Old 08-25-2014, 10:32 AM   #1
gmjs
LQ Newbie
 
Registered: Feb 2010
Location: UK
Distribution: Debian, CentOS, ArchLinux
Posts: 18

Rep: Reputation: 0
Why would a client on a VLAN be able to reach the gateway of another VLAN?


Hello,

In order to learn more about VLANs in Linux, I'm trying to configure a Debian 7 server as a router/DHCP server. The server has two network cards, one connected to the Internet (via two NAT routers, not shown) and the other to a VLAN-capable L2 switch:

Code:
 (      )                        [   Debian 7   ]
( INTERNET ) --------------eth0--[  Router and  ]--eth1------------------[L2 8021q Switch]
  (     )          192.168.1.10  [  DHCP Server ]  (eth1.2) 10.0.2.1/24     |         |
                                                   (eth1.3) 10.0.3.1/24     |         |
                                                   (eth1.4) 10.0.4.1/24     |         |
                                                                            |         |
                                                                         <vlan2>   <vlan3>
                                                                            |         |
                                                                            |         |
                                                                      [client-a]  [client-b]
The DHCP server is working--client-a gets an address in VLAN2 and client-b gets an address in VLAN3. The gateway for the client is the address of the appropriate virtual lan interface (10.0.2.1 and 10.0.3.1). Subnet masks are all "255.255.255.0".

My next job was going to be configuring the routing between VLANs, but it turns out that some routing is already happening.

Both client-a and client-b can reach all the virtual lan interfaces eth1.2, eth1.3 and eth1.4. They can also reach eth0 (192.168.1.10).

My problem is that I don't know why. I wanted to have to configure inter-vlan routing, but it appears to be happening already. If I enable forwarding from eth0 to eth1, all vlan2 clients can communicate with all vlan3 clients.

This is what I want eventually, but I don't know why it's happening without additional configuration.


I'd like the VLANs to be segregated initially, as I thought would be achieved by creating them in the first place. Can anyone help me by suggesting why this is happening?

Many thanks.

Last edited by gmjs; 08-25-2014 at 11:06 AM.
 
Old 08-25-2014, 11:38 AM   #2
netnix99
Member
 
Registered: Jun 2011
Distribution: redhat, CentOS, OpenBSD
Posts: 298

Rep: Reputation: 99
gmjs,

The reason that your inter-vlan routing is happening is that all vlans are originating in the same device (your router), and IP FORWARDING is turned on. Your router is designed to move traffic between networks. When a packet comes into the router on eth1.2 destined for eth1.3, the router already knows BOTH networks, so it automatically knows where the traffic needs to go. Now, if you were to stop ip-forwarding on your Linux machine (router), the movement of traffic between vlans would stop. This is the same principle if you were creating this setup on a layer 3 switch. You can create the vlans, but until you turn on IP ROUTING, the switch will not route traffic. The problem you will find, however, is that if you turn off IP FORWARDING on your Linux box, you will also lose access to the internet from everything except the Debian 7 box itself, at the same time.

Make sense??

HTH....

Last edited by netnix99; 08-25-2014 at 11:39 AM.
 
Old 08-25-2014, 11:56 AM   #3
gmjs
LQ Newbie
 
Registered: Feb 2010
Location: UK
Distribution: Debian, CentOS, ArchLinux
Posts: 18

Original Poster
Rep: Reputation: 0
Hi netnix99,

Thanks for your answer. If IP forwarding was turned on, I'd be very happy with what's happening! As far as I can tell however, it isn't:

Code:
root@router:~# cat /proc/sys/net/ipv4/ip_forward
0
Is there another way to enable IP forwarding that I don't know about? (It's a clean install of Debian 7, save for the vlan and isc-dhcp-server packages I added after installation.)

I expected that enabling IP forwarding would result in what's already happening (routing from one "card" to another from the client's point of view). I was then planning on creating static routes (or some fancier routing with Quagga perhaps) to make the entire subnet available.

What is happening is probably correct, but it's not what I expected (and I'm interested as this is more of a learning exercise for me than a practical problem that I need to solve).

I've got a couple of crossover cables, so I think I'll try without VLANs (and the switch) to see if a client connected to one card can reach the other card on a different subnet without forwarding enabled.
 
Old 08-25-2014, 12:18 PM   #4
netnix99
Member
 
Registered: Jun 2011
Distribution: redhat, CentOS, OpenBSD
Posts: 298

Rep: Reputation: 99
I cannot answer the question of why it's working with ip forwarding NOT being enabled. It shouldn't. What is the output when you run the
Code:
route
command on your Linux box? Also, do you have any forwarding rules set up in IPTABLES already?
 
1 members found this post helpful.
Old 08-25-2014, 12:36 PM   #5
gmjs
LQ Newbie
 
Registered: Feb 2010
Location: UK
Distribution: Debian, CentOS, ArchLinux
Posts: 18

Original Poster
Rep: Reputation: 0
I've just been playing around without VLANs, but I can get the output from 'route' when I've put it back.

iptables currently has no rules (just ACCEPT default policy).


I configured the NICs as follows:

eth0 10.0.0.1/24 (on-board Intel 10/100 VE PRO)
eth1 10.0.1.1/24 (StarTech 10/100/1000 Realtek)

Then I configured the DHCP server with two subnets:

#eth0
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.50 10.0.0.250;
}

#eth1
subnet 10.0.1.0 netmask 255.255.255.0 {
range 10.0.1.50 10.0.1.250;
}


I then connected a laptop into eth1 (with a crossover cable):

A. It got its address of 10.0.1.50.
B. I pinged 10.0.1.1 and got a reply.
C. I pinged 10.0.0.1 and it could NOT be reached. Good!


But then I connected it to eth0:

A. It got its address of 10.0.0.50.
B. I pinged 10.0.0.1 and got a reply.
C. I pinged 10.0.1.1 ... and GOT A REPLY!


eth0 is an old on-board Intel network port (c.2004) and I'm wondering if either it or the Linux driver supporting it (e100) is ignoring the subnet mask.

I'll try the same with class C addresses and see what happens.


Thanks for your help.
 
Old 08-25-2014, 12:53 PM   #6
gmjs
LQ Newbie
 
Registered: Feb 2010
Location: UK
Distribution: Debian, CentOS, ArchLinux
Posts: 18

Original Poster
Rep: Reputation: 0
With the following addresses:

eth0 192.168.0.1
eth1 192.168.1.1

clients connected to either get a response from the 'other' network card. (I must have done something wrong with the 10.0.0.1 and 10.0.1.1 addresses for the fault earlier).


This must be what's supposed to happen. Because the network cards are in the same device and, therefore, all networks can be reached from the router automatically, it must allow clients connected to any subnet to send and receive traffic from the IP of another card automatically.

I'm just surprised, but it's exactly why I wanted to try this out.


If anyone knows anything different, please let me know!
 
Old 08-25-2014, 01:15 PM   #7
netnix99
Member
 
Registered: Jun 2011
Distribution: redhat, CentOS, OpenBSD
Posts: 298

Rep: Reputation: 99
You should test one last time with this configuration:

eth0 - 192.168.0.1/24
eth1 - 10.0.0.1/24

I'm sure it will end up the same way, but it completely separates the two networks.
 
Old 08-25-2014, 01:33 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by gmjs View Post
If IP forwarding was turned on, I'd be very happy with what's happening! As far as I can tell however, it isn't:

Code:
root@router:~# cat /proc/sys/net/ipv4/ip_forward
0
You don't have to enable routing to be able to reach other interfaces on the same host. After all, the host/router doesn't have to route the packet in order to reach itself.

All routers and OSes work like that.
 
1 members found this post helpful.
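To make Ser Olmy's point concrete, here is an added example (not code from the thread or from Debian) that models the Linux routing decision for the OP's router: a destination is first checked against every address the host owns, on any interface, and only a non-local destination is subject to ip_forward. Interface names and addresses are taken from the diagram in post #1; the model only knows the directly connected subnets, not the default route towards the Internet.

```python
"""Toy model of the Linux routing decision discussed in the thread.

Constructed example: local delivery is decided before forwarding, so a
client in VLAN2 can reach 10.0.3.1 (the VLAN3 gateway address) even with
/proc/sys/net/ipv4/ip_forward set to 0, but cannot reach a VLAN3 client.
"""
import ipaddress

# The Debian router's interfaces, as drawn in the OP's diagram.
ROUTER_IFACES = {
    "eth0":   "192.168.1.10/24",
    "eth1.2": "10.0.2.1/24",
    "eth1.3": "10.0.3.1/24",
    "eth1.4": "10.0.4.1/24",
}


def routing_decision(dst, ip_forward, config=ROUTER_IFACES):
    """Return ('local', iface), ('forward', iface) or ('drop', None).

    dst: destination IPv4 address as a string.
    ip_forward: value of /proc/sys/net/ipv4/ip_forward (0 or 1).
    """
    dst = ipaddress.ip_address(dst)
    ifaces = {n: ipaddress.ip_interface(c) for n, c in config.items()}

    # 1. Local delivery: an address owned by the host is answered no matter
    #    which interface the packet arrived on (the "weak host" behaviour
    #    Ser Olmy describes). No forwarding is involved, so ip_forward is
    #    not consulted. The reply simply follows the route table back.
    for name, iface in ifaces.items():
        if dst == iface.ip:
            return ("local", name)

    # 2. Not one of our addresses: transit is only allowed when forwarding
    #    is enabled. This is what keeps client-a and client-b apart.
    if not ip_forward:
        return ("drop", None)

    # 3. Longest-prefix match over the directly connected subnets.
    matches = [(i.network.prefixlen, n) for n, i in ifaces.items()
               if dst in i.network]
    if not matches:
        return ("drop", None)   # no route (the model has no default route)
    return ("forward", max(matches)[1])


def reachable_from_client(dst, ip_forward):
    """True when a client's packet to dst would get any response at all."""
    return routing_decision(dst, ip_forward)[0] != "drop"
```

The model reproduces the thread's observations: with forwarding off, every router address (10.0.2.1, 10.0.3.1, 10.0.4.1, 192.168.1.10) answers from any VLAN, while client-to-client traffic across VLANs is dropped until ip_forward is 1.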
Old 08-25-2014, 01:49 PM   #9
gmjs
LQ Newbie
 
Registered: Feb 2010
Location: UK
Distribution: Debian, CentOS, ArchLinux
Posts: 18

Original Poster
Rep: Reputation: 0
Thanks for the confirmation Ser Olmy. It sounds as though the situation I'm describing would apply only if I were connecting two routers together (something which I will be trying next).


Thanks Ser Olmy and netnix99 for taking the time to help me.
 