Solved

Linux Networking- Gateway + VLan's

Posted on 2009-05-04
14
1,062 Views
Last Modified: 2013-12-23
I'd like to set up 3x /24's on a 1-NIC Fedora/CentOS/Ubuntu box (take your pick of *nix flavor), basically the 2.6 kernel. Use the 10.0.1.x, 10.0.2.x and 10.0.3.x subnets. I've read about how to do the VLAN+trunking portions but I've not managed to enable routing properly, I think...
Again, the Linux box will be the router for these 3 VLANs and they will have to be trunked to an HP 2524 (I can handle the switch portion).
Thanks!
0
Question by:Rich Rumble
14 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 24294982
You have to check if your network card supports VLAN tagging.
Can you route one subnet without VLAN?
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24295075
I'm setting up a test network, and I need the VLANs to emulate the real environment; no extra money for routers, so I have to use a PC. So I need the PC to have VLANs, which for me isn't the hard part; it's the setup of 3 subnets on the Linux box. How do I make the Linux box the default gateway/router for 3 subnets, basically, and use only one NIC? I assume it's like other networking: a dot1q trunk on the NIC with 3 VLANs encapsulated in the 1q to the switch.
-rich
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24295166
Well, that is, I need 3 separate VLANs for the 3 separate subnets, 1 for each. Tagging is fine as long as the NIC gets trunked.
-rich
0
 
LVL 61

Expert Comment

by:gheist
ID: 24297218
Ping hosts from the router, then ping past the router.
Check routing tables.
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24297574
Ahem... I have a Linux PC. I need to make that Linux PC INTO a router. That PC (that is now a router) must have 3 subnets that it routes. There used to be the LRP (linuxrouter.org/) but it doesn't exist anymore.
Maybe I'll try this: http://www.vmware.com/appliances/directory/292
But I know Linux can do routing; I can't find anyone that knows how to make a Linux PC into a router.
-rich
0
 
LVL 7

Expert Comment

by:droyden
ID: 24297612
Install iproute2 - you can then easily manipulate the routing tables with that.
0
 
LVL 7

Accepted Solution

by:
droyden earned 400 total points
ID: 24297624
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24297650
That looks like a winner, I'll let you know!
-rich
0
 
LVL 7

Assisted Solution

by:diepes
diepes earned 100 total points
ID: 24308294
If you put an IP on each VLAN interface for the applicable subnet, you just need to enable routing and it is done.

Check if routing is enabled with
#cat /proc/sys/net/ipv4/ip_forward

If not, enable it with
#echo 1 > /proc/sys/net/ipv4/ip_forward
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24310639
Yep I think I've just about got it, I'll update shortly.
-rich
0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24329329
Ok, I figured it out, and here is a step by step for posterity. I ended up using two NICs instead of one, and used a Cisco 3524 because I didn't understand the HP ProCurve 2524 well enough.
Using vconfig and ifconfig to add the VLANs/subinterfaces is ok, but I didn't know how to make the change permanent. So I went and redid everything a little differently:
My setup is like this:

Servers ---> Switch_1 <----(eth0) Linux_PC (eth1)---->Switch_2 <---Firewall ---> Internets
The servers have 192.168.0.x, 192.168.1.x and 192.168.2.x IPs. The Linux box has 3 subinterfaces configured with static IPs and VLAN=yes in their files, see below. I copied my ifcfg-eth0 file to ifcfg-eth0.1, and added the static IP, netmask etc... and most importantly VLAN=yes. Repeat that for the other VLANs and gateways I was creating.
I modified (vi'd) /etc/sysctl.conf and changed net.ipv4.ip_forward=0 to a 1 so that upon reboot IP forwarding would be enabled.

If I don't want anything on the 192.168.0-2.xxx subnets to be able to talk to anything past the Linux box via eth1, I'm all set. If I do want to allow whatever is behind eth0 and its subinterfaces to talk to the network that eth1 is on, I enable NAT/masquerading.
I manually configured the iptables file (probably not the best idea), /etc/sysconfig/iptables.
Added this at the top:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
And this near the bottom:
-A INPUT -i eth0 -j ACCEPT

Setting VLAN=yes seems to enable 8021q without the need to use modprobe 8021q manually or via a startup script like rc.local, for example. Thanks for everyone's help in pointing me to the right places!
-rich
#ETH0.1 (vlan 1)
DEVICE=eth0.1
HWADDR=00:ee:ee:8e:cf:72
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=yes
VLAN=yes
-------------
#ETH0.2 (vlan 2)
DEVICE=eth0.2
HWADDR=00:ee:ee:8e:cf:72
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=yes
VLAN=yes

0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24329757
Forgot one line in the iptables... see below for the corrected version
(appended -A FORWARD -i eth0)
Any corrections or suggestions are still appreciated!
-rich
#Note these are the only additions I made
#Your IPTABLES should have more than just this in them
#These are ONLY the changes needed for NAT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
#The two rules below go in the existing *filter section, before its COMMIT
-A INPUT -i eth0 -j ACCEPT
#The FORWARD rule needs a target, otherwise it only counts packets and forwards nothing
-A FORWARD -i eth0 -j ACCEPT
COMMIT

0
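The same setup done with iproute2 (as droyden suggested) rather than vconfig/ifconfig, as an added example that is not from any post in this thread. It takes the three /24s from the original question, creates the tagged subinterfaces on the trunk NIC, turns on forwarding, and adds the NAT and FORWARD rules. Unlike the rules posted above it sets the FORWARD policy to DROP and only allows VLAN-to-uplink, VLAN-to-VLAN and return traffic, so an unrelated subnet cannot be routed through the box by accident. The interface names eth0 (trunk) and eth1 (uplink) and the VLAN IDs are assumptions taken from the author's two-NIC layout; DRY_RUN=1 (the default) prints the commands instead of running them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: build a Linux router for three
# 802.1Q VLANs on one trunk NIC using iproute2 + iptables.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
set -eu

TRUNK=${TRUNK:-eth0}      # trunk port towards the switch (assumed name)
UPLINK=${UPLINK:-eth1}    # port towards the firewall/Internet (assumed name)
DRY_RUN=${DRY_RUN:-1}

# "vlan_id gateway_address/prefix" per subnet, the three /24s from the question
VLANS="1 10.0.1.1/24
2 10.0.2.1/24
3 10.0.3.1/24"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create one tagged subinterface on the trunk and give it the gateway address.
vlan_cmds() {   # $1=trunk  $2=vlan id  $3=address/prefix
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip addr add "$3" dev "$1.$2"
    run ip link set "$1.$2" up
}

# Same effect as net.ipv4.ip_forward=1 in /etc/sysctl.conf, but immediate.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Masquerade out of the uplink, and forward only what is explicitly allowed:
# replies to existing flows, each VLAN towards the uplink, and VLAN to VLAN.
firewall_cmds() {   # $1=trunk  $2=uplink; VLAN ids come from $VLANS
    run iptables -t nat -A POSTROUTING -o "$2" -j MASQUERADE
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$VLANS" | while read -r vid _; do
        run iptables -A FORWARD -i "$1.$vid" -o "$2" -j ACCEPT
    done
    # "+" is the iptables interface wildcard: eth0.+ matches every eth0.N
    run iptables -A FORWARD -i "$1.+" -o "$1.+" -j ACCEPT
}

# Whole procedure in order: 802.1Q module, subinterfaces, forwarding, firewall.
build_router() {
    run modprobe 8021q
    printf '%s\n' "$VLANS" | while read -r vid addr; do
        vlan_cmds "$TRUNK" "$vid" "$addr"
    done
    enable_forwarding
    firewall_cmds "$TRUNK" "$UPLINK"
}

build_router
```

For the single-NIC case the question asked about, point UPLINK at a fourth tagged subinterface (for example eth0.4 facing the firewall's VLAN) instead of a second physical port; the MASQUERADE and FORWARD rules work the same way on a VLAN device. The commands are not persistent across reboots, which is exactly why the author moved the settings into ifcfg files and /etc/sysctl.conf.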
 
LVL 7

Expert Comment

by:diepes
ID: 24330717
For the record, Debian has a network config file, /etc/network/interfaces

#to add a vlan interface
auto eth0.66
iface eth0.66 inet static
      vlan-raw-device eth0
      address 10.1.1.1
      netmask 255.255.255.0

0
 
LVL 38

Author Comment

by:Rich Rumble
ID: 24335167
Is that persistent after reboot? I could have used a script to do the vconfig and ifconfig as well as the ip_forward and modprobe 8021q, but it was just as good for my purposes to write them in config files so they would be there upon reboot. Thanks for sharing; if there are other flavors of Linux out there that differ in their commands like this, I think this would be a good place to put them.
-rich
0
