Rich Rumble
asked on
Linux Networking- Gateway + VLan's
I'd like to set up 3x /24s on a 1-NIC Fedora/CentOS/Ubuntu (take your pick of *nix flavor), basically the 2.6 kernel. Use 10.0.1.x, 10.0.2.x and 10.0.3.x subnets. I've read about how to do the VLAN+trunking portions but I've not managed to enable routing properly, I think...
Again, the Linux box will be the router for these 3 VLANs and they will have to be trunked to an HP 2524 (I can handle the switch portion)
Thanks!
ASKER
I'm setting up a test network, and I need the VLANs to emulate the real environment; no extra money for routers so I have to use a PC. So I need the PC to have VLANs, which for me isn't the hard part, it's the setup of 3 subnets on the Linux box. How do I make the Linux box the default gateways/router for 3 subnets basically and use only one NIC? I assume it's like other networking: dot1q trunk on the NIC with 3 VLANs encapsulated in the 1q to the switch.
-rich
ASKER
Well, that is, I need 3 separate VLANs for the 3 separate subnets, 1 for each. Tagging is fine as long as the NIC gets trunked.
-rich
Ping hosts from router, then ping past router.
check routing tables.
ASKER
Ahem... I have a Linux PC. I need to make that Linux PC INTO a router. That PC (that is now a router) must have 3 subnets that it routes. There used to be the LRP (linuxrouter.org/) but it doesn't exist anymore.
Maybe I'll try this: http://www.vmware.com/appliances/directory/292
But I know Linux can do routing; I can't find anyone that knows how to make a Linux PC into a router.
-rich
Install iproute2 - you can then easily manipulate the routing tables with that.
ASKER CERTIFIED SOLUTION
ASKER
That looks like a winner, I'll let you know!
-rich
SOLUTION
ASKER
Yep I think I've just about got it, I'll update shortly.
-rich
ASKER
OK, I figured it out, and here is a step by step for posterity. I ended up using two NICs instead of one, and used a Cisco 3524 because I didn't understand the HP ProCurve 2524 well enough.
Using vconfig and ifconfig to add the VLANs/subinterfaces is OK but I didn't know how to make the change permanent. So I went and redid everything a little differently:
My setup is like this:
Servers ---> Switch_1 <----(eth0) Linux_PC (eth1)---->Switch_2 <---Firewall ---> Internets
The servers have 192.168.0.x, 192.168.1.x and 192.168.2.x IPs. The Linux box has 3 subinterfaces configured with static IPs and VLAN=yes in their files, see below. I copied my ifcfg-eth0 file to ifcfg-eth0.1, and added the static IP, netmask etc... and most importantly VLAN=yes. Repeat that for the other VLANs and gateways I was creating.
I modified (vi'd) /etc/sysctl.conf and changed net.ipv4.ip_forward=0 to 1 so that upon reboot IP forwarding would be enabled.
If I don't want anything on the 192.168.0-2.xxx subnets to be able to talk to anything past the Linux box via eth1, I'm all set. If I do want to allow whatever is behind eth0 and its subinterfaces to talk to the network that eth1 is on, I enabled NAT/masquerading.
I manually configured the iptables file (probably not the best idea) /etc/sysconfig/iptables
Added this at the top
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
And this near the bottom
-A INPUT -i eth0 -j ACCEPT
Setting VLAN=yes seems to enable 8021q without the need to use modprobe 8021q manually or via a startup script like rc.local, for example. Thanks for everyone's help in pointing me to the right places!
-rich
#ETH0.1 (vlan 1)
DEVICE=eth0.1
HWADDR=00:ee:ee:8e:cf:72
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=yes
VLAN=yes
-------------
#ETH0.2 (vlan2)
DEVICE=eth0.2
HWADDR=00:ee:ee:8e:cf:72
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=yes
VLAN=yes
ASKER
Forgot one line in the iptables... see below for the corrected version
(appended -A FORWARD -j eth0)
Any corrections or suggestions are still appreciated!
-rich
#Note these are the only additions I made
#Your IPTABLES should have more than just this in them
#These are ONLY the changes needed for NAT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
#The rules below go in the *filter section of the same file, ahead of any
#trailing REJECT/DROP rule so that they are actually reached
-A INPUT -i eth0 -j ACCEPT
#A rule without -j only counts packets; ACCEPT is needed to actually forward
-A FORWARD -i eth0 -j ACCEPT
#Replies coming back in on eth1 need their own rule unless FORWARD's policy is ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
For the record, Debian has a network config file /etc/network/interfaces
#to add a vlan interface
auto eth0.66
iface eth0.66 inet static
vlan-raw-device eth0
address 10.1.1.1
#netmask must be a contiguous prefix; this is a /24
netmask 255.255.255.0
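The script below is an added example, not code from this thread or any of its posters. It generates the persistent pieces rich's final post describes (RHEL-style ifcfg-eth0.N files with VLAN=yes, the ip_forward sysctl line and an iptables-restore file), prints the iproute2 equivalent of the vconfig/ifconfig commands from the "install iproute2" answer, and validates the netmask so a non-contiguous value like the one in the Debian snippet is caught before ifupdown chokes on it. Its ruleset differs from the thread's in one security-relevant way: instead of the blanket -A INPUT -i eth0 -j ACCEPT and -A FORWARD -i eth0 -j ACCEPT, each VLAN subinterface may forward only to the outside interface and replies come back through ESTABLISHED,RELATED rules, so the three test VLANs stay separated at the router. eth0/eth1, the VLAN ids 10/20/30 and the 10.0.N.1/24 addresses are constructed sample values, and everything is written to a local directory for review rather than to /etc.

```shell
#!/bin/sh
# Added example, not code from this thread or its posters. Generates the
# persistent pieces rich's final post describes (RHEL-style ifcfg-eth0.N
# files with VLAN=yes, the ip_forward sysctl line, an iptables-restore file)
# plus the iproute2 commands that replace vconfig/ifconfig, and checks the
# netmask so a value such as 255.255.255.200 is rejected up front.
# eth0/eth1, VLAN ids 10/20/30 and 10.0.N.1/24 are constructed sample values.
# Output goes to a local directory for review, never straight to /etc.
set -eu

# Reject a non-contiguous netmask: the ones must form a single run from the
# top bit, so the inverted mask has to be of the form 2^k - 1.
valid_netmask() {
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  inv=$(( ~m & 0xffffffff ))
  [ $(( inv & (inv + 1) )) -eq 0 ]
}

# ifcfg-<parent>.<vid>: VLAN=yes makes the init scripts load 8021q and
# create the tagged subinterface at boot; the address is the router's
# gateway address on that VLAN. Args: parent vlan_id ip netmask
gen_ifcfg() {
  parent=$1 vid=$2 ip=$3 mask=$4
  valid_netmask "$mask" || { echo "invalid netmask: $mask" >&2; return 1; }
  printf 'DEVICE=%s.%s\nIPADDR=%s\nNETMASK=%s\nONBOOT=yes\nBOOTPROTO=none\nVLAN=yes\n' \
    "$parent" "$vid" "$ip" "$mask"
}

# Non-persistent equivalent using iproute2. Args: parent vlan_id ip/prefix
gen_ip_cmds() {
  parent=$1 vid=$2 cidr=$3
  printf '%s\n' "ip link add link $parent name $parent.$vid type vlan id $vid" \
                "ip addr add $cidr dev $parent.$vid" \
                "ip link set $parent.$vid up"
}

# iptables-restore ruleset. INPUT and FORWARD default to DROP, the router
# only answers ping and ssh from the VLANs, and each VLAN may forward only
# to the outside interface, so hosts in VLAN 10 cannot reach VLAN 20 through
# the router. Replies return via the ESTABLISHED,RELATED rules.
# Args: outside_if inside_if...
gen_iptables() {
  outside=$1; shift
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' "-A POSTROUTING -o $outside -j MASQUERADE" 'COMMIT'
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for inside in "$@"; do
    printf '%s\n' "-A INPUT -i $inside -p icmp -j ACCEPT" \
                  "-A INPUT -i $inside -p tcp --dport 22 -j ACCEPT" \
                  "-A FORWARD -i $inside -o $outside -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Write everything under $1 (default ./router-config). Once reviewed, the
# ifcfg files belong in /etc/sysconfig/network-scripts/, the ruleset in
# /etc/sysconfig/iptables and the sysctl line in /etc/sysctl.d/.
write_all() {
  dir=${1:-./router-config}
  mkdir -p "$dir"
  : > "$dir/ip-commands.sh"
  n=1
  for vid in 10 20 30; do
    gen_ifcfg eth0 "$vid" "10.0.$n.1" 255.255.255.0 > "$dir/ifcfg-eth0.$vid"
    gen_ip_cmds eth0 "$vid" "10.0.$n.1/24" >> "$dir/ip-commands.sh"
    n=$((n + 1))
  done
  gen_iptables eth1 eth0.10 eth0.20 eth0.30 > "$dir/iptables"
  printf 'net.ipv4.ip_forward = 1\n' > "$dir/90-router.conf"
}

# Run as "sh router-config.sh write [dir]"; sourcing the file only defines the functions.
if [ "${1:-}" = "write" ]; then write_all "${2:-}"; fi
```

If inter-VLAN traffic is wanted for some pairs, add explicit -A FORWARD -i eth0.10 -o eth0.20 rules for just those pairs rather than reverting to a per-parent-interface ACCEPT; the DROP policy on FORWARD then keeps every other pair isolated.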
ASKER
Is that persistent after reboot? I could have used a script to do the vconfig and ifconfig as well as the ip_forward and modprobe 8021q, but it was just as good for my purposes to write them in config files so they would be there upon reboot. Thanks for sharing; if there are other flavors of Linux out there that differ in their commands like this, I think this would be a good place to put them.
-rich
Can you route one subnet without VLAN?