked like a charm.

I'm sure someone with more unix/linux experience can tell you how to accomplish this.

 

[bookemdano]

OK firstly, just saying but this is not really a Mac Pro issue. The setup you are aiming for could be achieved with any computer running macOS and any two network connections--be they ethernet, WiFi, bluetooth, VPNs, etc. So you might get a better response by posting your query here, which is the forum meant for networking questions.

But here is my advice anyway. I assume that you are communicating with everything on the right-side of your diagram via IP addresses on that 10.2.2.x LAN (i.e. all of those containers also have 10.2.2.x IPs). If this is the case then you should not set a default gateway on your Mac Pro for Ethernet 2 (however, those containers should be set up with a default gateway since they connect to the internet). Without a default gateway, macOS will treat that as a local only interface, which I believe is what you are wanting. You can still use a DNS server on that interface if you want to, but you must ensure that that it is translating to the internal IPs, not external IPs. You haven't detailed how you are accessing your private cloud--do you have a publicly routable domain name you are trying to use? If you need to use the same domain name internally and externally then you can set up what's called Split DNS. Alternately, in lieu of an internal DNS server you can just set up the hosts file on your Mac Pro to manually resolve whatever hostnames to the internal IPs.

Anyway, you should then set Ethernet 2 as the higher priority network. Any requests that resolve to IPs on 10.1.2.x or any other local or non-local subnet should be automatically sent to Ethernet 1 and out to its default gateway.

Setting this up "right" is non-trivial and involves a lot of planning and configuration--especially when DNS is involved.

I really do think you'd get a better response if you ask in the other forum. This forum is more meant for issues specific to the Mac Pro (which this question is not).

 

[nollimac]

Well, folks, I am on the right track...found this confirmation from here:

"This is just a simple example of how a Mac Pro can bridge two networks and provide simultaneous services.

 

[nollimac]

Just to follow up, New modem came and both networks connect simultaneously...tested with Firefox, one tab opens a website on the network on the left (see diagram above) and the next tab connects to Proxmox on the network on the right flawlessly. No modifying code or any extra step...it just worked.

 

[svenmany]

Well, folks, I am on the right track...found this confirmation from here:

"This is just a simple example of how a Mac Pro can bridge two networks and provide simultaneous services.

In that link, all the figures seem to be missing.

I've been tracking this thread, eagerly hoping to learn something. Now that the thread has kind of wrapped up, I'm just left confused.

My main confusion is that there seems to be the suggestion that having a different DNS specified per interface is somehow relevant for name to IP address resolution. Until a name is resolved, it's unknown which interface will be used. I believe that only the DNS server(s) specified on the highest priority service is ever used (not sure about reverse DNS lookups).

Installing your own DNS server (on the Mac or elsewhere) seems to be the only way to get name resolution for both the public names on Ethernet 1 and the private names on Ethernet 2 (other than using entries for the private names in the /etc/hosts file). But, I don't see how a split DNS can help since that approach uses some origination information to determine which dns configuration to choose. But traffic is all coming from the same machine (using Firefox). So, there's no way for the DNS server to determine which namespace to use.

The solution that I've use has been to install a caching DNS server. It has the private names in its configuration and a rule to delegate all unknown names to a public DNS server. I've done this many times in the past (on Linux).

As far is IP routing is concerned, the service order only serves to manipulate the routing table. You can have a default gateway on both interfaces, only the highest priority's service will have its default route being used.

If I put my Ethernet service before the WiFi one I see

user@host ~ % netstat -rn -f inet
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 10.27.80.1 UGScg en8
default 192.168.0.1 UGScIg en0
10.27.80/24 link#17 UCS en8 !
10.27.80.1/32 link#17 UCS en8 !

en8 is my Ethernet interface and en0 is my WiFi one. If reverse it, I see

user@host ~ % netstat -rn -f inet
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en0
default 10.27.80.1 UGScIg en8
10.27.80/24 link#17 UCS en8 !
10.27.80.1/32 link#17 UCS en8 !

My understanding is that the default route with the "I" will only be used if it's known that en8 is the correct interface to use.

If Ethernet 2 has a small collection of known networks (perhaps all 10.2.*), then Ethernet 2 should definitely not be earliest in the service order. There's no relevance to its default route. A default route is only relevant when an IP address' location is unknown; it's the responsibility of that route's gateway to figure it out. But the location of 10.2.* is completely known - it's probably all link-local (reachable without routing). Even if the Ethernet 2's network is more sophisticated, it probably has just known networks where explicit routes can be set up.

Given all that, I'm left wondering how this was all resolved by reading that linked article. Maybe I just need to see the missing pictures.

 

[nollimac]

Installing your own DNS server (on the Mac or elsewhere) seems to be the only way to get name resolution for both the public names on Ethernet 1 and the private names on Ethernet 2

Thanks for asking...that's it...I am using pfSense and Mikrotik's built-in DNS server for Ethernet 1 and pfSense (different and separate from 1) for Ethernet 2 via Proxmox and pfSense VM...they both work simultaneously.

