Multiple VLAN on the LAN port, how?

eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Multiple VLAN on the LAN port, how?

Post by eramoli »

Hi all,

I would like to have two separate networks at home but my ISP only gives me one public IP address. My thinking on how to solve this was to add a VLAN on the B3 LAN port and have a switch divide the networks.

I created the VLAN by adding the following to /etc/network/interfaces

Code: Select all

auto eth1.20
iface eth1.20 inet static
        address 10.69.20.1
        netmask 255.255.255.0

After a restart the ifconfig command gave me this output

Code: Select all

eth1.20   Link encap:Ethernet  HWaddr 00:22:02:00:15:55  
          inet addr:10.69.20.1  Bcast:10.69.20.255  Mask:255.255.255.0
          inet6 addr: fe80::222:2ff:fe00:1555/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:27462 (26.8 KiB)

To enable DHCP on the new interface I also updated /etc/dnsmasq.conf with the following line

Code: Select all

dhcp-range=10.69.20.50,10.69.20.100,12h

and then restarted dnsmasq using

Code: Select all

/etc/init.d/dnsmasq restart

In the switch I split the networks on two different ports. When connecting my computer to the "eth1" port I get DHCP from my B3 and I have internet connection. When connecting to the "eth1.20" port I do not get any IP address assigned to me.

What is missing to get this working?

I have checked and double checked my switch configuration and it looks correct. Should I continue checking the switch configuration or is there something more that needs to be done to enable DHCP on the VLAN interface?

Edit: Firewall.
I now also made the following additions to the firewall configuration (guessing wildly)

Code: Select all

-A INPUT -i eth1.20 -j ACCEPT
-A FORWARD -i eth1.20 -j ACCEPT 

And then ran the command

Code: Select all

iptables-restore < firewall.conf

No difference :-(

Best Regards,
Morgan
Gordon
Posts: 1465
Joined: 10 Aug 2011, 03:18

Re: Multiple VLAN on the LAN port, how?

Post by Gordon »

I think that is a known issue with dnsmasq's DHCP server, tagged as very low priority. I do assume that your VLANs work as expected when manually assigning IP addresses?
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Re: Multiple VLAN on the LAN port, how?

Post by eramoli »

Hi Gordon,
Gordon wrote: I think that is a known issue with dnsmasq's DHCP server, tagged as very low priority. I do assume that your VLANs work as expected when manually assigning IP addresses?
No, I tried setting the IP to 10.69.20.5 and then pinging 10.69.20.1 (from Mac to B3) and no response :-(

/Morgan
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Re: Multiple VLAN on the LAN port, how?

Post by eramoli »

Gordon wrote: I think that is a known issue with dnsmasq's DHCP server, tagged as very low priority. I do assume that your VLANs work as expected when manually assigning IP addresses?
The only vlan related bug I could find is this one and it does not look related to my issue.

https://bugs.launchpad.net/ubuntu/+sour ... ug/1006898

Gordon: Do you have any other leads to the bug?

/Morgan
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Re: Multiple VLAN on the LAN port, how?

Post by eramoli »

Hi again,

Does the fact that eth1 is bridged with wlan0 into br0 make any difference for this?

/Morgan
Gordon
Posts: 1465
Joined: 10 Aug 2011, 03:18

Re: Multiple VLAN on the LAN port, how?

Post by Gordon »

eramoli wrote: No, I tried setting the IP to 10.69.20.5 and then pinging 10.69.20.1 (from Mac to B3) and no response :-(
I think your first objective should be to fix that first then. Did you tell the switch to untag the port that you dedicated to vlan 20 (access mode)? And is the port that the B3 is connected to in fact configured to receive vlan headers (trunk mode)?
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Re: Multiple VLAN on the LAN port, how?

Post by eramoli »

Hi,
Did you tell the switch to untag the port that you dedicated to vlan 20 (access mode)?
Yes
And is the port that the B3 is connected to in fact configured to receive vlan headers (trunk mode)?
Yes, but it is not called trunk mode on my HP1810-8G V2 switch. They call it participation/tagging. For each port on the switch I can say if a specific VLAN should be excluded, tagged, or untagged.

The B3 port has VLAN 10 (eth1) untagged and VLAN 20 (eth1.20) tagged. VLAN 10 and 20 are also on two other ports (one on each) and both untagged.

/Morgan
Gordon
Posts: 1465
Joined: 10 Aug 2011, 03:18

Re: Multiple VLAN on the LAN port, how?

Post by Gordon »

Yeah, it would have been nice if manufacturers could have agreed on common naming conventions. I'm out of pitfalls that I can think of though, so I'm afraid you'll have to do some more digging on your own.
Gordon
Posts: 1465
Joined: 10 Aug 2011, 03:18

Re: Multiple VLAN on the LAN port, how?

Post by Gordon »

Hi Morgan,

I've been wanting to replace my ISP router because of its back door anyway, so I got myself a pair of VLAN-aware Netgear GS108E switches and started experimenting. Used one to split the inbound VLANs for ITV and internet and dedicated the rest of the ports for LAN use. Moved the second one to my work space two floors up to try to split up my LAN with a dedicated segment for Squeezebox devices - those things spit a shipload of broadcast messages over the network, causing serious performance issues with other devices that do not need to receive those messages but will evaluate them.

Here's my (working!) setup:

/etc/hostapd/hostapd.conf:

Code: Select all

interface=wlan0
bssid=02:xx:xx:xx:xx:x0
...
ssid=gordon
channel=5
wpa=3
wpa_passphrase=ExtremelySecret
...
bss=wlan0_0
ssid=squeezeplay

bss=wlan0_1
ssid=guest

For an explanation of bssid visit http://wiki.stocksy.co.uk/wiki/Multiple ... th_hostapd. I use no password on the secondary SSIDs. I'll explain further on.

/etc/network/interfaces:

Code: Select all

...
# Wireless LAN
iface wlan0 inet static
        address 192.168.57.254
        netmask 255.255.255.0
        pre-up /sbin/ifconfig wlan0 hw ether 02:xx:xx:xx:xx:x0
# 57 = "W"

# Squeezeplay
iface wlan0_0 inet manual
        pre-up /sbin/ifconfig wlan0 up

iface eth1.1311 inet manual

iface br0 inet static
        address 10.13.11.1
        netmask 255.255.255.248
        bridge_ports eth1.1311 wlan0_0
# 0x1311 = "SQ" - "@@" (can't use 5351 > 4096)

# Guest network
iface wlan0_1 inet static
        address xyz.xyz.xyz.1
        netmask 255.255.255.248
        pre-up /sbin/ifconfig wlan0 up

The netmask for both the Squeezebox and the Guest network allows for 5 clients to connect (range 0-7, where 0 is the net number, 7 the broadcast address and 1 the server)

/etc/dnsmasq.d/squeezeplay.conf:

Code: Select all

interface=br0
dhcp-range=br0,10.13.11.2,10.13.11.6,15m

# Assign fixed addresses and DNS names to the Squeezebox devices
dhcp-host=00:04:20:xx:xx:xx,10.13.11.2,assurancetourix
dhcp-host=00:04:20:xx:xx:xx,10.13.11.3,maestria
dhcp-host=00:04:20:xx:xx:xx,10.13.11.4,kakofonix
dhcp-host=00:04:20:xx:xx:xx,10.13.11.5,squeezeremote

# Dummy host to block the one remaining address in this segment
dhcp-host=02:04:20:xx:xx:x0,10.13.11.6

Note the prepending of 'br0' to the value of dhcp-range. I made a similar change to the existing file /etc/dnsmasq.d/bubba.conf where I inserted 'eth1' in that line.

Relevant portion of /etc/network/firewall.conf:

Code: Select all

:SQUEEZEPLAY - [0:0]
-A INPUT -i br0 -j SQUEEZEPLAY
-A FORWARD -i br0 -j SQUEEZEPLAY
-A SQUEEZEPLAY -d 10.0.0.0/8 -p tcp -m tcp --dport 80 -j REJECT
# RFC 1918 private block 172.16.0.0 - 172.31.255.255
-A SQUEEZEPLAY -d 172.16.0.0/12 -p tcp -m tcp --dport 80 -j REJECT
-A SQUEEZEPLAY -d 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REJECT
-A SQUEEZEPLAY -p tcp -m multiport --dports 3483,9000,9090,80 -j ACCEPT
-A SQUEEZEPLAY -p udp -m multiport --dports 3483,67,68,53,17784 -j ACCEPT
-A SQUEEZEPLAY -d 224.0.0.0/24 -j ACCEPT
-A SQUEEZEPLAY -j REJECT

(this gives access to local/remote LMS, dhcp, dns and remote http - required for internet radio)

The fixed assignments in the DHCP server will prevent anyone from receiving an IP when they attach to the Squeezeplay network. The strict firewall will further prevent real damage from someone spoofing a valid MAC address and I save CPU power by not needing to cipher the audio streams.
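
Added example, not part of the original post: a small Python audit for private-range REJECT rules like those in the SQUEEZEPLAY chain above. iptables applies the mask to the -d address, so a network written with host bits set matches a different range than the one typed; the chain name GUESTS and the sample ruleset are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in iptables-restore syntax; GUESTS is a hypothetical chain
# and the second REJECT rule is deliberately written with host bits set.
SAMPLE_RULES = """\
:GUESTS - [0:0]
-A FORWARD -i br0 -j GUESTS
-A GUESTS -d 10.0.0.0/8 -p tcp -m tcp --dport 80 -j REJECT
-A GUESTS -d 172.12.0.0/12 -p tcp -m tcp --dport 80 -j REJECT
-A GUESTS -d 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REJECT
-A GUESTS -p tcp -m multiport --dports 9000,80 -j ACCEPT
-A GUESTS -j REJECT
"""


def audit_private_blocks(rules_text, chain):
    """Audit the destination-based REJECT/DROP rules of one chain.

    Returns (misaligned, uncovered):
      misaligned - (as_written, effective) pairs where the mask changes the address
      uncovered  - RFC 1918 blocks not fully inside any blocked destination
    Only the -d match is examined; ports and rule order are ignored.
    """
    blocked, misaligned = [], []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain] or "-d" not in tok or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] not in ("REJECT", "DROP"):
            continue
        written = tok[tok.index("-d") + 1]
        # strict=False masks off host bits, giving the range actually matched
        net = ipaddress.ip_network(written, strict=False)
        if ipaddress.ip_interface(written).ip != net.network_address:
            misaligned.append((written, str(net)))
        blocked.append(net)
    uncovered = [str(b) for b in RFC1918
                 if not any(b.subnet_of(n) for n in blocked)]
    return misaligned, uncovered


if __name__ == "__main__":
    bad, missing = audit_private_blocks(SAMPLE_RULES, "GUESTS")
    for written, effective in bad:
        print(f"{written} is matched as {effective}")
    print("private blocks still reachable on the filtered port:", missing)
```
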
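
Added example, not part of the original post: a Python check that every address inside a dnsmasq dhcp-range is pinned by a dhcp-host line, which is the property the fixed-assignment setup above relies on to keep unknown clients from getting a lease. The sample configuration, MAC addresses and host names are constructed.

```python
import ipaddress

# Constructed sample: three reservations in a five-address pool.
SAMPLE_CONF = """\
interface=br0
dhcp-range=br0,10.13.11.2,10.13.11.6,15m
dhcp-host=00:04:20:aa:bb:01,10.13.11.2,player1
dhcp-host=00:04:20:aa:bb:02,10.13.11.3,player2
dhcp-host=00:04:20:aa:bb:03,10.13.11.4
# 10.13.11.5 and 10.13.11.6 are left unreserved on purpose
"""


def _ipv4_fields(fields):
    """Keep only the comma-separated fields that parse as IPv4 addresses."""
    found = []
    for field in fields:
        try:
            found.append(ipaddress.IPv4Address(field.strip()))
        except ValueError:
            pass  # interface tag, MAC address, host name or lease time
    return found


def unreserved_addresses(conf_text):
    """Return pool addresses that no dhcp-host line assigns to a fixed client."""
    pool, reserved = set(), set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition("=")
        fields = value.split(",")
        if key == "dhcp-range":
            ips = _ipv4_fields(fields)
            if len(ips) >= 2:  # first two addresses are start and end of the pool
                start, end = int(ips[0]), int(ips[1])
                pool.update(ipaddress.IPv4Address(i) for i in range(start, end + 1))
        elif key == "dhcp-host":
            reserved.update(_ipv4_fields(fields))
    return [str(a) for a in sorted(pool - reserved)]


if __name__ == "__main__":
    free = unreserved_addresses(SAMPLE_CONF)
    print("addresses an unknown client could still lease:", free or "none")
```
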