* [LARTC] Forwarding between untagged vlans
From: "C. Bergström" @ 2007-05-01 9:39 UTC
To: lartc
I'm trying to implement simple untagged vlans on our switch and have
misconfigured something..
ISP gw is on the default vlan1 (untagged)
Router
eth1 is setup on the switch with default vlan1 and member of vlan4.
eth0 is default vlan4 which connects to the clients that are all
default members of vlan4
eth0 is x.x.x.86/28 This is what clients are connecting to as their gw..
(no nat)
eth1 is x.x.x.82/26
default route is .65/26 dev eth1
If the client is default vlan4 but also a member of vlan1, then it all works.
As soon as I remove the client from being a member of vlan1, the router
stops forwarding. Is this to be expected, and how can I correct this?
I've tried adding a rule like this for the test client which is on .87
# Trying to fix vlan
iptables -A FORWARD -i ${WAN} -d x.x.x.87 -o ${LAN} -j ACCEPT
iptables -A FORWARD -i ${LAN} -s x.x.x.87 -o ${WAN} -j ACCEPT
I see the packets from the lan trying to get out, but on ingress I don't
see them..
Thanks in advance.
Christopher
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] Forwarding between untagged vlans
From: Michael Alger @ 2007-05-04 13:45 UTC
To: lartc
On Tue, May 01, 2007 at 12:39:59PM +0300, "C. Bergström" wrote:
> I'm trying to implement simple untagged vlans on our switch and
> have misconfigured something..
>
> ISP gw is on the default vlan1 (untagged)
>
> Router
> eth1 is setup on the switch with default vlan1 and member of vlan4.
> eth0 is default vlan4 which connects to the clients that are all
> default members of vlan4
Just to clarify, are the VLANs configured on your switch or are you
doing some funny thing on the router?
This reply is assuming it's the switch which handles VLANs.
> eth0 is x.x.x.86/28 This is what clients are connecting to as their gw..
> (no nat)
> eth1 is x.x.x.82/26
>
> default route is .65/26 dev eth1
>
> If client is default vlan4, but a member of vlan1 then it all works..
> As soon as I remove client from being a member of vlan1.. The router
> stops forwarding. Is this to be expected and how can I correct this?
>
> I've tried adding a rule like this for the test client which is on .87
> # Trying to fix vlan
> iptables -A FORWARD -i ${WAN} -d x.x.x.87 -o ${LAN} -j ACCEPT
> iptables -A FORWARD -i ${LAN} -s x.x.x.87 -o ${WAN} -j ACCEPT
>
> I see the packets from the lan trying to get out, but on ingress I don't
> see them..
Your WAN interface shouldn't need to be able to see both VLANs; the
point of the router is to move packets between two different
networks.
Are the hosts on the WAN side using your router's eth1 (.82/26) as
their gateway to your LAN network (/28)? It sounds like they're
directly sending replies to the clients, rather than via the router.
Just to clarify, this is what I think you're doing:
1. You have an internal network connected to a switch, along with a
router which is their default gateway, also connected to the same
switch.
2. This router has a second interface, connected to a different
switch, which has some stuff connected to it; in particular, your
ISP's default gateway is connected to this switch. (Possibly you
have other servers in a DMZ type setup or something?)
3. Since you're using VLANs, they're actually the same physical
switch; but the ports used by the internal network belong to one
VLAN, and the ports used by eth1 and the upstream gateway are on a
different VLAN. Same thing, different technology. (VLAN-hopping
exploits notwithstanding.)
So, check the following to verify your configuration is as above:
1. Clients can ping router eth0 IP.
2. Router has forwarding enabled (/proc/sys/net/ipv4/ip_forward).
3. Router can ping upstream gateway via eth1.
4. Something upstream can ping your router's eth1 IP.
5. Change a client's IP address to put it on the same subnet as your
upstream gateway, and verify that it's not able to ping it (or
even get an ARP response from it). If it's able to communicate
with it, then your VLANs aren't segregating the traffic properly.
With all that, you should be set.
One question: is the LAN segment known by your upstream, i.e. are
they routing traffic to your /28 via .82/26? If not, you'll need
to use NAT on your router so upstream only sees its IP address.
Also, what kind of switch is it? Someone might be able to provide a
simple configuration.
Sorry if I've missed something. Your setup sounds pretty straightforward,
so there's probably something simple that was overlooked.
Or, there's more to the situation than I've understood.
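The checklist above, worked through as shell. This is an added example and not code from the thread or from either poster. It assumes the router's interfaces are eth0 (LAN, the /28) and eth1 (WAN, the /26), and it substitutes the documentation range 192.0.2.0/24 for the thread's x.x.x prefix so it runs offline: 192.0.2.80/28 for the LAN block, .82 for the router's WAN address and .65 for the upstream gateway, all as named in the thread. The rule functions only print the commands rather than applying them; `router_rules` is the no-NAT case that requires the upstream to route the /28 via .82, and `snat_rules` is the alternative Michael mentions when the upstream does not. The neighbour-table helpers implement step 5 of the checklist against `ip neigh show` output read from stdin, using a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Router with eth0 on the LAN /28 and eth1 on
# the upstream /26. Assumptions: interface names eth0/eth1, and the thread's
# x.x.x prefix replaced by the documentation range 192.0.2.0/24 so this runs
# offline. Nothing here touches the kernel: the rule functions only print
# commands, and the neighbour-table functions parse text from stdin.

LAN=eth0                 # clients' side, router address x.x.x.86/28 in the thread
WAN=eth1                 # upstream side, router address x.x.x.82/26
LAN_NET=192.0.2.80/28    # the /28 carved out of the upstream /26
WAN_IP=192.0.2.82
UPSTREAM_GW=192.0.2.65

# FORWARD policy for a plain (no NAT) router. This only works when the upstream
# routes LAN_NET to WAN_IP; otherwise its replies never enter eth1 and you get
# the "packets leave but nothing comes back" symptom from the thread.
router_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    # reply traffic for anything already accepted, in either direction
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # new connections from the LAN only with a LAN_NET source (anti-spoofing)
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$LAN" "$WAN" "$LAN_NET"
    # inbound new connections to the public LAN hosts: SSH only, as an example
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 22 -j ACCEPT\n' \
        "$WAN" "$LAN" "$LAN_NET"
}

# Variant for when the upstream does not route LAN_NET: rewrite the source to the
# router's public WAN address. SNAT does not care whether the addresses are
# RFC 1918 or public; what breaks inbound reachability (e.g. SSH to a LAN host)
# is the rewrite itself, not the address class.
snat_rules() {
    router_rules
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$WAN" "$WAN_IP"
}

# State of one address in `ip neigh show` output read from stdin:
# REACHABLE, STALE, DELAY, PROBE, FAILED, INCOMPLETE, or NONE when absent.
# The state is the last field on the line, whether or not an lladdr is present.
neigh_state() {
    awk -v ip="$1" '$1 == ip { st = $NF } END { print (st == "" ? "NONE" : st) }'
}

# Checklist step 5: a client re-addressed onto the upstream subnet must not be
# able to resolve the upstream gateway. Succeeds when no link-layer address
# was learnt for it, i.e. the VLANs really are separate broadcast domains.
segregated() {
    case "$(neigh_state "$1")" in
        NONE|FAILED|INCOMPLETE) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `ip neigh show` output as seen on a client.
SAMPLE_NEIGH='192.0.2.86 dev eth0 lladdr 00:11:22:33:44:86 REACHABLE
192.0.2.65 dev eth0 lladdr 00:11:22:33:44:65 STALE
192.0.2.90 dev eth0  FAILED'

# With the sample, the client has learnt the upstream gateway's MAC on its own
# segment, so the gateway will answer the client directly and bypass the router.
if printf '%s\n' "$SAMPLE_NEIGH" | segregated "$UPSTREAM_GW"; then
    echo "OK: client cannot resolve $UPSTREAM_GW directly"
else
    echo "PROBLEM: client resolves $UPSTREAM_GW directly; replies bypass the router"
fi
```

Run `router_rules` (or `snat_rules`) and review the output before piping it into `sh`; on the client, `ip neigh show | segregated 192.0.2.65` after re-addressing it onto the upstream subnet tells you whether the switch is actually keeping vlan1 and vlan4 apart.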
* Re: [LARTC] Forwarding between untagged vlans
From: "C. Bergström" @ 2007-05-04 15:35 UTC
To: lartc
Michael Alger wrote:
> On Tue, May 01, 2007 at 12:39:59PM +0300, "C. Bergström" wrote:
>
>> I'm trying to implement simple untagged vlans on our switch and
>> have misconfigured something..
>>
>> ISP gw is on the default vlan1 (untagged)
>>
>> Router
>> eth1 is setup on the switch with default vlan1 and member of vlan4.
>> eth0 is default vlan4 which connects to the clients that are all
>> default members of vlan4
>>
>
> Just to clarify, are the VLANs configured on your switch or are you
> doing some funny thing on the router?
>
Nope, all VLANs were configured on the switch.
> This reply is assuming it's the switch which handles VLANs.
>
>
>> eth0 is x.x.x.86/28 This is what clients are connecting to as their gw..
>> (no nat)
>> eth1 is x.x.x.82/26
>>
>> default route is .65/26 dev eth1
>>
>> If client is default vlan4, but a member of vlan1 then it all works..
>> As soon as I remove client from being a member of vlan1.. The router
>> stops forwarding. Is this to be expected and how can I correct this?
>>
>> I've tried adding a rule like this for the test client which is on .87
>> # Trying to fix vlan
>> iptables -A FORWARD -i ${WAN} -d x.x.x.87 -o ${LAN} -j ACCEPT
>> iptables -A FORWARD -i ${LAN} -s x.x.x.87 -o ${WAN} -j ACCEPT
>>
>> I see the packets from the lan trying to get out, but on ingress I don't
>> see them..
>>
>
> Your WAN interface shouldn't need to be able to see both VLANs; the
> point of the router is to move packets between two different
> networks.
>
> Are the hosts on the WAN side using your router's eth1 (.82/26) as
> their gateway to your LAN network (/28)? It sounds like they're
> directly sending replies to the clients, rather than via the router.
>
Yeah, they were sending packets directly, but what was throwing me
off was that the Cisco gw wasn't in ip show neighbors.. So I assumed it was
working and going through my middle-man router.
> Just to clarify, this is what I think you're doing:
>
> 1. You have an internal network connected to a switch, along with a
> router which is their default gateway, also connected to the same
> switch.
>
Correct
> 2. This router has a second interface, connected to a different
> switch, which has some stuff connected to it; in particular, your
> ISP's default gateway is connected to this switch. (Possibly you
> have other servers in a DMZ type setup or something?)
>
2nd interface is connected to the same switch. 2nd interface = (WAN)
Rest is correct. There will be a slight change next week though in that
everything is moving off the default vlan and going behind this router
once configured correctly.
> 3. Since you're using VLANs, they're actually the same physical
> switch; but the ports used by the internal network belong to one
> VLAN, and the ports used by eth1 and the upstream gateway are on a
> different VLAN. Same thing, different technology. (VLAN-hopping
> exploits notwithstanding.)
>
> So, check the following to verify your configuration is as above:
>
> 1. Clients can ping router eth0 IP.
>
yes
> 2. Router has forwarding enabled (/proc/sys/net/ipv4/ip_forward).
>
yes
> 3. Router can ping upstream gateway via eth1.
>
yes
> 4. Something upstream can ping your router's eth1 IP
>
yes
> 5. Change a client's IP address to put it on the same subnet as your
> upstream gateway, and verify that it's not able to ping it (or
> even get an ARP response from it). If it's able to communicate
> with it, then your VLANs aren't segregating the traffic properly.
>
Yes.. I wasn't, and when I started to, that's when it broke.
> With all that, you should be set.
>
> One question: is the LAN segment known by your upstream, i.e. are
> they routing traffic to your /28 via .82/26? If not, you'll need
> to use NAT on your router so upstream only sees its IP address.
>
I'm getting .65/26 and then trying to break it down into smaller
networks (i.e. .80/28).
I remember trying with a 192.168 (RFC 1918) IP + NAT/masquerading
and it all worked (there's a ton of examples for that online),
but these servers need world-routable IPs, and when I was masquerading
the packets, things like SSH stopped working for obvious reasons. I'm
doing this all remotely and the pos switch's web interface crashed on
me.. So my 'keys' are currently locked in the car. I needed a couple
days' break from it and we just bought an HP ProCurve 2650 that should be
in the colo next week. I'm pretty sure I can set up the untagged vlans
on the switch correctly, but maybe I was missing something simple with
the iptables rules.. Am I mistaken, or does NAT not play with non-RFC 1918
IPs?
Thanks a lot for your help
Christopher