Michael Alger wrote:
> On Tue, May 01, 2007 at 12:39:59PM +0300, "C. Bergström" wrote:
>
>> I'm trying to implement simple untagged vlans on our switch and
>> have misconfigured something..
>>
>> ISP gw is on the default vlan1 (untagged)
>>
>> Router
>> eth1 is setup on the switch with default vlan1 and member of vlan4.
>> eth0 is default vlan4 which connects to the clients that are all
>> default members of vlan4
>>
>
> Just to clarify, are the VLANs configured on your switch or are you
> doing some funny thing on the router?
>
Nope, all vlans were configured on the switch.

> This reply is assuming it's the switch which handles VLANs.
>
>
>> eth0 is x.x.x.86/28 This is what clients are connecting to as their gw..
>> (no nat)
>> eth1 is x.x.x.82/26
>>
>> default route is .65/26 dev eth1
>>
>> If client is default vlan4, but a member of vlan1 then it all works..
>> As soon as I remove client from being a member of vlan1.. The router
>> stops forwarding. Is this to be expected and how can I correct this?
>>
>> I've tried adding a rule like this for the test client which is on .87
>> # Trying to fix vlan
>> iptables -A FORWARD -i ${WAN} -d x.x.x.87 -o ${LAN} -j ACCEPT
>> iptables -A FORWARD -i ${LAN} -s x.x.x.87 -o ${WAN} -j ACCEPT
>>
>> I see the packets from the lan trying to get out, but on ingress I don't
>> see them..
>>
>
> Your WAN interface shouldn't need to be able to see both VLANs; the
> point of the router is to move packets between two different
> networks.
>
> Are the hosts on the WAN side using your router's eth1 (.82/26) as
> their gateway to your LAN network (/28)? It sounds like they're
> directly sending replies to the clients, rather than via the router.
>
Yeah.. they were sending packets directly, but what was throwing me off
was that the Cisco gw wasn't in ip show neighbors.. So I assumed it was
working and going through my middle-man router.

> Just to clarify, this is what I think you're doing:
>
> 1. You have an internal network connected to a switch, along with a
>    router which is their default gateway, also connected to the same
>    switch.
>
Correct

> 2. This router has a second interface, connected to a different
>    switch, which has some stuff connected to it; in particular, your
>    ISP's default gateway is connected to this switch. (Possibly you
>    have other servers in a DMZ type setup or something?)
>
2nd interface is connected to the same switch. 2nd interface = (WAN)
Rest is correct. There will be a slight change next week though in that
everything is moving off the default vlan and going behind this router
once configured correctly.

> 3. Since you're using VLANs, they're actually the same physical
>    switch; but the ports used by the internal network belong to one
>    VLAN, and the ports used by eth1 and the upstream gateway are on a
>    different VLAN. Same thing, different technology. (VLAN-hopping
>    exploits notwithstanding.)
>
> So, check the following to verify your configuration is as above:
>
> 1. Clients can ping router eth0 IP.
>
yes

> 2. Router has forwarding enabled (/proc/sys/net/ipv4/ip_forward).
>
yes

> 3. Router can ping upstream gateway via eth1.
>
yes

> 4. Something upstream can ping your router's eth1 IP
>
yes

> 5. Change a client's IP address to put it on the same subnet as your
>    upstream gateway, and verify that it's not able to ping it (or
>    even get an ARP response from it). If it's able to communicate
>    with it, then your VLANs aren't segregating the traffic properly.
>
yes.. I wasn't.. and when I started to, that's when it broke.

> With all that, you should be set.
>
> One question: is the LAN segment known by your upstream, i.e. are
> they routing traffic to your /28 via .82/26? If not, you'll need
> to use NAT on your router so upstream only sees its IP address.
>
I'm getting .65/26 and then trying to break it down into smaller
networks (ie .80/28). I remember trying with a 192.168 (rfc1918) ip +
with NAT/masquerading and it all worked. (There's a ton of examples for
that online...), but these servers need world routable IPs, and when I
was masquerading the packets, things like SSH stopped working for
obvious reasons.

I'm doing this all remotely and the pos switch's web interface crashed
on me.. So my 'keys' are currently locked in the car. I needed a couple
days' break from it and we just bought an HP ProCurve 2650 that should
be in the colo next week. I'm pretty sure I can set up the untagged
vlans on the switch correctly, but maybe I was missing something simple
with the iptables rules.. Am I mistaken, or does nat not play with
non-rfc1918 ips?

Thanks a lot for your help

Christopher
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
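Editor's added example (not part of the thread, and not code from either poster): a small Python script that checks the one property the thread circles around, whether the LAN /28 is carved out of the same /26 that sits on the router's WAN interface, and that emits the commands for a plain routed, no-NAT Linux router like the one described. The addresses use the RFC 5737 documentation prefix 203.0.113.0 in place of the thread's x.x.x, so they are constructed; the function names and output layout are this example's own, and the `proxy_arp` option is an assumption added here as one way to deal with an upstream that does not route the /28, not something the thread itself proposes.

```python
"""Sanity-check the routed (no-NAT) router setup from the LARTC thread.

Constructed example: 203.0.113.0 (RFC 5737 documentation space) stands
in for the thread's x.x.x, so no real addresses appear here. Commands
are returned as strings for review, never executed.
"""
import ipaddress
from typing import List

# Values from the thread, with a documentation prefix substituted for x.x.x
WAN_IF, WAN_ADDR = "eth1", "203.0.113.82/26"   # router side facing the ISP gw
LAN_IF, LAN_ADDR = "eth0", "203.0.113.86/28"   # router side facing the clients
UPSTREAM_GW = "203.0.113.65"                   # ISP gateway on the /26


def lan_overlaps_wan_link(wan_addr: str, lan_addr: str) -> bool:
    """True when the LAN prefix lies inside the subnet configured on the
    WAN interface (the thread's .80/28 inside .64/26).

    Then every host on the WAN VLAN, the ISP gateway included, treats the
    LAN addresses as on-link and ARPs for them directly instead of sending
    via the router's WAN address. Once the VLANs really separate the two
    segments, those ARPs go unanswered and replies never reach the router,
    which matches the 'I see them go out but never come back' symptom."""
    wan = ipaddress.ip_interface(wan_addr).network
    lan = ipaddress.ip_interface(lan_addr).network
    return lan.subnet_of(wan)


def router_config(wan_if: str, wan_addr: str, lan_if: str, lan_addr: str,
                  upstream_gw: str, proxy_arp: bool = False) -> List[str]:
    """Commands for a plain routed Linux router between the two segments.

    Public, routable addresses on the LAN side need no MASQUERADE/SNAT at
    all; the FORWARD rules cover the whole LAN prefix rather than one host
    at a time as in the thread's test rules."""
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_interface(lan_addr)
    gw = ipaddress.ip_address(upstream_gw)
    if gw not in wan.network:
        raise ValueError(f"upstream gateway {gw} is not on {wan_if}'s subnet {wan.network}")
    if gw in lan.network:
        raise ValueError(f"upstream gateway {gw} must not fall inside the LAN prefix {lan.network}")
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip addr add {wan} dev {wan_if}",
        f"ip addr add {lan} dev {lan_if}",
        f"ip route add default via {gw} dev {wan_if}",
        # Outbound from the LAN prefix, inbound to it. Tighten the inbound
        # rule to the services actually exposed (e.g. --dport 22) in
        # production; the thread's test rules accepted everything.
        f"iptables -A FORWARD -i {lan_if} -s {lan.network} -o {wan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -d {lan.network} -o {lan_if} -j ACCEPT",
    ]
    if proxy_arp:
        # Assumption added in this example: when the ISP will not route the
        # LAN prefix to the router's WAN address, answering ARP for those
        # addresses on the WAN side makes upstream hosts hand the packets
        # to the router. Only sensible when the LAN prefix really is a
        # sub-range of the WAN link's subnet.
        cmds.append(f"sysctl -w net.ipv4.conf.{wan_if}.proxy_arp=1")
    return cmds


def main() -> None:
    overlap = lan_overlaps_wan_link(WAN_ADDR, LAN_ADDR)
    print(f"LAN {LAN_ADDR} inside WAN link subnet: {overlap}")
    if overlap:
        print("upstream hosts will ARP for LAN addresses directly unless the "
              "ISP routes the prefix to the router or the router proxies ARP")
    for c in router_config(WAN_IF, WAN_ADDR, LAN_IF, LAN_ADDR, UPSTREAM_GW,
                           proxy_arp=overlap):
        print(c)


if __name__ == "__main__":
    main()
```

Running it with the thread's values reports the overlap and prints the routed configuration; swapping the LAN prefix for an RFC 1918 range (which does not overlap the WAN link) reports no overlap, which is the case where plain forwarding plus upstream routing, or NAT, is what makes traffic return.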