Gentoo Forums
Forum Index: Installing Gentoo
Gentoo bridged VLAN
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

PostPosted: Mon Nov 20, 2017 4:39 pm    Post subject: Gentoo bridged VLAN

Hi,

I'm new to setting up VLANs.

Is it possible to have 2 VLANs with the IP addresses overlapping in the same range?
e.g. VLAN1: 192.168.0.1/24, VLAN2: 192.168.0.10, 192.168.0.20
Obviously, no host in VLAN1 will have the same IP addresses as those in VLAN2.

Can this be done with a bridged VLAN?

Code:
bridge_forward_delay_br0=0
bridge_hello_time_br0=200
bridge_stp_state_br0=1
bridge_br0="eth0 eth1"
config_eth0="null"
config_eth1="null"
config_br0="192.168.0.1/24"
rc_need_br0="net.eth0 net.eth1"
vlans_br0="1 2"
routes_br0_2="
192.168.0.10 gw 192.168.0.1
192.168.0.20 gw 192.168.0.1
"


Thanks,

Vieri
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3134

PostPosted: Mon Nov 20, 2017 11:10 pm    Post subject:

Close enough.
Yes, you can have 2 vlans on the same interface (even on the same bridge), and they can share a single IP pool, and there are even valid use cases for this, though things can get tricky if you go this way. Error-prone. Hard to debug. So, well, it's not inherently wrong, but you better think twice.
Really, rethink your goals, grab a sheet of paper and a pencil, and draw a map representing the network you want. Trust me on this, it helps with designing funny things.
Also, if you decide to share your goals, we will be more likely to come up with something actually helpful.

Now, your config:
Forward delay=0 together with stp=1 makes me a bit uneasy.
How many switches do you have there? Are you likely to encounter accidental loops?
I mean, if you are afraid of loops, you probably should set some delay. Probably 2, as it seems to be the minimum (2 seconds). If you're not afraid of loops, why would you need STP?
STP is good in an "unstable" environment, when other people can find some loose ends and stuff them into the nearest socket. In a controlled environment, where you keep dummies out the door, there are better ways to achieve redundancy.

Quote:
bridge_br0="eth0 eth1"
Not sure what you're trying to do here. If you want to use those 2 sockets to provide connectivity to other machines, that's perfectly fine. If you want redundancy, consider bonding instead.
Quote:
config_br0="192.168.0.1/24"
This will send untagged packets.
Quote:
vlans_br0="1 2"
This line tells me you don't want untagged packets.
Quote:
rc_need_br0="net.eth0 net.eth1"
Don't do that unless you actually have a good reason to take the limitations implied (e.g. creating vlans on eth0 and attaching the vlan to the bridge requires you to need eth0). Configuring the bridge with
Quote:
bridge_br0="eth0 eth1"
will bring those interfaces up without configuring them, so dhcp etc. will not start on your slave when you start your bridge.

Quote:
routes_br0_2="
192.168.0.10 gw 192.168.0.1
192.168.0.20 gw 192.168.0.1
"
I really don't understand this part. Being your own gateway is not what you usually want. I mean, how are you to know the next hop?

I've been thinking about vlans too, and I decided to go with a convention like this:
vlan1: *.*.1.*/24
vlan2: *.*.2.*/24
vlan3: *.*.2.*/24

You get the point. It becomes self-documenting this way. Also, I can easily set up dhcp on each of those vlans (even a shared dhcp server, with access to all vlans), and then change netmask to /16 if I want to allow crossing vlans on layer 2.
Also, 255 is obviously the broadcast address, 254 stands for default gateway, 253,252 reserved for redundant router management IP, should I ever need them (kinda follows data center style), a handful of the other high IPs in a pool reserved for future "static" services (maybe DNS, NFS, NIS, email? Who knows...), and then DHCP pool starts, going all the way down to 1. Of course this is not the only way, nor even the best. It's just something that seems reasonably good at this time and flexible enough not to lock me out in near future.
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

PostPosted: Wed Nov 22, 2017 12:30 am    Post subject:

Thanks for the feedback.
I'll try to explain my goal.

BTW, I'm dropping the idea of a bridge (actually bonding interfaces would be better) because I do not need the redundancy/failover. So the setup is simpler.

I have no VLANs configured yet, and my knowledge in this field is somewhat limited.

I have a multi-NIC Gentoo firewall router which needs to have several VLANs on its LAN interface because I need to:
1) isolate some networks from each other
2) allow only selected traffic from one VLAN to another through the firewall's LAN interface
3) allow selected traffic from hosts behind another NIC on the firewall to any one of the networks in the VLANs on the LAN interface

My understanding of "tagged and untagged VLANs" to put it bluntly is that generally only "trunks" should be "tagged" with all the VLAN IDs which traffic is allowed to go through, and that all other ports (usually switch ports) should have untagged VLAN IDs for each segregated network.

Let's suppose I want to have two VLANs named vlan1 and vlan2 with IDs 1 and 2 respectively. Please correct me if I'm wrong, but I would set up tagged packets 1 and 2 on both the firewall's LAN interface and the switch's "trunk" port, i.e. the one connected to the firewall's LAN interface.
The rest of the switch ports should be either "untagged 1" or "untagged 2", right?
The other NICs on the firewall would not require VLAN tagging, right?

If the above is true then I would finally need to set up iptables rules to allow/deny traffic from one VLAN to another through the firewall's virtual LAN interfaces. I should also be able to apply accept/drop rules for traffic to these VLANs from any other network behind any other NIC on the firewall.

I'll just assume I'm right for now ;.)... and move on with the example.

Currently, my LAN hosts (without VLAN) are in subnet 10.215.0.0/16. There are machines I cannot modify, and will need to keep their network settings. However, they need to be isolated and moved to vlan2. The rest will go to vlan1.

I'm just guessing here, but maybe my net config could be:

Code:
vlans_eth0="1 2"
vlan1_name="vlan1"
config_eth0_1="10.215.144.91 netmask 255.255.0.0"
routes_eth0_1="
10.215.0.10 gw 10.215.144.92
10.215.0.20 gw 10.215.144.92
default via 172.16.1.2
" # 172.16.1.2 is IP addr. of a Gentoo gateway behind another firewall NIC
config_eth0_2="10.215.144.92/32"
routes_eth0_2="
10.215.0.10/32 dev eth0_2 proto kernel scope link src 10.215.144.92 metric 1
10.215.0.20/32 dev eth0_2 proto kernel scope link src 10.215.144.92 metric 1
"


The hosts with IP addr. 10.215.0.{1,2}0 in the above example would be in vlan2.

Does this make sense, or am I way off?

Finally, in my real setup I'd have a lot more hosts in vlan2, and they wouldn't be on the same switch as the one connected to the Gentoo firewall (switch1). I'd have most of them on switch2 which would be connected to switch1 with fibre channel. I suppose a fibre channel port can be treated just like an ethernet port VLAN-wise. So I'd have untagged VLAN IDs 1 and 2 on switch2 with all my isolated hosts on ports with untagged VLAN 2. The rest of LAN hosts on untagged VLAN 1. The fibre channel port on switch2 would be "tagged 1, 2", i.e. trunk, just like the fibre channel port on switch1. Finally, the ethernet port on switch1 connecting to the Gentoo firewall would also be "tagged 1,2".

Thanks for your help,

Vieri
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3134

PostPosted: Wed Nov 22, 2017 8:58 pm    Post subject:

Quote:
My understanding of "tagged and untagged VLANs" to put it bluntly is that generally only "trunks" should be "tagged" with all the VLAN IDs which traffic is allowed to go through, and that all other ports (usually switch ports) should have untagged VLAN IDs for each segregated network.

Well, "trunk port" is basically defined by being tagged. You can compare it to a tree: you have a bunch of roots (access ports) on one end, then you have the (tagged) trunk, where tags allow you to distinguish packets from different VLANs running over a shared wire, and then all that traffic branches out to access ports again.
So, trunk is tagged by definition, and access port is by definition untagged, and only allows one VLAN, which makes the term "untagged vlan" extremely confusing. Everyone talks about vlans in context of the protocol, and then we jump to a physical network, grab a few physical wires and call it virtual network. Bravo, network guys, bravo :roll:
This said, "trunk" is intended as an interconnect between 2 switches. The end client should be plugged to an access port. A single port can also carry tagged vlans traffic in addition to untagged traffic, which can be used (or exploited) for crossing VLANs.

Now, back to your config:
Code:
config_eth0_1="10.215.144.91 netmask 255.255.0.0"
routes_eth0_1="
10.215.0.10 gw 10.215.144.92
10.215.0.20 gw 10.215.144.92
So.... First you declare that you are a part of network 10.215.0.0/16, and then you exclude 2 remote hosts from this network and demand your traffic to be routed via a remote machine 10.215.144.92.
Makes me think you're going out of your way just to make things harder. Usually it goes the other way: you declare yourself as a part of a small network, and then add a direct link to a host that does not belong in your network.
Code:
config_eth0_2="10.215.144.92/32"
routes_eth0_2="
10.215.0.10/32 dev eth0_2 proto kernel scope link src 10.215.144.92 metric 1
10.215.0.20/32 dev eth0_2 proto kernel scope link src 10.215.144.92 metric 1
"
Yeah, this does make a bit more sense. You declare an IP that does not belong to any network (/32 only holds a single IP) and then you add 2 connections to particular hosts.
Still, this conflicts with your eth0.1 route. Don't configure those routes on eth0.1 at all. If you want to route that traffic via eth0.2, then do just that.
Also, you're gonna have a hard time crossing those VLANs. Using routes to a single host rather than to a network means you have to configure those routes at every single host involved.

Using 2 distinct IP pools would be a better idea. This way you only have to configure a single router. The other machines would talk to their own network directly, and use default route (the router) for "i don't know what to do" cases. Then, you define pool1 attached to eth0.1 and pool2 attached to eth0.2 (or even skip vlans completely and use separate wires instead of tags), and the default gateway to the internet attached to eth1 or whatever you have there.
And then you set up iptables with FORWARD POLICY DROP, and add a bunch of ACCEPT rules to allow routing between 2 IP pools residing on separate networks (or on different vlans)
With 2 VLANs you will have to resort to iptables anyway.
With a managed switch and at least 3 VLANs you could handle VLAN crossing at the switch level, e.g. allow one VLAN to cross-talk with all the other VLANs, but keep the rest away from each other.
Also, mind this: a dumb switch (unmanaged) does not really have a predictably defined behaviour regarding tagged frames. It may forward them, drop them, or even strip tags.
Ralphred
Guru
Joined: 31 Dec 2013
Posts: 499

PostPosted: Thu Nov 23, 2017 5:28 pm    Post subject:

You're basically looking to do "router on a stick".
Point 2
Quote:
2) allow only selected traffic from one VLAN to another through the firewall's LAN interface
does present some questions regarding whether or not to do the routing for it in the switch.
First, is the switch capable of routing that traffic between VLANs AND capable of satisfying your restrictions?
Second, does the amount of traffic warrant managing the required ACLs on the switch AND the static routes on the PCs (which you may not be able to change)?

Once that decision is made it's pretty simple.
Leave your existing network as it is, set-up the existing network as VLAN1 on the switch and the firewall/router:
/etc/conf.d/net
Code:
mtu_eth0="1504"
vlans_eth0="1 2"
vlan1_name="vlan1"
config_eth0_1="10.215.144.91 netmask 255.255.0.0"

IOS for the firewall's switchport
Code:
(config-if)#switchport trunk encapsulation dot1q
(config-if)#switchport mode trunk
(config-if)#switchport trunk allowed vlan 1

Alter the iptables config to reflect the change of LAN port (and dhcpd etc), and if everything still works, add the VLAN2 config
/etc/conf.d/net
Code:
vlan2_name="vlan2"
config_eth0_2="192.168.2.253 netmask 255.255.255.0"

IOS...
Code:
switchport trunk allowed vlan add 2

Set a few of the switch ports to access the new network, copy the iptables rules to allow for the 2nd network and you should be good to go.
Just add any VLAN1<>VLAN2 traffic rules in iptables, or set-up virtual interfaces for routing on the switch and add the static routes on the PC's. dhcpd.conf allows for an interface option per IP pool, so if you go that way moving a pc from VLAN 1 to 2 would be just a cable swap, it also allows you to set a classless static route for the "other" VLAN on a host by host basis if you do end up using ipforward on the switch.

Oh, and a quick note on tagged/trunk ports: "tagged" is the nomenclature used by HP for VLAN encapsulation, this is "trunk" on Cisco.
On an HP switch a "trunk" is for port aggregation, to Cisco it's "etherchannel".
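Both szatox's "FORWARD POLICY DROP plus a bunch of ACCEPT rules" and Ralphred's "copy the iptables rules to allow for the 2nd network" describe the firewall side of the router-on-a-stick setup without spelling the rules out. The script below is an added example, not code from this thread or from the Gentoo project. It assumes the interface names vlan1 and vlan2 (what vlan1_name/vlan2_name in Ralphred's /etc/conf.d/net produce), the pools 10.215.0.0/16 and 192.168.2.0/24 from the thread, an uplink called eth1, and a list of TCP ports (22 and 443 in the usage call) that vlan1 hosts are allowed to open toward vlan2; all of those are assumptions. It prints the iptables commands instead of running them, so the rule set can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny FORWARD chain for the
# two-VLAN "router on a stick" discussed above.
# Assumed names, taken from the thread where possible:
#   vlan1 = 10.215.0.0/16 (existing LAN), vlan2 = 192.168.2.0/24 (isolated hosts),
#   eth1  = uplink toward the default gateway (assumption).
# The function prints the iptables commands rather than executing them, so the
# result can be reviewed first and then applied with:  forward_rules "22 443" | sh
LAN1_IF="vlan1"; LAN1_NET="10.215.0.0/16"
LAN2_IF="vlan2"; LAN2_NET="192.168.2.0/24"
WAN_IF="eth1"

# forward_rules "PORT PORT ..."
#   The argument lists the TCP ports that vlan1 hosts may open on vlan2 hosts.
#   Anything not explicitly accepted is logged (rate-limited) and dropped by policy.
forward_rules() {
    ports=$1
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies that belong to a session already accepted below.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: a packet entering a VLAN interface must carry that VLAN's source pool.
    echo "iptables -A FORWARD -i $LAN1_IF ! -s $LAN1_NET -j DROP"
    echo "iptables -A FORWARD -i $LAN2_IF ! -s $LAN2_NET -j DROP"
    # Both VLANs may reach the uplink.
    echo "iptables -A FORWARD -i $LAN1_IF -o $WAN_IF -s $LAN1_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN2_IF -o $WAN_IF -s $LAN2_NET -j ACCEPT"
    # vlan1 -> vlan2 only for the listed services; vlan2 never initiates toward vlan1.
    for p in $ports; do
        echo "iptables -A FORWARD -i $LAN1_IF -o $LAN2_IF -s $LAN1_NET -d $LAN2_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Make the policy drop visible in the logs without flooding them.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FORWARD-DROP: \""
}

# count_accepts_to "PORTS" IFACE
#   Number of ACCEPT rules in the generated set whose outgoing interface is IFACE.
#   A quick sanity check before applying: vlan2 should only get as many as there are ports.
count_accepts_to() {
    forward_rules "$1" | grep -c -- "-o $2 .*-j ACCEPT"
}

# Print the rule set for review when the script is run directly.
forward_rules "22 443"
```

The anti-spoofing rules matter more than they look: once two pools share one physical wire, the only thing tying a source address to a VLAN is the tag, so a rule set that matches on addresses alone would accept a 10.215.x.x packet arriving tagged as VLAN 2. Pinning each pool to its interface before any ACCEPT closes that gap.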