 

[svenmany]

Thanks for asking...that's it...I am using pfSense and Mikrotik's built-in DNS server for Ethernet 1 and pfSense (different and separate from 1) for Ethernet 2 via Proxmox and pfSense VM...they both work simultaneously.

I'm am very, very interested in how that works.

If you attempt name resolution for xyz.com, how does your Mac choose which DNS server to use? The DNS query, since it hasn't yet resolved the IP address, doesn't know which interface will be used to reach that address. How does it choose the appropriate DNS server? Does it try both? Is there something on the Mac which tries all DNS servers, across all interfaces simultaneously and then chooses the first successful answer?

 

[nollimac]

Does it try both?

No...it uses the one to which network it is attaches to...for example, if I open Firefox, and go to apple.com, it will use Ethernet 1 because that network has the highest priority. If I open another tab with Proxmox's address, it knows that's the other network on Ethernet 2. If I open another tab for Google, it will use Ethernet 1. Ethernet 2 DNS won't happen until I launch pfSense VM on Procmox and once up, if I make a DNS request, while in that network, that's when it get resolved. So, If I am on pfSense webGUI and click on a feed link, that will opens another tab on Firefox but use Ethernet 2 DNS to resolve the link's IP.

 

[svenmany]

No...it uses the one to which network it is attaches to...for example, if I open Firefox, and go to apple.com, it will use Ethernet 1 because that network has the highest priority. If I open another tab with Proxmox's address, it knows that's the other network on Ethernet 2. If I open another tab for Google, it will use Ethernet 1. Ethernet 2 DNS won't happen until I launch pfSense VM on Procmox and once up, if I make a DNS request, while in that network, that's when it get resolved. So, If I am on pfSense webGUI and click on a feed link, that will opens another tab on Firefox but use Ethernet 2 DNS to resolve the link's IP.

Thanks

I think I'm going to stay confused. Following a link in Firefox is roughly equivalent to entering that link by yourself into the URL bar of a new tab. "if I make a DNS request, while in that network" - that's the part I don't understand. I don't know what it means to be "in that network". Maybe it's something about some pfSense network architecture that is present on your Mac. I'm completely unfamiliar with that software.

No worries. I'm happy your situation is resolved.

 

[nollimac]

"if I make a DNS request, while in that network" - that's the part I don't understand. I don't know what it means to be "in that network"

Ethernet 1 network is 10.0.8.0/24 with DNS-10.0.8.1 and Ethernet 2 network is 10.8.27.0/24 with DNS-10.8.27.1
So, basic networking, if one is on network 10.8.27.0/24, there is no way DNS 10.0.8.1 would respond to a DNS request from 10.8.27.0/24 network, but an external DNS like Google (8.8.8.8) would if and only if configured to do so.

In my case, there are no EXTERNAL DNS...only internal DNS and only to each network's DNS server.

 

[Nermal]

In that link, all the figures seem to be missing.

The Wayback Machine has them.

 

[TzunamiOSX]

Nothing for you, but this is the normal way to use th two ports:

How to Set Up Ethernet Link Aggregation on Your Mac

Instructions on how to set up Ethernet link aggregation on your Mac.

www.iclarified.com

The switch need to support link aggregation

 

[svenmany]

Ethernet 1 network is 10.0.8.0/24 with DNS-10.0.8.1 and Ethernet 2 network is 10.8.27.0/24 with DNS-10.8.27.1
So, basic networking, if one is on network 10.8.27.0/24, there is no way DNS 10.0.8.1 would respond to a DNS request from 10.8.27.0/24 network, but an external DNS like Google (8.8.8.8) would if and only if configured to do so.

In my case, there are no EXTERNAL DNS...only internal DNS and only to each network's DNS server.

I'm feeling guilty. I often use these forums to learn things - you should see how demanding I was on a recent thread about a Belkin hub. @joevt was amazingly tolerant and offered a wealth of knowledge (I hang on every word). So, don't feel you have to educate me, but I'll throw out a few questions (guesses actually) in case you are up for answering.

This is what I understood:

You are running Firefox on the Mac Pro, outside of any virtual machine. You are entering a domain name (not IP address), either by typing it directly in the URL bar or by following a link on some page. You are then expecting that the entered domain name guides the selection of the DNS server used for address resolution. Is that right?

Perhaps you expect that a page delivered to your browser over a particular network interface guides Firefox or the Mac to interpret links in that page in some way to "stick" to that same network interface for DNS server selection and address resolution. Is that right?

if I make a DNS request, while in that network

Perhaps you are saying that you're running Firefox from inside some "Proxmox VM". Is that right?

Am I missing some complexity in your setup?

