* iptables and vlan tagging
From: Nikolai Lusan @ 2012-07-10 7:04 UTC
To: netfilter
Hi,
I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
(vlan2) with non-private IP addresses, and I want to remove the vlan
tags before sending vlan2 packets out over my internet link and add them
back before sending packets from the internet to vlan2. Should this be
done in the iptables mangle table? Or do I need to use ebtables? And
exactly how should I go about doing this?
Thanks
--
Nikolai Lusan <nikolai@lusan.id.au>
* Re: iptables and vlan tagging
From: SamLT @ 2012-07-10 10:13 UTC
To: netfilter
On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
> Hi,
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?
I'm not really sure I understand your question. Viewing the commands
you used to set this up would certainly help.
Anyway, assuming you configured this with iproute, e.g.:
ip link add link eth0 eth0.10 type vlan id 10
...
Then the tagging depends on your routing:
* If it has to go out from eth0.10 -> tagging
* If it has to go out from eth0 -> no tagging
HTH
>
> Thanks
> --
> Nikolai Lusan <nikolai@lusan.id.au>
* Re: iptables and vlan tagging
From: Humberto Jucá @ 2012-07-10 11:14 UTC
To: netfilter
Hi,
I may be wrong, but I believe that this will bring Layer 2 problems; I
can't see the logic in doing it this way!
From what was written, we can conclude that you don't want VLAN segmentation.
I don't know how to do this, but...
I think this doesn't work on L2.
2012/7/10 Nikolai Lusan <nikolai@lusan.id.au>:
> Hi,
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?
>
> Thanks
> --
> Nikolai Lusan <nikolai@lusan.id.au>
* Re: iptables and vlan tagging
From: Nikolai Lusan @ 2012-07-10 11:46 UTC
To: netfilter
On Tue, 2012-07-10 at 12:13 +0200, SamLT wrote:
> On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
> > Hi,
> > I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> > (vlan2) with non-private IP addresses, and I want to remove the vlan
> > tags before sending vlan2 packets out over my internet link and add them
> > back before sending packets from the internet to vlan2. Should this be
> > done in the iptables mangle table? Or do I need to use ebtables? And
> > exactly how should I go about doing this?
>
> I'm not really sure I understand your question.
My main concern is that I have packets that will end up in the forward
chain and exit out my ADSL link onto the internet with their vlan
tagging in place.
> Viewing the commands
> you used to set this up would certainly help.
The config (on the server/firewall) is done in the
Debian /etc/network/interfaces file:

auto dsl-provider
iface dsl-provider inet ppp
    pre-up /sbin/ifconfig eth0 up
    provider dsl-provider

auto bond0
iface bond0 inet static
    address 10.XXX.XXX.XXX
    netmask 255.255.255.0
    broadcast 10.XXX.XXX.255
    bond-slaves eth1 eth2 eth3
    bond-mode 4
    bond-miimon 100
    bond-lacp-rate 1
    mtu 9000
    bond-primary eth1 eth2 eth3

auto vlan2
iface vlan2 inet static
    vlan-raw-device bond0
    address 150.XXX.XXX.XXX
    netmask 255.255.255.248
    broadcast 150.XXX.XXX.XXX
A similar method is used on the clients, so all the instances of the
"vlan2" interface on machines are tagged vlans on the 150.XXX.XXX.XXX/29
subnet.
> Anyway, assuming you configured this with iproute, e.g.:
> ip link add link eth0 eth0.10 type vlan id 10
> Then the tagging depends on your routing:
> * If it has to go out from eth0.10 -> tagging
> * If it has to go out from eth0 -> no tagging
>
The routing table looks like this on the firewall:
# ip route list
default dev ppp0 scope link
10.XX.XX.0/24 dev bond0 proto kernel scope link src 10.XX.XX.XX
150.XX.XX.XX dev ppp0 proto kernel scope link src 59.XX.XX.XX
150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX
192.168.XX.0/24 dev eth0 proto kernel scope link src 192.168.XX.XX
On the network hosts that need to be routed it looks like this:
# ip route list
default via 10.XX.XX.XX dev eth0
10.XX.XX.0/24 dev eth0 proto kernel scope link src 10.XX.XX.XX
150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX
So, I guess the question is twofold:
1) Do I need to worry about tagged packets leaking onto the internet?
2) If so, how do I use the netfilter toolset to stop this from happening?
Thanks
--
Nikolai Lusan
Email: nikolai@lusan.id.au
Phone(H): (07) 3136 3065
Phone(M): 0425 661 620
* AW: iptables and vlan tagging
From: Thomas Bätzler @ 2012-07-10 11:51 UTC
To: netfilter
Nikolai Lusan asked:
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?
You need to have a VLAN tagged subinterface on the link that connects to your switch. This will "remove" the VLAN tag on incoming packets and add one on outgoing packets.
Assuming that's eth1, you'd create a subinterface like this:
# vconfig add eth1 <vlan2-id>
Note that your distro might have fancier ways to set up VLAN tagged interfaces.
Apart from that you really didn't tell us quite enough about your setup.
If vlan2 needs to be routed (i.e. it's a different net from what is on eth0), then
# ifconfig eth1.<vlan2-id> <gw-address-in-network> netmask ... broadcast ...
# echo "1" > /proc/sys/net/ipv4/ip_forward
should do the trick once you have routing set up properly, i.e. hosts in vlan2 need to use the tagged subinterface's IP as gateway; external hosts need to know that they can reach hosts on the vlan2 network via eth0 of your box.
If, on the other hand, vlan2 needs to be bridged (i.e. it's the same network as on eth0), then you need to set up a bridge:
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1.<vlan2-id>
# ifconfig eth0 0.0.0.0 promisc up
# ifconfig eth1.<vlan2-id> promisc up
# ifconfig br0 <former-eth0-ip> netmask <former-eth0-netmask> broadcast <former-eth0-broadcast>
# route add default gw <former-default-gateway>
Once again your distro might have a more convenient way to set up a bridge.
All totally OTTOH so YMMV ;-)
HTH,
Thomas
* Re: iptables and vlan tagging
From: Humberto Jucá @ 2012-07-10 22:17 UTC
To: Nikolai Lusan; +Cc: netfilter
Hi,
The treatment of VLAN tags is done at L2; you don't need to worry about it,
that is solved with routing.
You only have to worry about configuring the VLAN interface on the
firewall and the switch port.
- If you do the VLAN configuration on the firewall interface, configure
the tag on the switch port too.
- The switch configuration must be in accordance with the firewall
configuration, so when you configure one interface with a VLAN tag and
another without (pvid 1, for example), the switch port must be "hybrid".
It's that setting which determines how the marking is done (tagging or
removing).
When the packet is forwarded, the interface's VLAN configuration
determines whether it should be tagged or not.
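To make the point SamLT, Thomas and Humberto are making concrete (the 802.1Q tag is Layer 2 state owned by the VLAN subinterface, so it is gone before routing and only re-added if the chosen egress device is itself a VLAN interface), here is an added simulation in Python; it is not code from the thread. The routing table is the firewall's from Nikolai's message with the masked octets filled in with constructed values, and the frames are constructed inline.

```python
import ipaddress
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800

# Firewall routing table from the thread; the masked octets are filled in
# with constructed values (assumption, not the poster's real addresses).
ROUTES = [
    ("0.0.0.0/0",      "ppp0",  None),  # default dev ppp0 (not even Ethernet)
    ("10.1.1.0/24",    "bond0", None),  # untagged private LAN on bond0
    ("150.1.1.0/29",   "vlan2", 2),     # tagged: vlan-raw-device bond0, id 2
    ("192.168.1.0/24", "eth0",  None),
]

def strip_tag(frame):
    """Ingress on a VLAN subinterface: pop the 4-byte 802.1Q header that sits
    after the two MACs. Returns (vid or None, untagged frame)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

def add_tag(frame, vid):
    """Egress on a VLAN subinterface: insert TPID + VID before the EtherType."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]

def route(dst):
    """Longest-prefix match over ROUTES. Returns (device, vid or None)."""
    hits = [r for r in ROUTES if dst in ipaddress.ip_network(r[0])]
    best = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]

def forward(frame):
    """Path through the box: tag removed at L2 before the IP layer sees the
    packet, route chosen on the IP destination, tag re-added only when the
    egress device is a VLAN subinterface. Returns (out_device, out_frame)."""
    _, untagged = strip_tag(frame)
    dst = ipaddress.ip_address(untagged[30:34])  # 14-byte Ethernet + IPv4 dst at +16
    dev, vid = route(dst)
    return dev, (add_tag(untagged, vid) if vid is not None else untagged)

def build(src, dst, vid=None):
    """Constructed minimal IPv4-in-Ethernet frame, optionally 802.1Q tagged."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    ip += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    frame = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP) + ip
    return add_tag(frame, vid) if vid is not None else frame
```

Running forward() on a tagged frame from a vlan2 host bound for the internet yields ppp0 with no tag, while the reply from the internet comes out on vlan2 tagged with VID 2, which answers Nikolai's first question without any mangle or ebtables rule.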