Linux As Vlan Switch
For physical servers, it is best to define a VLAN on your network / infra-structure.Furthermore if you define a VLAN at interface level on your servers they won't be able to talk with your router to leave that network as the router won't be part of that VLAN. That is as you are defining a Virtual LAN, only the elements that belong to that Virtual LAN are able to exchange data between them.For creating VLANs, the network infra-structure will have also to support VLANs (e.g. Your switch). Some cheaper/domestic equipments do not support VAN tagging (802.1Q).Put simply, usually in a physical situation like yours, VLANs are defined at the switch level. Normally all the switch ports where the servers that take part of that VLAN are connected and their router (if not dealing with a switch layer 3 e.g.
If you only have one switch, then you can use VLANs to do the same thing. A: Many drivers in Linux kernels before version 3.3 had VLAN-related bugs.
OK so I've never had a need to setting up VLANs in Linux before, but I do now. I am running Debian 8 primarily as a OpenVPN server. I have a bridged VPN working fine at the moment with OpenVPN bridge scripts creating the tap adapter and bridge interfaces and bridging the NIC and tap adapter under the bridge interface.What I would like to do in my giant plan is have multiple OpenVPN instances running all on their own bridged adapter so that an AD server can hand out the DHCP leases and update the AD DNS, I do not want to use tunneling and use the OpenVPN server as a router.Now I have one external interface, and one internal interface to the LAN. I want to tag VLAN traffic on the internal interface connected to a Catalyst 2960 and then bridge those VLAN interfaces to TAP adapters and create multiple bridges. (Perhaps someone can think of a better way to do these bridged VPNs with OpenVPN, please suggest if you ahve a better idea)Anyways I followed the steps to create a tagged VLAN interface in Debian using the /etc/network/interfaces file, and have also configured the CISCO switch already for trunking on that port, as well as the Native VLAN for any untagged traffic.
The interfaces come up fine, but when trying to network using the VLAN interface I get no connectivity to the LAN at all, and the firewall seems to block all traffic (even allowed traffic) to the external interface, although I can get out to the Internet from the box.I tried changing the MAC address of teh VLAN interface (as per a post where this resolved someone's issue) but it did not work. Could anyone guide me through setting these up or make a suggestion as to where it might be going wrong or how to diagnose what the issue might be?(Cross posted to Linuxquestions.org ). Your interface file looks OK. I might not use the firewall settings until I was sure it worked on a routing level. I think initially I would just disable iptables all together.I also agree with Rivitir to ensure the vlan module is loaded. You should be able to confirm with lsmod grep 802Does ip show link so the command ip link show eth0.1 show the link being up?Oops just saw something. Your native vlan is 1.
That is sent untagged to the linux box. But your linux box is expected to see vlan 1 tagged. If you want to use the native vlan 1 you need to finish configuring eth0 or start tagging vlan 1. You can prove this by setting up a second vlan like eth0.2, then try pinging it from a device connected to an access port attached to vlan 2.
Text /etc/network/interfacesauto eth0allow-hotplug eth0iface eth0 inet manualauto eth0.1 #Internal Interfaceallow-hotplug eth0.1iface eth0.1 inet static#pre-up ifconfig NIC hw ether 99:54:AE:54:1D:AF #Fake MAC in an attempt to get VLAN workingpost-up iptables-restore. Text /etc/network/interfacesauto eth0allow-hotplug eth0iface eth0 inet manualauto eth0.1 #Internal Interfaceallow-hotplug eth0.1iface eth0.1 inet static#pre-up ifconfig NIC hw ether 99:54:AE:54:1D:AF #Fake MAC in an attempt to get VLAN workingpost-up iptables-restore. Your interface file looks OK. I might not use the firewall settings until I was sure it worked on a routing level.
I think initially I would just disable iptables all together.I also agree with Rivitir to ensure the vlan module is loaded. You should be able to confirm with lsmod grep 802Does ip show link so the command ip link show eth0.1 show the link being up?Oops just saw something. Your native vlan is 1.
That is sent untagged to the linux box. But your linux box is expected to see vlan 1 tagged. If you want to use the native vlan 1 you need to finish configuring eth0 or start tagging vlan 1. You can prove this by setting up a second vlan like eth0.2, then try pinging it from a device connected to an access port attached to vlan 2.
Rivitir.the 8021q module is loaded and added to modules for load on boot.No particular reason I limited them at this time, though eventually I will want to, because it won't need all of them, actually it only needs two of the ones I've allowed at the moment.Georgelsmod does show the module loaded. Though I've reverted the config back to non tagged at the moment when I was testing it did show as up. I was wondering if the native vlan being set to 1 and trying to tag it might cause an issue.-I'm actually attacking this differently at this point, though I may still need help. I am going to use one bridge and leave eth0 alone I'm going to tag the tap adapters since those are what OpenVPN actually binds to.
Hopefully the native vlan was just screwing things up. I'll let you know when I get to some more testing. OK, so some changes and testing. I have created a tap adapter with VLAN tagging, and I can see the it's seeing traffic via the bridge on it using tshark. If I filter tshark on vlan tag 30 (the vlan I want the tap adapter on) I can see traffic on VLAN 30 I can see this traffic whether I am watching the bridge or the new VLAN tap adapter. What I don't see is the adapter communicating at all. If I capture dhcp traffic on vlan 30 and do a dhclient to renew an IP on the VLAN adapter I get nothing in tshark, nothing whatsoever shows up.
Here is come more output, maybe you can see someting I am missing. You can see below that there is tagged traffic and that the interface definitely is identified as tagged and it can see the traffic, but it's not working, seems to not be transmitting.
Linux As Vlan Switch Download
YOu can see when I request a lease there is no traffic on VLAN 30 from the adapter. BASH ifup tapvpn0.30Set name-type for VLAN subsystem. Guess all that gobbeldygook didn't spur anything for anyone.I've done some more tests today with some packet captures and analysis in Wireshark on my PC. I can say that from the packet captures when I monitor the vlan tap device I can see the traffic (untagged) the traffic does not show up on the bridge tagged or untagged.
I can see all traffic on the bridge if I monitor the vlan tap interface as I would expect in promiscuous mode. I can also see all the traffic on the bridge monitoring the bridge device, but as I said nothing at all from the vlan adapter. I verified this by searching for MAC address in the packet captures.So the questions are 1) Why isn't it propagating across the bridge, which it is a member of and I know is functioning because I can see other traffic and 2) Why isn't the traffic tagged (this may not be an issue from what I read, it may be getting tagged at the physical adapter.Any thoughts? OK, well I'm be a monkey's Uncle.
Linux Vlan Switch Configuration
Linux As Vlan Switch System
I'm still not sure why VLAN tagged traffic isn't propagating over the bridge form a VLAN tap adapter, however, George was right, it was the vlan 1 tag causing the issue. As a test I set a VLAN interface to the physical adapter on another VLAN, and it immediately worked, testing again using VLAN 1 on the physical adapter failed again.So you learn something new everyday, don't tag vlan 1 in Linux, and apparently you can't VLAN tap adapters. At least not on bridges.