On Tue, 2012-07-10 at 12:13 +0200, SamLT wrote:
> On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote:
> > Hi,
> > I have 2 vlans, 1 untagged with private IP's (vlan1) and 1 tagged
> > (vlan2) with non-private IP addresses, and I want to remove the vlan
> > tags before sending vlan2 packets out over my internet link and add them
> > back before sending packets from the internet to vlan2. Should this be
> > done in the iptables mangle table? or do I need to use ebtables? And
> > exactly how should I go about doing this?
>
> I'm not really sure I understand your question.

My main concern is that I have packets that will end up in the forward chain and exit out my ADSL link onto the internet with their vlan tagging in place.

> Viewing the commands
> you used to set this up would certainly help.

The config (on the server/firewall) is done in the Debian /etc/network/interfaces file:

    auto dsl-provider
    iface dsl-provider inet ppp
        pre-up /sbin/ifconfig eth0 up
        provider dsl-provider

    auto
    iface bond0 inet static
        address 10.XXX.XXX.XXX
        netmask 255.255.255.0
        broadcast 10.XXX.XXX.255
        bond-slaves eth1 eth2 eth3
        bond-mode 4
        bond-miimon 100
        bond-lacp-rate 1
        mtu 9000
        bond-primary eth1 eth2 eth3

    auto vlan2
    iface vlan2 inet static
        vlan-raw-device bond0
        address 150.XXX.XXX.XXX
        netmask 255.255.255.248
        broadcast 150.XXX.XXX.XXX

A similar method is used on the clients, so all the instances of the "vlan2" interface on machines are tagged vlans on the 150.XXX.XXX.XXX/29 subnet.
> anyway, assuming you configured this with iproute: eg:
> ip link add link eth0 eth0.10 type vlan id 10
> Then the tagging depends on your routing:
> * If it has to go out from eth0.10 -> tagging
> * If it has to go out from eth0 -> no tagging
>

The routing table looks like this on the firewall:

    # ip route list
    default dev ppp0 scope link
    10.XX.XX.0/24 dev bond0 proto kernel scope link src 10.XX.XX.XX
    150.XX.XX.XX dev ppp0 proto kernel scope link src 59.XX.XX.XX
    150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX
    192.168.XX.0/24 dev eth0 proto kernel scope link src 192.168.XX.XX

on the network hosts that need to be routed it looks like this

    # ip route list
    default via 10.XX.XX.XX dev eth0
    10.XX.XX.0/24 dev eth0 proto kernel scope link src 10.XX.XX.XX
    150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX

So, I guess the question is twofold:
1) Do I need to worry about tagged packets leaking onto the internet?
2) If so how do I use the netfilter toolset to stop this from happening?

Thanks
--
Nikolai Lusan
Email: nikolai@xxxxxxxxxxx
Phone(H): (07) 3136 3065
Phone(M): 0425 661 620
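SamLT's point that tagging is decided by the egress device, and Nikolai's question 1), can be checked mechanically against a routing table. The Python script below is an added example and is not code from either poster: it performs a longest-prefix lookup over an `ip route list` dump (the firewall's table from the thread, with the masked XX octets replaced by RFC 5737 documentation addresses, so every address is constructed) and then reports whether the chosen device is an 802.1Q sub-interface. The `LINK_INFO` table is a constructed stand-in for what `ip -d link show` would reveal about each device, not that command's real output format. The underlying behaviour it illustrates is that the kernel builds a fresh link-layer header for whichever device a forwarded packet leaves on: a packet routed out ppp0 is encapsulated in PPP and carries no 802.1Q header at all, while the tag is only ever added to frames emitted through a VLAN device such as vlan2 onto its raw device.

```python
import ipaddress
import re

# Constructed sample of the firewall's `ip route list` output from the thread,
# with the masked (XX) octets replaced by RFC 5737 documentation addresses.
FIREWALL_ROUTES = """\
default dev ppp0 scope link
10.0.1.0/24 dev bond0 proto kernel scope link src 10.0.1.1
198.51.100.1 dev ppp0 proto kernel scope link src 203.0.113.7
198.51.100.8/29 dev vlan2 proto kernel scope link src 198.51.100.9
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
"""

# Constructed stand-in for the device facts `ip -d link show` would report:
# only vlan2 is an 802.1Q sub-interface (vlan-raw-device bond0 in the config).
LINK_INFO = {
    "ppp0": {"kind": "ppp"},
    "bond0": {"kind": "bond"},
    "eth0": {"kind": "ether"},
    "vlan2": {"kind": "vlan", "vlan_id": 2, "raw_device": "bond0"},
}

# <destination> [via <gateway>] dev <device> ...  (remaining attributes ignored)
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route list` lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        dst = m.group("dst")
        # "default" is 0.0.0.0/0; a bare host address becomes a /32 route.
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev"), m.group("via")))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, as the kernel's FIB does for a forwarded packet."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, dev, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best


def egress_tagging(routes, link_info, destination):
    """Report the egress device and whether frames it emits carry an 802.1Q tag."""
    net, dev, via = lookup(routes, destination)
    info = link_info.get(dev, {"kind": "unknown"})
    tagged = info["kind"] == "vlan"
    return {
        "destination": destination,
        "route": str(net),
        "dev": dev,
        "via": via,
        "tagged": tagged,
        # A VLAN device inserts its tag on its raw device; PPP and plain
        # Ethernet devices emit untagged link-layer frames.
        "vlan_id": info.get("vlan_id") if tagged else None,
        "carrier": info.get("raw_device", dev) if tagged else dev,
    }


if __name__ == "__main__":
    routes = parse_routes(FIREWALL_ROUTES)
    # Internet host, vlan2 host, bond0 host, PPP peer (all constructed).
    for dst in ("203.0.113.50", "198.51.100.10", "10.0.1.5", "198.51.100.1"):
        print(egress_tagging(routes, LINK_INFO, dst))
```

Run against a real box, `parse_routes(subprocess.check_output(["ip", "route", "list"], text=True))` gives the live table; the `tagged` field for any internet destination then comes out False because the default route points at ppp0, which is the practical check behind the question.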