* iptables and vlan tagging
@ 2012-07-10  7:04 Nikolai Lusan
  2012-07-10 10:13 ` SamLT
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Nikolai Lusan @ 2012-07-10  7:04 UTC (permalink / raw)
  To: netfilter


Hi,
I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
(vlan2) with non-private IP addresses, and I want to remove the vlan
tags before sending vlan2 packets out over my internet link and add them
back before sending packets from the internet to vlan2. Should this be
done in the iptables mangle table? Or do I need to use ebtables? And
exactly how should I go about doing this?

Thanks
-- 
Nikolai Lusan <nikolai@lusan.id.au>



* Re: iptables and vlan tagging
  2012-07-10  7:04 iptables and vlan tagging Nikolai Lusan
@ 2012-07-10 10:13 ` SamLT
  2012-07-10 11:46   ` Nikolai Lusan
  2012-07-10 11:14 ` Humberto Jucá
  2012-07-10 11:51 ` AW: " Thomas Bätzler
  2 siblings, 1 reply; 6+ messages in thread
From: SamLT @ 2012-07-10 10:13 UTC (permalink / raw)
  To: netfilter

On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
> Hi,
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?

I'm not really sure I understand your question. Viewing the commands
you used to set this up would certainly help.

Anyway, assuming you configured this with iproute, e.g.:
ip link add link eth0 eth0.10 type vlan id 10
...

Then the tagging depends on your routing:
   * If it has to go out from eth0.10 -> tagging
   * If it has to go out from eth0 -> no tagging


HTH


> 
> Thanks
> -- 
> Nikolai Lusan <nikolai@lusan.id.au>




* Re: iptables and vlan tagging
  2012-07-10  7:04 iptables and vlan tagging Nikolai Lusan
  2012-07-10 10:13 ` SamLT
@ 2012-07-10 11:14 ` Humberto Jucá
  2012-07-10 11:51 ` AW: " Thomas Bätzler
  2 siblings, 0 replies; 6+ messages in thread
From: Humberto Jucá @ 2012-07-10 11:14 UTC (permalink / raw)
  To: netfilter

Hi,

I may be wrong, but I believe that this will bring Layer 2 problems. I
can't see the logic in doing it this way!
From what was written, we can conclude that you don't want VLAN segmentation.

I don't know how to do this, but...
I think this doesn't work on L2.



2012/7/10 Nikolai Lusan <nikolai@lusan.id.au>:
> Hi,
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?
>
> Thanks
> --
> Nikolai Lusan <nikolai@lusan.id.au>


* Re: iptables and vlan tagging
  2012-07-10 10:13 ` SamLT
@ 2012-07-10 11:46   ` Nikolai Lusan
  2012-07-10 22:17     ` Humberto Jucá
  0 siblings, 1 reply; 6+ messages in thread
From: Nikolai Lusan @ 2012-07-10 11:46 UTC (permalink / raw)
  To: netfilter


On Tue, 2012-07-10 at 12:13 +0200, SamLT wrote: 
> On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
> > Hi,
> > I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> > (vlan2) with non-private IP addresses, and I want to remove the vlan
> > tags before sending vlan2 packets out over my internet link and add them
> > back before sending packets from the internet to vlan2. Should this be
> > done in the iptables mangle table? Or do I need to use ebtables? And
> > exactly how should I go about doing this?
> 
> I'm not really sure I understand your question.

My main concern is that I have packets that will end up in the forward
chain and exit out my ADSL link onto the internet with their vlan
tagging in place.


> Viewing the commands
> you used to set this up would certainly help.

The config (on the server/firewall) is done in the
Debian /etc/network/interfaces file:

auto dsl-provider
iface dsl-provider inet ppp
   pre-up /sbin/ifconfig eth0 up
   provider dsl-provider

auto bond0
iface bond0 inet static
   address 10.XXX.XXX.XXX
   netmask 255.255.255.0
   broadcast 10.XXX.XXX.255
   bond-slaves eth1 eth2 eth3
   bond-mode 4
   bond-miimon 100
   bond-lacp-rate 1
   mtu 9000
   bond-primary eth1 eth2 eth3
   

auto vlan2
iface vlan2 inet static
   vlan-raw-device bond0
   address 150.XXX.XXX.XXX
   netmask 255.255.255.248
   broadcast 150.XXX.XXX.XXX


A similar method is used on the clients, so all the instances of the
"vlan2" interface on machines are tagged vlans on the 150.XXX.XXX.XXX/29
subnet.


> Anyway, assuming you configured this with iproute, e.g.:
> ip link add link eth0 eth0.10 type vlan id 10
> Then the tagging depends on your routing:
>    * If it has to go out from eth0.10 -> tagging
>    * If it has to go out from eth0 -> no tagging
> 

The routing table looks like this on the firewall:

# ip route list
default dev ppp0  scope link 
10.XX.XX.0/24 dev bond0  proto kernel  scope link  src 10.XX.XX.XX 
150.XX.XX.XX dev ppp0 proto kernel scope link src 59.XX.XX.XX 
150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX 
192.168.XX.0/24 dev eth0  proto kernel  scope link  src 192.168.XX.XX 


On the network hosts that need to be routed it looks like this:

# ip route list
default via 10.XX.XX.XX dev eth0 
10.XX.XX.0/24 dev eth0  proto kernel  scope link  src 10.XX.XX.XX 
150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX 


So, I guess the question is twofold: 
1) Do I need to worry about tagged packets leaking onto the internet?
2) If so, how do I use the netfilter toolset to stop this from happening?

Thanks
-- 
Nikolai Lusan

Email:     nikolai@lusan.id.au
Phone(H):  (07) 3136 3065
Phone(M):  0425 661 620


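SamLT's point above is that the tag is a property of the egress device chosen by routing, which also answers Nikolai's question 1: a packet that leaves via ppp0 leaves untagged, whatever interface it arrived on, and there is nothing for the mangle table or ebtables to strip. The following is an added example (not code from the thread or from any of its participants) that replays the posted firewall `ip route list` output through a longest-prefix lookup and reports the egress device and whether frames on it carry an 802.1Q tag. The addresses stand in for the XX-masked ones and are constructed; `VLAN_DEVICES`, `parse_routes`, `egress_device`, `classify` and `tag_can_leak_via` are names chosen here, and VLAN id 2 for `vlan2` is assumed from the interface name.

```python
"""Where does an 802.1Q tag come from on a Linux router? From the egress netdev,
not from the packet. This replays the posted routing table through a
longest-prefix match and reports what the frame looks like on the wire."""
import ipaddress

# Constructed stand-ins for the XX-masked addresses in the thread; the shape of
# each line matches the posted `ip route list` output on the firewall.
FIREWALL_ROUTES = """\
default dev ppp0  scope link
10.20.30.0/24 dev bond0  proto kernel  scope link  src 10.20.30.1
150.100.200.1 dev ppp0 proto kernel scope link src 59.1.2.3
150.100.100.0/29 dev vlan2 proto kernel scope link src 150.100.100.2
192.168.50.0/24 dev eth0  proto kernel  scope link  src 192.168.50.1
"""

# Devices that add a tag on transmit. vlan2 is the only "vlan-raw-device bond0"
# interface in the posted config; its VLAN id is assumed to be 2 (from the name).
VLAN_DEVICES = {"vlan2": ("bond0", 2)}  # name -> (raw device, VLAN id)


def parse_routes(text):
    """Turn `ip route list` lines into (network, egress device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = fields[0]
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the most specific route wins, as in the kernel FIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def wire_encapsulation(dev):
    """Describe the frame on the wire for a given egress device."""
    if dev in VLAN_DEVICES:
        raw, vid = VLAN_DEVICES[dev]
        return {"device": dev, "raw_device": raw, "tagged": True, "vlan_id": vid}
    return {"device": dev, "raw_device": dev, "tagged": False, "vlan_id": None}


def classify(routes, dst):
    """Egress device plus tagging decision for one destination address."""
    return wire_encapsulation(egress_device(routes, dst))


def tag_can_leak_via(link_dev):
    """Question 1 from the thread: can a tagged frame leave through `link_dev`?

    Only if `link_dev` is itself a VLAN sub-interface. A tag that arrived on vlan2
    was removed by the vlan2 netdev on receive, so the IP packet reaching the
    FORWARD chain carries no tag and iptables/ebtables have nothing to strip.
    """
    return link_dev in VLAN_DEVICES


if __name__ == "__main__":
    table = parse_routes(FIREWALL_ROUTES)
    for dst in ("203.0.113.10", "150.100.100.5", "10.20.30.7", "150.100.200.1"):
        print(dst, classify(table, dst))
    print("tag can leak via ppp0:", tag_can_leak_via("ppp0"))
```

Running it shows the internet-bound destination (203.0.113.10) leaving untagged on ppp0, a host inside the /29 leaving tagged on bond0 with VLAN id 2 via vlan2, and the /32 host route beating the default route for the PPP peer; swapping in a real `ip route list` dump is the check a practitioner would run before reaching for netfilter at all.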

* AW: iptables and vlan tagging
  2012-07-10  7:04 iptables and vlan tagging Nikolai Lusan
  2012-07-10 10:13 ` SamLT
  2012-07-10 11:14 ` Humberto Jucá
@ 2012-07-10 11:51 ` Thomas Bätzler
  2 siblings, 0 replies; 6+ messages in thread
From: Thomas Bätzler @ 2012-07-10 11:51 UTC (permalink / raw)
  To: netfilter

Nikolai Lusan asked:
> I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
> (vlan2) with non-private IP addresses, and I want to remove the vlan
> tags before sending vlan2 packets out over my internet link and add them
> back before sending packets from the internet to vlan2. Should this be
> done in the iptables mangle table? Or do I need to use ebtables? And
> exactly how should I go about doing this?

You need to have a vlan tagged subinterface on the link that connects to your switch. This will "remove" the VLAN tag on incoming packets and add one on outgoing packets.

Assuming that's eth1, you'd create a subinterface like this:

 # vconfig add eth1 <vlan2-id>

Note that your distro might have fancier ways to set up vlan tagged interfaces.

Apart from that you really didn't tell us quite enough about your setup.

If vlan2 needs to be routed (i.e. it's a different net from what is on eth0), then 

 # ifconfig eth1.<vlan2-id> <gw-address-in-network> netmask ... broadcast ...
 # echo "1" > /proc/sys/net/ipv4/ip_forward

should do the trick once you have routing set up properly - i.e. hosts in vlan2 need to use the tagged subinterface's ip as gateway; external hosts need to know that they can reach hosts on the vlan2 network via eth0 of your box.

If, on the other hand, vlan2 needs to be bridged (i.e. it's the same network as on eth0), then you need to set up a bridge:

 # brctl addbr br0
 # brctl addif br0 eth0
 # brctl addif br0 eth1.<vlan2-id>
 # ifconfig eth0 0.0.0.0 promisc up
 # ifconfig eth1.<vlan2-id> promisc up
 # ifconfig br0 <former-eth0-ip> netmask <former-eth0-netmask> broadcast <former-eth0-broadcast>
 # route add default gw <former-default-gateway>

Once again your distro might have a more convenient way to set up a bridge.

All totally OTTOH so YMMV ;-)

HTH,
Thomas


* Re: iptables and vlan tagging
  2012-07-10 11:46   ` Nikolai Lusan
@ 2012-07-10 22:17     ` Humberto Jucá
  0 siblings, 0 replies; 6+ messages in thread
From: Humberto Jucá @ 2012-07-10 22:17 UTC (permalink / raw)
  To: Nikolai Lusan; +Cc: netfilter

Hi,

The treatment of VLAN tags is done in L2; you don't need to worry about it
- that is solved with routing.
You only have to worry about configuring the VLAN interface on the
firewall and the switch port.

- If you make VLAN configuration on the firewall interface, configure
the Tag in switch port too.
- The switch configuration must be in accordance with firewall
configuration, so when you configure an interface with a VLAN tag and
other without (pvid 1, for example), the switch port must be "hybrid".
It's the setting that determines how the marking is done (tagging or
removing).

When the packet is forwarded, the interface VLAN configuration
determines whether it should be tagged or not.


2012/7/10 Nikolai Lusan <nikolai@lusan.id.au>:
> On Tue, 2012-07-10 at 12:13 +0200, SamLT wrote:
>> On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
>> > Hi,
>> > I have 2 vlans, 1 untagged with private IPs (vlan1) and 1 tagged
>> > (vlan2) with non-private IP addresses, and I want to remove the vlan
>> > tags before sending vlan2 packets out over my internet link and add them
>> > back before sending packets from the internet to vlan2. Should this be
>> > done in the iptables mangle table? Or do I need to use ebtables? And
>> > exactly how should I go about doing this?
>>
>> I'm not really sure I understand your question.
>
> My main concern is that I have packets that will end up in the forward
> chain and exit out my ADSL link onto the internet with their vlan
> tagging in place.
>
>
>> Viewing the commands
>> you used to set this up would certainly help.
>
> The config (on the server/firewall) is done in the
> Debian /etc/network/interfaces file:
>
> auto dsl-provider
> iface dsl-provider inet ppp
>    pre-up /sbin/ifconfig eth0 up
>    provider dsl-provider
>
> auto bond0
> iface bond0 inet static
>    address 10.XXX.XXX.XXX
>    netmask 255.255.255.0
>    broadcast 10.XXX.XXX.255
>    bond-slaves eth1 eth2 eth3
>    bond-mode 4
>    bond-miimon 100
>    bond-lacp-rate 1
>    mtu 9000
>    bond-primary eth1 eth2 eth3
>
>
> auto vlan2
> iface vlan2 inet static
>    vlan-raw-device bond0
>    address 150.XXX.XXX.XXX
>    netmask 255.255.255.248
>    broadcast 150.XXX.XXX.XXX
>
>
> A similar method is used on the clients, so all the instances of the
> "vlan2" interface on machines are tagged vlans on the 150.XXX.XXX.XXX/29
> subnet.
>
>
>> Anyway, assuming you configured this with iproute, e.g.:
>> ip link add link eth0 eth0.10 type vlan id 10
>> Then the tagging depends on your routing:
>>    * If it has to go out from eth0.10 -> tagging
>>    * If it has to go out from eth0 -> no tagging
>>
>
> The routing table looks like this on the firewall:
>
> # ip route list
> default dev ppp0  scope link
> 10.XX.XX.0/24 dev bond0  proto kernel  scope link  src 10.XX.XX.XX
> 150.XX.XX.XX dev ppp0 proto kernel scope link src 59.XX.XX.XX
> 150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX
> 192.168.XX.0/24 dev eth0  proto kernel  scope link  src 192.168.XX.XX
>
>
> On the network hosts that need to be routed it looks like this:
>
> # ip route list
> default via 10.XX.XX.XX dev eth0
> 10.XX.XX.0/24 dev eth0  proto kernel  scope link  src 10.XX.XX.XX
> 150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX
>
>
> So, I guess the question is twofold:
> 1) Do I need to worry about tagged packets leaking onto the internet?
> 2) If so, how do I use the netfilter toolset to stop this from happening?
>
> Thanks
> --
> Nikolai Lusan
>
> Email:     nikolai@lusan.id.au
> Phone(H):  (07) 3136 3065
> Phone(M):  0425 661 620

