From: Tyler
To: alpine-user@lists.alpinelinux.org
Subject: [alpine-user] Help configuring VLANs on my router & switch
Date: Sun, 17 Jun 2018 23:26:53 +0930

Hi,

I decided to use an old Raspberry Pi I had as a Linux Router. I followed an article on the wiki

https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#VPN_Tunnel_on_specific_subnet

and decided that I wanted to improve upon it by implementing VLANs instead of a single interface with multiple IP aliases, as I have a managed switch and that author did not.

My network currently works as such, based on routing rules and iptables filters on the router:

Traffic from 192.168.2.0/24 hosts destined to go out ppp0
Traffic from 192.168.3.0/24 hosts destined to go out of tun0
Traffic from 192.168.4.0/24 hosts not to be forwarded.

The only difference will be now I want to have 3 VLAN tunnels (VID 2, 3, 4) that contain traffic between my router and managed switch. All traffic between those two points will be tagged. The hosts on my network will continue to send un-tagged packets to the switch.

I had looked at this article https://wiki.alpinelinux.org/wiki/Vlan

I set up the VLANs on the switch https://i.imgur.com/hDBLc8G.png as you can see only Port 1 (the port to my router) is tagged for VLAN 2, 3, 4; the rest are un-tagged.

Q1) Do I need any routing rules in the switch? Will the switch know what to do with traffic from 192.168.3.55 in port 8? Will it know to send it tagged with VLAN ID 3 to port 1?

I have a Ubiquiti EdgeSwitch ES-16-150W https://www.ubnt.com/edgemax/edgeswitch/

Q2) When I configured my interfaces on my Alpine Linux router I noticed these ugly errors when booting:

* Starting networking ...
* lo ...
* eth0 ...
* eth0.2 ...
* vlan2 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth0.3 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* vlan3 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth0.4 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* vlan4 ...
RTNETLINK answers: File exists
run-parts: /etc/network/if-pre-up.d/vlan: exit status 2
* eth1 ...
... rest of boot sequence

My /etc/network/interfaces:

# Loopback interfaces
auto lo
iface lo inet loopback
    address 127.0.0.1
    netmask 255.0.0.0

# Used for Unbound DNS
iface lo:1 inet static
    address 127.0.0.2
    netmask 255.0.0.0

auto eth0
iface eth0 inet manual

# VLAN 2 - ISP
allow-hotplug eth0.2
auto eth0.2
iface eth0.2 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    broadcast 192.168.2.255
    post-up /etc/network/fwmark_rules

auto vlan2
iface vlan2 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    vlan-raw-device eth0

# VLAN 3 - VPN
allow-hotplug eth0.3
auto eth0.3
iface eth0.3 inet static
    address 192.168.3.1
    netmask 255.255.255.0
    broadcast 192.168.3.255

auto vlan3
iface vlan3 inet static
    address 192.168.3.21
    netmask 255.255.255.0
    vlan-raw-device eth0

iface eth0.3 inet6 static
    address fde4:8dba:e21c:3::1
    netmask 64

# VLAN 4 - LAN ONLY
allow-hotplug eth0.4
auto eth0.4
iface eth0.4 inet static
    address 192.168.4.1
    netmask 255.255.255.0
    broadcast 192.168.4.255
    post-up /etc/network/route_LAN

auto vlan4
iface vlan4 inet static
    address 192.168.4.21
    netmask 255.255.255.0
    vlan-raw-device eth0

iface eth0.4 inet6 static
    address fde4:8dba:e21c:4::1
    netmask 64

# External Interface to Modem
allow-hotplug eth1
auto eth1
iface eth1 inet static
    address 192.168.0.2
    netmask 255.255.255.252
    broadcast 192.168.0.3
    pre-up /sbin/ip link set eth1 up
    up ifup ppp0=service
    down ifdown ppp0=service
    post-down /sbin/ip link set eth1 up

# Link to ISP
iface service inet ppp
    provider service

Those two post-up routing rules are here:

https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules
https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Froute_LAN

I noticed that removing the sections under "auto vlanX" and the sections under the inet6 interfaces seemed to silence those errors. That however defeats the purpose of me doing this entire task, which is to implement VLANs for IPv6 compatibility.

The idea is that VLAN2's IPv6 interface is configured via SLAAC. I.e. my /etc/radvd.conf grabs the relevant prefix from my ISP and configures that interface:

prefix 2001:0db8:1234:0002::/64 {
    AdvOnLink on;
    AdvAutonomous on; ## SLAAC based on EUI
    AdvRouterAddr on;

and dhcpcd.conf configures it, i.e.:

# Use the interface connected to WAN
interface ppp0
ipv6rs # enable routing solicitation get the default IPv6 route
iaid 1
ia_pd 1/::/64 eth0.2/2/64

eth0.3 and eth0.4 will be configured differently:

With eth0.3: There is no prefix delegation from the VPN so I am planning to route a ULA fde4:8dba:e21c:3::1 and SNAT on the ULA IP on my tun0 interface.

With eth0.4: It won't be routed out so I won't have to worry about configuring NAT for that. Hosts on fde4:8dba:e21c:4::/64 will be able to talk to each other on IPv6 though.

Any help or advice would really be appreciated.

-- 
Tyler
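
An added example, not part of the original post: a small check that reads ifupdown stanzas and reports every (raw device, VLAN ID) pair claimed by more than one `iface` stanza, which is the pattern in the posted file (`eth0.2` and `vlan2` both name VLAN 2 on eth0, and `eth0.3` has an inet and an inet6 stanza). It assumes the two naming forms used in the post (`<dev>.<vid>` and `vlan<vid>` with `vlan-raw-device`) and that the pre-up hook attempts one device creation per stanza; `SAMPLE` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the VLAN 2 and VLAN 3 stanzas of the post, reduced to the lines that matter.
SAMPLE = """\
iface eth0 inet manual
iface eth0.2 inet static
iface vlan2 inet static
    vlan-raw-device eth0
iface eth0.3 inet static
iface vlan3 inet static
    vlan-raw-device eth0
iface eth0.3 inet6 static
"""

def parse_stanzas(text):
    """Return [(name, family, options)] for every iface stanza."""
    stanzas = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 3:
            stanzas.append((words[1], words[2], {}))
        elif stanzas and words[0] not in ("auto", "allow-hotplug"):
            stanzas[-1][2][words[0]] = " ".join(words[1:])
    return stanzas

def vlan_key(name, options):
    """Map a stanza to (raw device, VLAN ID); None if it is not a VLAN."""
    dotted = re.fullmatch(r"(.+)\.(\d+)", name)
    if dotted:
        return dotted.group(1), int(dotted.group(2))
    named = re.fullmatch(r"vlan(\d+)", name)
    if named and "vlan-raw-device" in options:
        return options["vlan-raw-device"], int(named.group(1))

def duplicate_vlans(text):
    """Return {(raw device, VID): [stanzas]} for pairs claimed more than once."""
    claims = defaultdict(list)
    for name, family, options in parse_stanzas(text):
        key = vlan_key(name, options)
        if key:
            claims[key].append(f"{name} {family}")
    return {k: v for k, v in claims.items() if len(v) > 1}

if __name__ == "__main__":
    for (raw, vid), stanzas in duplicate_vlans(SAMPLE).items():
        print(f"VLAN {vid} on {raw} is defined by: {', '.join(stanzas)}")
```

Each stanza listed beyond the first for a pair corresponds to one extra creation attempt for a VLAN device that already exists on that raw device.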