* Re: VLAN Konfig
From: Thomas Berthel @ 2013-06-09 11:58 UTC
To: documentation
> I meant in this section --> http://wiki.ipfire.org/de/optimization/vlan/start#iptables_uebersicht only spts: are to be seen, but no dpts:. In the rules you define "--dports 993,995,110,587,465", but they are listed as "spts:" (source ports). For example, in the iptables -L listing for mail I have something like this:
> RETURN tcp -- 192.168.7.0/24 anywhere multiport dports imaps,urd,submission,pop3s,smtp TIME from 00:00:00 to 00:00:00 UTC
> so the dports are specified. I can't find something like that in your iptables -L listing.
Ah. I'm using dport for a single port (dpts:52 for DNS) and multiport
dports for several destination ports. Is this not okay?
> So you have allowed only unprivileged ports as a source port, but isn't that the case by default anyway? Or do you intend this as a security measure?
> So I'm also not sure about this, but if you define only --dports, isn't the behaviour with the source port the same anyway as when you define it?
Is this a default? Sorry, I don't know. Is that so wrong?
> What rules do you use in Mode 1 ?
A lot of rules ;) I can't post them all here... one snippet: DNS, mail,
game ports, whois, FTP, NTP and ssh for green, red and all interfaces.
But these rules are all duplicated in my tables after the restart. Another
problem is that when I re-upload my FW it is usually in mode 0, although
the WUI shows me mode 1.
All my manually specified ports are no longer seen in the tables; they
only show up when I reboot the FW.
> Ahh OK, but is it possible to arrange rules for the VLAN interfaces over the WUI (e.g. DMZ pinholes, etc.)?
> So maybe it is less complicated (especially for the explanations in the wiki) if all the rules which can be arranged over the WUI are set that way? Might be nice if you can give it a try. Also, if the outgoing FW is configured, I think the CUSTOMFORWARD rules are then defined in the FORWARD and OUTPUT chains.
I just tested it in the WUI, and FW mode 1 does not apply the rules. It
seems as if for wireless (blue) the rules come from a different direction,
no matter what is stored in the WUI.
* Re: VLAN Konfig
From: Erik K. @ 2013-06-09 13:31 UTC
To: documentation
On 09.06.2013 at 13:58, Thomas Berthel wrote:
>
>> I meant in this section --> http://wiki.ipfire.org/de/optimization/vlan/start#iptables_uebersicht only spts: are to be seen, but no dpts:. In the rules you define "--dports 993,995,110,587,465", but they are listed as "spts:" (source ports). For example, in the iptables -L listing for mail I have something like this:
>> RETURN tcp -- 192.168.7.0/24 anywhere multiport dports imaps,urd,submission,pop3s,smtp TIME from 00:00:00 to 00:00:00 UTC
>> so the dports are specified. I can't find something like that in your iptables -L listing.
>
> Ah. I'm using dport for a single port (dpts:52 for DNS) and multiport
> dports for several destination ports. Is this not okay?
O.K., my bad, I overlooked it.
>
>> So you have allowed only unprivileged ports as a source port, but isn't that the case by default anyway? Or do you intend this as a security measure?
>> So I'm also not sure about this, but if you define only --dports, isn't the behaviour with the source port the same anyway as when you define it?
>
> Is this a default? Sorry, I don't know. Is that so wrong?
This was more a question than a statement ;-)
>
>> What rules do you use in Mode 1 ?
>
> A lot of rules ;) I can't post them all here... one snippet: DNS, mail,
> game ports, whois, FTP, NTP and ssh for green, red and all interfaces.
>
> But these rules are all duplicated in my tables after the restart.
Maybe it is because you define them in firewall.local as well? Did you try a complete reboot?
> Another
> problem is that when I re-upload my FW it is usually in mode 0, although
> the WUI shows me mode 1.
This is really strange; I have no clue why this happens.
>
> All my manually specified ports are no longer seen in the tables; they
> only show up when I reboot the FW.
I have had the same issue since I started working a little with firewall.local. After modifications to firewall.local and stop|start|restart|reload tests, the iptables -L listing sometimes shows me nothing in the CUSTOM chains. It seems that the best way is to reboot IPFire. It is important to test this behaviour with the new firewall; I think in Core 69 (test image) the new FW is already implemented.
>
>> Ahh OK, but is it possible to arrange rules for the VLAN interfaces over the WUI (e.g. DMZ pinholes, etc.)?
>> So maybe it is less complicated (especially for the explanations in the wiki) if all the rules which can be arranged over the WUI are set that way? Might be nice if you can give it a try. Also, if the outgoing FW is configured, I think the CUSTOMFORWARD rules are then defined in the FORWARD and OUTPUT chains.
>
> I just tested it in the WUI, and FW mode 1 does not apply the rules. It
> seems as if for wireless (blue) the rules come from a different direction,
> no matter what is stored in the WUI.
Which rules did you try to edit ?
>
> _______________________________________________
> Documentation mailing list
> Documentation(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/documentation
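The duplicated rules Thomas sees after a restart are what a firewall.local produces when its start action runs iptables -A unconditionally every time it is called. The following is an added example of an idempotent start/stop skeleton for custom rules on a VLAN zone; it is neither the firewall.local from this thread nor IPFire's own script. It assumes IPFire's CUSTOMINPUT and CUSTOMFORWARD chains exist, borrows the 192.168.7.0/24 green network and the 993,995,110,587,465 port list from the listing quoted above, and needs an iptables that supports -C (check). The iptables_stub function is a stand-in that keeps rules in a file so the start/stop logic can be exercised on a machine without netfilter.

```shell
#!/bin/bash
# Added example, not IPFire's firewall.local: custom rules that survive
# "firewall restart" without being appended a second time.
# Assumptions: CUSTOMINPUT/CUSTOMFORWARD exist (IPFire creates them),
# green0 is the trusted zone, iptables supports -C.

IPTABLES="${IPTABLES:-iptables}"
MAIL_PORTS="993,995,110,587,465"                 # example list from the thread
GREEN_NET="${GREEN_NET:-192.168.7.0/24}"         # assumed green network

# One rule per line: chain first, then the match/target arguments.
# Destination ports use multiport --dports; there is no --sport filter,
# because a rule without --sport already matches any client source port.
custom_rules() {
    cat <<EOF
CUSTOMFORWARD -i green0 -s ${GREEN_NET} -p tcp -m multiport --dports ${MAIL_PORTS} -m conntrack --ctstate NEW -j ACCEPT
CUSTOMFORWARD -i green0 -s ${GREEN_NET} -p udp --dport 53 -j ACCEPT
CUSTOMINPUT -i blue0 -p udp --dport 53 -j ACCEPT
EOF
}

# Append only when -C reports the rule as missing (exit status 1).
ensure_rule() {
    local chain="$1"; shift
    $IPTABLES -C "$chain" "$@" 2>/dev/null || $IPTABLES -A "$chain" "$@"
}

# Remove exactly what start added; tolerate a rule that is already gone.
drop_rule() {
    local chain="$1"; shift
    $IPTABLES -D "$chain" "$@" 2>/dev/null || true
}

apply_rules() {   # usage: apply_rules start|stop
    local action="$1" line
    custom_rules | while read -r line; do
        # shellcheck disable=SC2086  (word-splitting the rule line is intended)
        case "$action" in
            start) ensure_rule $line ;;
            stop)  drop_rule $line ;;
        esac
    done
}

# Stand-in for iptables that records rules in a file, so the add/check/delete
# flow can be tried off-box: IPTABLES=iptables_stub ./firewall.local start
STUB_RULES="${STUB_RULES:-/tmp/firewall.local.rules}"
iptables_stub() {
    local op="$1"; shift
    case "$op" in
        -C) grep -qxF -- "$*" "$STUB_RULES" 2>/dev/null ;;
        -A) printf '%s\n' "$*" >> "$STUB_RULES" ;;
        -D) grep -vxF -- "$*" "$STUB_RULES" > "$STUB_RULES.new" 2>/dev/null
            mv "$STUB_RULES.new" "$STUB_RULES" ;;
    esac
}

main() {
    case "${1:-}" in
        start|stop)     apply_rules "$1" ;;
        restart|reload) apply_rules stop; apply_rules start ;;
        *) echo "usage: $0 {start|stop|restart|reload}" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run with IPTABLES=iptables_stub and a scratch STUB_RULES path to confirm that two consecutive starts leave one copy of each rule and that stop empties the file; on the firewall itself leave IPTABLES unset. The conntrack NEW match admits the first packet of a connection; replies are handled by the state rule that runs earlier in IPFire's chains, which is why a source-port range adds nothing here.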
* Re: VLAN Konfig
From: Thomas Berthel @ 2013-06-09 16:40 UTC
To: documentation
Hi,
> This was more a question than a statement ;-)
Me too ;-)
> This is really strange; I have no clue why this happens.
That is not the problem - I must restart my FW and then all the Mode 1 and
custom-change rules are back.
> Which rules did you try to edit ?
Only in my firewall.local file, and then I stop and start
/etc/init.d/firewall. I checked the WhatsApp ports in the WUI for blue. It did
nothing - then I changed it in my firewall.local and the functionality was there.
As I see it, everything is well controlled in iptables and nothing
in the WUI. :(
BG, Thomas
* Re: VLAN Konfig
From: Thomas Berthel @ 2013-08-08 18:24 UTC
To: documentation
Sorry, I meant Firewall Mode 1 ;-) Not 2.
greetings, Thomas
* Re: VLAN Konfig
From: Thomas Berthel @ 2013-08-08 18:12 UTC
To: documentation
Hi Michael,
That's it! :) A long way for me. But it's done.
I am writing my documentation anew. It is so easy,
if you know what you're doing ;-)
One question about Firewall Mode 2. I would like to add a new enable rule for
an outgoing port.
When I set it on wireless (blue) as the definition with port XYZ it doesn't work - when
I put the ruleset on green it works. Is this normal?
greetings, Thomas
On 22.07.2013 10:37, Michael Tremer wrote:
> Hi,
>
> you will have to grant access to every host on the blue network in the
> WUI. Please go to Firewall -> Blue Access and do that over there.
>
> -Michael
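Michael's reply quoted above says every blue host needs an entry under Firewall -> Blue Access. Before adding entries it helps to know which hosts are actually being dropped and on which port. The following is an added example, not part of the thread or of IPFire: it summarizes kernel log lines of the form quoted later in this thread (the DROP_Wirelessinput line with IN=, SRC=, PROTO= and DPT= fields) into one row per chain, interface, source, protocol and destination port, and lists the blue-side sources as candidates for the access list. The sample lines are constructed for the example and the "DROP_" prefix convention is taken from the quoted line; real logs may have a space before IN=, which is handled as well.

```shell
#!/bin/bash
# Added example, not from the thread: triage IPFire kernel DROP log lines.
# Works on the syslog format quoted in the thread, where the log prefix may
# be glued to the IN= field ("DROP_WirelessinputIN=blue0").

# Constructed sample input (not real traffic): two DNS drops from one blue
# host, one HTTP forward drop from another, one unrelated drop on red.
SAMPLE_LOG='Jul  1 21:23:10 ipfw kernel: DROP_WirelessinputIN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP SPT=1083 DPT=53 LEN=49
Jul  1 21:23:11 ipfw kernel: DROP_WirelessinputIN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25515 DF PROTO=UDP SPT=1084 DPT=53 LEN=49
Jul  1 21:23:12 ipfw kernel: DROP_WirelessforwardIN=blue0 OUT=red0 MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:83:08:00 SRC=192.168.2.11 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  1 21:23:13 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=00:22:4d:84:a5:31:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read log lines on stdin, print "count chain in_if src proto dpt", most frequent first.
summarize_drops() {
    awk '
    /DROP_/ {
        chain = $0
        sub(/.*DROP_/, "", chain)        # text after the prefix marker...
        sub(/ *IN=.*/, "", chain)        # ...up to the IN= field, glued or spaced
        in_if = "-"; src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if (index($i, "=") == 0) continue   # TCP flags (SYN, FIN) carry no "="
            split($i, kv, "=")
            if (kv[1] ~ /IN$/)          in_if = kv[2]   # matches IN and prefixIN
            else if (kv[1] == "SRC")    src = kv[2]
            else if (kv[1] == "PROTO")  proto = kv[2]
            else if (kv[1] == "DPT")    dpt = kv[2]
        }
        n[chain " " in_if " " src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Sources hitting the wireless DROP chains: candidates for Firewall -> Blue Access.
blue_drop_sources() {
    summarize_drops | awk '$2 ~ /^Wireless/ { print $4 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Feed /var/log/messages through summarize_drops on the firewall (grep for "DROP_" first on a busy box). A host that appears only under Wirelessinput with DPT=53 and DPT=80 to the gateway address is exactly the case in the thread: it is not yet granted in Blue Access, so no firewall.local rule will help until that entry exists.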
* Re: VLAN Konfig
From: Michael Tremer @ 2013-07-22 8:37 UTC
To: documentation
Hi,
you will have to grant access to every host on the blue network in the
WUI. Please go to Firewall -> Blue Access and do that over there.
-Michael
On Sun, 2013-07-21 at 22:35 +0200, Thomas Berthel wrote:
> Hi,
>
> nobody any idea?
>
> good night, Thomas
>
> On 07/02/2013 12:14 AM, Thomas Berthel wrote:
> > Hi Michael,
> >
> >> Please run /etc/init.d/network-vlans start
> > thanks. beginner error :-)
> >
> > Here is my document for VLAN:
> >
> > I configured my firewall in setup mode and changed from green+red to
> > green+red+orange+blue.
> >
> > I set up the network IPs for blue & orange; then at the end of the setup I
> > got a message like: orange device can't be configured, no device
> > found, or so. Because it did not let me finish the setup mode I
> > closed the console connection.
> >
> > I checked my /var/ipfire/ethernet/settings and all information from my
> > changes in the setup menu was written there.
> >
> > for example one snippet:
> >
> > BLUE_ADDRESS=192.168.2.1
> > BLUE_NETMASK=255.255.255.0
> > BLUE_NETADDRESS=192.168.2.0
> > BLUE_BROADCAST=192.168.2.255
> >
> > but no MAC address and no DEV was in there.
> >
> > ifconfig says nothing about blue or orange. Okay, then the next step.
> > I configured my /var/ipfire/ethernet/vlans as follows:
> >
> > BLUE_PARENT_DEV=green0
> > BLUE_VLAN_ID=300
> > BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
> > ORANGE_PARENT_DEV=green0
> > ORANGE_VLAN_ID=400
> > ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
> >
> > Without the "" around _PARENT_DEV="device1" and _MAC_ADDRESS="11:22:33:..."
> >
> > Then I ran /etc/init.d/network-vlans start; this was my message output:
> >
> > /etc/init.d/network-vlans start
> > + CONFIG_FILE=/var/ipfire/ethernet/vlans
> > + '[' -e /var/ipfire/ethernet/vlans ']'
> > ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
> > + eval BLUE_PARENT_DEV=green0 BLUE_VLAN_ID=300
> > BLUE_MAC_ADDRESS=00:22:4D:84:A5:30 ORANGE_PARENT_DEV=green0
> > ORANGE_VLAN_ID=400 ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
> > ++ BLUE_PARENT_DEV=green0
> > ++ BLUE_VLAN_ID=300
> > ++ BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
> > ++ ORANGE_PARENT_DEV=green0
> > ++ ORANGE_VLAN_ID=400
> > ++ ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
> > + action=start
> > + for interface in green0 blue0 orange0
> > + case "${interface}" in
> > + PARENT_DEV=
> > + VLAN_ID=
> > + MAC_ADDRESS=
> > + case "${action}" in
> > + '[' -z '' ']'
> > + continue
> > + for interface in green0 blue0 orange0
> > + case "${interface}" in
> > + PARENT_DEV=green0
> > + VLAN_ID=300
> > + MAC_ADDRESS=00:22:4D:84:A5:30
> > + case "${action}" in
> > + '[' -z green0 ']'
> > + '[' -d /sys/class/net/blue0 ']'
> > + '[' '!' -d /sys/class/net/green0 ']'
> > + '[' -z 300 ']'
> > + echo 'Creating VLAN interface blue0...'
> > Creating VLAN interface blue0...
> > + vconfig add green0 300
> > Added VLAN with VID == 300 to IF -:green0:-
> > + ip link set green0.300 name blue0
> > + '[' -n 00:22:4D:84:A5:30 ']'
> > + ip link set blue0 address 00:22:4D:84:A5:30
> > + ip link set green0 up
> > + for interface in green0 blue0 orange0
> > + case "${interface}" in
> > + PARENT_DEV=green0
> > + VLAN_ID=400
> > + MAC_ADDRESS=00:22:4D:84:A5:40
> > + case "${action}" in
> > + '[' -z green0 ']'
> > + '[' -d /sys/class/net/orange0 ']'
> > + '[' '!' -d /sys/class/net/green0 ']'
> > + '[' -z 400 ']'
> > + echo 'Creating VLAN interface orange0...'
> > Creating VLAN interface orange0...
> > + vconfig add green0 400
> > Added VLAN with VID == 400 to IF -:green0:-
> > + ip link set green0.400 name orange0
> > + '[' -n 00:22:4D:84:A5:40 ']'
> > + ip link set orange0 address 00:22:4D:84:A5:40
> > + ip link set green0 up
> >
> > Yeah! The final countdown ;-)
> >
> > So, I checked my ifconfig and only the device with no IP was displayed:
> >
> > blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes: (0 Kb) TX bytes: (0 Kb)
> >
> > WTF? Okay. I configured my /var/ipfire/ethernet/settings once again as
> > described here:
> >
> > BLUE_DEV=blue0
> > BLUE_MACADDR=00:22:4d:84:a5:30
> > BLUE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
> > BLUE_DRIVER=e1000e
> > BLUE_ADDRESS=192.168.2.1
> > BLUE_NETMASK=255.255.255.0
> > BLUE_NETADDRESS=192.168.2.0
> > BLUE_BROADCAST=192.168.2.255
> >
> > Next step - reboot the firewall! Then the result from ifconfig said:
> >
> > blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
> > inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes: (0 Kb) TX bytes: (0 Kb)
> >
> > BUT - my firewall dropped my DNS and HTTP requests. I tried to change the
> > rules with the firewall mode from 1 to 0, and in the WUI in mode 1 to set
> > rules for wireless to allow these connections. Without success!
> >
> > for example:
> > Jul 1 21:23:10 ipfw kernel: DROP_WirelessinputIN=blue0 OUT=
> > MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10
> > DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP
> > SPT=1083 DPT=53 LEN=4
> >
> > Any idea?
> >
> > BG, Thomas
> >
> > On 01.07.2013 11:53, Michael Tremer wrote:
> >> On Sun, 2013-06-30 at 15:37 +0200, Thomas Berthel wrote:
> >>> Hi all,
> >>>
> >>> I have checked the /etc/init.d/network-vlans script and got the following
> >>> message: Invalid action
> >>>
> >>> The debug output says:
> >>>
> >>> (/var/ipfire/ethernet):/etc/init.d/network-vlans
> >>> + CONFIG_FILE=/var/ipfire/ethernet/vlans
> >>> + '[' -e /var/ipfire/ethernet/vlans ']'
> >>> ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
> >>> + eval '#GREEN_VLAN_ID=20' BLUE_VLAN_ID=300 ORANGE_VLAN_ID=400
> >>> + action=
> >>> + for interface in green0 blue0 orange0
> >>> + case "${interface}" in
> >>> + PARENT_DEV=
> >>> + VLAN_ID=
> >>> + MAC_ADDRESS=
> >>> + case "${action}" in
> >>> + echo 'Invalid action: '
> >>> Invalid action:
> >>> + exit 1
> >>
> >> Please run /etc/init.d/network-vlans start or /etc/init.d/network-vlans
> >> to start and stop the virtual interfaces.
> >>
> >> -Michael
> >>
> >
> > _______________________________________________
> > Documentation mailing list
> > Documentation(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/documentation
> >
>
* Re: VLAN Konfig
2013-07-01 22:14 ` Thomas Berthel
@ 2013-07-21 20:35 ` Thomas Berthel
2013-07-22 8:37 ` Michael Tremer
0 siblings, 1 reply; 13+ messages in thread
From: Thomas Berthel @ 2013-07-21 20:35 UTC (permalink / raw)
To: documentation
Hi,
nobody any idea?
good night, Thomas
On 07/02/2013 12:14 AM, Thomas Berthel wrote:
> Hi Michael,
>
>> Please run /etc/init.d/network-vlans start
> thanks. beginner error :-)
>
> Here my document for vlan:
>
> I configure my firewall with the setup mode and change from green+red to
> green+red+orange+blue.
>
> I set up the network IPs for blue & orange, then at the end of the setup I
> got a message: orange device can't configure, no device found, or so.
> Because it does not let me finish the setup mode, I have
> closed the console connection.
>
> I check my /var/ipfire/ethernet/settings and all information from my
> change in the setup-menu was written there.
>
> for example, one snippet:
>
> BLUE_ADDRESS=192.168.2.1
> BLUE_NETMASK=255.255.255.0
> BLUE_NETADDRESS=192.168.2.0
> BLUE_BROADCAST=192.168.2.255
>
> but no MAC address and no DEV was in there.
>
> ifconfig says nothing about blue or orange. Okay, then the next step.
> I configure my /var/ipfire/ethernet/vlans as follows:
>
> BLUE_PARENT_DEV=green0
> BLUE_VLAN_ID=300
> BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
> ORANGE_PARENT_DEV=green0
> ORANGE_VLAN_ID=400
> ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
>
> Without "" for _PARENT_DEV="device1" and the _MAC_ADDRESS="11:22:33:..."
>
> Then I do /etc/init.d/network-vlans start; this was my message output:
>
> /etc/init.d/network-vlans start
> + CONFIG_FILE=/var/ipfire/ethernet/vlans
> + '[' -e /var/ipfire/ethernet/vlans ']'
> ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
> + eval BLUE_PARENT_DEV=green0 BLUE_VLAN_ID=300
> BLUE_MAC_ADDRESS=00:22:4D:84:A5:30 ORANGE_PARENT_DEV=green0
> ORANGE_VLAN_ID=400 ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
> ++ BLUE_PARENT_DEV=green0
> ++ BLUE_VLAN_ID=300
> ++ BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
> ++ ORANGE_PARENT_DEV=green0
> ++ ORANGE_VLAN_ID=400
> ++ ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
> + action=start
> + for interface in green0 blue0 orange0
> + case "${interface}" in
> + PARENT_DEV=
> + VLAN_ID=
> + MAC_ADDRESS=
> + case "${action}" in
> + '[' -z '' ']'
> + continue
> + for interface in green0 blue0 orange0
> + case "${interface}" in
> + PARENT_DEV=green0
> + VLAN_ID=300
> + MAC_ADDRESS=00:22:4D:84:A5:30
> + case "${action}" in
> + '[' -z green0 ']'
> + '[' -d /sys/class/net/blue0 ']'
> + '[' '!' -d /sys/class/net/green0 ']'
> + '[' -z 300 ']'
> + echo 'Creating VLAN interface blue0...'
> Creating VLAN interface blue0...
> + vconfig add green0 300
> Added VLAN with VID == 300 to IF -:green0:-
> + ip link set green0.300 name blue0
> + '[' -n 00:22:4D:84:A5:30 ']'
> + ip link set blue0 address 00:22:4D:84:A5:30
> + ip link set green0 up
> + for interface in green0 blue0 orange0
> + case "${interface}" in
> + PARENT_DEV=green0
> + VLAN_ID=400
> + MAC_ADDRESS=00:22:4D:84:A5:40
> + case "${action}" in
> + '[' -z green0 ']'
> + '[' -d /sys/class/net/orange0 ']'
> + '[' '!' -d /sys/class/net/green0 ']'
> + '[' -z 400 ']'
> + echo 'Creating VLAN interface orange0...'
> Creating VLAN interface orange0...
> + vconfig add green0 400
> Added VLAN with VID == 400 to IF -:green0:-
> + ip link set green0.400 name orange0
> + '[' -n 00:22:4D:84:A5:40 ']'
> + ip link set orange0 address 00:22:4D:84:A5:40
> + ip link set green0 up
>
> Yeah! The final countdown ;-)
>
> So, I checked my ifconfig and only the device with no IP was displayed:
>
> blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes: (0 Kb) TX bytes: (0 Kb)
>
> WTF? okay. I configure my /var/ipfire/ethernet/settings once again as
> described here:
>
> BLUE_DEV=blue0
> BLUE_MACADDR=00:22:4d:84:a5:30
> BLUE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network
> Connection"'
> BLUE_DRIVER=e1000e
> BLUE_ADDRESS=192.168.2.1
> BLUE_NETMASK=255.255.255.0
> BLUE_NETADDRESS=192.168.2.0
> BLUE_BROADCAST=192.168.2.255
>
> Next step - reboot firewall! then the result from ifconfig said:
>
> blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
> inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes: (0 Kb) TX bytes: (0 Kb)
>
> BUT - my firewall dropped my DNS and HTTP requests. I tried to change the
> rules with the firewall-mode from 1 to 0 and in the WUI by mode 1 to set
> rules for wireless to allow these connections. Without success!
>
> for example:
> Jul 1 21:23:10 ipfw kernel: DROP_WirelessinputIN=blue0 OUT=
> MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10
> DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP
> SPT=1083 DPT=53 LEN=4
>
> Any idea?
>
> BG, Thomas
>
> On 01.07.2013 11:53, Michael Tremer wrote:
>> On Sun, 2013-06-30 at 15:37 +0200, Thomas Berthel wrote:
>>> Hi @ all,
>>>
>>> I have checked the /etc/init.d/network-vlans script and got the following
>>> message: Invalid action
>>>
>>> The debug output says:
>>>
>>> (/var/ipfire/ethernet):/etc/init.d/network-vlans
>>> + CONFIG_FILE=/var/ipfire/ethernet/vlans
>>> + '[' -e /var/ipfire/ethernet/vlans ']'
>>> ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
>>> + eval '#GREEN_VLAN_ID=20' BLUE_VLAN_ID=300 ORANGE_VLAN_ID=400
>>> + action=
>>> + for interface in green0 blue0 orange0
>>> + case "${interface}" in
>>> + PARENT_DEV=
>>> + VLAN_ID=
>>> + MAC_ADDRESS=
>>> + case "${action}" in
>>> + echo 'Invalid action: '
>>> Invalid action:
>>> + exit 1
>>
>> Please run /etc/init.d/network-vlans start or /etc/init.d/network-vlans
>> to start and stop the virtual interfaces.
>>
>> -Michael
>>
>
>
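Before loosening any rule in response to the DROP_Wireless line quoted above, it helps to see exactly which interface, protocol and destination port are being refused and from how many hosts. The script below is an added example, not part of the thread or of IPFire: a POSIX shell function that summarises netfilter kernel log lines of that form. The first sample line is the one from the thread; the remaining lines are constructed for the example, and the `drop_summary` name and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not IPFire code): summarise "kernel: DROP_*" log lines so
# that the dropped traffic is understood before the ruleset is changed.

# Constructed sample log. The first line is the one quoted in the thread;
# the other three are made up for the example.
SAMPLE_LOG='Jul 1 21:23:10 ipfw kernel: DROP_WirelessinputIN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP SPT=1083 DPT=53 LEN=4
Jul 1 21:23:12 ipfw kernel: DROP_WirelessinputIN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25515 DF PROTO=UDP SPT=1084 DPT=53 LEN=40
Jul 1 21:23:15 ipfw kernel: DROP_Wireless IN=blue0 OUT=red0 MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40212 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 1 21:23:20 ipfw kernel: DROP_WirelessinputIN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.11 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

# drop_summary < LOG
# Prints one line per (incoming interface, protocol, destination port):
#   IN/PROTO/DPT packets=<dropped packets> sources=<distinct SRC addresses>
# Lines that are not netfilter DROP_ entries are ignored. A protocol without
# ports (ICMP) is reported with "-" as the port.
drop_summary() {
    awk '
        /kernel: DROP_/ {
            in_if = ""; proto = ""; dpt = "-"; src = ""
            for (i = 1; i <= NF; i++) {
                # The chain label may be glued to IN= without a space
                # (as in the thread), so accept IN= anywhere in the field.
                if ($i ~ /IN=/)          { sub(/.*IN=/, "", $i); in_if = $i }
                else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
                else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
                else if ($i ~ /^SRC=/)   { src = substr($i, 5) }
            }
            key = in_if "/" proto "/" dpt
            count[key]++
            if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
        }
        END {
            for (k in count)
                printf "%s packets=%d sources=%d\n", k, count[k], sources[k]
        }' | sort
}

# Stand-alone usage: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On a running IPFire box the same function can be fed with `grep DROP_ /var/log/messages | drop_summary`; a high packet count on blue0/UDP/53 with a single source, as in the thread, points at the firewall's own DNS port being closed to the wireless network rather than at a scan.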
* Re: VLAN Konfig
2013-07-01 9:53 ` Michael Tremer
@ 2013-07-01 22:14 ` Thomas Berthel
2013-07-21 20:35 ` Thomas Berthel
0 siblings, 1 reply; 13+ messages in thread
From: Thomas Berthel @ 2013-07-01 22:14 UTC (permalink / raw)
To: documentation
Hi Michael,
> Please run /etc/init.d/network-vlans start
thanks. beginner error :-)
Here my document for vlan:
I configure my firewall with the setup mode and change from green+red to
green+red+orange+blue.
I set up the network IPs for blue & orange, then at the end of the setup I
got a message: orange device can't configure, no device found, or so.
Because it does not let me finish the setup mode, I have
closed the console connection.
I check my /var/ipfire/ethernet/settings and all information from my
change in the setup-menu was written there.
for example, one snippet:
BLUE_ADDRESS=192.168.2.1
BLUE_NETMASK=255.255.255.0
BLUE_NETADDRESS=192.168.2.0
BLUE_BROADCAST=192.168.2.255
but no MAC address and no DEV was in there.
ifconfig says nothing about blue or orange. Okay, then the next step.
I configure my /var/ipfire/ethernet/vlans as follows:
BLUE_PARENT_DEV=green0
BLUE_VLAN_ID=300
BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
ORANGE_PARENT_DEV=green0
ORANGE_VLAN_ID=400
ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
Without "" for _PARENT_DEV="device1" and the _MAC_ADDRESS="11:22:33:..."
Then I do /etc/init.d/network-vlans start; this was my message output:
/etc/init.d/network-vlans start
+ CONFIG_FILE=/var/ipfire/ethernet/vlans
+ '[' -e /var/ipfire/ethernet/vlans ']'
++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
+ eval BLUE_PARENT_DEV=green0 BLUE_VLAN_ID=300
BLUE_MAC_ADDRESS=00:22:4D:84:A5:30 ORANGE_PARENT_DEV=green0
ORANGE_VLAN_ID=400 ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
++ BLUE_PARENT_DEV=green0
++ BLUE_VLAN_ID=300
++ BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
++ ORANGE_PARENT_DEV=green0
++ ORANGE_VLAN_ID=400
++ ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
+ action=start
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=
+ VLAN_ID=
+ MAC_ADDRESS=
+ case "${action}" in
+ '[' -z '' ']'
+ continue
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=green0
+ VLAN_ID=300
+ MAC_ADDRESS=00:22:4D:84:A5:30
+ case "${action}" in
+ '[' -z green0 ']'
+ '[' -d /sys/class/net/blue0 ']'
+ '[' '!' -d /sys/class/net/green0 ']'
+ '[' -z 300 ']'
+ echo 'Creating VLAN interface blue0...'
Creating VLAN interface blue0...
+ vconfig add green0 300
Added VLAN with VID == 300 to IF -:green0:-
+ ip link set green0.300 name blue0
+ '[' -n 00:22:4D:84:A5:30 ']'
+ ip link set blue0 address 00:22:4D:84:A5:30
+ ip link set green0 up
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=green0
+ VLAN_ID=400
+ MAC_ADDRESS=00:22:4D:84:A5:40
+ case "${action}" in
+ '[' -z green0 ']'
+ '[' -d /sys/class/net/orange0 ']'
+ '[' '!' -d /sys/class/net/green0 ']'
+ '[' -z 400 ']'
+ echo 'Creating VLAN interface orange0...'
Creating VLAN interface orange0...
+ vconfig add green0 400
Added VLAN with VID == 400 to IF -:green0:-
+ ip link set green0.400 name orange0
+ '[' -n 00:22:4D:84:A5:40 ']'
+ ip link set orange0 address 00:22:4D:84:A5:40
+ ip link set green0 up
Yeah! The final countdown ;-)
So, I checked my ifconfig and only the device with no IP was displayed:
blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes: (0 Kb) TX bytes: (0 Kb)
WTF? okay. I configure my /var/ipfire/ethernet/settings once again as
described here:
BLUE_DEV=blue0
BLUE_MACADDR=00:22:4d:84:a5:30
BLUE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network
Connection"'
BLUE_DRIVER=e1000e
BLUE_ADDRESS=192.168.2.1
BLUE_NETMASK=255.255.255.0
BLUE_NETADDRESS=192.168.2.0
BLUE_BROADCAST=192.168.2.255
Next step - reboot firewall! then the result from ifconfig said:
blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes: (0 Kb) TX bytes: (0 Kb)
BUT - my firewall dropped my DNS and HTTP requests. I tried to change the
rules with the firewall-mode from 1 to 0 and in the WUI by mode 1 to set
rules for wireless to allow these connections. Without success!
for example:
Jul 1 21:23:10 ipfw kernel: DROP_WirelessinputIN=blue0 OUT=
MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10
DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP
SPT=1083 DPT=53 LEN=4
Any idea?
BG, Thomas
On 01.07.2013 11:53, Michael Tremer wrote:
> On Sun, 2013-06-30 at 15:37 +0200, Thomas Berthel wrote:
>> Hi @ all,
>>
>> I have checked the /etc/init.d/network-vlans script and got the following
>> message: Invalid action
>>
>> The debug output says:
>>
>> (/var/ipfire/ethernet):/etc/init.d/network-vlans
>> + CONFIG_FILE=/var/ipfire/ethernet/vlans
>> + '[' -e /var/ipfire/ethernet/vlans ']'
>> ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
>> + eval '#GREEN_VLAN_ID=20' BLUE_VLAN_ID=300 ORANGE_VLAN_ID=400
>> + action=
>> + for interface in green0 blue0 orange0
>> + case "${interface}" in
>> + PARENT_DEV=
>> + VLAN_ID=
>> + MAC_ADDRESS=
>> + case "${action}" in
>> + echo 'Invalid action: '
>> Invalid action:
>> + exit 1
>
> Please run /etc/init.d/network-vlans start or /etc/init.d/network-vlans
> to start and stop the virtual interfaces.
>
> -Michael
>
* Re: VLAN Konfig
[not found] <51D03494.7090008@gmx.net>
@ 2013-07-01 9:53 ` Michael Tremer
2013-07-01 22:14 ` Thomas Berthel
0 siblings, 1 reply; 13+ messages in thread
From: Michael Tremer @ 2013-07-01 9:53 UTC (permalink / raw)
To: documentation
On Sun, 2013-06-30 at 15:37 +0200, Thomas Berthel wrote:
> Hi @ all,
>
> I have checked the /etc/init.d/network-vlans script and got the following
> message: Invalid action
>
> The debug output says:
>
> (/var/ipfire/ethernet):/etc/init.d/network-vlans
> + CONFIG_FILE=/var/ipfire/ethernet/vlans
> + '[' -e /var/ipfire/ethernet/vlans ']'
> ++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
> + eval '#GREEN_VLAN_ID=20' BLUE_VLAN_ID=300 ORANGE_VLAN_ID=400
> + action=
> + for interface in green0 blue0 orange0
> + case "${interface}" in
> + PARENT_DEV=
> + VLAN_ID=
> + MAC_ADDRESS=
> + case "${action}" in
> + echo 'Invalid action: '
> Invalid action:
> + exit 1
Please run /etc/init.d/network-vlans start or /etc/init.d/network-vlans
to start and stop the virtual interfaces.
-Michael
* Re: VLAN Konfig
2013-06-08 11:42 Thomas Berthel
2013-06-09 4:54 ` Erik K.
@ 2013-06-10 10:22 ` Michael Tremer
1 sibling, 0 replies; 13+ messages in thread
From: Michael Tremer @ 2013-06-10 10:22 UTC (permalink / raw)
To: documentation
Hey Thomas,
very nice illustration and colouring :)
But I got some questions:
The part about the configuration file /var/ipfire/ethernet/vlans looks
right to me.
For some reason, you are writing a new script a little bit later which
manually creates the virtual interfaces. Why is that?
According to your configuration in /var/ipfire/ethernet/vlans, a new
blue0 and orange0 interface will show up after reboot.
It is very convenient to name the devices blue0, green0, orange0 and
red0, because some scripts rely on those names. That's not good
practice, I know. But it's the way it is at the moment.
Then, why all that iptables stuff? I cannot see how this is relevant for
the VLANs in general.
-Michael
On Sat, 2013-06-08 at 13:42 +0200, Thomas Berthel wrote:
> Hi all,
>
> I have finished the documentation for the VLAN here:
> http://wiki.ipfire.org/de/optimization/vlan/start. Could one of you
> prepare it in a usable format for the English-speaking users?
> Corrections may of course be made as well ;-)
>
>
> Have a nice weekend! Thomas
* Re: VLAN Konfig
2013-06-09 4:54 ` Erik K.
@ 2013-06-09 7:37 ` Thomas Berthel
0 siblings, 0 replies; 13+ messages in thread
From: Thomas Berthel @ 2013-06-09 7:37 UTC (permalink / raw)
To: documentation
Hi Erik,
> the installation section might be better than optimizations
True, you're right.
> 1) The results in the CUSTOM Chains don't display the destination
> ports, only the source ports. Why is that?
What exactly do you mean? I just do not see what you mean.
> 2) Also, is it necessary to define --sport ?
Yes. That way I specify exactly what to do and what not to do with which ports.
But, I'm not an iptables expert. That was my first real attempt and has
worked well so far.
> 3) Another question is, are you operating in Mode 0 in the outgoing FW ?
No, I use Mode 1.
> Or in other words, is it possible to define such rules without
> problems with the VLAN config and interface names like green 003 etc.?
I think that is not RFC compliant. However, it is possible to set the IDs
in the range 0-4095.
http://www.oit.ucsb.edu/committees/CNC-BEG/vlan_id.asp
> 4) Did you also try to add these rules over the webinterface ?
I have not tested yet. But, I can do that.
BG, Thomas
On 09.06.2013 06:54, Erik K. wrote:
> Hi Thomas,
> first of all, thanks for the wiki on this theme; I think it is important to have some good explanation in there. Maybe the location can be changed once you have finished this wiki; the installation section might be better than optimizations.
>
> I have some questions to your IPTable rules.
> 1) The results in the CUSTOM Chains don't display the destination ports, only the source ports. Why is that?
> 2) Also, is it necessary to define --sport ?
> 3) Another question is, are you operating in Mode 0 in the outgoing FW ?
> 4) Did you also try to add these rules over the webinterface ? Or in other words is it possible to define such rules without problems with the VLAN config and interface names like green 003 etc. ?
>
> One hint for the mailing list: this is an international area, so we write only in English.
>
> Greetings
>
> Erik
>
> On 08.06.2013 at 13:42, Thomas Berthel wrote:
>
>> Hi all,
>>
>> I have finished the documentation for the VLAN here:
>> http://wiki.ipfire.org/de/optimization/vlan/start. Could one of you
>> prepare it in a usable format for the English-speaking users?
>> Corrections may of course be made as well ;-)
>>
>>
>> Have a nice weekend! Thomas
* Re: VLAN Konfig
2013-06-08 11:42 Thomas Berthel
@ 2013-06-09 4:54 ` Erik K.
2013-06-09 7:37 ` Thomas Berthel
2013-06-10 10:22 ` Michael Tremer
1 sibling, 1 reply; 13+ messages in thread
From: Erik K. @ 2013-06-09 4:54 UTC (permalink / raw)
To: documentation
Hi Thomas,
first of all, thanks for the wiki on this theme; I think it is important to have some good explanation in there. Maybe the location can be changed once you have finished this wiki; the installation section might be better than optimizations.
I have some questions to your IPTable rules.
1) The results in the CUSTOM Chains don't display the destination ports, only the source ports. Why is that?
2) Also, is it necessary to define --sport ?
3) Another question is, are you operating in Mode 0 in the outgoing FW ?
4) Did you also try to add these rules over the webinterface ? Or in other words is it possible to define such rules without problems with the VLAN config and interface names like green 003 etc. ?
One hint for the mailing list: this is an international area, so we write only in English.
Greetings
Erik
On 08.06.2013 at 13:42, Thomas Berthel wrote:
> Hi all,
>
> I have finished the documentation for the VLAN here:
> http://wiki.ipfire.org/de/optimization/vlan/start. Could one of you
> prepare it in a usable format for the English-speaking users?
> Corrections may of course be made as well ;-)
>
>
> Have a nice weekend! Thomas
* VLAN Konfig
@ 2013-06-08 11:42 Thomas Berthel
2013-06-09 4:54 ` Erik K.
2013-06-10 10:22 ` Michael Tremer
0 siblings, 2 replies; 13+ messages in thread
From: Thomas Berthel @ 2013-06-08 11:42 UTC (permalink / raw)
To: documentation
Hi all,
I have finished the documentation for the VLAN here:
http://wiki.ipfire.org/de/optimization/vlan/start. Could one of you
prepare it in a usable format for the English-speaking users?
Corrections may of course be made as well ;-)
Have a nice weekend! Thomas