VLANs not working

Hi,

I have set up a NethServer firewall/gateway on a Dell PowerEdge T110 II.
It has 3 physical NICs, em1, p1p1 and p1p2, configured like this:
Physical interface em1: RED, 192.168.0.1/24
Physical p1p1: BLUE, 10.0.5.1/24, DHCP distributing 10.0.5.2 - 10.0.5.254, lan0
vlan p1p1:1: GREEN, 192.168.2.1/24, lan1
vlan p1p1:2: GREEN, 192.168.5.1/24, lan3
Physical p1p2: GREEN, 192.168.3.1/24, lan2

The firewall accepts everything from lan1 to lan2, and from lan2 to lan1.

All green are in trusted network.

All clients connected on the physical networks can connect to the internet (lan0, lan3).
All clients on a vlan can’t connect…

From a client on lan2, I can’t ping anything on lan1.
A client on lan1 can’t ping anything, not even the gateway :cold_sweat:

It seems the vlans don’t work? What’s wrong? Is something missing?

When setting up a vlan, i.e. p1p1:1:
IP: 192.168.2.1
Mask: 255.255.255.0
Gateway: 192.168.2.1 (is it correct? Or must it be the physical address?)

The purpose of a vlan is to have a separate dedicated network, even when “piggy backing” on a physical network. VLANs cannot see other networks without explicit direction. You will need to create static routes informing your vlans how to connect to the physical network and vice versa.


Thank you @islipfd19, for indicating the direction… for giving me the light :grinning:
But I still have one doubt:

How to properly do this?

  1. When creating the vlan:
    IP address: 192.168.2.0
    Netmask: 255.255.255.0
    Gateway: 10.0.5.1 (putting the physical address here)

Or

  1. Creating the vlan like I did, and
    in a static route:
    Network address: 192.168.2.1
    Network mask: 255.255.255.0
    Router address: 10.0.5.1 (putting the physical address here)

And finally… how to do the vice versa? :grin:

This link should help you.


The second way seems cleaner.

Thank you,

I will try next Monday.

I have created these static routes:
10.0.5.0/24 via 10.0.5.1
192.168.3.0/24 via 192.168.3.1
192.168.2.0/24 via 10.0.5.1
192.168.5.0/24 via 10.0.5.1

I have created a firewall object for each GREEN lan,
and created rules to accept any service from lan1 to lan2 and lan2 to lan1.

After a reboot,
I was able to ping from lan1 to lan2.
I was able to ping from lan2 to lan1.

Each station on lan1 was able to go to the internet (vlans are ok).

But a station on lan1 was unable to see a share on the server on lan2!?!?
Why? All services are accepted.
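The two candidate configurations from the earlier post (IP 192.168.2.0 with gateway 10.0.5.1, or a static route 192.168.2.1/255.255.255.0 via 10.0.5.1) and the four routes listed above can be sanity-checked against plain IP-routing rules before touching the box. The following is an added example in Python, not NethServer's code: it encodes the gateway's interface table from the first post and assumes nothing about how the web GUI interprets its fields, only that an interface address must be a host address inside its subnet, that a next hop must be a different host on a directly connected subnet, and that a directly connected prefix needs no static route at all.

```python
"""Sanity checks for a VLAN addressing and static-route plan (added example).

The interface table is the gateway from the first post. The checks are plain
IP-routing rules, independent of any particular firewall product. Each check
returns a list of short problem codes (an empty list means the entry looks sane).
"""
import ipaddress

# Constructed from the first post: the gateway's own interfaces (name -> CIDR)
INTERFACES = {
    "em1": "192.168.0.1/24",     # RED
    "p1p1": "10.0.5.1/24",       # BLUE, physical
    "p1p1:1": "192.168.2.1/24",  # GREEN, VLAN on p1p1
    "p1p1:2": "192.168.5.1/24",  # GREEN, VLAN on p1p1
    "p1p2": "192.168.3.1/24",    # GREEN, physical
}


def _own(interfaces):
    """Parse the interface table into IPv4Interface objects."""
    return [ipaddress.ip_interface(cidr) for cidr in interfaces.values()]


def check_interface(ip, mask, gateway=None):
    """Check one interface form entry: address, netmask and optional gateway."""
    codes = []
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    if net.prefixlen < 31:  # /31 and /32 have no separate network/broadcast address
        if iface.ip == net.network_address:
            codes.append("ip-is-network-address")
        elif iface.ip == net.broadcast_address:
            codes.append("ip-is-broadcast-address")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw == iface.ip:
            codes.append("gateway-is-own-address")  # a next hop must be another host
        elif gw not in net:
            codes.append("gateway-off-link")        # not reachable on this subnet
    return codes


def check_static_route(network, mask, router, interfaces=INTERFACES):
    """Check one static route entry: destination network, netmask and next hop."""
    codes = []
    try:
        dest = ipaddress.ip_network(f"{network}/{mask}")  # strict parse
    except ValueError:
        dest = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        codes.append("destination-has-host-bits")        # e.g. 192.168.2.1/24
    own = _own(interfaces)
    if any(dest == i.network for i in own):
        codes.append("destination-directly-connected")   # connected route already exists
    nh = ipaddress.ip_address(router)
    if any(nh == i.ip for i in own):
        codes.append("next-hop-is-own-address")          # cannot forward anywhere
    elif not any(nh in i.network for i in own):
        codes.append("next-hop-off-link")
    return codes


def review_plan():
    """Run the checks over the entries proposed in this thread."""
    routes = {
        "10.0.5.0/24 via 10.0.5.1": ("10.0.5.0", "255.255.255.0", "10.0.5.1"),
        "192.168.3.0/24 via 192.168.3.1": ("192.168.3.0", "255.255.255.0", "192.168.3.1"),
        "192.168.2.0/24 via 10.0.5.1": ("192.168.2.0", "255.255.255.0", "10.0.5.1"),
        "192.168.5.0/24 via 10.0.5.1": ("192.168.5.0", "255.255.255.0", "10.0.5.1"),
    }
    report = {
        # first post: the VLAN with its own address typed as gateway
        "vlan-as-configured": check_interface("192.168.2.1", "255.255.255.0", "192.168.2.1"),
        # option 1: network address as IP, physical address as gateway
        "vlan-with-physical-gateway": check_interface("192.168.2.0", "255.255.255.0", "10.0.5.1"),
        # option 2: a static route with a host address as destination
        "static-route-option": check_static_route("192.168.2.1", "255.255.255.0", "10.0.5.1"),
    }
    for label, args in routes.items():
        report[label] = check_static_route(*args)
    return report


if __name__ == "__main__":
    for label, codes in review_plan().items():
        print(f"{label:35} {', '.join(codes) or 'ok'}")
```

Running it flags every entry in the thread: the VLAN's own address is not a gateway, 192.168.2.0 is a network address rather than a host address, 10.0.5.1 is off-link for 192.168.2.0/24, and each of the four static routes points a directly connected prefix at the router's own address, so they add nothing the connected routes do not already provide. The checks say nothing about the firewall policy; they only tell you whether the addressing plan is self-consistent.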

I continue my workaround. I have a behaviour with vlans I can’t reproduce (or can hardly reproduce).

When installing NethServer on CentOS, and configuring wan, lan and vlan with the web GUI using the preceding configuration:
The server on the physical green lan can access the internet.
The station on the green vlan can access the internet, but can’t access the other green.

When installing CentOS, configuring wan, lan and vlan, and afterwards installing NethServer and configuring the firewall… the station on the vlan can access the server on the lan…

Partial conclusion: when configuring the vlan with NethServer, the vlan does not work as expected.

My problem is, when I configure the server at home, with my notebook as a station on a vlan and my Mac to simulate the server… it works.
When I take the server and reconfigure each interface for the real situation (only changing the lan and vlan ranges), it breaks the lan… It doesn’t work!!!

Partial conclusion: it looks like configuring (or reconfiguring) the lan in the web GUI breaks something.

Can someone who uses NethServer as a gateway with vlans give me more orientation?

My next plan is to try to make the blue lan a virtual lan and make the two lans physical lans, because actually I’m not sure whether it’s a lan (and lan) issue or a shorewall issue with the colour rules :neutral_face:

Can someone give me an orientation, an idea, to try to isolate the issue?

Just curious: why do you introduce VLANs when all clients need to be able to see each other? Is it because there are different locations?

The server is in a room separate from the hotel reception.
Worse, with telephony, we are not able to have one more cable; there is no place to run it.

For this reason, we must use one cable for two lans.

It would be really easier and more secure to separate the two lans… But it’s simply impossible at the moment.

Edit: typo corrections… The first answer was written from an iPhone :smirk:

Hello everyone,
I need your help in a matter regarding VLANs on NethServer. Picking up this topic, I have the same problem: my client machines can’t ping my virtual lans.

My question is, how can I set up VLANs so that my clients communicate only with their own VLAN and the internet?
For example:

Computer on classroom 51 can only communicate with VLAN51, the internet and other orange VLANs.
Is this possible?

Of course, computers on classroom 21, should only be able to communicate with VLAN21, internet and other orange interfaces.

The administrative interface should reach every VLAN/Interface.

My current setup is:

eth0 - RED - DHCP
eth1 - GREEN - 10.1.0.200
eth1.51 - GREEN - 10.1.51.200 (VLAN)
eth1.21 - GREEN - 10.1.21.200 (VLAN)
eth1.80 - ORANGE - 10.1.80.200 (VLAN)

But even if I have a computer in the same network as classroom 51, with the IP address 10.1.51.100, the PC can’t ping the IP address 10.1.51.200 and doesn’t get to the internet, and I don’t know what to do now.

Any advice?
Thanks in advance.
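The policy asked for above (each classroom VLAN talks only to itself, the internet and the ORANGE VLANs, while the administrative interface reaches everything) is easiest to reason about as a reachability matrix between interfaces. The following is an added example in Python, not NethServer's or Shorewall's code: it takes the interface table from the post, assumes a documentation-range address for the DHCP RED interface, assumes a simple zone-to-zone default table in the spirit of the colour model (GREEN may initiate anywhere, everything may reach RED, ORANGE may not initiate into GREEN), and evaluates a first-match rule list on top of it. It only models forwarded traffic between interfaces; a ping from 10.1.51.100 to 10.1.51.200 on the same VLAN never enters the forwarding path and so is outside the model.

```python
"""Model of inter-VLAN reachability through a zone-based firewall (added example).

Not NethServer's or Shorewall's code. Interfaces come from the post above;
the zone defaults, the RED address and the rule semantics are assumptions.
Decision order: first matching explicit rule, then the zone default, then DROP.
"""
import ipaddress

# Interfaces from the post: name -> (zone, router address). eth0 is on DHCP;
# a documentation-range address is assumed for it here.
IFACES = {
    "eth0":    ("RED",    "203.0.113.2/24"),
    "eth1":    ("GREEN",  "10.1.0.200/24"),    # administrative LAN
    "eth1.51": ("GREEN",  "10.1.51.200/24"),   # classroom 51
    "eth1.21": ("GREEN",  "10.1.21.200/24"),   # classroom 21
    "eth1.80": ("ORANGE", "10.1.80.200/24"),
}

# Assumed zone defaults; any pair not listed is DROP.
ZONE_DEFAULT = {
    ("GREEN", "GREEN"): "ACCEPT", ("GREEN", "ORANGE"): "ACCEPT", ("GREEN", "RED"): "ACCEPT",
    ("ORANGE", "ORANGE"): "ACCEPT", ("ORANGE", "RED"): "ACCEPT", ("ORANGE", "GREEN"): "DROP",
}


def egress_iface(ip, ifaces=IFACES):
    """Longest-prefix match against the connected networks; anything that
    matches no local network is 'the internet' and goes out the RED interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, (_zone, cidr) in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    if best is not None:
        return best[0]
    return next(name for name, (zone, _) in ifaces.items() if zone == "RED")


def decide(src_ip, dst_ip, rules=(), ifaces=IFACES):
    """Decision for a forwarded packet. A rule is (src, dst, action) where src
    and dst are an interface name, a zone name or 'any'; first match wins."""
    s_if, d_if = egress_iface(src_ip, ifaces), egress_iface(dst_ip, ifaces)
    s_zone, d_zone = ifaces[s_if][0], ifaces[d_if][0]

    def matches(sel, iface, zone):
        return sel in ("any", iface, zone)

    for s_sel, d_sel, action in rules:
        if matches(s_sel, s_if, s_zone) and matches(d_sel, d_if, d_zone):
            return action
    return ZONE_DEFAULT.get((s_zone, d_zone), "DROP")


# Rules expressing the requested policy: the admin LAN reaches everything; a
# classroom VLAN may not reach another classroom or the admin LAN, and keeps
# the GREEN defaults (internet, ORANGE) for everything else.
CLASSROOMS = ["eth1.51", "eth1.21"]
ISOLATION_RULES = (
    [("eth1", "any", "ACCEPT")]
    + [(a, b, "DROP") for a in CLASSROOMS for b in CLASSROOMS if a != b]
    + [(c, "eth1", "DROP") for c in CLASSROOMS]
)


def reachability(rules=(), ifaces=IFACES):
    """{(src, dst): action} using one constructed sample host (.100) per
    interface plus an internet host behind RED."""
    hosts = {name: str(ipaddress.ip_interface(cidr).network.network_address + 100)
             for name, (_z, cidr) in ifaces.items()}
    hosts["internet"] = "198.51.100.10"  # constructed, documentation range
    return {(s, d): decide(hosts[s], hosts[d], rules, ifaces)
            for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    for (s, d), action in sorted(reachability(ISOLATION_RULES).items()):
        print(f"{s:9} -> {d:9} {action}")
```

Evaluating the matrix with an empty rule list reproduces the layout as posted: every classroom is GREEN, so under the assumed default the classrooms reach each other and the admin LAN. With the explicit per-interface DROP rules the classrooms lose each other and the admin LAN but keep the internet and ORANGE, and the admin LAN still reaches everything. Whichever product enforces it, printing this matrix before and after a change is the check that the segmentation actually says what you intended.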

@Jim @islipfd19 @Hunv @dnutan can you help this guy out?

Can you list all of your firewall rules?

Hi James,

My current firewall rules are as follows:

There aren’t many, just for some specific services. And these are not even mandatory.

The picture I posted in my previous post was only of my test environment, because my “real” firewall will have many more VLANs:

For the time being we have many aliases, but each alias you see in this picture will be an individual VLAN.

“em1” and “p1p1” are two administrative interfaces.
“em4” is our DMZ for our website and Moodle.
“em3” is for wireless guests

and “em2” is connected to our classrooms.
I created VLAN 99 to do a few tests in our production environment.

I hope this information helps,
Thank you.

Try adding a rule for the segment to talk to the vlan IP in your example of your issue in the first post.
