Dario Somoza
asked on
How to setup Inter-VLAN routing with DD-WRT
I have the topology described in the attached image. In particular I have created a couple of port-based VLANs and I need to set up inter-VLAN routing, but I don't get how to do it even after having read many articles. I'm pretty sure I'll have to use an external router, due to the fact that the switch I'm using has no routing capabilities.
My questions are:
1) Can I achieve this by using a basic router with DD-WRT as in the diagram?
2) How should I set up the routing table to achieve Inter-VLAN routing?
3) As far as I know, this is "legacy inter-vlan routing" instead of "router-on-a-stick" approach. Is this correct?
4) Is there any consideration to keep in mind (for instance...where to plug cables)
Any advice would be appreciated
Thanks
Topology.png
ASKER
Thanks for your detailed response. I understand that I wasn't clear on my objective. I've updated my diagram to express it from a conceptual perspective.
Some clarifications:
1) I'm building a Networking LAB for testing purposes. I can change whatever on the LAB environment, but the rest of the network environment is not supposed to be changed.
2) I want to create different VMs on each VLAN and allow interaction between VMs in different VLANs to emulate a DMZ+Corporate network environment. I accomplished that by creating 2 VLANs and connecting each of them to a different NIC in the host; however, I don't know how to link both VLANs to allow access from segment 192.168.1.x to 192.168.2.x on the router.
Please let me know if I'm clear.
Thanks.
Topology2.png
To be able to communicate between VLANs, hosts need to have the IP address of the router's interface assigned to their VLAN configured as their default gateway.
So if the router's vlan1 interface IP address (the address of the physical interface on the router connected to VLAN1) is 192.168.1.1, then that should be the default gateway of your VM hosts in vlan1 (the same goes for VLAN2: if the interface IP address is 192.168.2.1, that IP should be configured as the default gateway of the VMs in VLAN2). In that case traffic from the VMs will be forwarded to the router, and the router will be able to forward traffic between VLANs. That's all you need to do (if everything is properly configured on the router) to enable inter-VLAN traffic.
But the other pieces of the network should fit in the picture. It can be built as you drew it, but it is complicated... and a complicated network usually means that it is not a good way to build it. :)
Please refer this tutorial - http://elmaskubilay.blogspot.in/2013/12/create-vlan-with-dd-wrt-based-routers.html
I interpret your picture, that you want to separate a LAB environment from a PROD environment.
The reasons for separation may be security, load and routing logic.
For security and access control, you need a firewall more than just a router. Especially if it is a DMZ. A DMZ is realized either by a 3-tier firewall or by two firewalls (one internal, one external), and if you use one single switch for both, you can separate the ports of the switch into two separate VLANs.
Host NIC1 - SWITCH VLAN 1 - internal network.
Host NIC2 - SWITCH VLAN 2 - DMZ
- SWITCH VLAN 3 - external Network.
Assumed: all virtual servers connected to the networks are running on one host.
One firewall connects VLAN1 + VLAN2
One firewall connects VLAN2 + VLAN3
or
One three tier firewall connects to VLAN1 + VLAN2 + VLAN3
A quick and dirty picture, where all three servers are on one VM host and the switches are separate switches or one switch, which is divided into 3 VLAN groups.
Firewall_VLAN.jpg
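As an added illustration of the zone design sketched above (this is not code from the thread or from any firewall product): a minimal zone-based policy engine in Python. It maps the asker's VLAN1 (192.168.2.0/24) to the internal zone, VLAN2 (192.168.3.0/24) to the DMZ and everything else (the 192.168.1.x side and the Internet) to external; the rule set, hosts and ports are constructed assumptions. It evaluates rules first-match with a default deny and keeps a tiny connection table so replies to accepted flows get back, which is the property that lets internal clients reach the DMZ while a DMZ host cannot open connections inward.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone map: the asker's VLAN1 as the corporate segment, VLAN2 as the DMZ,
# and everything that is not one of those (the 192.168.1.x side, the Internet) as external.
ZONES = {
    "internal": ipaddress.ip_network("192.168.2.0/24"),
    "dmz": ipaddress.ip_network("192.168.3.0/24"),
}


def zone_of(ip):
    """Map an address to a security zone; unknown prefixes are 'external'."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                   # "tcp", "udp" or "any"
    dports: Optional[frozenset]  # destination ports, None means any port
    action: str                  # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class ZoneFirewall:
    """First-match rule evaluation with a default deny and a tiny connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # 5-tuples of accepted flows, so their replies can come back

    def decide(self, p):
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "accept"               # reply to an already accepted flow
        src_z, dst_z = zone_of(p.src), zone_of(p.dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (src_z, dst_z):
                continue
            if r.proto != "any" and r.proto != p.proto:
                continue
            if r.dports is not None and p.dport not in r.dports:
                continue
            if r.action == "accept":
                self.flows.add(forward)
            return r.action
        return "drop"                     # nothing matched: default deny


# Constructed policy for the DMZ + corporate lab (the last rule is already implied by the
# default deny; it is written out so the intent is visible when reading or logging).
DMZ_POLICY = [
    Rule("external", "dmz", "tcp", frozenset({443}), "accept"),      # public web service in the DMZ
    Rule("internal", "dmz", "tcp", frozenset({22, 443}), "accept"),  # admins manage DMZ hosts
    Rule("internal", "external", "any", None, "accept"),             # corporate clients browse out
    Rule("dmz", "external", "tcp", frozenset({80, 443}), "accept"),  # DMZ host fetches updates
    Rule("dmz", "internal", "any", None, "drop"),                    # DMZ never initiates inward
]


def run_policy(packets, rules=DMZ_POLICY):
    """Evaluate packets in order (so replies see earlier accepted flows); return the decisions."""
    fw = ZoneFirewall(rules)
    return [fw.decide(p) for p in packets]


SAMPLE = [  # constructed traffic; addresses follow the asker's subnets plus a documentation-range host
    Packet("192.168.2.10", "192.168.3.20", "tcp", 51000, 443),   # corporate -> DMZ web: allowed
    Packet("192.168.3.20", "192.168.2.10", "tcp", 443, 51000),   # its reply: established, allowed
    Packet("192.168.3.20", "192.168.2.10", "tcp", 40000, 445),   # DMZ -> corporate SMB: dropped
    Packet("192.168.2.10", "192.168.3.20", "tcp", 51001, 3389),  # corporate -> DMZ RDP: not in policy
    Packet("203.0.113.9", "192.168.3.20", "tcp", 6000, 443),     # Internet -> DMZ web: allowed
    Packet("203.0.113.9", "192.168.3.20", "tcp", 6001, 22),      # Internet -> DMZ SSH: dropped
    Packet("203.0.113.9", "192.168.2.10", "tcp", 6002, 443),     # Internet -> corporate: dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_policy(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto} => {verdict}")
```

The same policy expressed on a real device would be a handful of stateful rules between interfaces; the point the model makes is that ordering, zone membership and the established-flow exception together decide what crosses between VLAN1, VLAN2 and the outside, not the routing table alone.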
ASKER
Bembi, I get your point.
Based on your comment, I've changed the conceptual design to make it simpler, and please let me clarify it in a different way:
1) I have a firewall (192.168.1.1) that holds the Internet connection and acts a default gateway for ALL network clients. I cannot change this, since this is a network that is working fine.
2) I have a switch (192.168.1.45) with no routing capabilities to build a LAB. In this switch I have created 2 Port-based VLANs (VLAN1 and VLAN2).
3) I have a Hyper-V host that has two NICs:
a) NIC #1 is connected to a VLAN1 port, and is associated with a virtual switch #1
b) NIC #2 is connected to a VLAN2 port, and is associated with a virtual switch #2
This allows me to create VMs in different VLANs, by linking each VM with a specific virtual switch
VMs in VLAN1 will be 192.168.2.X
VMs in VLAN2 will be 192.168.3.X
My objectives are:
a) I would like to be able to access a 192.168.3.x (VLAN2) VM from a 192.168.2.x (VLAN1) VM, while being able to block some ports
b) I would like to be able to access a 192.168.2.x (VLAN1) VM from a 192.168.3.x (VLAN2) VM, while being able to block some ports
c) I THINK that if I want 192.168.2.x and 192.168.3.x VM's to have access to Internet, they should be able to reach my Internet Gateway at 192.168.1.1
So, my conclusions are:
1) I will need to do some INTER-VLAN routing to allow interaction between VLAN1 and VLAN2
2) I will need to do something to allow interaction between a VLAN (VLAN1/VLAN2) and the existing LAN (192.168.1.x)
3) I will need a firewall to selectively block ports during interaction between VLAN's
Now, let's suppose I buy a firewall+router device, to make it easier and more realistic:
1) How should I setup INTER-VLAN in this case? Do I have to create something like a static routing table?
2) Is it OK to set my 192.168.2.x or 192.168.3.x VM's to gateway 192.168.1.1? What do I need to allow access from VLAN1/VLAN2 to LAN 192.168.1.x?
Please let me know if the updated scenario is more clear.
Thanks
Topology3.png
ASKER CERTIFIED SOLUTION
ASKER
Great. Thanks for your valuable help.
To connect one VLAN to another, you need a router between them....
1.) In general yes, but the router has to handle the traffic. Usually routers are addressed by the standard gateway of the client. The client sends out a packet for the target over its own standard gateway. If this is the "bridge router", this router can decide if the traffic is routed to the one or to the other VLAN. Following your picture, the host would have the "bridge" router as standard gateway for both NICs (as there are different IP ranges, the default gateway addresses are different, so the addresses are not the same, but the target is the "bridge" router in both cases, and the router decides according to its routing table how to forward the traffic).
Your picture is more a physical picture, not a logical topology picture, so I cannot extract the sense of the bridge from the picture.
2.) A routing table is target oriented. As I cannot see logical targets in your picture, just a few switches, it's not quite easy to follow your intention. But a routing table just determines to which standard gateway a packet is forwarded depending on its target address.
3.) It depends what you want to realize. The logic is not included in your picture. If both VLANs should go to the internet, then you have to trunk them to the Zykel Router....
4.) I cannot follow exactly what you mean. But the switches have a configuration, which port is assigned to which VLAN, so you have to plug the devices into the correct ports.
A router has two ports, one for each logical network, as long as they are not trunked as well (see question 3.).
Considerations are more about not creating a routing loop.
It would be easier to understand what your intention with the VLAN is by seeing a logical picture rather than a physical (device oriented) picture.
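The two answers above (the one explaining that each VM's default gateway must be the router's interface in its own VLAN, and this one explaining that a routing table is target oriented and that the main thing to avoid is a routing loop) can be checked with a small model. The following Python is an added example, not code from the thread or from DD-WRT: it builds a constructed version of the asker's lab (existing firewall at 192.168.1.1, a lab router at 192.168.1.2 with one interface per VLAN, VMs at 192.168.2.10 and 192.168.3.20, a LAN PC at 192.168.1.50, and an ISP hop in the 203.0.113.0/24 documentation range), performs longest-prefix-match lookups at every hop and reports where a packet ends up. The scenarios it can switch on are assumptions chosen to show the common failure modes: the LAN side lacking a return route for the VLAN prefixes, a VLAN interface that is not cabled yet while static routes already point at it, and a VM whose gateway is set to 192.168.1.1 instead of its own VLAN's router interface.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]    # next-hop address, or None when the prefix is directly attached
    dev: str              # outgoing interface


@dataclass
class Node:
    name: str
    addrs: dict                         # interface name -> IPv4Interface (address/prefix)
    routes: list = field(default_factory=list)
    forwards: bool = False              # routers forward transit packets, plain hosts do not

    def all_routes(self):
        connected = [Route(a.network, None, dev) for dev, a in self.addrs.items()]
        return connected + self.routes

    def lookup(self, dst):
        """Longest-prefix match, the way a kernel FIB selects a route."""
        best = None
        for r in self.all_routes():
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


class Topology:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.owner = {a.ip: n.name for n in nodes for a in n.addrs.values()}

    def trace(self, src, dst, ttl=16):
        """Follow one packet hop by hop; returns (node names visited, outcome)."""
        dst = ipaddress.ip_address(dst)
        node, path = self.nodes[src], [src]
        while True:
            if dst in [a.ip for a in node.addrs.values()]:
                return path, "delivered"
            if node.name != src and not node.forwards:
                return path, "dropped-by-host"     # a plain host was used as a gateway
            r = node.lookup(dst)
            if r is None:
                return path, "no-route"
            nexthop = dst if r.via is None else ipaddress.ip_address(r.via)
            if not any(nexthop in a.network for a in node.addrs.values()):
                return path, "gateway-off-link"    # cannot ARP for a next hop outside the local subnet
            if nexthop not in self.owner:
                return path, "nexthop-unreachable"
            if ttl == 0:
                return path, "ttl-expired"         # the packet is looping between routers
            ttl -= 1
            node = self.nodes[self.owner[nexthop]]
            path.append(node.name)


def build_lab(lan_return_route=True, vlan2_cabled=True, vm1_gateway="192.168.2.1"):
    """Constructed model of the lab in the thread: the existing firewall at 192.168.1.1,
    a lab router at 192.168.1.2 with one interface per VLAN, one VM per VLAN, one LAN PC
    and an ISP hop (203.0.113.0/24, a documentation range) that knows nothing about RFC 1918."""
    IF, NET = ipaddress.ip_interface, ipaddress.ip_network
    isp = Node("isp", {"cust": IF("203.0.113.1/24")}, forwards=True)
    fw = Node("fw", {"wan": IF("203.0.113.2/24"), "lan": IF("192.168.1.1/24")}, forwards=True,
              routes=[Route(NET("0.0.0.0/0"), "203.0.113.1", "wan")])
    if lan_return_route:   # the LAN side must know the VLAN prefixes live behind the lab router
        fw.routes += [Route(NET("192.168.2.0/24"), "192.168.1.2", "lan"),
                      Route(NET("192.168.3.0/24"), "192.168.1.2", "lan")]
    lab_addrs = {"wan": IF("192.168.1.2/24"), "vlan1": IF("192.168.2.1/24")}
    if vlan2_cabled:
        lab_addrs["vlan2"] = IF("192.168.3.1/24")
    lab = Node("lab-router", lab_addrs, forwards=True,
               routes=[Route(NET("0.0.0.0/0"), "192.168.1.1", "wan")])
    vm1 = Node("vm1", {"eth0": IF("192.168.2.10/24")}, routes=[Route(NET("0.0.0.0/0"), vm1_gateway, "eth0")])
    vm2 = Node("vm2", {"eth0": IF("192.168.3.20/24")}, routes=[Route(NET("0.0.0.0/0"), "192.168.3.1", "eth0")])
    pc = Node("pc", {"eth0": IF("192.168.1.50/24")}, routes=[Route(NET("0.0.0.0/0"), "192.168.1.1", "eth0")])
    return Topology([isp, fw, lab, vm1, vm2, pc])


if __name__ == "__main__":
    print(build_lab().trace("vm1", "192.168.3.20"))                          # across the two VLANs
    print(build_lab().trace("pc", "192.168.2.10"))                           # LAN -> VLAN1, return route present
    print(build_lab(lan_return_route=False).trace("pc", "192.168.2.10"))     # reply leaks toward the ISP
    print(build_lab(vlan2_cabled=False).trace("vm1", "192.168.3.20"))        # loop between fw and lab router
    print(build_lab(vm1_gateway="192.168.1.1").trace("vm1", "203.0.113.1"))  # gateway not on the VM's subnet
```

What the traces show: with the lab router as the gateway in each VLAN, VLAN-to-VLAN traffic needs no static route at all (both prefixes are directly connected on the router); reaching the existing LAN and the Internet only needs the router's default route toward 192.168.1.1; but for the LAN side to answer, 192.168.1.1 (or each LAN host) must have a route for 192.168.2.0/24 and 192.168.3.0/24 via 192.168.1.2, otherwise the replies follow its default route and die upstream. The uncabled-VLAN case is the loop this answer warns about: the lab router's default route and the firewall's static route hand the packet back and forth until its TTL runs out, so add the return routes only once the VLAN interfaces are actually up.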