As an aside, I have tons of experience (going on 30 years) in networking, virtual machines, routers, switches, DNS server configuration, etc, in corporate and personal settings. I often have multiple interfaces up, have a couple of VLANs on my managed switch, have multiple isolated LAN segments, etc, etc, etc. So, you won't need to explain any basic networking to me. Also, I've reviewed the wayback version of the page that you referenced (thanks @Nermal). It doesn't discuss DNS at all and that is my only confusion.

 

[nollimac]

You are running Firefox on the Mac Pro, outside of any virtual machine. You are entering a domain name (not IP address), either by typing it directly in the URL bar or by following a link on some page. You are then expecting that the entered domain name guides the selection of the DNS server used for address resolution. Is that right?

No...entered the IP address, despite Proxmox have a hostname. That's because DNS isn't available until the pfSense VM boots. Note that Proxmox isn't on the Mac Pro; it's on a Dell Precision 3630MT...please refer to the primitive diagram above.

Perhaps you expect that a page delivered to your browser over a particular network interface guides Firefox or the Mac to interpret links in that page in some way to "stick" to that same network interface for DNS server selection and address resolution. Is that right?

Yes...the Mac Pro is just been used as a bridge access to two separate networks.

thanksPerhaps you are saying that you're running Firefox from inside some "Proxmox VM". Is that right?

No...that would not make the Mac Pro a bridge between two networks. Firefox is on the Mac Pro.

Am I missing some complexity in your setup?

It's really not that complex...I just wanted to use one browser on a Mac Pro to access the web on one network and Proxmox, pfSense VM, FreePBX as well as phone, or the web, on the other network. It would work the same on any computer with two NIC and used as a bridge to access two networks.

 

[svenmany]

No...entered the IP address, despite Proxmox have a hostname. That's because DNS isn't available until the pfSense VM boots. Note that Proxmox isn't on the Mac Pro; it's on a Dell Precision 3630MT...please refer to the primitive diagram above.

Yes...the Mac Pro is just been used as a bridge access to two separate networks.


No...that would not make the Mac Pro a bridge between two networks. Firefox is on the Mac Pro.

It's really not that complex...I just wanted to use one browser on a Mac Pro to access the web on one network and Proxmox, pfSense VM, FreePBX as well as phone, or the web, on the other network. It would work the same on any computer with two NIC and used as a bridge to access two networks.

Thanks so much for answering.

You answered yes to my question of whether a link on a page, which was delivered over a particular network interface, is handled by the browser in some special way, in that it is biased towards that interface for the DNS resolution of the link. I'm going to research this. As an application/web developer and part-time network administrator, I've not seen such a thing. But, I trust your judgement and will give it some due diligence. Quite often I just forget things. It can be quite embarrassing.

Till this point, my understanding of browser/OS handling of links (whether they are typed in or clicked on some page from any random place) follows these steps.

1 - The browser delegates to some DNS server to figure out the IP address. How it does that varies by browser. I've seen (I think it was in Chrome) a setting where you tell it to use its own secure DNS as part of that process. In any case, that lookup doesn't know which interface will ultimately handle the resolved IP address, since only the routing table can answer that, and only after the IP address is known.

2 - once the IP address is known, the interface is chosen. The request goes out to that interface, which could be a different one that the one which delivered the page with the link.

Thanks again for your time. I'll pursue this on my own and leave you alone.

 

[nollimac]

I've seen (I think it was in Chrome) a setting where you tell it to use its own secure DNS as part of that process

Most browsers are doing this now, and it can be a headache for network administrating...some, like Firefox, even makes turning off this feature a great hassle (if one doesn't know)...not sure whether Safari has jumped on this band wagon yet. I still keep Safari as my default browser yet rarely use it. I am a Netscape fan and Firefox is the closest match.

Got into network administrating in 2007 as a hobby when I purchased a Mikrotik RB450G...then, later pfSense...learned so much and still learning...control of DNS is the key.

 

[svenmany]

Got into network administrating in 2007 as a hobby when I purchased a Mikrotik RB450G...then, later pfSense...learned so much and still learning...control of DNS is the key.

Nice!

I'm going to try to run my experiments on Monday, since it's a holiday. A roofer will be tearing off my existing roof, so we'll see if I can concentrate.

I realize now that I really don't understand how it works on the Mac. For systemd, there are good references:

https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

https://www.freedesktop.org/software/systemd/man/systemd.network.html#

For systemd, unless special steps are taken, DNS servers from all interfaces are queried and the first response used. The special steps are to specify the domains that each interface's DNS server handles. You can also specify whether an interface is a DNSDefaultRoute. Of course, using global DNS servers are much simpler.

On MacOS, the only thing I know about is the "Search Domains" field on the network service entry. But, I understood that to be something quite different - nothing to do with DNS routing. The screenshots you provided didn't show if you specified values there.

But, your assertion is that the browser is involved in DNS routing and the interface that delivered the page with the link is input to the browser's DNS routing decision. That's the main thing that I'll be testing.