[alpine-user] Help configuring VLANs on my router & switch

From: Tyler <tylera_at_privatedemail.net>
Date: Sun, 17 Jun 2018 23:26:53 +0930

Hi,

I decided to use an old Raspberry Pi I had as a Linux Router. I followed
an article on the wiki
https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#VPN_Tunnel_on_specific_subnet
and decided that I wanted to improve upon it by implementing VLANs
instead of a single interface with multiple IP aliases, as I have a
managed switch and that author did not.

My network currently works as such, based on routing rules and iptables
filters on the router:

Traffic from 192.168.2.0/24 hosts destined to go out ppp0
Traffic from 192.168.3.0/24 hosts destined to go out of tun0
Traffic from 192.168.4.0/24 hosts not to be forwarded.

The only difference will be now I want to have 3 VLAN tunnels (VID 2, 3,
4) that contain traffic between my router and managed switch. All
traffic between those two points will be tagged. The hosts on my network
will continue to send un-tagged packets to the switch.

I had looked at this article https://wiki.alpinelinux.org/wiki/Vlan

I set up the VLANs on the switch (https://i.imgur.com/hDBLc8G.png); as
you can see, only Port 1 (the port to my router) is tagged for VLAN 2, 3,
4; the rest are un-tagged.

Q1) Do I need any routing rules in the switch? Will the switch know what
to do with traffic from 192.168.3.55 in port 8? Will it know to send it
tagged with VLAN ID 3 to port 1? I have a Ubiquiti EdgeSwitch
ES-16-150W https://www.ubnt.com/edgemax/edgeswitch/


Q2) When I configured my interfaces on my Alpine Linux router I noticed
these ugly errors when booting:

* Starting networking ...
* lo ...
* eth0 ...
* eth0.2 ...
* vlan2 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth0.3 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* vlan3 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth0.4 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* vlan4 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth1 ...
... rest of boot sequence


My /etc/network/interfaces:

# Loopback interfaces
auto lo
iface lo inet loopback
   address 127.0.0.1
   netmask 255.0.0.0

# Used for Unbound DNS
iface lo:1 inet static
   address 127.0.0.2
   netmask 255.0.0.0


auto eth0
iface eth0 inet manual

# VLAN 2 - ISP
allow-hotplug eth0.2
auto eth0.2
iface eth0.2 inet static
   address 192.168.2.1
   netmask 255.255.255.0
   broadcast 192.168.2.255
   post-up /etc/network/fwmark_rules

auto vlan2
iface vlan2 inet static
   address 192.168.2.1
   netmask 255.255.255.0
   vlan-raw-device eth0


# VLAN 3 - VPN
allow-hotplug eth0.3
auto eth0.3
iface eth0.3 inet static
   address 192.168.3.1
   netmask 255.255.255.0
   broadcast 192.168.3.255

auto vlan3
iface vlan3 inet static
   address 192.168.3.21
   netmask 255.255.255.0
   vlan-raw-device eth0

iface eth0.3 inet6 static
   address fde4:8dba:e21c:3::1
   netmask 64


# VLAN 4 - LAN ONLY
allow-hotplug eth0.4
auto eth0.4
iface eth0.4 inet static
   address 192.168.4.1
   netmask 255.255.255.0
   broadcast 192.168.4.255
   post-up /etc/network/route_LAN

auto vlan4
iface vlan4 inet static
   address 192.168.4.21
   netmask 255.255.255.0
   vlan-raw-device eth0

iface eth0.4 inet6 static
   address fde4:8dba:e21c:4::1
   netmask 64


# External Interface to Modem
allow-hotplug eth1
auto eth1
iface eth1 inet static
   address 192.168.0.2
   netmask 255.255.255.252
   broadcast 192.168.0.3
   pre-up /sbin/ip link set eth1 up
   up ifup ppp0=service
   down ifdown ppp0=service
   post-down /sbin/ip link set eth1 up

# Link to ISP
iface service inet ppp
   provider service

Those two post-up routing rules are here:
https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules
https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Froute_LAN

I noticed that removing the sections under "auto vlanX" and the sections
under the inet6 interfaces seemed to silence those errors. That however
defeats the purpose of me doing this entire task which is to implement
VLANs for IPv6 compatibility.

The idea is that VLAN2's IPv6 interface is configured via SLAAC, i.e. my
/etc/radvd.conf grabs the relevant prefix from my ISP and configures
that interface:

   prefix 2001:0db8:1234:0002::/64 {
     AdvOnLink on;
     AdvAutonomous on; ## SLAAC based on EUI
     AdvRouterAddr on;
   };

and dhcpcd.conf configures it, i.e.:

# Use the interface connected to WAN
interface ppp0
   ipv6rs # enable router solicitation to get the default IPv6 route
   iaid 1
   ia_pd 1/::/64 eth0.2/2/64

eth0.3 and eth0.4 will be configured differently:

With eth0.3: There is no prefix delegation from the VPN so I am planning
to route a ULA fde4:8dba:e21c:3::1 and SNAT on the ULA IP on my tun0
interface.

eth0.4 won't be routed out, so I won't have to worry about
configuring NAT for that. Hosts on fde4:8dba:e21c:4::/64 will be able to
talk to each other on IPv6 though.

Any help or advice would really be appreciated.

--
Tyler
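An added check script, not part of the post above and not from Alpine or ifupdown: it reads an ifupdown-style interfaces file and lists every 802.1Q VLAN that more than one "iface" stanza would try to create. A second "ip link add" for a link name that already exists is what the kernel reports as "RTNETLINK answers: File exists", so on a file shaped like the one above it flags both the eth0.N/vlanN pairs and the inet+inet6 pairs. It assumes the two ifupdown VLAN naming forms (ethX.N, and vlanN with a vlan-raw-device ethX line) and uses a constructed, shortened copy of the posted file as sample input.

```shell
#!/bin/sh
# Added example (not from the post): report VLANs that an interfaces file
# defines in more than one "iface" stanza. Each extra creation attempt for
# an existing eth0.N link fails with "RTNETLINK answers: File exists".
# Assumption: a VLAN stanza is named "ethX.N" (VID N on ethX) or "vlanN"
# with a "vlan-raw-device ethX" line inside the stanza.

# Reads an interfaces file on stdin; prints "ethX/N COUNT stanza..." for
# every VLAN with more than one stanza (inet and inet6 both count), sorted.
vlan_stanza_counts() {
    awk '
    function flush(    raw, vid, key) {
        if (iface == "") return
        if (iface ~ /^[a-z0-9]+\.[0-9]+$/) {                 # eth0.2 form
            raw = iface; sub(/\..*/, "", raw)
            vid = iface; sub(/.*\./, "", vid)
        } else if (iface ~ /^vlan[0-9]+$/ && rawdev != "") { # vlan2 form
            raw = rawdev; vid = substr(iface, 5)
        } else { iface = ""; rawdev = ""; return }           # not a VLAN
        key = raw "/" vid
        count[key]++
        names[key] = names[key] " " iface "/" family
        iface = ""; rawdev = ""
    }
    /^iface[ \t]+/                 { flush(); iface = $2; family = $3 }
    /^[ \t]*vlan-raw-device[ \t]+/ { rawdev = $2 }
    END { flush(); for (k in count) if (count[k] > 1) print k, count[k] names[k] }
    ' | sort
}

# Constructed sample in the shape of the posted file: VLAN 2 as both eth0.2
# and vlan2, VLAN 3 with an inet and an inet6 stanza, eth0 itself plain.
sample_config() {
    cat <<'EOF'
iface eth0 inet manual
iface eth0.2 inet static
   address 192.168.2.1
iface vlan2 inet static
   address 192.168.2.1
   vlan-raw-device eth0

iface eth0.3 inet static
   address 192.168.3.1
iface eth0.3 inet6 static
   address fde4:8dba:e21c:3::1
EOF
}

sample_config | vlan_stanza_counts
```

Run it against the real file with `vlan_stanza_counts < /etc/network/interfaces`; an empty result means every VLAN link is created exactly once.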
Received on Sun Jun 17 2018 - 23:26:53 GMT