LQ Newbie
Registered: Nov 2008
Posts: 12
Iptables + Forwarding + Vlan + OpenVPN & L2 junk switch /L3 extreme networks switch
OK, here is my topology. I have two Silicon Mechanics servers running Debian Linux (Lenny 5.0) with keepalived for redundancy and iptables for routing (I have enabled packet forwarding, NAT, and default routes). I have two Extreme Networks Summit x450a L3 switches. I have 10 tagged VLANs. Tagged VLANs 100 and 103 and native VLAN 1 work fine over the VPN. OpenVPN pushes my routes to the client:
(Route 1, id 100, 172.16.100.0/24;
Route 2, id NA, *.*.*.*/24 public class C;
Route 3, id 101, 192.168.100.0/24;
Route 4, id 103, 10.10.0.0/16)
and the client can ping the servers and hosts on the other side, which are also using VLAN tagging at the endpoint (Sun link aggregate tagged VLAN devices), and can ping other hosts on my class C public network, which is set up on native VLAN 1 on all ports; these are not using tagged endpoints.
The problem: Sun iLOM network settings do not support VLAN tagging, so I connected a layer 2 switch to all of my netmng ports on the Sun servers where the iLOM is. I cascaded that switch to switch port 6 on my EN switch and removed tagging from that port, so port 6 is a member of VLAN id 101 untagged. The routers have interfaces attached to tagged VLAN 101, on the same subnet 192.168.100.0/24, and from the routers I can ping and connect to the iLOMs over the L2 and L3 switch with this configuration. But I cannot over the VPN. From the VPN I can ping the gateway IP 192.168.100.3 (from VPN client network 10.15.0.6); I cannot, however, ping anything past the gateway on that one network. The switch VLAN is set up with an IP of 192.168.100.1, and that is where I set the default gateway in the L2 config, and I turned on packet forwarding at the switch to forward to the router, but still no go.
tcpdump shows the pings coming in from the VPN on the correct interface but no response from the destination host, though it should be getting there; I think it's just not coming back correctly.
PLEASE HELP, lol
|Open VPN client assigned vip 10.15.0.1|
------------------------------------
|
------------
Router ----->> eth0.101 ip 192.168.100.3 -- tun0 10.15.0.1
------------
|
------------
EN Switch tagged vlan 101 ip 192.168.100.1
------------
| (switch port 6 untagged native) and assigned to vlan 101
------------
L2 switch (no tagging) linksys junk
------------
|
------------
Host ilom adapter (no tagging) 192.168.100.103/24 Default GW 192.168.100.1
-------------
iptables:
#!/bin/sh
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A OUTPUT -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -L -v:
Chain INPUT (policy ACCEPT 10578 packets, 1243K bytes)
pkts bytes target prot opt in out source destination
4048 248K ACCEPT all -- tun0 any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
278 23352 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- eth0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.100 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
2 168 ACCEPT all -- eth0.100 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 18445 packets, 2282K bytes)
pkts bytes target prot opt in out source destination
3656 875K ACCEPT all -- any tun0 anywhere anywhere
Kernel Routes (route):
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.15.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0.101
172.16.101.0 * 255.255.255.0 U 0 0 0 eth0.201
172.16.100.0 * 255.255.255.0 U 0 0 0 eth0.100
172.16.103.0 * 255.255.255.0 U 0 0 0 eth0.200
172.16.102.0 * 255.255.255.0 U 0 0 0 eth0.202
192.168.200.0 * 255.255.255.0 U 0 0 0 eth0.102
208.###.###.### * 255.255.255.0 U 0 0 0 eth0
10.15.0.0 10.15.0.2 255.255.255.0 UG 0 0 0 tun0
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0.103
default 208.86.167.1 0.0.0.0 UG 0 0 0 eth0
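An added troubleshooting model (not the poster's code, and not anything from the switch vendor) that traces the ping request and the echo reply hop by hop through the topology in the post, using the addresses and gateways shown there. The routing tables of the client, router and iLOM are simplified from the post; the EN switch's table is not in the post, so the "as posted" version is an assumption that it only knows its connected VLAN 101 subnet, and the second version adds a route for 10.15.0.0/24 via the router.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. routes: list of (prefix, gateway); gateway None = on-link.
    Returns the next-hop IP (the destination itself when on-link), or None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return dst if best[1] is None else best[1]

def build_nodes(switch_routes):
    """Nodes from the post's diagram (addresses as given there; tables simplified)."""
    return {
        "vpn_client": {"addrs": {"10.15.0.6"},
                       "routes": [("0.0.0.0/0", "10.15.0.1")]},      # everything via tun0
        "router": {"addrs": {"10.15.0.1", "192.168.100.3"},
                   "routes": [("10.15.0.0/24", None), ("192.168.100.0/24", None)]},
        "switch": {"addrs": {"192.168.100.1"}, "routes": switch_routes},
        "ilom": {"addrs": {"192.168.100.103"},                     # default GW 192.168.100.1
                 "routes": [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")]},
    }

def trace(nodes, src, dst, max_hops=8):
    """Hop-by-hop path from node `src` to the node owning IP `dst`; None if dropped."""
    owner = {ip: name for name, n in nodes.items() for ip in n["addrs"]}
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in nodes[cur]["addrs"]:
            return path
        next_hop = lookup(nodes[cur]["routes"], dst)
        nxt = owner.get(next_hop) if next_hop else None
        if nxt is None:              # no route, or next hop is not a known host
            return None
        path.append(nxt)
        cur = nxt
    return None

# ASSUMPTION: the EN switch only knows its connected VLAN 101 subnet; the post
# does not show its routing table. The second table adds the VPN subnet via the router.
SWITCH_AS_POSTED = [("192.168.100.0/24", None)]
SWITCH_WITH_VPN_ROUTE = SWITCH_AS_POSTED + [("10.15.0.0/24", "192.168.100.3")]

def ping_paths(switch_routes):
    """(request path, reply path) for a ping from the VPN client to the iLOM."""
    nodes = build_nodes(switch_routes)
    return (trace(nodes, "vpn_client", "192.168.100.103"),
            trace(nodes, "ilom", "10.15.0.6"))
```

With the assumed table, `ping_paths(SWITCH_AS_POSTED)` returns the request path `['vpn_client', 'router', 'ilom']` and `None` for the reply, because the iLOM hands the echo reply to 192.168.100.1 rather than to the router; that matches the zero packet counter on the eth0.101 to tun0 FORWARD rule above. The same check with `SWITCH_WITH_VPN_ROUTE` (or with the iLOM's default gateway pointed at 192.168.100.3) produces a complete reply path.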