iptables multiple interfaces same subnet to multiple vlan interfaces
In our lab network we are running multiple virtual routers and want to replace them with iptables. I am not sure if this setup will be possible, nor where to start.
The new setup will be a 10G connection for all the traffic. The idea is to have multiple eth0 aliases all on the same subnet: eth0:120, eth0:121, eth0:122, eth0:123 ....... eth0:210. Each will have an IP address on the same 255.255.252.0. The default gateway for these will be 10.1.0.1.
Then there will be tagged aliases as well, eth0.120 to eth0.210, with IP addresses of 192.168.0.1/24.
Is it possible to use iptables to forward all traffic (including icmp/ping) from 10.1.1.120 on eth0:120 to ip 192.168.0.23 on eth0.120 and 10.1.1.121 on eth0:121 to 192.168.0.23 on eth0.121
I know that forwarding, arp announce (2), arp ignore(1), arp filter (0 or 2) in sysctl.
I'm not sure what you are actually trying to achieve. In principle, you can do vlans in Linux. Their principal advantage is that of isolating traffic from other traffic that might be on the same piece of cat5. An example might be an office on 2 levels of a building with accounts, sales, research, and management all with their own vlans on the single wired connection between them. You can route them with routing protocols, but it's not for the faint-hearted. I lose you when you start talking about using iptables and vlans to replace virtual routers. You will hardly achieve it with a few mouse clicks.
Can you sketch your idea and hang it up somewhere?
See picture as you read this
when someone is on the computer and enters in IP address 10.1.1.120 (address of eth0.120) ALL the traffic will be forwarded out eth0:120 to IP address 192.168.0.23.
The idea is to be able to constantly remove units but we don't have to change the IP address.
Another way to look at it is port forwarding, but with ALL ports:
10.1.1.120 (eth0.120) forwarded to interface eth0:120 (192.168.0.1) to IP address 192.168.0.23
We are using openwrt with port forwarding on VMs, but the quality of the VMs is becoming unstable.
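The mapping described above (all traffic to 10.1.1.<VID> on the untagged side forwarded to 192.168.0.23 on eth0.<VID>) is a DNAT job, but with one catch that plain routing does not handle: every eth0.<VID> carries the same 192.168.0.0/24, so once DNAT has rewritten the destination to 192.168.0.23 the kernel has no way to tell which tagged interface the packet belongs to. The script below is an added example written for this thread, not something posted by the original poster or shipped by OpenWrt. It marks each packet with its VLAN id before routing and uses a per-VLAN routing table selected by that mark, keeps FORWARD at deny-by-default so only the mapped flows and their replies cross between the VLANs, and masquerades on the tagged side so the unit answers back to 192.168.0.1 on its own VLAN. The interface names, addresses, gateway and VLAN range are the ones given in the question; the function names and the APPLY/VIDS variables are assumptions for the example. By default it prints the commands; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not from the thread): per-VLAN DNAT with policy routing.
# Assumed topology, taken from the question:
#   eth0            uplink, 10.1.0.0/22 (255.255.252.0), gateway 10.1.0.1
#   10.1.1.<VID>    secondary address on eth0 for VLAN <VID> (the "eth0:<VID>" alias)
#   eth0.<VID>      tagged sub-interface, router side 192.168.0.1/24
#   192.168.0.23    the unit behind every VLAN (same address in each one)
# Dry run by default: commands are printed. APPLY=1 executes them.
set -eu

UPLINK=eth0
UPLINK_PREFIX=22
UPLINK_GW=10.1.0.1
INNER_ROUTER_IP=192.168.0.1
INNER_TARGET_IP=192.168.0.23
VIDS="${VIDS:-120 121 122 123}"   # use VIDS="$(seq 120 210)" for the full range

# Print the command (dry run) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Global settings: forwarding on, ARP behaviour for many addresses on one NIC,
# and a deny-by-default FORWARD chain so only the explicitly mapped flows
# (and their replies) cross between the uplink and the VLANs.
base_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip route replace default via "$UPLINK_GW" dev "$UPLINK"
}

# Everything one VLAN needs. Because every eth0.<VID> carries the same
# 192.168.0.0/24, a normal route lookup cannot tell the VLANs apart after DNAT
# has rewritten the destination to 192.168.0.23. The packet is therefore marked
# with the VLAN id before routing, and a per-VLAN routing table (selected by
# that mark) pins it to the right tagged interface. Replies carry no mark and
# go back out through the main table after conntrack reverses the NAT.
vlan_rules() {
    vid=$1; pub=$2; target=$3
    dev="$UPLINK.$vid"
    run ip link add link "$UPLINK" name "$dev" type vlan id "$vid"
    run ip link set "$dev" up
    run ip addr add "$INNER_ROUTER_IP/24" dev "$dev"
    run ip addr add "$pub/$UPLINK_PREFIX" dev "$UPLINK"
    run ip route add 192.168.0.0/24 dev "$dev" table "$vid"
    run ip rule add fwmark "$vid" lookup "$vid"
    run iptables -t mangle -A PREROUTING -i "$UPLINK" -d "$pub" -j MARK --set-mark "$vid"
    run iptables -t nat -A PREROUTING -i "$UPLINK" -d "$pub" -j DNAT --to-destination "$target"
    run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    run iptables -A FORWARD -i "$UPLINK" -o "$dev" -d "$target" -m conntrack --ctstate NEW -j ACCEPT
}

base_setup
for vid in $VIDS; do
    vlan_rules "$vid" "10.1.1.$vid" "$INNER_TARGET_IP"
done
```

Two things worth checking after applying it: `ip rule show` should list one fwmark rule per VLAN, and `iptables -t nat -vnL` counters on the DNAT line for a given 10.1.1.<VID> should increase when that address is pinged. The switch port facing eth0 must be a trunk carrying the tagged VLANs, and the FORWARD policy means anything not covered by a mapping (including traffic between two VLANs) is dropped rather than silently routed.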
From a physical perspective, you don't seem to need vlans at all, but you do need a clever and expensive switch that understands vlans. And I don't think a box will automagically expect a vlan. You will have to program or set that and its routes explicitly.
As all this is going on inside VMs, I am going to stop offering advice, as I do not consider myself sufficiently knowledgeable on VMs. If you replaced all of your vlans with plain IPs, this would get a lot simpler. To trouble another VM, one of your unstable VMs would have to address it by its IP and hack it there. A simple firewall on the VM should stop that.