Do More With Less: 802.1Q VLANs with Voyage Linux

By Carla Schroder | Feb 12, 2008
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3727696/Do-More-With-Less-8021Q-VLANs-with-Voyage-Linux.htm

We've covered a lot of ground in the first three parts of this series. Today we stride down that last mile: setting up 802.1Q VLANs, and making configurations permanent. This is the part where you might regret going with an inexpensive smart switch like our example Netgear GS108T. It supports creating 802.1Q VLANs, but at a rather Spartan level. Higher-end switches give you more options, such as VLAN routing built into the switch, and options for other types of VLANs such as IP-address and MAC-address based.

Client configuration is always the same, but switches and routers vary. I'll show you how it's done on the cheap, with a low-end smart switch and an inexpensive but powerful router built with Voyage Linux on a PC Engines WRAP board.

Basic Connectivity

This is similar to the way it's done with port-based VLANs, but you have a few more hoops to jump through. Let's go back to our network diagrams from part 2, and rework one of them:

      broadband modem
             |
      router/firewall
                   |
                   |
      VLAN5     VLAN6     VLAN1
     1 2 3 8   4 5 6 8    7 8

This shows our 8-port smart switch divided into three VLANs:

  • VLAN5 is 192.168.5.0/24
  • VLAN6 is 192.168.6.0/24
  • VLAN1 is 192.168.1.0/24
  • The PVID of ports 1, 2, and 3 is 5
  • The PVID of ports 4, 5, and 6 is 6
  • The PVID of ports 7 and 8 is 1
  • Port 7 is the management port. This is one that the ace network admin connects to for administering the switch
  • All switch ports are tagged

Switch port 8 connects to the router. The router is a combination iptables firewall, router, and Dnsmasq server. Dnsmasq provides a local caching resolver and LAN DNS.

Voyage Linux comes with vconfig, so we can quickly set up our new VLANs temporarily for testing. In this example eth0 is the LAN interface on the router that is connected to switch port 8:

# vconfig add eth0 5
# vconfig add eth0 6
# ip addr add 192.168.5.1/24 brd + dev eth0.5
# ip addr add 192.168.6.1/24 brd + dev eth0.6
# ip link set eth0.5 up
# ip link set eth0.6 up

brd + is a shortcut for setting the broadcast address, which ip calculates from the netmask. You can verify your new addresses with ifconfig or ip addr show. I made the VLAN IDs and subnet numbers the same because it's less confusing for me. You can use whatever numbering scheme suits you.

Now we'll configure a client in VLAN5. The base interface needs no address of its own while we're testing; it only has to be up so that it can carry the tagged frames, and the new VLAN interface must be brought up before a route can point through it:

# ip link set eth0 up
# vconfig add eth0 5
# ip addr add 192.168.5.25/24 brd + dev eth0.5
# ip link set eth0.5 up
# ip route add default via 192.168.5.1

Now you can ping back and forth between the router and client:

$ ping 192.168.5.1
PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=64 time=0.462 ms

Getting Name Services

Pinging is only fun for a little while. You probably want to be able to use your local nameserver, so you need to add these three iptables rules to your existing ruleset:

# iptables -A INPUT -p udp -i eth0.5 -s 192.168.5.0/24 --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0.5 -s 192.168.5.0/24 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0.5 --dport 67 -j ACCEPT

Now, assuming your name services were already set up and working correctly, you can ping your router by its name:

$ ping router1
PING router1.alrac.net (192.168.1.50) 56(84) bytes of data.
64 bytes from router1.alrac.net (192.168.1.50): icmp_seq=1 ttl=64 time=0.564 ms

Notice that it returns the base address of the router's LAN interface rather than the VLAN address, because the VLAN address has not been configured in the nameserver. If you want your VLAN clients to get their network information from DHCP, you'll need to add your VLAN networks to your DHCP server. This example shows one way to do it in Dnsmasq:

listen-address=192.168.5.1
dhcp-range=vlan5,192.168.5.100,192.168.5.200,255.255.255.0,12h
dhcp-option=vlan5,3,192.168.5.1
dhcp-option=vlan5,6,192.168.5.1

This creates a pool of 100 addresses with 12 hour leases, assigns a default gateway of 192.168.5.1, and points to the DNS server also at 192.168.5.1. If these were on different boxes, then you would use different addresses. Dnsmasq also makes it easy to incorporate static addressing; see Resources.

Sharing Internet

If you want VLAN5 to have Internet, you're going to need yet more new iptables rules on the router. These example rules allow unfettered outgoing traffic, and restrict incoming traffic to established sessions only. You'll need to substitute the name of your own WAN interface:

# iptables -A FORWARD -i [wan_interface] -o eth0.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth0.5 -o [wan_interface] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Now you can surf the Web from your test client.

Routing Between VLANs

Suppose you want some of your VLANs to have access to each other; no problem, again it's just a matter of using iptables. This is a simple example to allow traffic to flow between VLAN5 and VLAN6 with no restrictions:

# iptables -A FORWARD -i eth0.6 -o eth0.5 -j ACCEPT
# iptables -A FORWARD -i eth0.5 -o eth0.6 -j ACCEPT

You'll probably want to put your rules in a script, and you can add various refinements, such as defining source and destination addresses, restricting certain ports and protocols, and so forth.
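Putting the rules from the last three sections into a script, as an added example rather than the article's own code: one function gives every VLAN the same DNS, DHCP and Internet rules, inter-VLAN reachability exists only where vlan_link grants it explicitly, and everything else is dropped by policy. It assumes the WAN interface is called eth1 (the article's [wan_interface]) and adds a -s match to the outbound rule so that a host on one VLAN cannot send traffic with another subnet's source address; until you set IPT=iptables it only prints the commands.

```shell
#!/bin/sh
# Added example: the article's per-VLAN rules as reusable functions, so every
# new VLAN gets the same complete set. Prints the commands (dry run) until
# you set IPT=iptables; WAN is an assumed name, substitute your own.
IPT="${IPT:-echo}"
WAN="${WAN:-eth1}"

# vlan_rules VID SUBNET [BASE]: DNS and DHCP to the router, outbound Internet,
# and only established/related traffic back in from the WAN side.
vlan_rules() {
    dev="${3:-eth0}.$1"; subnet=$2
    $IPT -A INPUT -p udp -i "$dev" -s "$subnet" --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp -i "$dev" -s "$subnet" --dport 53 -j ACCEPT
    # a DHCP DISCOVER is sent from 0.0.0.0, so the DHCP rule has no -s match
    $IPT -A INPUT -p udp -i "$dev" --dport 67 -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$dev" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -s is a refinement on the article's rule: packets leaving this VLAN must
    # carry a source address from its own subnet (anti-spoofing)
    $IPT -A FORWARD -i "$dev" -o "$WAN" -s "$subnet" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# vlan_link VID_A VID_B [BASE]: unrestricted two-way path between two VLANs
vlan_link() {
    a="${3:-eth0}.$1"; b="${3:-eth0}.$2"
    $IPT -A FORWARD -i "$a" -o "$b" -j ACCEPT
    $IPT -A FORWARD -i "$b" -o "$a" -j ACCEPT
}

# apply_vlan_policy: default deny, then the VLANs from the diagram. VLANs not
# named in a vlan_link call cannot reach each other. Your existing ruleset must
# already accept management traffic on the base interface (VLAN1) before the
# policies go to DROP, or you lock yourself out of the router.
apply_vlan_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    vlan_rules 5 192.168.5.0/24
    vlan_rules 6 192.168.6.0/24
    vlan_link 5 6
}

apply_vlan_policy
```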

Permanent VLAN Client Configurations

Naturally, every danged Linux distribution has its own pet method for configuring network interfaces. A pox on all of them. Fortunately, the majority are either Debian-derivatives or Red Hat offspring, so we can cover a lot of distributions with examples from those two. Your favorite graphical network configurator may not let you do VLANs, so here is how we do it the old-fashioned way.

VLAN Debian

Debian is easy: there is a single configuration file, /etc/network/interfaces. I know, the hot new trend is to take even the simplest configurations and split them among a half-dozen widely-scattered and undocumented configuration files, to maximize unpredictable behavior and user confusion, but fortunately Debian has resisted this trend. So far. This is what a single VLAN interface looks like.

# base interface: no address of its own, it only carries the tagged frames
auto eth0
iface eth0 inet manual
        up ip link set eth0 up
        up vconfig add eth0 5

auto eth0.5
iface eth0.5 inet dhcp

Or you might want a static address:

# base interface: no address of its own, it only carries the tagged frames
auto eth0
iface eth0 inet manual
        up ip link set eth0 up
        up vconfig add eth0 5

auto eth0.5
iface eth0.5 inet static
        address 192.168.5.25
        netmask 255.255.255.0
        network 192.168.5.0
        broadcast 192.168.5.255
        gateway 192.168.5.1

You can add as many VLAN interfaces as you want on the same base interface, and if you want the base interface to have an address of its own, give eth0 an ordinary inet static or inet dhcp stanza instead and keep the up vconfig line.

VLAN Fedora

Red Hat put the B in Byzantine network interface configuration, and Fedora, CentOS, PCLinuxOS, and hordes of others follow suit. This shows a static address. You'll configure two files:

#/etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    ONBOOT=no
    TYPE=Ethernet

#/etc/sysconfig/network-scripts/ifcfg-eth0.5
    DEVICE=eth0.5
    HWADDR=00:BB:6A:FE:77:EE
    IPADDR=192.168.5.25
    NETMASK=255.255.255.0
    VLAN=yes
    ONBOOT=yes
    BOOTPROTO=none

This shows how to configure DHCP:

#/etc/sysconfig/network-scripts/ifcfg-eth0.5
    DEVICE=eth0.5
    BOOTPROTO=dhcp
    HWADDR=00:BB:6A:FE:77:EE
    ONBOOT=yes
    TYPE=Ethernet
    VLAN=yes

And don't forget /etc/sysconfig/network, which is where you set the default gateway and other global network information:

     NETWORKING=yes
     HOSTNAME=vlanqueen
     GATEWAY=192.168.5.1
     DOMAINNAME=foobeer.net
     GATEWAYDEV=eth0.5

More Switches! More!

OK then. Now for the final burning basic 802.1Q question: What about adding more switches? Easy. Just plug the suckers together, and remember to uplink them using tagged ports. You can create VLANs that span switches and still use a single router, so check your switch documentation for details. For troubleshooting use ping, mtr, route, and tcpdump or Wireshark.

Resources