Hi, The treatment of VLAN Tags is done in L2, you dont need worry about it - that is solved with routing. You only have to worry about configuring the VLAN interface on the firewall and the switch port. - If you make VLAN configuration on the firewall interface, configure the Tag in switch port too. - The switch configuration must be in accordance with firewall configuration, so when you configure an interface with a VLAN tag and other without (pvid 1, for example), the switch port must be "hybrid". It's the setting that determines how the marking is done (tagging or removing). When the packet is forwarded, the interface VLAN configuration determines whether should be tagged or not. 2012/7/10 Nikolai Lusan <nikolai@xxxxxxxxxxx>: > On Tue, 2012-07-10 at 12:13 +0200, SamLT wrote: >> On Tue, Jul 10, 2012 at 05:04:15PM +1000, Nikolai Lusan wrote: >> > Hi, >> > I have a 2 vlans, 1 untagged with private IP's (vlan1) and 1 tagged >> > (vlan2) with non-private IP addresses, and I want to remove the vlan >> > tags before sending vlan2 packets out over my internet link and add them >> > back before sending packets from the internet to vlan2. Should this be >> > done in the iptbales mangle table? or do I need to use ebtables? And >> > exactly how should I go doing this? >> >> I'm not really sure to understand your question. > > My main concern is that I have packets that will end up in the forward > chain and exit out my ADSL link onto the internet with their vlan > tagging in place. > > >> Viewing the commands >> you used to set this up would certainly help. > > The config (on the server/firewall) is done in the > Debian /etc/network/interfaces file: > > auto dsl-provider > iface dsl-provider inet ppp > pre-up /sbin/ifconfig eth0 up > provider dsl-provider > > auto > iface bond0 inet static > address 10.XXX.XXX.XXX > netmask 255.255.255.0 > broadcast 10.XXX.XXX.255 > bond-slaves eth1 eth2 eth3 > bond-mode 4 > bond-miimon 100 > bond-lacp-rate 1 > mtu 9000 > bond-primary eth1 eth2 eth3 > > > auto vlan2 > iface vlan2 inet static > vlan-raw-device bond0 > address 150.XXX.XXX.XXX > netmask 255.255.255.248 > broadcast 150.XXX.XXX.XXX > > > A similar method is used on the clients, so all the instances of the > "vlan2" interface on machines are tagged vlans on the 150.XXX.XXX.XXX/29 > subnet. > > >> anyway, assuming you configured this with iproute: eg: >> ip link add link eth0 eth0.10 type vlan id 10 >> Then the tagging depends on your routing: >> * If it has to go out from eth0.10 -> tagging >> * If it has to go out from eth0 -> no tagging >> > > The routing table looks like this on the firewall: > > # ip route list > default dev ppp0 scope link > 10.XX.XX.0/24 dev bond0 proto kernel scope link src 10.XX.XX.XX > 150.XX.XX.XX dev ppp0 proto kernel scope link src 59.XX.XX.XX > 150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX > 192.168.XX.0/24 dev eth0 proto kernel scope link src 192.168.XX.XX > > > on the network hosts that need to be routed it looks like this > > # ip route list > default via 10.XX.XX.XX dev eth0 > 10.XX.XX.0/24 dev eth0 proto kernel scope link src 10.XX.XX.XX > 150.XX.XX.XX/29 dev vlan2 proto kernel scope link src 150.XX.XX.XX > > > So, I guess the question is twofold: > 1) Do I need to worry about tagged packets leaking onto the internet? > 2) If so how do I use the netfilter toolset to stop this from happening? > > Thanks > -- > Nikolai Lusan > > Email: nikolai@xxxxxxxxxxx > Phone(H): (07) 3136 3065 > Phone(M): 0425 661 620 -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
