Re: [LARTC] Forwarding between untagged vlans

From: Michael Alger <lartc@mm.quex.org>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Forwarding between untagged vlans
Date: Fri, 04 May 2007 13:45:46 +0000	[thread overview]
Message-ID: <20070504134546.GA22302@morose.quex.org> (raw)
In-Reply-To: <46370AEF.7030305@netsyncro.com>

On Tue, May 01, 2007 at 12:39:59PM +0300, "C. Bergström" wrote:
> I'm trying to implement simple untagged vlans on our switch and
> have misconfigured something..
> 
> ISP gw is on the default vlan1 (untagged)
> 
> Router
>     eth1 is setup on the switch with default vlan1 and member of vlan4.
>     eth0 is default vlan4 which connects to the clients that are all
> default members of vlan4

Just to clarify, are the VLANs configured on your switch or are you
doing some funny thing on the router?

This reply is assuming it's the switch which handles VLANs.

> eth0 is x.x.x.86/28 This is what clients are connecting to as their gw..
> (no nat)
> eth1 is x.x.x.82/26
> 
> default route is .65/26 dev eth1
> 
> If client is default vlan4, but a member of vlan1 then it all works.. 
> As soon as I remove client from being a member of vlan1.. The router
> stops forwarding.  Is this to be expected and how can I correct this?
> 
> I've tried adding a rule like this for the test client which is on .87
> # Trying to fix vlan
> iptables -A FORWARD -i ${WAN} -d x.x.x.87 -o ${LAN} -j ACCEPT
> iptables -A FORWARD -i ${LAN} -s x.x.x.87 -o ${WAN} -j ACCEPT
> 
> I see the packets from the lan trying to get out, but on ingress I don't
> see them..

Your WAN interface shouldn't need to be able to see both VLANs; the
point of the router is to move packets between two different
networks.

Are the hosts on the WAN side using your router's eth1 (.82/26) as
their gateway to your LAN network (/28)? It sounds like they're
directly sending replies to the clients, rather than via the router.

Just to clarify, this is what I think you're doing:

1. You have an internal network connected to a switch, along with a
router which is their default gateway, also connected to the same
switch.

2. This router has a second interface, connected to a different
switch, which has some stuff connected to it; in particular, your
ISP's default gateway is connected to this switch. (Possibly you
have other servers in a DMZ type setup or something?)

3. Since you're using VLANs, they're actually the same physical
switch; but the ports used by the internal network belong to one
VLAN, and the ports used by eth1 and the upstream gateway are on a
different VLAN. Same thing, different technology. (VLAN-hopping
exploits notwithstanding.)

So, check the following to verify your configuration is as above:

1. Clients can ping router eth0 IP.
2. Router has forwarding enabled (/proc/sys/net/ipv4/ip_forward).
3. Router can ping upstream gateway via eth1.
4. Something upstream can ping your router's eth1 IP.
5. Change a client's IP address to put it on the same subnet as your
   upstream gateway, and verify that it's not able to ping it (or
   even get an ARP response from it). If it's able to communicate
   with it, then your VLANs aren't segregating the traffic properly.

With all that, you should be set.

One question: is the LAN segment known by your upstream, i.e. are
they routing traffic to your /28 via .82/26? If not, you'll need
to use NAT on your router so upstream only sees its IP address.

Also, what kind of switch is it? Someone might be able to provide a
simple configuration.

Sorry if I've missed something. Your setup sounds pretty straight
forward so there's probably something simple that was overlooked.
Or, there's more to the situation than I've understood.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc