I am a Noob begging for help. My current setup is as follows; I have a server running Nethserver 7.3 acting as Firewall, DHCP, DNS and Net Filtering. I have many users and 1 SQL Database Server all connected to a Cisco Small Business Managed Switch.
I have decided to do port based VLANs on the switch to separate each end user as a form of security, and have it set so that each switch port belong to a different VLAN and can only see themselves and the port for the Nethserver Machine port.
Now my issue is that each user must also communicate with the database on the SQL Server but i would prefer not to have them communicate directly to the server (by adding them to the Server VLAN), but would prefer to have all traffic routed through the Nethserver machine on which I will set up firewall rules to allow only specific network ports for each user.
Is this even possible, I have been researching on the internet for over a week now and i cannot get it to work, getting really frustrated and almost giving up on the port based VLAN dream.
Thanks, i am using Nethserver as gateway. I have already set up the switch and have them only able to see the gateway. But no matter what i do the devices cannot see each other, i have allowed all on the firewall but still no luck.
I am relatively new to VLANs, and only got this far with a lot of googling and days of trial-and-error. Would i need to do something on Nethserver to allow traffic to pass. Since both machines can see the gateway and browse the internet i assume that they are configured properly, i think i am mixing up the tagged vs untagged settings, really not sure, or maybe i need to do something special on nethserver so that the packets get forwarded correctly.
Not sure if this is really to do with Nethserver Community but i have received good help here before, and hopefully someone has already accomplished what i am trying to do now.
I do think you will prefer a “Router on a stick” setup instead of using a single interface for each VLAN (which is also quite expensive if you have more than 4 VLANs). So, let’s assume the following:
You have interface eth0 from NS to the switch port 1;
VLAN 1 will be the “Management” VLAN (e.g. 192.168.1.x/24);
NS would be your gateway for any VLANs on .254 address (e.g. 192.168.1.254);
We will use class C networks for the VLANs with the third octet being the VLAN ID (e.g. 192.168.40.x/24 for the VLAN 40);
On port 2 of the switch you have the connection to the DB, VLAN 20, its IP address would be 192.168.20.1;
From port 3 to port 8 you have the clients, each one in a single VLAN (port 3 -> VLAN 30).
So the configuration on the switch with 802.11q (and not port based VLAN) is the following:
Give to the switch a management IP address on vlan interface 1 (e.g. 192.168.1.1);
Port 1: mode trunk, native vlan 1, all other VLAN will be passed as tagged;
Port 2 to 8 will be each assigned in access mode (untagged) to each VLAN (port 2 to VLAN ID 20, port 3 to VLAN ID 30 etc.).
On NS side:
Interface eth0 would be configured as role red, IP address 192.168.1.254 mask 255.255.255.0;
Add a virtual interface with VLAN support for each VLAN you defined on the switch (excepted the 1, of course), using each VLAN ID;
Configure each eth0.<vlanid> interface with address 192.168.<vlanid>.254, netmask 255.255.255.0 (but you may also use a /30 network, since one client for one VLAN) with role red (or blue). DO NOT indicate the default gateway address for these interfaces;
Optionally, configure DHCP on each VLAN so your clients would receive an IP address automatically;
Optionally, configure a DNS entry for the DB server (to simplify access by using DNS names);
Insert a NAT rule for the DB: origin port 3306, destination port 3306, create a host for the DB Server, Allow only from: 192.168.0.0/16 (summarizing each VLAN).
Aaaand you should be done. It should be more or less half an hour of configuration.
This will impose that the IP address of the DB server will be the gateway itself.
On second tought and if you want a pure routing environment (better), you may do something better creating instead a firewall rule, permitting 192.168.0.0/16 CIDR network to the DB Server on port 3306.
I still could not get it to work, really frustrating, went over your instructions about 10 times and still could not get it to work. For some reason I can only ping between the NS machine and the DB Server if i use static ip but for the initial NS gateway DB=192.168.1.25 (not the ones with VLAN IDs i.e. 192.168.20.25). Which i think means they are all on the native VLAN.
Thanks again for responding and for your patience.
Yes, I do think this is a VLAN interface assignment issue. Try defining all the DHCP pools you need for each virtual interface (also one for the Management VLAN, ID 1) so you can simply check which VLAN the client sees (third octet of IP address = untagged VLAN on the switch port).
It all depends on the switch configuration, at this point. I don’t know the Cisco switch you are using, but it sounds strange to me (usually Cisco does not speak of “tagged” and “untagged”, they do speak of access vs trunk mode of a port, at least on enterprise switch). I do suspect you leaved the VLAN ID 1 as native everywhere (it is really native only on port 1, else VLAN 1 has not to be forwarded from the other switch ports).
Unfortunately I believe I cannot help you anymore without seeing the interface on which you assign the VLAN to the ports on the switch.
Sorry for being a real bother but i am still stuck, I can’t get the VLAN to function any at all between Nethserver and My Switch / Device.
I am using Nethserver 7, with my VLAN on br0 set to 25 (br0.25).
If i connect machine to port on switch with DHCP enabled i get an IP from the PVID 1 dhcp server and not 25, and if i disable dhcp on primary network i do not get any ip at all. Even if i set static ip of 10.0.5.25 i cannot ping the server nor can i pring the machine from the server. Please see screenshots for my configs of my Switch (Cisco Small Business SG200) and Nethserver.
I am using port 1 as management for switch and Port 2 for connection between switch and Nethserver, i currently have the server plugged into port 13, have also tried most of the other ports.
Thanks David, i tried setting the client ports to Access mode and still no go. The thing is that any device that i connect to ports in the 25 vlan can communicate with each other successfully, its just the communication to the Nethserver in VLAN 25 that does not work.
I forgot to mention that this Nethserver is running as a Virtual Machine (VMWare Workstation 12) which is beginning to lead me to believe that this has something to do with it. Is there any special configuration that i need to do with the LAN in VMware so that it works with VLANS or should it work out of the box?
VLAN25 uses an interface. Logical or phisical (by NethServer perspective). In which zone is located this interface? Is IP address in the same subnet of the devices?
Firewall allow the connection of services to this interface?
I never used vlans with vmware workstation but i think the machine hosting the vm also needs to have a vlan capable nic with the right driver in that case
You could try to portmirror the switch port your NS is on and see if any traffic is being received on vlan 25 with wireshark perhaps to confirm that
