IPFire VLAN: sharing red and orange on the same physical NIC

This document covers the most involved way of setting up one physical interface that carries two virtual interfaces through VLAN tagging. We will set up the red0 interface to carry both red and orange traffic. This is more complex than the other VLAN cases because it is not built into the system, so it requires editing some system files by hand. VLAN tagging is an advanced topic, but sharing a port for green, blue and orange is already supported by the existing setup program; only the red interface is not. The steps for those interfaces are similar to this document, just with some of the steps left out.

The basic theory of VLANs for IPFire (and for anything else) is to use one interface as a trunk and create tagged aliases on top of it. Tagging adds a header (the 802.1Q tag) to every frame that says which virtual network it belongs to, and switch ports that expect such frames are called "tagged" ports. Do not mix tagged and untagged traffic on the same physical port in this setup.

In this case, we will set up the port designated red0 during the install to carry both red and orange traffic, so one cable from your router carries red and orange at the same time. This assumes you are using a managed switch that understands VLANs. In this example we used an HP ProCurve switch and configured it as follows:

VLAN ID 10, name red
VLAN ID 20, name orange

We configure the ports on the switch as follows:

Port  VLAN
1     untagged red
2     tagged red and orange
3     untagged orange
4     untagged orange
5     untagged orange
6     untagged orange

The goal is to connect our outside network (whatever is feeding us) to port 1 and the IPFire red/orange cable to port 2, then all of our DMZ machines to ports 3-6. The trick is that the switch requires traffic on port 2 to be tagged as red or orange, so it knows which virtual network the traffic belongs to.
Traffic tagged as orange on port 2 will reach ports 2-6. Traffic tagged as red on port 2 will reach ports 1 and 2 only. Note that ports 1 and 3-6 will ONLY communicate with their own VLAN: port 3 cannot talk to port 1, nor will port 3 "see" traffic tagged as red on port 2. Traffic on ports 1 and 3-6 does not need to be tagged; because those ports are untagged members of a single VLAN, whatever is plugged into them is on that VLAN. This is also what keeps the DMZ and the outside network apart on the shared switch, so the separation is only as good as the switch configuration: check that no port other than 2 is a member of both VLANs.

One last thing before we start. The names "red" and "orange" for the VLANs are for us humans. Whenever we set anything on the router, we must use the VLAN ID (10 for red, 20 for orange).

To minimise changes to the IPFire system files, we are going to redefine the red0 interface as the trunk by editing the appropriate entry in /etc/udev/rules.d/30-persistent-network.rules. You can reassign the name of the interface to trunk1, eth0, or whatever else you like with a simple edit. We will then redefine red0 and orange0 as VLAN-tagged aliases that use this physical port as their trunk. We will make all of the configuration file changes first, then restart the router to bring up the new configuration.

1. Edit /etc/udev/rules.d/30-persistent-network.rules. Find the line that records the interface you want to use (hint: in this case it is the one ending in NAME="red0") and change "red0" to something else. You can use the standard Linux naming convention (eth0 or eth1), or, if you want it to be clear what you are doing, something like "trunk0". In this document we call it "eth0". Whatever name you pick is the one you must use as the parent device in the next step.

2. Edit /var/ipfire/ethernet/vlans, modify the ORANGE entries and add the RED ones as below.
This is the definition of the VLAN-tagged virtual interfaces, creating red0 and orange0 on top of eth0. The VLAN IDs must match the switch: 10 for red and 20 for orange.

    ORANGE_PARENT_DEV=eth0
    ORANGE_VLAN_ID=20
    ORANGE_MAC_ADDRESS=00:22:b2:b1:b1:40
    RED_PARENT_DEV=eth0
    RED_VLAN_ID=10
    RED_MAC_ADDRESS=00:22:b2:b1:b1:41

The choice of MAC address is arbitrary, but each one must be unique within your network: nothing on red, green, blue or orange may use the MAC addresses you assign here. To repeat, NOTHING within any of the networks you are directly connected to may use the MAC addresses defined above.

3. Edit /etc/rc.d/init.d/network-vlans. This is the file you have to change because we are modifying the red interface. At approximately line 34 there is a for loop. Be sure red0 is part of it. It should look like this:

    for interface in green0 red0 blue0 orange0; do

Then duplicate one of the blocks inside the loop and create a red* block.

4. Reboot your system. You could probably get it working without rebooting, but the number of items needing to be updated is beyond me, so I just rebooted. I THINK restarting udev and then running /etc/init.d/network restart would work. During reboot you should see "adding VLAN interface red0" and "adding VLAN interface orange0". You can then run ifconfig and see the MAC addresses you assigned to the interfaces.

5. Run setup to configure any unconfigured interfaces. In our case red0 was already configured, but we had to change the network type to red/green/orange, then assign the orange interface to the VLAN (it shows up as a new interface), then configure its IP address and subnet mask.

NOTE: This is not the only way to do it. Other people leave udev alone and create something like 'red10' and 'orange20' on top of red0 (using red0 as the trunk, so there are no modifications). I chose to do it this way because it appears to be the simplest, with the fewest changes to the system to get it working (and thus fewer things to go wrong). But there are other ways to accomplish the same thing.
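Before rebooting in step 4 it is worth checking the vlans file, because a typo there (two colours with the same VLAN ID on one trunk, or two interfaces with the same MAC) silently breaks the separation the switch is enforcing. The script below is an added example, not IPFire's network-vlans script and not part of the original page: it reads a file in the /var/ipfire/ethernet/vlans format shown above and prints the iproute2 commands needed to create the tagged interfaces on the trunk, refusing duplicate VLAN IDs and duplicate MACs. The sample file content, the function names get_var and vlan_commands, and the use of ip(8) rather than whatever tool IPFire's own script calls are assumptions.

```shell
#!/bin/sh
# Added example: dry-run generator for the tagged interfaces described in
# /var/ipfire/ethernet/vlans. Prints the ip(8) commands instead of running
# them, so it can be checked as an unprivileged user before a reboot.

# Constructed sample in the vlans file format (assumption: eth0 is the
# renamed physical NIC; IDs match the switch, red=10, orange=20).
SAMPLE_VLANS='ORANGE_PARENT_DEV=eth0
ORANGE_VLAN_ID=20
ORANGE_MAC_ADDRESS=00:22:b2:b1:b1:40
RED_PARENT_DEV=eth0
RED_VLAN_ID=10
RED_MAC_ADDRESS=00:22:b2:b1:b1:41'

# get_var FILE NAME: print the value of the first NAME=value line, or nothing.
get_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# vlan_commands FILE: for every colour with a parent device and VLAN ID,
# print the commands that create <colour>0 as a tagged child of the parent.
# Returns 1 (and prints nothing further) on a duplicate VLAN ID per parent
# or a duplicate MAC address, the two mistakes the text above warns about.
vlan_commands() {
    file=$1
    seen_ids=""
    seen_macs=""
    for colour in green red blue orange; do
        upper=$(printf '%s' "$colour" | tr 'a-z' 'A-Z')
        parent=$(get_var "$file" "${upper}_PARENT_DEV")
        id=$(get_var "$file" "${upper}_VLAN_ID")
        mac=$(get_var "$file" "${upper}_MAC_ADDRESS")
        [ -n "$parent" ] && [ -n "$id" ] || continue

        case " $seen_ids " in *" $parent:$id "*)
            echo "error: VLAN ID $id is used twice on $parent" >&2
            return 1;;
        esac
        seen_ids="$seen_ids $parent:$id"

        if [ -n "$mac" ]; then
            case " $seen_macs " in *" $mac "*)
                echo "error: MAC address $mac is used twice" >&2
                return 1;;
            esac
            seen_macs="$seen_macs $mac"
        fi

        echo "ip link add link $parent name ${colour}0 type vlan id $id"
        if [ -n "$mac" ]; then
            echo "ip link set ${colour}0 address $mac"
        fi
        echo "ip link set ${colour}0 up"
    done
}

# Stand-alone demo: print the commands for the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_VLANS" > "$tmp"
    vlan_commands "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh check-vlans.sh --demo` to see the commands for the sample; point vlan_commands at the real file to check your own configuration. If the output looks right, `vlan_commands /var/ipfire/ethernet/vlans | sh -e` as root creates the interfaces by hand, which is one way to try the configuration without a full reboot. Changing RED_VLAN_ID in the sample to 20 makes the script stop with an error, since red and orange would then be the same VLAN on the trunk.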