We've covered a lot of ground in the first three parts of this series. Today we stride down that last mile: setting up 802.1Q VLANs, and making configurations permanent. This is the part where you might regret going with an inexpensive smart switch like our example Netgear GS108T. It supports creating 802.1Q VLANs, but at a rather Spartan level. Higher-end switches give you more options, such as VLAN routing built into the switch, and options for other types of VLANs such as IP-address and MAC-address based.
Client configuration is always the same, but switches and routers vary. I'll show you how it's done on the cheap, with a low-end smart switch and an inexpensive but powerful router built with Voyage Linux on a PC Engines WRAP board.
This is similar to the way it's done with port-based VLANs, but you have a few more hoops to jump through. Let's go back to our network diagrams from part 2, and rework one of them:
broadband modem
       |
 router/firewall
       |
  switch port 8
       |
  -----------------------------
  |            |              |
VLAN5        VLAN6          VLAN1
ports        ports          ports
1 2 3 8      4 5 6 8        7 8
This shows our 8-port smart switch divided into three VLANs:
- VLAN5 is 192.168.5.0/24
- VLAN6 is 192.168.6.0/24
- VLAN1 is 192.168.1.0/24
- The PVID of ports 1, 2, and 3 is 5
- The PVID of ports 4, 5, and 6 is 6
- The PVID of ports 7 and 8 is 1
- Port 7 is the management port. This is one that the ace network admin connects to for administering the switch
- All switch ports are tagged
Switch port 8 connects to the router. The router is a combination iptables firewall, router, and Dnsmasq server. Dnsmasq provides a local caching resolver and LAN DNS.
Voyage Linux comes with vconfig, so we can quickly set up our new VLANs temporarily for testing. In this example eth0 is the LAN interface on the router that is connected to switch port 8:
# vconfig add eth0 5
# vconfig add eth0 6
# ip addr add 192.168.5.1/24 brd + dev eth0.5
# ip addr add 192.168.6.1/24 brd + dev eth0.6
# ip link set eth0.5 up
# ip link set eth0.6 up
brd + is a shortcut for setting the broadcast address, which ip calculates from the netmask. You can verify your new addresses with ifconfig or ip addr show. I made the VLAN IDs and subnet numbers the same because it's less confusing for me. You can use whatever numbering scheme suits you.
Now we'll configure a client in VLAN5. We'll assign an empty base IP address to the interface to keep things simple while we're testing:
# ip addr add 0.0.0.0 dev eth0
# vconfig add eth0 5
# ip addr add 192.168.5.25/24 brd + dev eth0.5
# ip route add default via 192.168.5.1
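The router and client steps above, collected into one script as an added example (this is not the article's own code). It uses iproute2's ip link add ... type vlan, the modern equivalent of vconfig, assumes the parent NIC is eth0 on both boxes, and refuses VLAN IDs outside the 802.1Q range of 1 to 4094. With DRY_RUN=1 it prints the commands instead of running them, so you can review them without root.

```shell
#!/bin/sh
# Added example, not from the original article: bring up 802.1Q sub-interfaces
# with "ip link ... type vlan" (iproute2), the modern equivalent of vconfig.
# Assumptions: the parent NIC is eth0 and the 8021q kernel module is available.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vlan_up PARENT VID CIDR: creates PARENT.VID, assigns CIDR, brings it up.
# VLAN IDs 0 and 4095 are reserved by 802.1Q, so only 1-4094 are accepted.
vlan_up() {
    parent=$1; vid=$2; cidr=$3
    case "$vid" in
        ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN id out of range: $vid" >&2; return 1
    fi
    run ip link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    run ip addr add "$cidr" brd + dev "$parent.$vid"
    run ip link set "$parent.$vid" up
}

# Router side: one sub-interface per VLAN, the router holds .1 in each subnet.
router_vlans() {
    vlan_up eth0 5 192.168.5.1/24 || return 1
    vlan_up eth0 6 192.168.6.1/24 || return 1
}

# Client side in VLAN5: the parent interface carries no address of its own,
# the VLAN sub-interface gets 192.168.5.25 and the router as default gateway.
client_vlan5() {
    run ip link set eth0 up
    vlan_up eth0 5 192.168.5.25/24 || return 1
    run ip route add default via 192.168.5.1 dev eth0.5
}

if [ "${1:-}" = "router" ]; then router_vlans; fi
if [ "${1:-}" = "client" ]; then client_vlan5; fi
```

Run it as "sh vlans.sh router" on the router and "sh vlans.sh client" on the test client; like the vconfig commands it replaces, nothing here survives a reboot.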
Now you can ping back and forth between the router and client:
$ ping 192.168.5.1
PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=64 time=0.462 ms
Getting Name Services
Pinging is only fun for a little while. You probably want to be able to use your local nameserver, and DHCP a little later, so you need to add these three iptables rules to your existing ruleset. The first two admit DNS queries from the VLAN5 subnet, the third admits DHCP requests from VLAN5:
# iptables -A INPUT -p udp -i eth0.5 -s 192.168.5.0/24 --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0.5 -s 192.168.5.0/24 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0.5 --dport 67 -j ACCEPT
Now, assuming your name services were already set up and working correctly, you can ping your router by its name:
$ ping router1
PING router1.alrac.net (192.168.1.50) 56(84) bytes of data.
64 bytes from router1.alrac.net (192.168.1.50): icmp_seq=1 ttl=64 time=0.564 ms
Notice how it returns the base address of its LAN interface rather than the VLAN address, because the VLAN address has not been configured in the nameserver. If you want your VLAN clients to get their network information from DHCP, you'll need to add your VLAN networks to your DHCP server. This example shows one way to do it in Dnsmasq:
This creates a pool of 100 addresses with 12 hour leases, assigns a default gateway of 192.168.5.1, and points to the DNS server also at 192.168.5.1. If these were on different boxes, then you would use different addresses. Dnsmasq also makes it easy to incorporate static addressing; see Resources.
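As an added illustration of the Dnsmasq scope just described (my own fragment, not the article's), the following assumes dnsmasq runs on the router and listens on the eth0.5 sub-interface at 192.168.5.1. Dnsmasq picks the range whose subnet matches the interface the request arrived on, and the set:/tag: pair keeps the gateway and DNS options scoped to that range rather than applying to every VLAN:

```conf
# Added example, not the article's own config: a dnsmasq DHCP scope for VLAN5.
# Assumes dnsmasq listens on the router's eth0.5 sub-interface (192.168.5.1).
interface=eth0.5

# pool of 100 addresses, 12-hour leases; requests arriving on eth0.5 get this
# range because its subnet matches the interface address, and they are tagged "vlan5"
dhcp-range=set:vlan5,192.168.5.100,192.168.5.199,12h

# option 3 = default gateway, option 6 = DNS server, both the router itself
dhcp-option=tag:vlan5,3,192.168.5.1
dhcp-option=tag:vlan5,6,192.168.5.1
```

A second VLAN gets its own interface=, dhcp-range=set:vlan6,... and tag:vlan6 option lines in the same shape; dnsmasq --test checks the syntax before you restart the daemon.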
If you want VLAN5 to have Internet, you're going to need yet more new iptables rules on the router. These example rules allow unfettered outgoing traffic, and restrict incoming traffic to established sessions only. You'll need to substitute the name of your own WAN interface:
# iptables -A FORWARD -i [wan_interface] -o eth0.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth0.5 -o [wan_interface] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Now you can surf the Web from your test client.
Routing Between VLANs
Suppose you want some of your VLANs to have access to each other? No problem; again it's just a matter of using iptables. This is a simple example to allow traffic to flow between VLAN5 and VLAN6 with no restrictions:
# iptables -A FORWARD -i eth0.6 -o eth0.5 -j ACCEPT
# iptables -A FORWARD -i eth0.5 -o eth0.6 -j ACCEPT
You'll probably want to put your rules in a script, and you can add various refinements, such as defining source and destination addresses, restricting certain ports and protocols, and so forth.
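Here is the kind of script the paragraph above suggests, written as an added example rather than taken from the article: the INPUT rules for DNS and DHCP, the FORWARD rules for Internet access, and the inter-VLAN rules are each wrapped in a function, with the refinements the text mentions applied (source and destination subnets on every rule, and an inter-VLAN variant limited to a few TCP ports in one direction). It assumes the WAN interface is eth1, the VLAN sub-interfaces are eth0.5 and eth0.6, and that the existing ruleset already has a default-deny policy on INPUT and FORWARD. DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the article's own script): the article's iptables rules
# as reusable functions, with source/destination subnets and port limits.
# Assumptions: WAN is eth1, VLAN sub-interfaces are eth0.5 and eth0.6, and the
# INPUT and FORWARD chains already default to DROP. DRY_RUN=1 prints the rules.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Local services for one VLAN: DNS (53 udp and tcp) only from that VLAN's own
# subnet; DHCP (67 udp) from any source on the VLAN, because a DHCP DISCOVER
# is sent from 0.0.0.0 and cannot pass a source-subnet test.
vlan_local_services() {   # vlan_local_services IFACE SUBNET
    ipt -A INPUT -i "$1" -s "$2" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$1" -s "$2" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$1" -p udp --dport 67 -j ACCEPT
}

# Internet for one VLAN: outbound only when the source is the VLAN's own
# subnet (a packet from eth0.5 with another source is dropped), inbound only
# for replies to established sessions.
vlan_internet() {         # vlan_internet IFACE SUBNET WAN
    ipt -A FORWARD -i "$3" -o "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$1" -s "$2" -o "$3" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Inter-VLAN access. With PORTS=all both directions are open, as in the
# article. Otherwise FROM may open TCP sessions to TO on the listed ports only,
# and TO may only answer those sessions.
vlan_peer() {             # vlan_peer FROM_IF FROM_NET TO_IF TO_NET PORTS
    if [ "$5" = "all" ]; then
        ipt -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" -j ACCEPT
        ipt -A FORWARD -i "$3" -s "$4" -o "$1" -d "$2" -j ACCEPT
        return 0
    fi
    ipt -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" -p tcp -m multiport --dports "$5" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$3" -s "$4" -o "$1" -d "$2" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

vlan_ruleset() {
    vlan_local_services eth0.5 192.168.5.0/24
    vlan_local_services eth0.6 192.168.6.0/24
    vlan_internet eth0.5 192.168.5.0/24 eth1
    vlan_internet eth0.6 192.168.6.0/24 eth1
    # VLAN5 may reach ssh and web servers in VLAN6; VLAN6 cannot initiate to VLAN5.
    vlan_peer eth0.5 192.168.5.0/24 eth0.6 192.168.6.0/24 22,80,443
}

if [ "${1:-}" = "load" ]; then vlan_ruleset; fi
```

Run "DRY_RUN=1 sh vlan-rules.sh load" to review the twelve rules it generates, then "sh vlan-rules.sh load" as root to append them to the live chains; because each rule names the subnet that belongs on its interface, a host that plugs into a VLAN5 port and configures an address from VLAN6 gets nothing through the router.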