Hi everyone,
I have finished the documentation for VLAN here: http://wiki.ipfire.org/de/optimization/vlan/start. Could one of you prepare it in a usable format for the English-speaking users? Corrections may of course be made as well ;-)
Have a nice weekend! Thomas
Hi Thomas, first of all, thanks for the wiki on this topic. I think it is important to have some good explanation in there. Maybe the location can be changed once you have finished this wiki; the installation section might be better than optimizations.
I have some questions about your IPTable rules.
1) The results in the CUSTOM chains don't display the destination ports, only the source ports, why is that?
2) Also, is it necessary to define --sport?
3) Another question is, are you operating in Mode 0 in the outgoing FW?
4) Did you also try to add these rules over the web interface? Or in other words, is it possible to define such rules without problems with the VLAN config and interface names like green 003 etc.?
One hint about the mailing list: this is an international area, so we write only in English.
Greetings
Erik
_______________________________________________ Documentation mailing list Documentation@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/documentation
Hi Erik,
the installation section might be better than optimizations
True, you're right.
- The results in the CUSTOM chains don't display the destination ports, only the source ports, why is that?
What exactly do you mean? I just do not see what you mean.
- Also, is it necessary to define --sport?
Yes. That way I specify exactly which ports to do what with and which not. But I'm not an iptables expert. That was my first real attempt and it has worked well so far.
- Another question is, are you operating in Mode 0 in the outgoing FW ?
No, I use Mode 1.
Or in other words is it possible to define such rules without problems with the VLAN config and interface names like green 003 etc.?
I think that is not RFC compliant. However, there is the possibility to use IDs 0-4095.
http://www.oit.ucsb.edu/committees/CNC-BEG/vlan_id.asp
- Did you also try to add these rules over the webinterface ?
I have not tested that yet. But I can do that.
BG, Thomas
On 09.06.2013 at 09:37, Thomas Berthel wrote:
Hi Erik,
the installation section might be better than optimizations
True, you're right.
So if you are finished with your wiki, we can put it together in the installation part.
- The results in the CUSTOM chains don't display the destination ports, only the source ports, why is that?
What exactly do you mean? I just do not see what you mean.
I meant in this section --> http://wiki.ipfire.org/de/optimization/vlan/start#iptables_uebersicht: only spts: are to be seen, but no dpts:. In the rules you define "--dports 993,995,110,587,465", but they are listed as "spts:" (source ports). For example, I have in the iptables -L listing for Mail something like this:
RETURN tcp -- 192.168.7.0/24 anywhere multiport dports imaps,urd,submission,pop3s,smtp TIME from 00:00:00 to 00:00:00 UTC
so the dports are specified. I can't find something like that in your iptables -L listing.
- Also, is it necessary to define --sport ?
Yes. That way I specify exactly which ports to do what with and which not. But I'm not an iptables expert. That was my first real attempt and it has worked well so far.
So you have allowed only unprivileged ports as a source port, but isn't that the case per default anyway? Or do you regard this as a security method? So I'm also not sure about this, but if you define only --dports, isn't it the same behavior with the source port anyway as when you define it?
- Another question is, are you operating in Mode 0 in the outgoing FW ?
No, I use Mode 1.
What rules do you use in Mode 1 ?
Or in other words is it possible to define such rules without problems with the VLAN config and interface names like green 003 etc.?
I think that is not RFC compliant. However, there is the possibility to use IDs 0-4095.
Ahh O.K., but is it possible to arrange rules for the VLAN interfaces over the WUI (e.g. DMZ pinholes, etc...)?
- Did you also try to add these rules over the webinterface ?
I have not tested yet. But, I can do that.
So maybe it is less complicated (especially for the explanations in the wiki) if all the rules which can be arranged over the WUI will be set in that way? Might be nice if you can go for a try. So also if the outgoing FW will be configured, I think the CUSTOMFORWARD rules are defined then in the FORWARD and OUTPUT chains.
BG, Thomas
Maybe these are some ideas to go for further checks.
Best regards
Erik
I meant in this section --> http://wiki.ipfire.org/de/optimization/vlan/start#iptables_uebersicht: only spts: are to be seen, but no dpts:. In the rules you define "--dports 993,995,110,587,465", but they are listed as "spts:" (source ports). For example, I have in the iptables -L listing for Mail something like this:
RETURN tcp -- 192.168.7.0/24 anywhere multiport dports imaps,urd,submission,pop3s,smtp TIME from 00:00:00 to 00:00:00 UTC
so the dports are specified. I can't find something like that in your iptables -L listing.
Ah. I'm using dport for a single port (dpts:52 for DNS) and multiport dports for more destination ports, is this not okay?
So you have allowed only unprivileged ports as a source port, but isn't that the case per default anyway? Or do you regard this as a security method? So I'm also not sure about this, but if you define only --dports, isn't it the same behavior with the source port anyway as when you define it?
Is this a default? Sorry, I don't know. Is that so wrong?
What rules do you use in Mode 1 ?
A lot of rules ;) I can't post them here... one snippet: DNS, Mail, Game-Ports, Whois, FTP, NTP and ssh for green, red and all interfaces.
But these rules are all duplicated in my tables after the restart. Another problem is when I re-upload my FW: usually mode 0, although the WUI shows me mode 1.
All my manually specified ports are no longer seen in the tables, only when I reboot the FW.
Ahh O.K., but is it possible to arrange rules for the VLAN interfaces over the WUI (e.g. DMZ pinholes, etc...)? So maybe it is less complicated (especially for the explanations in the wiki) if all the rules which can be arranged over the WUI will be set in that way? Might be nice if you can go for a try. So also if the outgoing FW will be configured, I think the CUSTOMFORWARD rules are defined then in the FORWARD and OUTPUT chains.
I just tested it in the WUI and FW mode 1 does not apply the rules. It seems as if for wireless (blue) the rules come from a different direction, no matter what is stored in the WUI.
On 09.06.2013 at 13:58, Thomas Berthel wrote:
I meant in this section --> http://wiki.ipfire.org/de/optimization/vlan/start#iptables_uebersicht: only spts: are to be seen, but no dpts:. In the rules you define "--dports 993,995,110,587,465", but they are listed as "spts:" (source ports). For example, I have in the iptables -L listing for Mail something like this:
RETURN tcp -- 192.168.7.0/24 anywhere multiport dports imaps,urd,submission,pop3s,smtp TIME from 00:00:00 to 00:00:00 UTC
so the dports are specified. I can't find something like that in your iptables -L listing.
Ah. I'm using dport for a single port (dpts:52 for DNS) and multiport dports for more destination ports, is this not okay?
O.K., my bad, I overlooked it.
So you have allowed only unprivileged ports as a source port, but isn't that the case per default anyway? Or do you regard this as a security method? So I'm also not sure about this, but if you define only --dports, isn't it the same behavior with the source port anyway as when you define it?
Is this a default? Sorry, I don't know. Is that so wrong?
This was more a question than a statement ;-)
What rules do you use in Mode 1 ?
A lot of rules ;) I can't post them here... one snippet: DNS, Mail, Game-Ports, Whois, FTP, NTP and ssh for green, red and all interfaces.
But these rules are all duplicated in my tables after the restart.
Maybe it is because you define them in firewall.local also? Did you try a complete reboot?
Another problem is when I re-upload my FW: usually mode 0, although the WUI shows me mode 1.
This is really strange, I have no clue why this happens.
All my manually specified ports are no longer seen in the tables, only when I reboot the FW.
I have had the same issue since I was working a little bit with firewall.local. After modifications of firewall.local and stop|start|restart|reload tests, the iptables -L listing sometimes shows me nothing in the CUSTOM chains. It seems that the best way is to reboot IPFire. Important to test this behavior with the new firewall. I think in Core 69 (test image) the new FW is already implemented.
Ahh O.K., but is it possible to arrange rules for the VLAN interfaces over the WUI (e.g. DMZ pinholes, etc...)? So maybe it is less complicated (especially for the explanations in the wiki) if all the rules which can be arranged over the WUI will be set in that way? Might be nice if you can go for a try. So also if the outgoing FW will be configured, I think the CUSTOMFORWARD rules are defined then in the FORWARD and OUTPUT chains.
I just tested it in the WUI and FW mode 1 does not apply the rules. It seems as if for wireless (blue) the rules come from a different direction, no matter what is stored in the WUI.
Which rules did you try to edit ?
Hi,
This was more a question than a statement ;-)
me too ;-)
This is really strange, I have no clue why this happens.
That is not the problem - I must restart my FW and then all Mode 1 and custom-changed rules are back.
Which rules did you try to edit?
Only in my firewall.local file, and then I stop and start /etc/init.d/firewall. I checked the WhatsApp ports in the WUI for Blue. It did nothing - then I changed it in my firewall.local and the functionality was there.
As I see it, everything is well controlled in the IPTables and nothing in the WUI. :(
BG, Thomas
Hey Thomas,
very nice illustration and colouring :)
But I got some questions:
The part about the configuration file /var/ipfire/ethernet/vlans looks right to me. For some reason, you are writing a new script a little bit later which manually creates the virtual interfaces. Why is that? According to your configuration in /var/ipfire/ethernet/vlans, a new blue0 and orange0 interface will show up after reboot.
It is very convenient to name the devices blue0, green0, orange0 and red0, because some scripts rely on those names. That's not good practice, I know. But it's the way it is at the moment.
Then, why all that iptables stuff? I cannot see how this is relevant for the VLANs in general.
-Michael
Hi,
very nice illustration and colouring :)
thx! :)
For some reason, you are writing a new script a little bit later which manually creates the virtual interfaces. Why is that?
You mean this section: /etc/rc.d/rc3.d/S18network-vlan? I have tested configuring VLAN only in /var/ipfire/ethernet/vlans. That did not create the interfaces for blue & orange. Therefore I have made it so.
That's not good practice, I know. But it's the way it is at the moment.
I can remember that statement. But it works only once. The BLUE_PARENT_DEV="green0" and in /var/ipfire/ethernet/settings delegates to BLUE_DEV=green0.300; I can test it with blue0.300. Let's see what happens here. :) I'll give a statement when tested.
BG, Thomas
Sent: Monday, 10 June 2013 at 12:22 From: "Michael Tremer" michael.tremer@ipfire.org To: documentation@lists.ipfire.org Subject: Re: VLAN Konfig
Hi,
yesterday I checked the default setup for VLAN. I don't understand what is wrong!
So what I've done (on a clean green & red system network setting):
Step one:
###############################
# /var/ipfire/ethernet/vlans (see this for more details: http://wiki.ipfire.org/de/optimization/vlan/start#vlan_hw-zuweisung)
# reboot - ifconfig and ip link show said to me: nothing! No blue or orange interface generated.
Step two:
###############################
# check autostart in rc3.d for this script: http://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/initscripts/init.d/netw...
I don't see a symlink from rc3.d/ to ../init.d/network-vlans - network-vlans reads the vlans config from /var/ipfire/ethernet/vlans. Also, I created an S18rule symlink to ../init.d/network-vlans.
# reboot - ifconfig and ip link show said to me: nothing! No blue or orange interface generated.
Then rm S18rule and added S22rule with the same symlink path.
# reboot - ifconfig and ip link show said to me: nothing! No blue or orange interface generated.
My question: what configuration is required for this script: http://wiki.ipfire.org/de/optimization/vlan/start#vlan_netzwerkkonfiguration ? I have tested too with default settings in this file - did not matter, not functional.
What can I do? Please help me!
BG, Thomas
On Tue, 2013-06-11 at 14:42 +0200, t.berthel@gmx.net wrote:
Step one:
###############################
# /var/ipfire/ethernet/vlans (see this for more details: http://wiki.ipfire.org/de/optimization/vlan/start#vlan_hw-zuweisung)
# reboot - ifconfig and ip link show said to me: nothing! No blue or orange interface generated.
Please post your configuration. When you run /etc/init.d/network-vlans manually, you should see error messages if there are any.
Step two:
###############################
# check autostart in rc3.d for this script: http://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/initscripts/init.d/netw...
I don't see a symlink from rc3.d/ to ../init.d/network-vlans - network-vlans reads the vlans config from /var/ipfire/ethernet/vlans. Also, I created an S18rule symlink to ../init.d/network-vlans.
The symlink you are searching for is to be found here: /etc/rc.d/rcsysinit.d/S91network-vlans
That's what my configuration looks like.
GREEN_PARENT_DEV=port0
GREEN_VLAN_ID=20
GREEN_MAC_ADDRESS=00:de:ad:be:ef:20
BLUE_PARENT_DEV=port0
BLUE_VLAN_ID=30
BLUE_MAC_ADDRESS=00:de:ad:be:ef:30
ORANGE_PARENT_DEV=port0
ORANGE_VLAN_ID=40
ORANGE_MAC_ADDRESS=00:de:ad:be:ef:40
I have a dual NIC. One port is dedicated for my internet connection (i.e. red0). The other port has all the virtual subnets on it.
-Michael
Hi @ all,
I have checked the /etc/init.d/network-vlans script and got the following message: Invalid action
The debug output says:
(/var/ipfire/ethernet):/etc/init.d/network-vlans
+ CONFIG_FILE=/var/ipfire/ethernet/vlans
+ '[' -e /var/ipfire/ethernet/vlans ']'
++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
+ eval '#GREEN_VLAN_ID=20' BLUE_VLAN_ID=300 ORANGE_VLAN_ID=400
+ action=
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=
+ VLAN_ID=
+ MAC_ADDRESS=
+ case "${action}" in
+ echo 'Invalid action: '
Invalid action:
+ exit 1
My vlans setting is:
#GREEN_PARENT_DEV="eth0"
#GREEN_VLAN_ID=20
#GREEN_MAC_ADDRESS="00:11:22:33:44:55"
BLUE_PARENT_DEV="green0"
BLUE_VLAN_ID=300
BLUE_MAC_ADDRESS="00:22:4D:84:A5:30"
ORANGE_PARENT_DEV="green0"
ORANGE_VLAN_ID=400
ORANGE_MAC_ADDRESS="00:22:4D:84:A5:40"
What's wrong, any idea?
BG, Thomas
On Sun, 2013-06-30 at 15:37 +0200, Thomas Berthel wrote:
Please run /etc/init.d/network-vlans start or /etc/init.d/network-vlans to start and stop the virtual interfaces.
-Michael
Hi Michael,
Please run /etc/init.d/network-vlans start
thanks. Beginner error :-)
Here is my document for VLAN:
I configured my firewall with the setup mode and changed from green+red to green+red+orange+blue.
I set up the network IPs for blue & orange, then at the end of the setup I got a message: orange device can't be configured, no device found, or so. Because it did not let me finish the setup mode, I closed the console connection.
I checked my /var/ipfire/ethernet/settings and all information from my changes in the setup menu was written there.
for example one snippet:
BLUE_ADDRESS=192.168.2.1
BLUE_NETMASK=255.255.255.0
BLUE_NETADDRESS=192.168.2.0
BLUE_BROADCAST=192.168.2.255
but no MAC address and no DEV was in there.
ifconfig says nothing about blue or orange. Okay, then the next step. I configured my /var/ipfire/ethernet/vlans as follows:
BLUE_PARENT_DEV=green0
BLUE_VLAN_ID=300
BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
ORANGE_PARENT_DEV=green0
ORANGE_VLAN_ID=400
ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
Without "" for _PARENT_DEV="device1" and _MAC_ADDRESS="11:22:33:..."
Then I ran /etc/init.d/network-vlans start, and this was my messages output:
/etc/init.d/network-vlans start
+ CONFIG_FILE=/var/ipfire/ethernet/vlans
+ '[' -e /var/ipfire/ethernet/vlans ']'
++ /usr/local/bin/readhash /var/ipfire/ethernet/vlans
+ eval BLUE_PARENT_DEV=green0 BLUE_VLAN_ID=300 BLUE_MAC_ADDRESS=00:22:4D:84:A5:30 ORANGE_PARENT_DEV=green0 ORANGE_VLAN_ID=400 ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
++ BLUE_PARENT_DEV=green0
++ BLUE_VLAN_ID=300
++ BLUE_MAC_ADDRESS=00:22:4D:84:A5:30
++ ORANGE_PARENT_DEV=green0
++ ORANGE_VLAN_ID=400
++ ORANGE_MAC_ADDRESS=00:22:4D:84:A5:40
+ action=start
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=
+ VLAN_ID=
+ MAC_ADDRESS=
+ case "${action}" in
+ '[' -z '' ']'
+ continue
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=green0
+ VLAN_ID=300
+ MAC_ADDRESS=00:22:4D:84:A5:30
+ case "${action}" in
+ '[' -z green0 ']'
+ '[' -d /sys/class/net/blue0 ']'
+ '[' '!' -d /sys/class/net/green0 ']'
+ '[' -z 300 ']'
+ echo 'Creating VLAN interface blue0...'
Creating VLAN interface blue0...
+ vconfig add green0 300
Added VLAN with VID == 300 to IF -:green0:-
+ ip link set green0.300 name blue0
+ '[' -n 00:22:4D:84:A5:30 ']'
+ ip link set blue0 address 00:22:4D:84:A5:30
+ ip link set green0 up
+ for interface in green0 blue0 orange0
+ case "${interface}" in
+ PARENT_DEV=green0
+ VLAN_ID=400
+ MAC_ADDRESS=00:22:4D:84:A5:40
+ case "${action}" in
+ '[' -z green0 ']'
+ '[' -d /sys/class/net/orange0 ']'
+ '[' '!' -d /sys/class/net/green0 ']'
+ '[' -z 400 ']'
+ echo 'Creating VLAN interface orange0...'
Creating VLAN interface orange0...
+ vconfig add green0 400
Added VLAN with VID == 400 to IF -:green0:-
+ ip link set green0.400 name orange0
+ '[' -n 00:22:4D:84:A5:40 ']'
+ ip link set orange0 address 00:22:4D:84:A5:40
+ ip link set green0 up
Yeah! The final countdown ;-)
So, I checked my ifconfig and only the device with no IP was displayed:
blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes: (0 Kb) TX bytes: (0 Kb)
WTF? Okay. I configured my /var/ipfire/ethernet/settings once again as described here:
BLUE_DEV=blue0
BLUE_MACADDR=00:22:4d:84:a5:30
BLUE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
BLUE_DRIVER=e1000e
BLUE_ADDRESS=192.168.2.1
BLUE_NETMASK=255.255.255.0
BLUE_NETADDRESS=192.168.2.0
BLUE_BROADCAST=192.168.2.255
Next step - reboot firewall! Then the result from ifconfig said:
blue0 Link encap:Ethernet HWaddr 00:22:4D:84:A5:30
      inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes: (0 Kb) TX bytes: (0 Kb)
BUT - my firewall dropped my DNS and HTTP requests. I tried to change the rules with the firewall mode from 1 to 0, and in the WUI in mode 1 to set rules for wireless to allow these connections. Without success!
for example:
Jul 1 21:23:10 ipfw kernel: DROP_Wirelessinput IN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP SPT=1083 DPT=53 LEN=4
Any idea?
BG, Thomas
Hi,
nobody any idea?
good night, Thomas
On 07/02/2013 12:14 AM, Thomas Berthel wrote:
Hi,
you will have to grant access to every host on the blue network in the WUI. Please go to Firewall -> Blue Access and do that over there.
-Michael
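To see from /var/log/messages which blue hosts still need an entry under Firewall -> Blue Access, an added example (not part of IPFire) that parses kernel lines carrying the DROP_Wirelessinput prefix like the one Thomas quoted and groups the dropped destination ports per source host. The log lines are constructed in the same format; the DROP_Wirelessforward and DROP_INPUT prefixes in the samples are assumed names for the other log chains.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/messages format seen in the thread.
SAMPLE_LOG = """\
Jul 1 21:23:10 ipfw kernel: DROP_Wirelessinput IN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=25514 DF PROTO=UDP SPT=1083 DPT=53 LEN=49
Jul 1 21:23:11 ipfw kernel: DROP_Wirelessinput IN=blue0 OUT= MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.10 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25515 DF PROTO=TCP SPT=40122 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 1 21:23:12 ipfw kernel: DROP_Wirelessforward IN=blue0 OUT=red0 MAC=00:22:4d:84:a5:30:7c:61:93:16:2f:82:08:00 SRC=192.168.2.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 1 21:23:13 ipfw kernel: DROP_INPUT IN=red0 OUT= MAC=00:22:4d:84:a5:20:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 21:23:14 ipfw dhcpd: DHCPREQUEST for 192.168.2.10 from 7c:61:93:16:2f:82 via blue0
"""

# The log prefix normally ends in a space; copies pasted into mails sometimes
# lose it ("DROP_WirelessinputIN=blue0"), so let the regex backtrack over it.
LINE_RE = re.compile(r"kernel: (?P<prefix>DROP_[A-Za-z]+)\s*(?P<fields>IN=.*)$")


def parse_line(line):
    """Return (log prefix, {field: value}) for a firewall log line, else None.
    Flags without '=' such as DF or SYN are stored as True."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return m.group("prefix"), fields


def blue_hosts_needing_access(log_text, blue_dev="blue0"):
    """Map each source host dropped by a wireless chain to the sorted list of
    'PROTO/DPT' it tried; these are the hosts Blue Access has not allowed yet."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if prefix.startswith("DROP_Wireless") and f.get("IN") == blue_dev:
            needed[f["SRC"]].add(f"{f.get('PROTO')}/{f.get('DPT')}")
    return {src: sorted(ports) for src, ports in needed.items()}


if __name__ == "__main__":
    for src, ports in blue_hosts_needing_access(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(ports)}")
```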
On Sun, 2013-07-21 at 22:35 +0200, Thomas Berthel wrote:
Hi Michael,
That's it! :) A long way for me. But it's done. I am rewriting my documentation. It is so easy if you know what you're doing ;-)
One question about Firewall Mode 2. I would like to add a new enable rule for an outgoing port.
When I set it on Wireless (blue) as the definition with port XYZ it doesn't work - when I put the ruleset on green it works. Is this normal?
greetings, Thomas
On 22.07.2013 10:37, Michael Tremer wrote:
Sorry, I meant Firewall Mode 1 ;-) Not 2.
greetings, Thomas
On 08.08.2013 20:12, Thomas Berthel wrote: