* vlan on red documentation
@ 2014-12-06 7:09 R. W. Rodolico
2014-12-06 12:41 ` Michael Tremer
From: R. W. Rodolico @ 2014-12-06 7:09 UTC (permalink / raw)
To: documentation
I needed to share orange and red on a router. Read through the stuff and
figured it out, though it is slightly different from the way it is
described in the Wiki.
Do you think it would be good to have a separate "VLAN on Red
interface" article? If not, I'll put it on my own wiki instead.
Rod
--
"Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
* Re: vlan on red documentation
2014-12-06 7:09 vlan on red documentation R. W. Rodolico
@ 2014-12-06 12:41 ` Michael Tremer
2014-12-06 17:19 ` R. W. Rodolico
From: Michael Tremer @ 2014-12-06 12:41 UTC (permalink / raw)
To: documentation
Hi,
are we talking about this one?
http://wiki.ipfire.org/en/optimization/vlan/start
What has been different for you and what would you suggest to clarify
this howto?
-Michael
On Sat, 2014-12-06 at 01:09 -0600, R. W. Rodolico wrote:
> I needed to share orange and red on a router. Read through the stuff and
> figured it out, though it is slightly different from the way it is
> described in the Wiki.
>
> Do you think it would be good to have a separate "VLAN on Red
> interface" article? If not, I'll put it on my own wiki instead.
>
> Rod
* Re: vlan on red documentation
2014-12-06 12:41 ` Michael Tremer
@ 2014-12-06 17:19 ` R. W. Rodolico
From: R. W. Rodolico @ 2014-12-06 17:19 UTC (permalink / raw)
To: documentation
I'm not sure about clarifying the article. I just did not see it when I
was searching for instructions, so I ended up coming up with my own. I'm
attaching what I wrote. It has no examples or images in it, and needs to
be cleaned up some.
One thing that is different in the way I did it is that I used the
hardware port as a trunk, then attached the VLAN ports to it. So, in my
case, red0 is not the underlying port. I change the name in udev to
something else, then build red0 and orange0 on top of it.
Like I said, I did not see the vlan article when I was doing my
research. It is based mainly on
http://forum.ipfire.org/index.php?topic=7242.0
and some conversations with one of our network people here, and some
experimentation.
Rod
On 12/06/2014 06:41 AM, Michael Tremer wrote:
> Hi,
>
> are we talking about this one?
>
> http://wiki.ipfire.org/en/optimization/vlan/start
>
> What has been different for you and what would you suggest to clarify
> this howto?
>
> -Michael
>
> On Sat, 2014-12-06 at 01:09 -0600, R. W. Rodolico wrote:
>> I needed to share orange and red on a router. Read through the stuff and
>> figured it out, though it is slightly different from the way it is
>> described in the Wiki.
>>
>> Do you think it would be good to have a separate "VLAN on Red
>> interface" article? If not, I'll put it on my own wiki instead.
>>
>> Rod
--
"Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
[-- Attachment #2: IPFire_VLAN.txt --]
IPFire VLAN: sharing red and orange on the same physical NIC
This document covers the most complex way of setting up one physical interface handling two virtual interfaces through VLAN tagging. We will be setting up the red0 interface to handle both red and orange traffic. This is more complex since it is not currently built into the system, so it requires modifying some system files manually.
VLAN tagging is an advanced topic, but sharing a port for green, blue and orange is configured in the existing setup. The steps taken to use these are similar to this document; it is just that some of the steps will not be necessary.
The basic theory of VLANs for IPFire (and anything else) is to use one interface as a trunk, then create interfaces on top of this as aliases which are tagged. Tagging adds a header to every network packet to distinguish which virtual network it is destined for; ports which recognize these packets are considered "tagged." You should not mix tagged and untagged packets on the same physical port.
In this case, we will set up the port designated red0 during the install to handle both red and orange traffic. Thus, one wire coming out of your router will handle both red and orange traffic at the same time. This assumes you are using an intelligent network switch which understands VLANs. In this example, we have used an HP ProCurve switch and set it up as follows:
    VLAN ID 10, name red
    VLAN ID 20, name orange
We configure the ports on the switch as follows:
    Port   VLAN
    1      untagged red
    2      tagged orange/red
    3      untagged orange
    4      untagged orange
    5      untagged orange
    6      untagged orange
The goal is to connect our outside network (what is feeding us) to port 1, and the red/orange network cable to port 2. Then, all our DMZ machines go to ports 3-6. The trick here is that our switch requires traffic on port 2 to be tagged as red or orange, so it knows which virtual network to communicate with. Traffic tagged as orange on port 2 will communicate with ports 2-6. Traffic tagged as red on port 2 will communicate with ports 1 & 2 only.
Note that ports 1 and 3-6 will ONLY communicate with their own VLAN. Port 3 cannot talk to port 1, nor will port 3 "see" traffic tagged as red on port 2. Traffic on ports 1 & 3-6 does not need to be tagged; since they are plugged into the physical switch port, they are on the indicated VLANs.
Last thing before we start: the names "red" and "orange" for the VLANs are for us, the humans. When we set anything in the router, we must use the VLAN ID (10 for red, 20 for orange).
To minimize changes to the IPFire system files, we are going to redefine the red0 interface as the trunk by editing the appropriate entry in /etc/udev/rules.d/30-persistent-network.rules. You can quite easily reassign the name of the interface to trunk1, or eth0, or whatever with a simple edit. We will then redefine red0 and orange0 to be VLAN-tagged aliases which use this physical port as their trunk.
We will make changes to all of the configuration files first, then restart the router to bring up the new configuration.
1. Edit /etc/udev/rules.d/30-persistent-network.rules. Find the line which records the interface you want to use (hint: in this case, it is the one ending in NAME="red0"). Change "red0" to something else. You can use the standard Linux naming convention (eth0 or eth1), or if you want it to be clear what you are doing, you can use something like "trunk0". In this document, we are calling it "eth0".
2. Edit /var/ipfire/ethernet/vlans, modify the ORANGE entries and add the RED ones as below. This is the definition of the VLAN-tagged virtual interfaces, creating red0 and orange0 on top of the trunk. The VLAN IDs must match the switch configuration above (10 for red, 20 for orange):
    ORANGE_PARENT_DEV=eth0
    ORANGE_VLAN_ID=20
    ORANGE_MAC_ADDRESS=00:22:b2:b1:b1:40
    RED_PARENT_DEV=eth0
    RED_VLAN_ID=10
    RED_MAC_ADDRESS=00:22:b2:b1:b1:41
The choice of the MAC address is arbitrary, but they must be unique within your network; red/green/blue/orange must not contain the MAC addresses you use here. To repeat, NOTHING within any of the networks you are immediately connected to may use the MAC addresses defined above.
3. Edit /etc/rc.d/init.d/network-vlans. This is the one you have to change because we are modifying the red interface. At approximately line 34, there is a for loop. Be sure red0 is part of it. It should look like this:
    for interface in green0 red0 blue0 orange0; do
Then, duplicate one of the blocks inside the loop and create a red* block.
4. Reboot your system. You could probably get it working without rebooting, but the number of items needing to be updated is beyond me, so I just rebooted. I THINK restarting udev and then running /etc/init.d/network restart would work. During reboot, you should see "adding VLAN interface red0" and "adding VLAN interface orange0". You can then execute ifconfig and see the MAC addresses you assigned to the interfaces.
5. Run setup to configure any unconfigured interfaces. In our case, red0 was already configured, but we had to change the network type to red/green/orange, then assign the orange interface to the VLAN (it will show up as a new interface), then configure the IP address and subnet mask.
NOTE: This is not the only way to do it. There are other people who leave udev alone and create something like 'red10' and 'orange20' on top of red0 (using red0 as the trunk, so there are no modifications). I chose to do it this way because it appears to be the simplest, with the fewest changes to the system to get it working (and thus fewer things to go wrong). But, there are other ways to accomplish the same thing.
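The attached how-to hand-edits /var/ipfire/ethernet/vlans and then trusts the boot output to tell you whether the tagged interfaces came up. The script below is an added example, not IPFire's own code and not part of the original thread: it parses a vlans file in the format shown above (a constructed copy is embedded, with red on VLAN 10 as the switch table requires), checks the things that silently break such a setup (VLAN ID outside 1-4094, malformed or multicast MAC, the same MAC or the same parent/VLAN pair assigned to two zones), and prints the iproute2 `ip link add ... type vlan` commands that would create red0 and orange0 on the renamed trunk. It prints rather than executes the commands so the result can be reviewed before anything is applied; the `ip link` syntax is standard iproute2, not an IPFire script.

```shell
#!/bin/sh
# Added example (not IPFire's code): validate a /var/ipfire/ethernet/vlans-style
# file and emit the iproute2 commands that would create the tagged sub-interfaces.
# The commands are printed, not run, so nothing here needs root or a real NIC.

# Constructed sample of the file the how-to edits; red is VLAN 10, orange VLAN 20.
sample_vlans_config() {
  cat <<'EOF'
ORANGE_PARENT_DEV=eth0
ORANGE_VLAN_ID=20
ORANGE_MAC_ADDRESS=00:22:b2:b1:b1:40
RED_PARENT_DEV=eth0
RED_VLAN_ID=10
RED_MAC_ADDRESS=00:22:b2:b1:b1:41
EOF
}

# valid_vlan_id ID: true for 1..4094 (0 and 4095 are reserved by 802.1Q).
valid_vlan_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# valid_mac MAC: six colon-separated hex octets, and unicast (I/G bit clear).
# A multicast MAC on a zone interface would never be learned by the switch.
valid_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  first=$(printf '%s' "$1" | cut -d: -f1)
  [ $(( 0x$first & 1 )) -eq 0 ]
}

# vlan_commands FILE: print "ip link" commands for every zone that has a
# PARENT_DEV entry; return 1 (with a message on stderr) on the first bad entry.
vlan_commands() {
  cfg="$1"
  seen_macs=""
  seen_pairs=""
  for zone in GREEN RED BLUE ORANGE; do
    parent=$(sed -n "s/^${zone}_PARENT_DEV=//p" "$cfg")
    [ -n "$parent" ] || continue            # zone is not on a VLAN
    id=$(sed -n "s/^${zone}_VLAN_ID=//p" "$cfg")
    mac=$(sed -n "s/^${zone}_MAC_ADDRESS=//p" "$cfg")
    valid_vlan_id "$id" || { echo "$zone: bad VLAN id '$id'" >&2; return 1; }
    valid_mac "$mac"    || { echo "$zone: bad MAC '$mac'" >&2; return 1; }
    case " $seen_macs " in
      *" $mac "*) echo "$zone: MAC $mac already used by another zone" >&2; return 1 ;;
    esac
    case " $seen_pairs " in
      *" $parent.$id "*) echo "$zone: VLAN $id on $parent already assigned" >&2; return 1 ;;
    esac
    seen_macs="$seen_macs $mac"
    seen_pairs="$seen_pairs $parent.$id"
    dev=$(printf '%s' "$zone" | tr 'A-Z' 'a-z')0   # RED -> red0, ORANGE -> orange0
    echo "ip link add link $parent name $dev address $mac type vlan id $id"
    echo "ip link set dev $dev up"
  done
}

# Stand-alone run: write the constructed sample to a temp file and show the plan.
if [ "${0##*/}" != "sh" ] && [ -z "$VLAN_CHECK_NO_MAIN" ]; then
  tmp=$(mktemp)
  sample_vlans_config > "$tmp"
  vlan_commands "$tmp"
  rm -f "$tmp"
fi
```

After the interfaces exist, `ip -d link show red0` prints the `vlan protocol 802.1Q id 10` line, which confirms the tag that ifconfig does not display; a zone whose MAC collides with another host on the same VLAN shows up in the validator above before it shows up as flapping switch MAC-table entries.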