flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
Posted: Sat Nov 13, 2004 4:47 am
tecknojunky wrote: | Bummer, another tile fell on my head. iptables do not support aliases or vlans. So, I've put in a second NIC.
The downside is that it's connected to the same switch, so I'm using two ports. Kinda dumb when you know the switch and Linux can both talk VLAN.
It would seem that iptables2 could do that, but it looked radically different in terms of commands, and I need a router now, not in two months. |
Really! I've been using it a little with iptables. Granted, I haven't gone into it extensively, but it seems to be doing as I request. I've just been specifying the eth1.1 or whatever NIC and it seems to work fine. What draws you to this conclusion? That would change some of my plans also.
_________________
An Evil Genious' Guide to Sheeple and How To Avoid Becoming One | 0x4C9EF4A
gtsquirrel (Tux's lil' helper), Joined: 21 Nov 2002, Posts: 85, Location: San Jose, CA
Posted: Sat Nov 13, 2004 5:48 am
I know that at least iptables 1.2.11 supports VLANs. Example:
Code: | aeryn root # iptables -A INPUT -i eth1.5 -j ACCEPT
aeryn root # iptables -L -v
Chain INPUT (policy ACCEPT 31 packets, 2332 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1.5 any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 1632 bytes)
pkts bytes target prot opt in out source destination |
Voila! Just make sure you set the switch properly. For a Catalyst 2950:
Code: | switch(config)#interface FastEthernet0/24
switch(config-if)#switchport mode trunk
switch(config-if)#spanning-tree portfast trunk
switch(config-if)#no shutdown |
That's working just fine on my box here. If you need specific help with IOS, shoot me an e-mail.
tecknojunky (Veteran), Joined: 19 Oct 2002, Posts: 1937, Location: Montréal
Posted: Sat Nov 13, 2004 7:48 am
Oh! I was specifying eth0:0, just like in ifconfig. I will have to try that when I get back to the lab on Monday.
gtsquirrel wrote: | If you need specific help with IOS, shoot me an e-mail. |
I will definitely accept the offer. I still haven't configured the switch yet. For now, it still operates as a flat switch. It's an SMC b.t.w. It talks Cisco dialect.
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax.
gtsquirrel (Tux's lil' helper), Joined: 21 Nov 2002, Posts: 85, Location: San Jose, CA
Posted: Sat Nov 13, 2004 8:34 am
Quote: | Oh! I was specifying eth0:0, just like in ifconfig. I will have to try that when I get back to the lab on Monday. |
Yes, this does not work. I had a little discussion on the iptables mailing list last month about using alias interfaces. As it turns out, the kernel thinks anything inbound to ethX:Y actually comes from interface ethX (where X and Y are totally arbitrary values). As such, the proper way to write iptables rules for this is as follows, using eth0:1 as 192.168.1.1 and eth0:2 as 192.168.2.1:
Code: | iptables -P INPUT DROP
iptables -A INPUT -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.2.1 -p udp -j ACCEPT |
Sometimes in my firewall scripts I abstract the -i eth0 -d 192.168.1.1 part into a simple variable like ${eth0_1}. Just makes things easier.
Quote: | I will definitely accept the offer. I still haven't configured the switch yet. For now, it still operates as a flat switch. It's an SMC b.t.w. It talks Cisco dialect. |
FYI, though, most new Cisco switches come pre-configured with all their ports in trunk mode, which means you do have to configure them to work as a plain switch. The Dell PowerConnects and some other vendors' switches use an IOS-like CLI (command line interface), but there are distinctive differences. I'll give as much advice as possible, but at some point you may just have to consult the documentation.
Also, some of the readers of this posting might be interested in my exploits with Cisco's EtherChannel. There is another thread open under the Networking section for that particular subtopic.
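The alias problem described in the post above, as an added shell example that is not from the post or from iptables itself: it audits a firewall script for inbound rules that select an alias interface (`-i eth0:1`), which never match because the kernel reports those packets on the base device, and rewrites the ones whose alias address is known into the `-i eth0 -d <address>` form. The sample script and the alias-to-address map are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an iptables script for rules that match on an alias
# interface (eth0:1).  Netfilter sees packets on an alias as arriving on the
# base device (eth0), so "-i eth0:1" never matches and the chain policy
# decides the packet's fate instead.  VLAN sub-interfaces such as eth1.5 are
# real kernel devices and are left alone.

# Constructed sample firewall script (hypothetical, not from the thread).
SAMPLE_RULES='iptables -P INPUT DROP
iptables -A INPUT -i eth0:1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0:2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0:3 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1.5 -j ACCEPT'

# Constructed alias -> address map, one "alias address" pair per line,
# using the addresses the post assigns to eth0:1 and eth0:2.
ALIAS_MAP='eth0:1 192.168.1.1
eth0:2 192.168.2.1'

# Print every rule that selects an alias interface with -i.
find_alias_rules() {   # $1 = script text
    printf '%s\n' "$1" | grep -E -e '-i [A-Za-z0-9]+:[0-9]+'
}

# Print the address configured on an alias, or nothing if it is unknown.
alias_addr() {   # $1 = alias name
    printf '%s\n' "$ALIAS_MAP" | awk -v a="$1" '$1 == a { print $2 }'
}

# Rewrite "-i ethX:Y" to "-i ethX -d <address>" for every alias in the map;
# rules naming an unmapped alias are passed through unchanged, so a second
# find_alias_rules run still reports them for manual attention.
fix_alias_rules() {   # $1 = script text
    printf '%s\n' "$1" | while IFS= read -r line; do
        al=$(printf '%s\n' "$line" | sed -n 's/.*-i \([A-Za-z0-9]\{1,\}:[0-9]\{1,\}\).*/\1/p')
        if [ -n "$al" ]; then
            addr=$(alias_addr "$al")
            base=${al%%:*}
            if [ -n "$addr" ]; then
                line=$(printf '%s\n' "$line" | sed \
                    -e "s/-i $al /-i $base -d $addr /" \
                    -e "s/-i $al\$/-i $base -d $addr/")
            fi
        fi
        printf '%s\n' "$line"
    done
}

echo "# dead rules (alias interfaces):"
find_alias_rules "$SAMPLE_RULES"
echo "# rewritten script:"
fix_alias_rules "$SAMPLE_RULES"
```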
tecknojunky (Veteran), Joined: 19 Oct 2002, Posts: 1937, Location: Montréal
Posted: Sun Nov 14, 2004 8:28 am
I'm new to this. I'm still using ipfwadm on an old 486 to do all the firewalling/NAT-routing on my home LAN. Here, I wish to finally go for the higher level with iptables. So I learn there is iproute2 that uses the ip command... way too much for little me right now. I have a cluster to build.
gtsquirrel (Tux's lil' helper), Joined: 21 Nov 2002, Posts: 85, Location: San Jose, CA
Posted: Sun Nov 14, 2004 9:45 am
One day, grasshopper ...
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Fri Nov 26, 2004 8:21 am
Hi,
I have some trouble with the 3c905B driver and VLANs. Can you suggest which chip you use?
Thanks,
drakkan
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Fri Nov 26, 2004 10:21 am
drakkan wrote: | Hi,
I have some trouble with the 3c905B driver and VLANs. Can you suggest which chip you use?
Thanks,
drakkan |
I have now tested an Intel Pro 100 and it works fine; with the 3c905B, when I attempt to transfer a file there is a timeout. This is my lspci:
Code: | 0000:00:00.0 Host bridge: VIA Technologies, Inc. VT82C693A/694x [Apollo PRO133x] (rev c4)
0000:00:01.0 PCI bridge: VIA Technologies, Inc. VT82C598/694x [Apollo MVP3/Pro133x AGP]
0000:00:07.0 ISA bridge: VIA Technologies, Inc. VT82C686 [Apollo Super South] (rev 40)
0000:00:07.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)
0000:00:07.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 1a)
0000:00:07.4 SMBus: VIA Technologies, Inc. VT82C686 [Apollo Super ACPI] (rev 40)
0000:00:07.5 Multimedia audio controller: VIA Technologies, Inc. VT82C686 AC97 Audio Controller (rev 50)
0000:00:09.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 0c)
0000:00:0a.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX [Cyclone] (rev 24)
0000:00:0c.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX [Cyclone] (rev 64)
0000:01:00.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04) |
and my ifconfig -a with a working VLAN on the Intel Pro 100:
Code: | eth0      Link encap:Ethernet  HWaddr 00:A0:24:50:E5:B2
          inet addr:10.88.44.20  Bcast:10.88.44.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104071 (101.6 Kb)  TX bytes:1474 (1.4 Kb)
          Interrupt:10 Base address:0xc800
eth1      Link encap:Ethernet  HWaddr 00:50:04:42:FD:D6
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:1180 (1.1 Kb)
          Interrupt:11 Base address:0xc400
eth2      Link encap:Ethernet  HWaddr 00:02:B3:2B:03:DB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:537297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:779506973 (743.3 Mb)  TX bytes:11253068 (10.7 Mb)
eth2.2    Link encap:Ethernet  HWaddr 00:02:B3:2B:03:DB
          inet addr:10.88.22.254  Bcast:10.88.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:537249 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:771978530 (736.2 Mb)  TX bytes:11253068 (10.7 Mb)
eth2.3    Link encap:Ethernet  HWaddr 00:02:B3:2B:03:DB
          inet addr:10.88.11.254  Bcast:10.88.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:471 (471.0 b)  TX bytes:0 (0.0 b)
gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-FF-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tunl0     Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b) |
Is there a workaround for the 3c905B?
Thanks,
drakkan
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
masterbrian (Guru), Joined: 13 Feb 2004, Posts: 461
Posted: Fri Dec 17, 2004 7:35 pm
flickerfly wrote: |
Try the old config. It's best on a stable system and be sure of 802.1q trunking vs Cisco's proprietary ISL (I think in the name).
Code: | iface_eth1="0.0.0.0"
iface_eth1_vlans="1 2 3"
iface_eth1_1="10.0.20.254 broadcast 10.0.20.255 netmask 255.255.255.0"
iface_eth1_2="dhcp"
iface_eth1_3="dhcp" |
|
Thank you for your howto. This is exactly what I'm looking for.
But at this moment I'm unable to use it even with the old-style configuration under a stable environment. At this moment I'm trying to upgrade my baselayout, but I'm not too happy about this, because I'm working on a production server.
With the stable environment I'm unable to start the VLAN interfaces when net.eth1 starts, and I don't understand why. net.eth1 starts well, but I don't even get an error for the VLAN interfaces ...
masterbrian (Guru), Joined: 13 Feb 2004, Posts: 461
Posted: Fri Dec 17, 2004 7:53 pm
Good!!! Under the unstable environment it works! I hope it isn't too unstable... what about your experiences?
UberLord (Retired Dev), Joined: 18 Sep 2003, Posts: 6759, Location: Blighty
Posted: Mon Dec 20, 2004 10:57 am
Aside from a few teething problems, baselayout-1.11.8 is fairly stable - there are still a few gotchas, but patches have been posted to bugzilla if you encounter one.
If not, let us know so we can fix it.
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
addlema (n00b), Joined: 27 Apr 2004, Posts: 3, Location: Bloomington, IN
Posted: Fri Jan 14, 2005 4:42 pm
So I have the 802.1Q in my kernel as built in.. but I don't have the /proc/net/vlan/ directory?
What did I do wrong? Can someone post what should be in there and I'll create it manually?
Code: | root@magnus linux # grep CONFIG_VLAN_8021Q /usr/src/linux/.config
CONFIG_VLAN_8021Q=y
root@magnus linux #
root@magnus net # ls
arp dev_mcast ip_conntrack_expect ip_tables_names mcfilter packet rpc sockstat tcp
arp_tables_names igmp ip_queue ip_tables_targets netlink raw rt_cache softnet_stat udp
dev ip_conntrack ip_tables_matches ipt_recent netstat route snmp stat unix
root@magnus net # |
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
tekn0mage (n00b), Joined: 10 Sep 2003, Posts: 47
Posted: Sun Jan 16, 2005 3:02 am
I have read this document thoroughly, and can get VLANs going while using 'vconfig' manually. Then setting each if_vid manually with ifconfig works beautifully.
When I try to launch it with the /etc/init.d/net.eth1 script, the only interface that appears is eth1 (with no ip address assigned).
Here is a copy of my conf.d/net file:
Code: |
# /etc/conf.d/net:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/net,v 1.7 2002/11/18 19:39:22 azarah Exp $
# Global config file for net.* rc-scripts
# This is basically the ifconfig argument without the ifconfig $iface
#
iface_eth0="xx.xx.xx.xx broadcast xx.xx.xx.xx netmask 255.255.255.248"
ifconfig_eth1="0.0.0.0"
vlans_eth1="1 201 210"
ifconfig_eth1_1="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"
ifconfig_eth1_201="10.0.1.1 broadcast 10.0.1.255 netmask 255.255.255.0"
ifconfig_eth1_210="10.0.2.1 broadcast 10.0.2.255 netmask 255.255.255.0"
|
I even tried replacing 'ifconfig' with 'iface' and the same thing happens.
Any ideas?
I would really like to automate this in case the box dies; I don't want a network outage.
Thanks.
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
Posted: Tue Jan 18, 2005 1:39 am
Here's my current working config. The only thing I notice is the ( and ) surrounding the quotes for the value of the various vlan variables. Maybe that will help?
Code: | ifconfig_eth1=( "0.0.0.0" )
iface_eth1_vlans="1 225 200 300"
ifconfig_eth1_1=( "10.0.25.6 broadcast 10.0.25.255 netmask 255.255.255.0" )
ifconfig_eth1_200=( "10.0.1.15 broadcast 10.0.1.255 netmask 255.255.255.0" )
ifconfig_eth1_300=( "10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0" )
ifconfig_eth1_225=( "10.0.20.1 broadcast 10.0.20.255 netmask 255.255.255.0" )
|
SavageMindz (Tux's lil' helper), Joined: 28 Oct 2002, Posts: 87, Location: The bit of hell that has frozen over.
Posted: Mon Jan 31, 2005 5:30 am
Hi, right, I think this is basically working now. Thanks for the howto.
Just one thing though. I seem to have trunking going but not in VLAN 1. I did a search, and because VLAN 1 from Cisco does not include the header it doesn't seem to work. All the other VLANs work as expected though.
Does anyone know a workaround for this (other than just moving all the ports to a different VLAN, which is what I have done)?
Cheers
Savage
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
Posted: Mon Jan 31, 2005 2:24 pm
VLAN 1 is supposed to be different. Most people seem to say, just don't use 1 for anything. Problem is that VLAN 1 is apparently the native VLAN and older equipment doesn't allow you to change that. I'd like a workaround also, as using VLANs has lost me the ability to manage my switches remotely.
This is due to the fact that VLAN 1 is not used on any network, as that is generally considered security best practice.
gargola (n00b), Joined: 18 Feb 2004, Posts: 13
Posted: Fri Feb 18, 2005 1:03 am Post subject: VLAN + bridge + IP6
You need the following before moving on with this post:
vlan and bridging support compiled in the kernel or loaded as modules, and
emerge vconfig && emerge bridge-utils
Since I do use all of the above (see the title), and I could not find a place where it was better explained, I wrote the following post just to explain how I figured it out.
I need the following:
1. Establish the VLANs (eth0.1 and eth0.50)
2. Establish a bridge between a NIC and a VLAN interface (br0 = eth0.1 and eth1)
3. Give this bridge a static IP (br0 = ???.???.???.???) and IPv6
I also have another VLAN which is configured with dhcpcd (eth0.50)
/etc/conf.d/net
Code: |
iface_eth0_vlans="1 50"
iface_eth0_50="dhcp"
dhcpcd_eth0_50="-d -N -R -G"
iface_br0="172.20.46.90 broadcast 172.20.46.255 netmask 255.255.224.0"
|
In my case I use a dhcp connection, passing some options to the daemon.
Note that there are no configuration parameters for eth0.
/etc/init.d/net.eth0
Due to the fact that I need my vlans to be created before my bridges since I will be bridging eth1 with eth0.1 I need the vlans to be established before the bridges. Therefore I added "before bridge" to /etc/init.d/net.eth0
Code: |
depend() {
before bridge
use hotplug pcmcia
} |
I also removed (commented out) the first lines of the checkconfig part in /etc/init.d/net.eth0 so that the script does not complain about eth0 not being initialized (given an IP), as follows:
Code: |
# if [[ -z "${ifconfig_IFACE}" ]]; then
# eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
# eerror "(or \$iface_$IFACE for old-style configuration)"
# return 1
# fi
|
/etc/init.d/bridge
I also added the following lines to this file just to make sure that the eth0 vlans were made before initialising the bridge: need net.eth0
Code: |
depend() {
need net.eth0
use modules
}
|
/etc/conf.d/bridge
The bridge configuration:
Code: |
bridge="br0"
bridge_br0_devices="eth0.1 eth1"
|
This creates a bridge br0 from the two devices eth0.1 and eth1
/etc/init.d/net.br0
I added the need bridge option just to make sure that the bridge is created before an IP Address is assigned to it.
Code: | depend() {
need bridge
use modules
}
|
After being done with the conf files I added the initscripts to the default runlevel:
Quote: | rc-update add net.eth0 default
rc-update add bridge default
rc-update add net.br0 default |
The IPv6 address should work seamlessly due to the fact that you never initialized eth0.
dcmwai (n00b), Joined: 26 Mar 2005, Posts: 11, Location: Malaysia
Posted: Fri Apr 01, 2005 3:00 am
OK, until now the way to make it work is like this:
** ifconfig_eth1_vlans="1 2 3" **
is the line that was causing all my problems.
Quote: |
ifconfig_eth1=( "0.0.0.0" )
ifconfig_eth1_vlans="1 2 3"
ifconfig_eth1_1=( "10.0.20.254 broadcast 10.0.20.255 netmask 255.255.255.0" )
ifconfig_eth1_2=( "dhcp" )
ifconfig_eth1_3=( "dhcp" )
|
BUT I have a problem shutting them down...
Any idea?
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Fri Jun 24, 2005 7:19 am
This is the setup for baselayout-1.11.12-r4, now stable.
In my setup I have configured VLANs on eth1.
/etc/conf.d/net:
Code: |
config_eth1=( "null" )
vlans_eth1="2 3 4 5 8"
vconfig_eth1=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
config_vlan2=( "10.88.22.253 netmask 255.255.255.0" )
config_vlan3=( "10.88.11.253 netmask 255.255.255.0" )
config_vlan4=( "10.88.33.253 netmask 255.255.255.0" )
config_vlan5=( "10.88.55.253 netmask 255.255.255.0" )
config_vlan8=( "10.88.66.253 netmask 255.255.255.0" )
|
make the link for net.eth1
Code: |
ln -s /etc/init.d/net.lo /etc/init.d/net.eth1
|
start eth1
Code: |
/etc/init.d/net.eth1 start
* Starting eth1
* Bringing up eth1 [ ok ]
* Adding VLAN 2 to eth1 [ ok ]
* Bringing up vlan2
* 10.88.22.253 [ ok ]
* Adding VLAN 3 to eth1 [ ok ]
* Bringing up vlan3
* 10.88.11.253 [ ok ]
* Adding VLAN 4 to eth1 [ ok ]
* Bringing up vlan4
* 10.88.33.253 [ ok ]
* Adding VLAN 5 to eth1 [ ok ]
* Bringing up vlan5
* 10.88.55.253 [ ok ]
* Adding VLAN 8 to eth1 [ ok ]
* Bringing up vlan8
* 10.88.66.253 [ ok ]
|
and finally add to default runlevel
Code: |
rc-update add net.eth1 default
|
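For the conf.d/net format shown in this post, here is an added shell example (not part of baselayout or of the post) that parses such a fragment, derives the interface name each vconfig set_name_type produces, and prints the commands the net script is expected to run, flagging a VID whose config_ key does not match the generated name. The sample config and its addresses are constructed.

```shell
#!/bin/sh
# Added example, not baselayout's own code: read a baselayout-1.11 style
# /etc/conf.d/net fragment, work out the interface names vconfig will create
# for the configured set_name_type, and print the commands the net script is
# expected to issue.  A VID whose config_<iface> key is missing is reported,
# since that VLAN would come up with no address (the symptom several posters hit).

# Constructed sample in the format of the post above (hypothetical addresses).
NET_CONF='config_eth1=( "null" )
vlans_eth1="2 3 8"
vconfig_eth1=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
config_vlan2=( "10.88.22.253 netmask 255.255.255.0" )
config_vlan3=( "10.88.11.253 netmask 255.255.255.0" )'

# Value of KEY=( "VALUE" ) or KEY="VALUE" from the config text; empty if absent.
conf_value() {   # $1 = config text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^$2=( *\"\(.*\)\" *)\$/\1/p; s/^$2=\"\(.*\)\"\$/\1/p"
}

# vconfig's naming schemes: the VID is zero-padded to four digits unless NO_PAD.
vlan_ifname() {   # $1 = name type, $2 = parent device, $3 = VID
    case "$1" in
        VLAN_PLUS_VID)        printf 'vlan%04d\n' "$3" ;;
        VLAN_PLUS_VID_NO_PAD) printf 'vlan%d\n' "$3" ;;
        DEV_PLUS_VID)         printf '%s.%04d\n' "$2" "$3" ;;
        DEV_PLUS_VID_NO_PAD)  printf '%s.%d\n' "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# Commands for every VID listed in vlans_<parent>; a missing config_<iface>
# is flagged rather than silently skipped.
plan_vlans() {   # $1 = config text, $2 = parent device
    nametype=$(conf_value "$1" "vconfig_$2" | sed -n 's/^set_name_type //p')
    [ -n "$nametype" ] || nametype=DEV_PLUS_VID_NO_PAD   # kernel default, e.g. eth1.2
    echo "vconfig set_name_type $nametype"
    for vid in $(conf_value "$1" "vlans_$2"); do
        iface=$(vlan_ifname "$nametype" "$2" "$vid") || return 1
        addr=$(conf_value "$1" "config_$iface")
        echo "vconfig add $2 $vid"
        if [ -n "$addr" ]; then
            echo "ifconfig $iface $addr up"
        else
            echo "# WARNING: no config_$iface in conf.d/net; $iface stays unconfigured"
        fi
    done
}

plan_vlans "$NET_CONF" eth1
```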
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Fri Jun 24, 2005 2:08 pm
flickerfly wrote: | Why link eth1 to lo? What advantage does that give? Maybe stability if eth0 goes down? |
Look at the baselayout ebuild. I think this is the new way to manage network devices now that baselayout-1.11.12-r4 is stable.
From the baselayout ebuild:
Code: |
for f in /etc/init.d/net.eth*; do
[[ -L ${f} ]] && continue
echo
einfo "WARNING: You have older net.eth* files in ${ROOT}/etc/init.d/"
einfo "They need to be converted to symlinks to net.lo. If you haven't"
einfo "made personal changes to those files, you can update with the"
einfo "following command:"
einfo
einfo " # /bin/ls /etc/init.d/net.eth* | xargs -n1 ln -sfvn net.lo"
echo
break
done
|
flickerfly (l33t), Joined: 08 Nov 2002, Posts: 677, Location: Lanham, MD