VLan help on Cisco 870 to Linux vlan

spide21 · 07-28-2009, 11:35 PM

Hi all,

I am new to VLANs and I'd like to try to setup a router on linux on which will include a firewall a many other goodies that linux offers to the out world.

My problem is that my ISP assigned me some WAN IPs through a Cisco 870 and after digging on it I found:

interface FastEthernet4
description !!MY-ISP-TEXT-HERE!!
ip address 10.10.30.110 255.255.255.252
duplex auto
speed auto

The above tells me that My Isp is sending all the WAN IPs through their LAN routers, but in order to implement the routers on the linux box (with two ethernet cards, eth0 and eth1) I need the WAN IPs, having the Cisco 870 this config:

------------------------------------------------
interface FastEthernet4
description !!MY-ISP-TEXT-HERE!!
ip address 10.10.30.110 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
description !!My-SPACE-WAN-SEGMENT!!
ip address x.x.x.57 255.255.255.248 (FIRST WAN IP, THAT SERVES AS GATEWAY)
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.109
-----------------------------------------

After googling about vlans, I did this on the linux box trying to emulate the same config as on Cisco 870:

1- setup the first interface WAN and LAN
ifconfig eth0 10.10.30.110 netmask 255.255.255.252
route add default gateway 10.10.30.109
vconfig eth0 1
ifconfig eth0.1 x.x.x.57 (WAN IP on Cisco) netmask 255.255.255.248

Set up the LAN interface

ifconfig eth1 172.16.0.1 netmask 255.255.255.0

2- Did some tcpdump on interface eth0 and I could see everything camming to the WAN-IPs from other ips like yahoo mail server for example, I do not see any Vlan tags or 802.1Q, only IP protocols.

3- Did some pings to google.com and it failed.
4- Did some traceroutes to google.com and it failed.
5- I could ping the LAN gateway of my ISP only.

But if I ping google from a laptop connected to the cisco router with x.x.x.57 as my default gateway and x.x.x.58 as my laptor IP(with the correct DNS servers), I received responses from google.com

Is my setup wrong?.

Please need some help or guide.

Thanks in advanced.

Carlos.

sigey · 07-29-2009, 04:57 AM

VLAN is a way to segment your LAN and is a pure layer2 functionality. Layer3 devices like ur cisco router and linux box is a mechanism to route between different vlans (inter-vlan routing).

I think your setup shud look something like this.

Cisco_800Router< -----access-link-no-trunk--->layer2-switch-supporting-dot1Q<------dot1Q-trunk----->ur-LinuxBox

and on switch u created VLANs like this and assign the to ports:

VLAN2 - for userGroup2
VLAN3 - for userGroup3

(not a very good idea to use VLAN1 as most vendor use it for MGMT purposes)

connect your linux box to the switch and make that port a trunk port (pref. 802.1Q)
connect the 2nd interface on ur linux box to the switch non-trunk port (maybe on vlan1 o no vlan at all), connect ur cisco box to the switch and make sure its non-trunk (it shd be the same as the port connected to 2nd int. of ur linux box)

assign them IP addr as u like, but they shud be on the same subnet (test before u go ahead with next step)

create vlan interfaces on ur linux box for the VLANs that were created on the switch, eg:

vconfig eth0 2
vconfig eth0 3

and then use ur preferred IP addr scheme. maybe like
192.168.2.1 for vlan2
192.168.3.1 for vlan3

now connect ur users to the swich and put them on vlan2 or 3 and their default gateways will be 192.168.2.1 and 192.168.3.1 respectively ... ofcourse u wud need some form of NAT to make sure they go outside (Internet), IPTABLES or IP NAT overide configs on Cisco can help.

Hope this helps you and gets u going.
thanks.

spide21 · 07-29-2009, 04:26 PM

Thanks sigey for replying.

What I'd like to emulate is using this scenario:

Fist of all This is what I got:

1- I receive my ISP connection via FO (Fiber Optic)
2- The FO connector goes to a Transceiver and this one convert FO signal to ethernet.
3- There is one utp cable that goes from the Transceiver to the FastEthernet 4 on the Cisco Router 870.

