LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-15-2010, 03:36 PM   #1
feloniousj
LQ Newbie
 
Registered: Nov 2008
Posts: 12

Rep: Reputation: 1
Iptables + Forwarding + Vlan + OpenVPN & L2 junk switch /L3 extreme networks switch


OK here is my topology. I have two silicon mechanics servers running debian linux (Lenny 5.0) with keepalived for redundancy and iptables for routing, (I have enabled packet forwarding, nat, and default routes) I have two ExtremeNetworks Summit x450a L3 switches. I have 10 tagged vlans. Tagged vlan 100, 103, and native vlan 1, Work fine over the vpn. Openvpn pushes my routes to the client
(Route 1 id 100 172.16.100.0/24,
Route 2 id NA, *.*.*.*/24 public class c,
route 3 id 101, 192.168.100.0/24)
route 4 id 103, 10.10.0.0/16)
and the client can ping the servers and hosts on the other side which are also using vlan tagging at the endpoint (Sun link aggregate taqgged vlan devs), and can ping other hosts on my class C public network which is setup on native vlan 1 on all ports, these are not using tagged endpoints.

The problem: Sun iLom network settings do not support vlan tagging so I connected a layer2 switch to all of my netmng ports on the sun servers where the ilom is. I cascaded that switch to switch port 6 on my EN switch and removed tagging from that port, so port 6 is member of vlan id 101 untagged. The routers have interfaces attached to tagged vlan 101, on the same subnet 192.168.100.0/24, and from the routers I can ping and connect to the iloms over the L2 and L3 switch with this configuration. But I cannot over the vpn. From the vpn I can ping the gateway ip 192.168.100.3 (from vpn client network 10.15.0.6) I cannot ping however anything past the gateway on that one network, the switch vlan is setup with an ip of 192.168.100.1, and that is where I set the default gateway in the L2 config, and I turned on packet forwarding at the switch to forward to the router, but still no go.

TCP dump shows the pings coming in from the vpn on the correct interface but no response from destination host, though it should be getting there, I think its just not coming back correctly.

PLEASE HELP, lol

|Open VPN client assigned vip 10.15.0.1|
------------------------------------
|
------------
Router ----->> eth0.101 ip 192.168.100.3 -- tun0 10.15.0.1
------------
|
------------
EN Switch tagged vlan 101 ip 192.168.100.1
------------
| (switch port 6 untagged native) and assigned to vlan 101
------------
L2 switch (no tagging) linksys junk
------------
|
------------
Host ilom adapter (no tagging) 192.168.100.103/24 Default GW 192.168.100.1
-------------

iptables:

#!/bin/sh

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A OUTPUT -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -j ACCEPT

/sbin/iptables -A FORWARD -i eth0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -i eth0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.100 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.101 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0.103 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



iptables -L -v:

Chain INPUT (policy ACCEPT 10578 packets, 1243K bytes)
pkts bytes target prot opt in out source destination
4048 248K ACCEPT all -- tun0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
278 23352 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- eth0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.100 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.100 anywhere anywhere state RELATED,ESTABLISHED
2 168 ACCEPT all -- eth0.100 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.101 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.101 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0.103 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0.103 tun0 anywhere anywhere state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 18445 packets, 2282K bytes)
pkts bytes target prot opt in out source destination
3656 875K ACCEPT all -- any tun0 anywhere anywhere

Kernel Routes (route):

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.15.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0.101
172.16.101.0 * 255.255.255.0 U 0 0 0 eth0.201
172.16.100.0 * 255.255.255.0 U 0 0 0 eth0.100
172.16.103.0 * 255.255.255.0 U 0 0 0 eth0.200
172.16.102.0 * 255.255.255.0 U 0 0 0 eth0.202
192.168.200.0 * 255.255.255.0 U 0 0 0 eth0.102
208.###.###.### * 255.255.255.0 U 0 0 0 eth0
10.15.0.0 10.15.0.2 255.255.255.0 UG 0 0 0 tun0
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0.103
default 208.86.167.1 0.0.0.0 UG 0 0 0 eth0
 
Old 03-15-2010, 05:28 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Can you run tcpdump on destination computer?
What IP will it show?
 
Old 03-15-2010, 09:56 PM   #3
feloniousj
LQ Newbie
 
Registered: Nov 2008
Posts: 12

Original Poster
Rep: Reputation: 1
Well I have been having some trouble compiling. Solaris 10 build 5. I guess I should put some more effort into that. But It seems I just figured out it is definately a routing issue because I went ahead and added an aggregate vlan device on the offending vlan on the server directly and I still cannot ping it from the vpn either and it is directly attached to the extreme networks switch on the tagged vlan. I can access from the router but not the vpn. I don't understand why though as you can see above my routing for vlan 100 is the same as vlan 101 and I can access 100 from the vpn just fine.
 
Old 03-15-2010, 10:27 PM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
As I understand - VPN, act like router, remote gateway, and can easily change IP. When you do ping packets should go back by the same way. Can you telnet something through VPN on your server.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Layer 2 Switch - use linux as VLAN router to network towme Linux - Networking 11 09-16-2009 01:25 PM
VLAN Configuration with Avaya Switch scottgutman Linux - Networking 1 08-25-2009 03:05 PM
Setting up vLAN Switch kool_kid Linux - Networking 8 02-28-2008 03:37 PM
Linux Bridge Vlan Query switch SNMP christopherccv Linux - Networking 2 05-15-2006 11:12 PM
Port Forwarding w/2 Machines & 1 Switch TastyWheat Linux - Networking 0 02-27-2004 12:02 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration