
MacPro - dual ethernet, two different subnets?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by bombardier.v2, Jun 28, 2012.

  1. macrumors member

    I have a client who wants me to set some networking bits and pieces up for him. He currently runs Rumpus as an FTP server on his own, local MacPro that has dual ethernet adaptors, has a BT Business Hub Router that connects to a Netgear switch, and then 6 macs and a ReadyNAS connect to that switch.

    In the new office he's moving to he is having two ADSL lines installed. My initial thought was to put each router on a different subnet (so 192.168.0.x and 192.168.1.x), have one router connected to one ethernet port that would be used purely to serve his Mac internet and run his FTP server from, the other port connected to the switch so that he can use the NAS and see the other Macs.

    One factor that needs to be considered is that his other Macs need to be able to copy to the FTP. I could probably achieve this with an external IP but I want to do it locally.

    Is that all possible/realistic, and would there be problems with internet given that his Mac will be able to get a connection from both router one, and router two via the switch? Should both routers be plugged into the switch? You know when you've been thinking about something so much it starts to get confusing?!

    Have I missed something blindingly obvious?
  2. macrumors 603


    I'm no networking expert, but it sounds ok to me.

    You shouldn't have problems with the two internet connections, he should see 2 Ethernet services in his Network preferences pane and can set the order so his Mac will use the router he chooses (and fall back on the other router if the first choice isn't available).

    And if the other Macs are on the network connected to the other port, they should be able to access the FTP server via a private IP address no problem.
  3. macrumors 65816

    Is the switch a managed switch? i.e. Cisco switch that you can assign VLANs to ports? Is it just a "dumb" switch?

    If it's a dumb switch, even if both routers are plugged into it and the Mac has both ethernet cables plugged into it your other devices will not be able to access each other unless there is a router. Let me rephrase that, your LAN devices will not be able to access the FTP via the switch.

    Here's a tutorial where you can share both networks via your Mac that has the two ethernet cables - simply replace wireless with ethernet2:

    This will work if you DO NOT plug both ethernet cables into the same switch. (technically you can, but you will/can cause problems.) K.I.S.S

    If you are using a managed switch:

    Put ports 1&2 into VLAN2, plug your modem for the FTP into port one and plug Eth2 into port 2.

    Put all other ports into VLAN3: plug everything else in.

    Enable IP Routing, if you are using an IOS that supports that feature. Enable RIPv2 routing protocol and advertise your two networks. You can get even "fancier" but there wouldn't be a need to go that far.
  4. macrumors 601

    I was with you up until here. From the description the OP gave, I don't see any reason why the two subnets need to communicate with each other. If they did, I certainly wouldn't choose RIP; if the switch supports IP routing, you could use OSPF or EIGRP which are better overall. In this case, it's so small a static route on the router would work just fine.

    If the Mac is plugged into both subnets, then there's no need to enable IP routing.
  5. macrumors 65816

    The OP stated that he would like for the other LAN devices to access the FTP server. They will not be able to unless something does the routing. I gave him two options around it. His LAN devices would have to access the FTP via the internet versus his LAN.

    A static route could be used; you would actually need two static routes. For such a small network, the OP would not see a difference in performance between RIPv2, OSPF and EIGRP. OSPF and EIGRP benefit much larger networks.
  6. macrumors 601

    If the Mac is plugged into both subnets, there's no routing required. The machines can use the local address of the Mac.

    If the Mac is only plugged into one subnet, then routing is required. RIP is just too noisy and old to be deploying it this day and age (my opinion of course).
  7. devilofspades, Jun 29, 2012
    Last edited: Jun 29, 2012

    macrumors member

    i will try and give as brief of a detailed explanation as possible. first there really is no need to use both nics on the mac pro, but for now i will digress. connecting the 6 macs to the mac pro as well as using it for an external ftp server isn't a problem. you just need to make sure the ftp service is using the ip on the mac pro that is on the same subnet as the rest of the macs. so if the mac pro had an ip for each nic (which again, you only need to use one nic), let's say & the ftp program needs to be configured to use both ip addresses to listen for ftp (tcp port 21) traffic. the next step is connecting to the internet. you can only use one internet connection at a time, so you would need to set your default route ( to whichever connection you feel like using for the mac pro. let's just say the router is by default when you set the second ip as, which is the same subnet as the rest of the macs, the mac pro will already have a route in its route table for that "local" subnet. anything "off-net" or in other words anything not a part of either the subnet or the subnet needs to be directed out to the interwebs. you could simply just set the default gateway on the first nic to and not set a default gateway at all on the second nic and you would be done. the 6 macs can have their default gateways set to and they would use the second dsl connection to get to the internet. this could all be done with everything plugged into the same switch with no vlans since all the traffic is going over ip which is a layer 3 protocol. if you want to use dhcp or any layer 2 broadcast services like bonjour, then you need to segregate your networks with vlans or separate switches as layer 2 traffic will broadcast over the entire switch regardless what the ip address is.

    now to my original point, you could accomplish the same task by simply assigning two ip address to a single nic on the mac pro and do the same thing. the only advantage of using two nics is if you segregated your switched network by using vlans or two switches.

    lastly, if the end game of the two internet feeds is redundancy or load balancing then you need a slightly more complicated setup. as i said before, a host will only use one route at a time, and the route used is determined by if the route exists or if they are competing routes (which your internet traffic would be) then it uses the routes metric. some more advanced routing protocols can be setup that will dynamically change the metric of a route based on the availability or usage. you can also setup sourced based routing that will use a specific connection based on the traffic it came from. you would need a cisco router to use eigrp, or most every "smart" router or linux based router will support ospf, bgp & is-is which will accomplish the same task. at that point you would need to point all your devices default gateways to that new router to take advantage of that type of configuration, and let that router take care of the best route for the traffic to take.

    so that's a little more long winded than i expected, but it should "explain" everything in detail. this way you know why your network does or doesn't work, which will help you troubleshoot it in the future.

    p.s. don't forget your network translation inbound to your ftp service on the mac pro if this isn't already done.
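The route-table walk described in the post above (connected routes per interface, one default route, longest-prefix match) and the point made later in the thread that the FTP service must listen on the address the office Macs can actually reach, as an added example that is not from any poster. Only the two /24s come from the original post; the individual host and router addresses are assumptions constructed for illustration.

```python
"""Added example: route lookups for the two-subnet layout discussed in the thread.

Addressing below is constructed for illustration; only the two /24s
(192.168.0.x and 192.168.1.x) come from the original post.
  router 1 (ADSL line 1): 192.168.0.1    router 2 (ADSL line 2): 192.168.1.1
  Mac Pro:    en0 192.168.0.10/24 (default gateway router 1)
              en1 192.168.1.10/24 (no gateway)
  office Mac: en0 192.168.1.20/24 (default gateway router 2)
"""
import ipaddress


class Host:
    """Minimal host with a routing table built the way a real stack builds it:
    one connected route per interface plus an optional default route."""

    def __init__(self, name, interfaces, default_gateway=None):
        self.name = name
        self.addresses = {}   # ifname -> ip_interface
        self.routes = []      # (network, next_hop or None, ifname)
        for ifname, cidr in interfaces.items():
            iface = ipaddress.ip_interface(cidr)
            self.addresses[ifname] = iface
            self.routes.append((iface.network, None, ifname))
        if default_gateway is not None:
            gw = ipaddress.ip_address(default_gateway)
            # A gateway is only usable if it sits on one of our connected subnets.
            via = next((ifn for net, _, ifn in self.routes if gw in net), None)
            if via is None:
                raise ValueError(f"{name}: gateway {gw} is not on any connected subnet")
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"), gw, via))

    def lookup(self, dst):
        """Longest-prefix match: return (interface, next hop) or None if unroutable."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        net, next_hop, ifname = max(matches, key=lambda r: r[0].prefixlen)
        return ifname, ("direct" if next_hop is None else str(next_hop))


def directly_reachable(server, client):
    """Server addresses the client reaches with no router in between, i.e. the
    addresses a service on the server must listen on to serve that client."""
    reachable = []
    for s_iface in server.addresses.values():
        for c_iface in client.addresses.values():
            if s_iface.network == c_iface.network:
                reachable.append(str(s_iface.ip))
    return reachable


MAC_PRO = Host("MacPro", {"en0": "192.168.0.10/24", "en1": "192.168.1.10/24"},
               default_gateway="192.168.0.1")
OFFICE_MAC = Host("OfficeMac", {"en0": "192.168.1.20/24"},
                  default_gateway="192.168.1.1")

if __name__ == "__main__":
    # Mac Pro: Internet leaves via router 1 on en0; office Macs are direct on en1.
    print(MAC_PRO.lookup("203.0.113.5"))      # ('en0', '192.168.0.1')
    print(MAC_PRO.lookup("192.168.1.20"))     # ('en1', 'direct')
    # Office Mac: the Mac Pro's en1 address is local; its en0 address is not, so
    # that packet is handed to router 2, which has no route into 192.168.0.0/24.
    print(OFFICE_MAC.lookup("192.168.1.10"))  # ('en0', 'direct')
    print(OFFICE_MAC.lookup("192.168.0.10"))  # ('en0', '192.168.1.1')
    # Hence the FTP service must listen on 192.168.1.10 (or on all addresses).
    print(directly_reachable(MAC_PRO, OFFICE_MAC))  # ['192.168.1.10']
```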
  8. belvdr, Jun 29, 2012
    Last edited: Jun 29, 2012

    macrumors 601

    Running two subnets on one VLAN is a bad idea and can lead to problems, such as broadcast traffic, like DHCP, being seen by the wrong systems.

    It is best to use both NICs to prevent these types of issues and keep Internet based FTP traffic separate from the office network.
  9. macrumors member

    there is nothing wrong with running two subnets on the same vlan, especially with a network this small. if it's so terrible how would using two nics fix the problem? unless you are using a separate switch for each nic, using two nics on the same switch is just going to double the same amount of "issues" you are talking about. putting both nics on different subnets won't do anything for layer 2 broadcasts. by using both nics, you just simply added another device to the same broadcast domain. he obviously doesn't have a managed switch so adding a vlan is not an option. plus it would be more cost effective to just buy a cheap workgroup switch vs. a managed switch that supports 802.1q if he really needed to isolate broadcast domains.
  10. belvdr, Jun 30, 2012
    Last edited: Jun 30, 2012

    macrumors 601

    Yes there is and it has nothing to do with the size of the network. This is easily a problem if you were to have a DHCP server on both subnets.

    It's not just using two NICs. By using two separate NICs, whether into separate VLANs or two physically separate switches, the problem cannot occur.

    You can use separate VLANs on a single switch, provided it supports that feature. Considering this is a small network, you can use a simple unmanaged switch for each side very inexpensively.

    These two are exactly equal aside from the use of an additional NIC:
    1. One NIC, running two different subnets, on one VLAN
    2. Two NICs, each on a different subnet, on the same VLAN

    You're not going to magically double the potential problems by choosing either. One is as bad as the other.

    Obviously, but who said anything about layer 2 broadcasts?

    Running two subnets on one NIC is doing the same thing; you have created two broadcast domains on the same VLAN. If there are DHCP servers on both, you could run into issues very easily.

    That's an assumption on your part. There is no evidence in the OP's post to determine that, although it is likely it doesn't support it.

  11. macrumors 65816

    For the Mac, you are correct. However if you go back and re-read my posts and the OP posts you will see that he specifically mentioned other devices on the LAN reaching the FTP via his network.

    AGAIN, I gave two options in which the OP could accomplish this task. One would be sharing the FTP connection to the other network and the other is using a router to join the two networks.

    Your opinion on RIP is fine, however with this size of his network it is invalid as it would not make a difference.
  12. devilofspades, Jun 30, 2012
    Last edited: Jun 30, 2012

    macrumors member

    well you obviously don't have much advanced networking experience. in enterprise environments, running multiple nics into the same switch is common place. this is how redundancy, fault tolerance and load balancing is achieved. why do you think advanced servers and hardware come with multiple nics? cuz it looks cool?

    now you are the one making assumptions his switch can do managed vlans.

    first, yes you will. you're adding a second mac (address not apple) to the existing broadcast domain. second, even though there are two mac (again, addresses no apples) its still not really a problem.

    you did...

    and if you read my original post and didn't selectively take comments to make your point, you saw that i mentioned dhcp (which the dhcp server doesn't do broadcasts anyway) and bonjour (which is a layer 2 protocol unlike dhcp). even still, the 6 macs & mac pro can still use bonjour because most likely the other devices on the switch won't even respond to it and it will just be ignored. as far as dhcp, he can just simply run static addresses and avoid any "problems" you think are happening. when i mentioned those items, i simply stated they had to be accounted for. and if you read my post, you would see that i specifically mentioned using vlans or two switches if these services are indeed needed.

    this is absolutely incorrect. creating a separate vlan will create two broadcast domains, not running two ip addresses on one nic. ip subnetting and addressing (layer 3) has nothing to do with switching and data link communication (layer 2).

    i have been doing this a long time and have a laundry list of certifications from major routing and switching vendors, not to mention voip and network design certifications. i am not trying to cast your comments in a negative light, but your fundamental understanding of networking and the osi model is wrong.
  13. belvdr, Jun 30, 2012
    Last edited: Jun 30, 2012

    macrumors 601

    I have read it and think we're saying the same thing here (i.e. running FTP on both subnets). I thought you were saying to use both NICs and also route the traffic.

    Nobody asked for redundancy and yes, I have lots of experience in this. This isn't an enterprise environment and you're bringing up topics that either don't apply or are irrelevant to this case.

    No, I said "providing that" which means I don't know what functions their current switch provides.

    Adding a MAC isn't what is causing the issue. It's the additional subnet on the same VLAN.

    No I didn't. I mentioned DHCP, which is not layer 2. DHCP clients broadcast to on UDP 67 (so we're at layer 4 now). If you have two DHCP servers (i.e. one for each subnet) running on the same VLAN, your clients could get an address on either subnet. That can cause issues, because now, you've mixed your Internet traffic with the FTP server, which is a requirement to separate. If you also limit your services on the Mac Pro for each subnet, you could then have clients who couldn't access services if they end up on the wrong subnet.

    You're right I did miss your statement. For the record, when looking at how DHCP functions, broadcasts are involved (from the client, not the server).

    You're right. I meant to say you have two broadcast addresses on one broadcast domain. Why have every client see broadcasts from a subnet they aren't even on?

    I've been doing this a long time too and good for you for having certifications, but that doesn't mean you're automatically making the right choices either.

    For example, I actually came into an environment in the mid-1990s where a CCIE ran two subnets on one VLAN. Unfortunately, it was the outside Internet subnet and the internal subnet ( and it had to be token ring :/ ) It was a serious mess and I never understood why anyone would want to do that.

    For such a small setup as this, you could easily get a NetGear gigabit switch for $50, so why even introduce a potential problem down the road if someone checks the box to add DHCP to the other subnet? In essence, sure, your solution will work, but it's not optimal and a simple check box could cause outages.
  14. dyn
    macrumors 68000

    That's not quite true. You can run a service on a machine and have it listen to a specific ip-address, specific ip-addresses (plural!) or to any ip-address. The latter two will allow you to set up the ftp server to listen to the address configured on the first network card as well as the second network card. If the FTP server being used does not have this ability and will only listen to 1 ip-address then this will be impossible without any routing and things like that.

    However, this is not the problem. The way he is using the routers and switches is. The Mac Pro will be behind 2 routers and thus 2 ways of reaching the internet. The other part of the network will be behind 1 router and only 1 connection. Most companies that have 2 internet connections want to use them both: if one goes down the other takes over and being able to spread the load over the 2 connections. This will stop working with the new kind of setup unless the Mac Pro will act as the gateway to the internet configured with high availability. Most companies will use something like a firewall to do so. This setup also allows you to use multiple networks either via subnets and/or via vlans but you don't have to. You can also set firewall rules to limit who or what gets access to various parts of the network such as the ftp server on the Mac Pro.

    There really is little to no need at all for 2 separate networks when you have a firewall properly set up. Having multiple networks can give you the advantage of finer control over who/what can access which part of the entire network. Most setups I've seen use a different subnet for things like servers because of the finer control (just like with policies in OD or AD; you set a basic one and build up from that).
  15. macrumors member

    actually dhcp is a layer 7 protocol. it just happens to use udp for its ip services.

    i guess i fail to see (outside of dhcp) what this huge problem with running multiple subnets on the same vlan you keep talking about is. the only "problem" you keep mentioning is dhcp. and while i agree it's an annoyance, it's easily rectified with static addressing. given such a small network it really isn't that troublesome to do either. and yes, my solution will work without any issues. yes yours will work too at a cost. i tried to give the simplest solution that could be deployed with the current equipment that was stated. if we wanted to nitpick, it could easily be said that an asa firewall with ips should be added. he needs multiple managed switches with redundant etherchannel links, 802.1x authentication, etc. but while a good design philosophy all that is immensely overkill for the situation.

    bottom line, while not necessarily the ideal design, when using static addressing there is nothing wrong with having two subnets on the same switch. or for that matter two ip addresses on the same nic. if you're mixing public & private traffic, then it probably should be avoided but he is obviously using natting to gain access to the public internet, so it's not a cause for concern.

    the osi model is a wonderful hierarchy that can be used to your advantage to achieve things that wouldn't normally be considered if you understand the theoretical design paradigms. apple doesn't want people to jailbreak iphones and claims it will cause global destruction, but we all know that isn't the case. as long as you understand the fundamental workings, its properties can be manipulated and tailored to do things that they may not have necessarily originally been intended for.
  16. macrumors 68030

    Les Kern

    A perfect example of technology overkill, complicated yet useless, doing it because one can, not that one should. When I drive from Chicago to O'Hare, I don't go by way of Tranquility Base, and neither should you. Hint: pretend your boss didn't suggest a thing, then start from nothing. What are the reasons? What are his needs? Simple is better, security can be robust without knowing some of the rocket science suggestions above. My 25 years of experience are BEGGING you to re-think this.
  17. dyn
    macrumors 68000

    My goodness...some people here are pretending this is rocket science while in fact a lot of home users do this already with their home routers that they got from their ISP. There really is no need for things like subnets, vlans, etc. to make this work. You use those for creating a robust network for the future.

    This topic also shows the problem with people that have, say, a Cisco certification. Those are not technicians, those are sales reps because they only think in what kind of products/solutions from that particular company they can use. Instead they should look at it from a more objective view: what does the client have already, can it be done with that or do we need other stuff (if so, what do we need exactly)? It is the client that should be the main focus, not the stuff Cisco, Juniper, etc. sells!
  18. macrumors 65816

    Obviously you don't know how to read, you should go back and do that. If you had actually read the posts you wouldn't have come to that conclusion...
  19. macrumors 65816

    Actually it is entirely true. What you suggested is nothing more than I did in my first suggestion to the OP - USE THE MAC TO CONVEY DATA BETWEEN THE TWO NETWORKS....

    That is what a ROUTER does. You can call a skunk by any other name and it still smells like a skunk...
  20. dyn
    macrumors 68000

    Then you clearly have no idea what networking is and how to admin a server nor do you even read what somebody says. What I suggested wasn't what you suggested at all!

    You falsely said that one needed a router to make something reachable on the internal and external network. This is absolutely not true at all since most services (especially those in the UNIX world) are able to listen to one, more or all ip-addresses on that machine. This is done so that in certain advanced network setups (a machine that is in several VLANs) the service is reachable for all that need it. You certainly do not need a router for most of these services such as ftp.

    What I suggested alternatively was a firewall that does routing as well as other things if you could use that or simply use the existing infrastructure (aka the existing routers). These would be good suggestions for when the service is not able to listen on more than 1 ip-address.

    It is not what a router does ;) A router only relays traffic from one network to the other. The internet connection sharing on the Mac does more than just that because it also functions as a dhcp server to provide the clients with proper ip-addresses. Which is also the reason why one should definitely not use this setup because it will wreak absolute havoc on the network.

    If you have no idea what you are doing or need a quick fix this instant then you'd use internet connection sharing on Windows/OS X. If you want to do it properly you either use the existing infrastructure and rearrange that or you get new stuff that will get the job done properly.
  21. macrumors member


    i'll just assume you glossed over my posts or just flat out didn't read them. just because someone has certifications from a hardware vendor like cisco and juniper, etc. does not make them a sales rep for that company. i have actually turned down positions from companies like these to be a "sales engineer". i have great disdain for sales people, as they will tell you pretty much anything to sell their product. i can't in good conscience sell someone something they don't absolutely need. my post is a perfect example of that, and despite all the "rocket science" everything i suggested could all be done with hardware the original poster already had. i have worked with large enterprise companies as well as small businesses. small businesses are beyond penny pinchers, whether good or bad; working with them in my early years i had to learn to think outside the box. this increased my fundamental understanding of data and storage networks, and i can confidently say that my methods simply make use of open standards and take full advantage of pre-existing equipment with proper configuration.
  22. macrumors 65816

    Yes I don't know what networking is, though I have been a Network Engineer for 10 years....

    You are are incorrect. If you have a machine with an IP address of it WILL NOT be able to communicate with a machine with an IP address of It's not possible unless something does the routing in between the networks. If ONE machine has either dual NICs or is setup with subinterfaces then it would be able to communicate and could be setup to share services in both networks. THAT IS ALSO WHAT I SAID EARLIER - learn how to READ. (my first post)

    If there is a way in the "UNIX" world to do something beyond that then I'd like to know to tell my UNIX admins to go pound dirt instead of bothering me all day long when they want network changes to be made so their devices can talk to each other.

    How is that different from my suggestion? Yes you can use a router, a firewall or heck there are even UNIX based software packages you can get for free to turn an old box into all of the above.

    WTF are you talking about? A router does join networks, relays information if you prefer that term better. I even posted a link in my first post how to do ICS on his Mac Pro with two NICs. You don't have to set up a DHCP server on the Mac Pro - it can be disabled. I also posted a better, but more complex way by using a managed router/switch (with IP routing enabled) to route traffic between the networks.

    This is the exact SAME THING I stated in my first post.

    AGAIN! Learn how to read what one types.
  23. macrumors newbie

    Okay you knuckleheads, the OP is probably scared ******** now from all of your pointless bantering about issues that are completely beside the point. The one good suggestion I've seen so far is READ. The OP gives us two useful things, a list of what equipment he has, and also the client's requirements. Why are enterprise and commercial solutions and products being offered to this individual who is clearly an everyday user and would have no need for these things? Why are they even being mentioned??? That is like hijacking the thread... Good job! Considering the way the OP states the equipment on hand and asks the question if he overlooked something makes me guess the OP is the somewhat tech-savvy friend of the non-tech-savvy client who simply needs his computer equipment moved and set up again so that it works.
    In any case, the simplest possible solution is generally the best and least expensive. The one thing that would seem to fulfill the client's requirements as relayed by the OP would be a multihomed or dual WAN router. Unless someone is able to read into things deeper without a reply from the OP, that would make use of both internet connections, and allow for communication between all the machines and the ftp and the nas. If necessary they can set up security to block specific things but there was no mention of that I saw.

    Oh yeah, I am cisco trained, but I didn't bother to cert, it doesn't prove as much as the decade long work trail behind me of fixed computer and network issues, most of which have been done remotely and working with everyday people that know nothing of what they are trying to even attempt with their routers, computers, portable devices, etc...

    Remember, a cert is not a license to not listen.