4- There is another utp cable that goes from the Cisco Router to a linksys router (WAN port).

5- My ISP assigned me 6 WAN IPs but the Cisco is using the x.x.x.57 (ips from x.x.x.57 to x.x.x.62, broadcast x.x.x.63, segment x.x.x.56) as gateway to be used inside home, so there are 5 ips lefts.

6- Cisco 870 got this config in it:

interface FastEthernet4
description !!MY-ISP-TEXT-HERE!!
ip address 10.10.30.110 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
description !!My-SPACE-WAN-SEGMENT!!
ip address x.x.x.57 255.255.255.248 (FIRST WAN IP, THAT SERVES AS GATEWAY)
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.30.109

7- I got the Linksys router BEFVP41 and assigned a public IP x.x.x.58 and gateway x.x.x.57 and some DNSs, set up the device to do NAT and dhcp service.

8- plug in a laptop to one of the linksys ethernet ports (Lan Ports) and got a LAN IP from the linksys router.

9- Finally I could navigate and pings every where.

What I wanted to do is as follow:

1- Receive my ISP connection via FO (Fiber Optic)
2- The Fiber Optic connector goes to a Transceiver and this one convert FO signal to ethernet.

3- Connect the UTP cable from the Transceiver to the linux box (this linux box have 2 nics, eth0 for WAN and eth1 for Lan)

4- Configure the linux box so it assign the WAN IPs I need and do some NAT on the other side with the eth1 NIC.

5- Connect on Layer2 switch or unmanaged switch to eth1 port.

6- Connect some servers like DNS/DHCP servers for the LAN side switch.

7- Connect my laptop and navigate the net.

But the issue is that I cannot handle very well the vlan things and I waste one WAN IP( x.x.x.57) , where I can used for other purposes like IRC/VPN server or anything else.

See picture please. I hope you understand as I am not a guru on this area.

Thanks for your help.

sigey · 07-30-2009, 05:06 AM

referring to your diagram, (network modified state):

I am guessing your ISP has given you public routable IP addresses :P, i cant imagine that
they wouldnt give your RFC 1918s

Anyway i think you can tackle this problem like this:

Configure your layer2 switch, for example you want to connect Port1 of the L2 switch to the eth1
of the linux box. From your L2 switch configure the Port1 as a trunk (dot1Q).

Create vlans as i said on the last post: for example: vlan2, vlan3 on the switch
on the linux box create the respective vlans on eth1 (eth1.2 eth1.3) - and give private IP addr.
a good idea to use different subnets for different vlans.

configure access ports on your switch and assign them to the vlans u created.
for example port2 (vlan2)... port3 (vlan3) etc...

connect your client devices to the ports on access switch, for example your laptop to port2 (your laptop is gonna be on vlan2,
assign an IP addr for ur laptop from the same subnet as of eth1.2 of ur linux box (the linux box
will be working as a gateway for ur internal clients). Confirm connectivity, with the gateway (the ip addr of linux box eth1.2)

Now u shud do some NAT on the linux box to translate these internal clients to external to reach Internet (ur linux box's eth0 is facing outside right?) -
IPTABLES will do the trick and i am sure u will know how to

One other thing, u can even use ur linux box to give out IP addr. to ur VLAN clients using DHCP - that shud be the next step i guess.
If u still are not able to get this right, give me a pm.

spide21 · 07-30-2009, 08:20 AM

Thanks sigey again for your fast response.

I think you misunderstood what I was trying to explain, I upload a new graphic on which explain my problem.

The main problem reside thar my ISP suppose to give me 6 WAN IPs, but they are encapsulated as VLAN through their static IP 10.10.30.110, I cannot manage how to get the linux box working by having as default gateway 10.10.30.109.

I've worked with linux as router but having only real WAN IPs supplied by another ISP, but this time this is giving me a headach trying to solve this scenario.

Thanks againg to you all.