LinuxQuestions.org > Linux - Networking
Thread: Iptables + Forwarding + Vlan + OpenVPN & L2 junk switch /L3 extreme networks switch (http://www.linuxquestions.org/questions/linux-networking-3/iptables-forwarding-vlan-openvpn-and-l2-junk-switch-l3-extreme-networks-switch-795585/)

feloniousj 03-15-2010 03:36 PM

Iptables + Forwarding + Vlan + OpenVPN & L2 junk switch /L3 extreme networks switch
 
OK, here is my topology. I have two Silicon Mechanics servers running Debian Linux (Lenny 5.0) with keepalived for redundancy and iptables for routing (I have enabled packet forwarding, NAT, and default routes). I have two Extreme Networks Summit X450a L3 switches. I have 10 tagged VLANs. Tagged VLAN 100, 103, and native VLAN 1 work fine over the VPN. OpenVPN pushes my routes to the client:
(Route 1 id 100, 172.16.100.0/24,
Route 2 id NA, *.*.*.*/24 public class C,
Route 3 id 101, 192.168.100.0/24,
Route 4 id 103, 10.10.0.0/16)
and the client can ping the servers and hosts on the other side, which are also using VLAN tagging at the endpoint (Sun link-aggregate tagged VLAN devices), and can ping other hosts on my class C public network, which is set up on native VLAN 1 on all ports; these are not using tagged endpoints.

The problem: Sun iLOM network settings do not support VLAN tagging, so I connected a layer 2 switch to all of my netmng ports on the Sun servers where the iLOM is. I cascaded that switch to switch port 6 on my EN switch and removed tagging from that port, so port 6 is a member of VLAN ID 101 untagged. The routers have interfaces attached to tagged VLAN 101, on the same subnet 192.168.100.0/24, and from the routers I can ping and connect to the iLOMs over the L2 and L3 switch with this configuration. But I cannot over the VPN. From the VPN I can ping the gateway IP 192.168.100.3 (from VPN client network 10.15.0.6); I cannot, however, ping anything past the gateway on that one network. The switch VLAN is set up with an IP of 192.168.100.1, and that is where I set the default gateway in the L2 config, and I turned on packet forwarding at the switch to forward to the router, but still no go.

tcpdump shows the pings coming in from the VPN on the correct interface but no response from the destination host, though it should be getting there; I think it's just not coming back correctly.

PLEASE HELP, lol

|Open VPN client assigned vip 10.15.0.1|
------------------------------------
|
------------
Router ----->> eth0.101 ip 192.168.100.3 -- tun0 10.15.0.1
------------
|
------------
EN Switch tagged vlan 101 ip 192.168.100.1
------------
| (switch port 6 untagged native) and assigned to vlan 101
------------
L2 switch (no tagging) linksys junk
------------
|
------------
Host ilom adapter (no tagging) 192.168.100.103/24 Default GW 192.168.100.1
-------------

iptables:

#!/bin/sh

# Start from a clean slate: flush every chain in the filter, mangle and nat
# tables, delete user-defined chains and zero the counters.
# (A bare "-F" already flushes all filter chains, so the per-chain flushes
# that follow are redundant but harmless.)
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

# VPN: accept anything arriving on, leaving on, or forwarded in from tun0,
# regardless of connection state. Note that the FORWARD rule below matches
# before any of the per-VLAN tun0 rules further down.
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A OUTPUT -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -j ACCEPT

# Public uplink (eth0) <-> VLAN 100: new sessions may only originate from
# the VLAN side; from the uplink only replies to existing sessions pass.
/sbin/iptables -A FORWARD -i eth0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Same pattern for VLAN 101 (iLOM/management) and VLAN 103.
/sbin/iptables -A FORWARD -i eth0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# VPN (tun0) <-> each VLAN: replies back into the VLAN, new sessions from
# the VLAN toward VPN clients. The tun0 -> VLAN rules are already covered
# by the unconditional "-i tun0 -j ACCEPT" above.
/sbin/iptables -A FORWARD -i tun0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Source NAT only on the public uplink; traffic forwarded into the VLANs
# (including VPN client traffic from 10.15.0.0/24) keeps its original source
# address, so VLAN hosts need a route back to the VPN subnet.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



iptables -L -v:

Chain INPUT (policy ACCEPT 10578 packets, 1243K bytes)
 pkts bytes target     prot opt in       out      source    destination
 4048  248K ACCEPT     all  --  tun0     any      anywhere  anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out      source    destination
  278 23352 ACCEPT     all  --  tun0     any      anywhere  anywhere
    0     0 ACCEPT     all  --  eth0     eth0.100 anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0.100 eth0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0     eth0.101 anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0.101 eth0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0     eth0.103 anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0.103 eth0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0     eth0.100 anywhere  anywhere  state RELATED,ESTABLISHED
    2   168 ACCEPT     all  --  eth0.100 tun0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0     eth0.101 anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0.101 tun0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0     eth0.103 anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0.103 tun0     anywhere  anywhere  state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 18445 packets, 2282K bytes)
 pkts bytes target     prot opt in       out      source    destination
 3656  875K ACCEPT     all  --  any      tun0     anywhere  anywhere

Kernel Routes (route):

Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
10.15.0.2        *                255.255.255.255  UH    0      0   0   tun0
192.168.100.0    *                255.255.255.0    U     0      0   0   eth0.101
172.16.101.0     *                255.255.255.0    U     0      0   0   eth0.201
172.16.100.0     *                255.255.255.0    U     0      0   0   eth0.100
172.16.103.0     *                255.255.255.0    U     0      0   0   eth0.200
172.16.102.0     *                255.255.255.0    U     0      0   0   eth0.202
192.168.200.0    *                255.255.255.0    U     0      0   0   eth0.102
208.###.###.###  *                255.255.255.0    U     0      0   0   eth0
10.15.0.0        10.15.0.2        255.255.255.0    UG    0      0   0   tun0
10.10.0.0        *                255.255.0.0      U     0      0   0   eth0.103
default          208.86.167.1     0.0.0.0          UG    0      0   0   eth0
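
The `iptables -L -v` counters in the post above already localise the fault, and the following added example (editor's code, not the poster's or a tool from the thread) makes that reasoning mechanical. It parses the FORWARD chain listing copied from the post, applies netfilter's first-match-then-policy semantics to the VPN request and its reply, and reports which rules are shadowed by an earlier, broader rule. The `SAMPLE` text is constructed test input taken from the post; the function names are the example's own.

```python
"""Parse `iptables -L -v` output and reason about the FORWARD chain (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the FORWARD chain exactly as listed in the post.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
278 23352 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- eth0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.100 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
2 168 ACCEPT all -- eth0.100 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(tok):
    """'23352' -> 23352, '248K' -> 248000 (iptables abbreviates large counters)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("bad counter: %r" % tok)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    target: str
    in_if: str
    out_if: str
    states: frozenset = frozenset()  # empty set means "matches any state"


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_listing(text):
    """Return {chain_name: Chain} from `iptables -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if not line or line.startswith("pkts ") or current is None:
            continue
        tok = line.split()  # pkts bytes target prot opt in out src dst [state A,B]
        states = frozenset()
        if len(tok) > 10 and tok[9] == "state":
            states = frozenset(tok[10].split(","))
        current.rules.append(Rule(parse_count(tok[0]), tok[2], tok[5], tok[6], states))
    return chains


def _iface_ok(pattern, actual):
    return pattern == "any" or pattern == actual


def first_match(chain, in_if, out_if, state):
    """Netfilter semantics: the first matching rule decides, else the chain policy.
    Returns (rule_index, verdict); rule_index is None when the policy applies."""
    for i, r in enumerate(chain.rules):
        if (_iface_ok(r.in_if, in_if) and _iface_ok(r.out_if, out_if)
                and (not r.states or state in r.states)):
            return i, r.target
    return None, chain.policy


def shadowed(chain):
    """Indices of rules that an earlier rule already catches for every packet they could match."""
    out = []
    for i, r in enumerate(chain.rules):
        for e in chain.rules[:i]:
            if (_iface_ok(e.in_if, r.in_if) and _iface_ok(e.out_if, r.out_if)
                    and (not e.states or (r.states and r.states <= e.states))):
                out.append(i)
                break
    return out


def trace_flow(chain, client_if, lan_if):
    """Verdicts and the reply-rule packet counter for a VPN-originated session."""
    req = first_match(chain, client_if, lan_if, "NEW")
    rep = first_match(chain, lan_if, client_if, "ESTABLISHED")
    rep_pkts = chain.rules[rep[0]].pkts if rep[0] is not None else None
    return {"request": req, "reply": rep, "reply_pkts": rep_pkts}


if __name__ == "__main__":
    fwd = parse_listing(SAMPLE)["FORWARD"]
    for lan in ("eth0.100", "eth0.101"):
        print(lan, trace_flow(fwd, "tun0", lan))
    print("shadowed rules:", shadowed(fwd))
```

Run against the posted listing, the request from tun0 toward eth0.101 is accepted by rule 0 (the unconditional `-i tun0` rule), the reply rule eth0.101 -> tun0 is ACCEPT but has counted 0 packets, and the chain policy is ACCEPT, so this firewall cannot be dropping the reply: the router simply never receives one from the 192.168.100.0/24 segment. That is consistent with the diagram, where the iLOM's default gateway is the switch at 192.168.100.1 rather than the router at .3, so the thing to check is whether that gateway has a route for 10.15.0.0/24 back to the router. The three tun0 -> VLAN rules reported as shadowed will never count a packet for the same reason, which is worth knowing before reading zero counters as evidence of a problem.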

nimnull22 03-15-2010 05:28 PM

Can you run tcpdump on destination computer?
What IP will it show?

feloniousj 03-15-2010 09:56 PM

Well, I have been having some trouble compiling. Solaris 10 build 5. I guess I should put some more effort into that. But it seems I just figured out it is definitely a routing issue, because I went ahead and added an aggregate VLAN device on the offending VLAN on the server directly and I still cannot ping it from the VPN either, and it is directly attached to the Extreme Networks switch on the tagged VLAN. I can access it from the router but not the VPN. I don't understand why, though; as you can see above, my routing for VLAN 100 is the same as VLAN 101 and I can access 100 from the VPN just fine.

nimnull22 03-15-2010 10:27 PM

As I understand it, the VPN acts like a router, a remote gateway, and can easily change IP. When you ping, packets should go back by the same way. Can you telnet to something through the VPN on your server?
