As long as you control or know how tagged packets are handled on the WAN 
interface, using a VLAN (eth0.10) is the most straightforward method.  As a 
test, issue "arp-scan -lI eth0.10" to make sure the VLAN is isolated as you 
expect.

If a VLAN does not work for you, creating a dummy network device is possible 
with a /mnt/kd/rc.elocal script. For example:

Create /mnt/kd/rc.elocal ...
-- /mnt/kd/rc.elocal --
#!/bin/sh

. /etc/rc.conf

add_dummy_network_device()
{
  local DEVNAME="$1" DEV_IF="$2" DEV_IP="$3" DEV_NM="$4"

  ## Create a dummy network device DEVNAME
  if [ -n "$DEVNAME" ]; then
    modprobe dummy numdummies=0
    ip link add name $DEVNAME type dummy

    ## Bring up DEV_IF interface if there is a matching DEVNAME interface
    if [ "$DEVNAME" = "$DEV_IF" -a -n "$DEV_IP" -a -n "$DEV_NM" ]; then
      ip addr add $DEV_IP/$DEV_NM brd + dev $DEV_IF
      ip link set dev $DEV_IF up
    fi
  fi
}

## Add "ipsec" interface using "2nd LAN Interface" from Network tab
add_dummy_network_device ipsec "$INT2IF" "$INT2IP" "$INT2NM"
--

Set executable permissions ...
chmod 700 /mnt/kd/rc.elocal

Reboot; the "ipsec" interface will be created, but you then need to set "ipsec" 
to the "2nd LAN Interface" in the Network tab with appropriate IPv4 
configuration.  Reboot once again. Feel free to use any "LAN Interface" with 
the appropriate changes to the called add_dummy_network_device arguments in the 
script.  Feel free to change the "ipsec" interface name as well.

As such, the "ipsec" interface is connected to the firewall and forwarding is 
enabled.


BTW, creating a "loopback address" as the subject suggests will not work, as 
packets cannot be forwarded on a loopback interface.

Hope this helps.

Lonnie
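
An added example, not part of the message above or of AstLinux itself: a shell check that the address given to the dummy "ipsec" interface lies inside the leftsubnet value in ipsec.conf, which also rejects a malformed value such as the trailing-dot typo quoted later in this thread. The function names, the 192.168.2.1 address and the sample config text are assumptions constructed for illustration.

```shell
# Added example: verify the dummy "ipsec" interface address is inside
# leftsubnet. Sample config and the 192.168.2.1 address are constructed.

# ip_to_int A.B.C.D -> prints the address as an integer; returns 1 if malformed
ip_to_int()
{
  local ip="$1" o oldifs="$IFS"
  case "$ip" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_in_subnet IP CIDR -> 0 inside, 1 outside, 2 malformed IP or CIDR
addr_in_subnet()
{
  local cidr="$2" net len ipn netn mask
  case "$cidr" in */*) ;; *) return 2 ;; esac
  net="${cidr%/*}"; len="${cidr##*/}"
  case "$len" in ""|*[!0-9]*|0?*|???*) return 2 ;; esac   # rejects "24." too
  [ "$len" -le 32 ] || return 2
  ipn=$(ip_to_int "$1") || return 2
  netn=$(ip_to_int "$net") || return 2
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( netn & mask )) -eq "$netn" ] || return 2   # host bits set in the CIDR
  [ $(( ipn & mask )) -eq "$netn" ]
}

# get_subnet KEY -> first value of "KEY=" read from ipsec.conf text on stdin
get_subnet()
{
  sed -n "s/^[[:space:]]*$1=\([^[:space:]#]*\).*/\1/p" | head -n 1
}

# Constructed sample modelled on the config quoted in this thread.
SAMPLE_CONF='conn customer-home
  leftsubnet=192.168.2.0/24        # customer Astlinux LAN
  rightsubnet=192.168.1.0/24.      # trailing dot, as in the quoted typo'

left=$(printf '%s\n' "$SAMPLE_CONF" | get_subnet leftsubnet)
addr_in_subnet 192.168.2.1 "$left" \
  && echo "OK: 192.168.2.1 is inside leftsubnet $left" \
  || echo "CHECK: address outside leftsubnet or malformed value: $left"
```

On a live system, feed the real ipsec.conf to get_subnet and pass the IPv4 address configured for the "ipsec" interface in the Network tab.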



> On Oct 4, 2024, at 4:01 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
> wrote:
> 
> Thanks Lonnie. Yes I did think about doing that. I guess I can't see any 
> reason why it shouldn't work but I do feel a little uncomfortable that it's 
> sitting on the WAN interface which is on an Ethernet segment shared by all 
> the other systems.
> 
> Is there any way to create a Loopback interface?
> 
> Regards
> Michael Knill
> 
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Sent: Friday, 4 October 2024 10:21 AM
> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Creating a loopback address on Astlinux
> 
> You could make a LAN as a VLAN off the WAN (eth0) interface.
> 
> ie. eth0.10 as the LAN, define a private network, and do as Michael described.
> 
> Lonnie
> 
> 
> > On Oct 3, 2024, at 5:59 PM, Michael Knill 
> > <michael.kn...@ipcsolutions.com.au> wrote:
> > 
> > Thanks Michael but the Astlinux side in my case does not have a LAN, i.e. 
> > just a WAN interface
> > 
> > Regards
> > Michael Knill
> > 
> > From: Michael Keuter <li...@mksolutions.info>
> > Sent: Thursday, 3 October 2024 10:14 PM
> > To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
> > Subject: Re: [Astlinux-users] Creating a loopback address on Astlinux
> > 
> > Update
> > 
> > Michael
> > 
> > http://www.mksolutions.info
> > 
> > 
> > > On 03.10.2024 at 13:59, Michael Keuter <li...@mksolutions.info> wrote:
> > > 
> > > Hi Michael,
> > > 
> > > I have a customer that connects his company to his home (AVM Fritzbox 
> > > router). You don't need another interface.
> > > Here is the relevant part of the config (both sides have DynDNS):
> > > 
> > > ----
> > > ipsec.conf:
> > > 
> > > conn customer-home
> > > left=customername.dyndns.com     # local Astlinux DNS
> > > leftsubnet=192.168.2.0/24              # customer Astlinux LAN
> > > leftid=@customername.dyndns.com
> > > right=customer-home.dyndns.com # remote DNS
> > > rightid=@customer-home.dyndns.com
> > > rightsubnet=192.168.1.0/24.          # remote (home) LAN
> > 
> > rightsubnet=192.168.1.0/24
> > 
> > the dot at the end was a typo!
> > 
> > > --
> > > 
> > > ipsec.secrets - strongSwan IPsec secrets file
> > > 
> > > @customername.dyndns.com @customer-home.dyndns.com       : PSK "+xyz123"
> > > ----
> > > 
> > > https://doc.astlinux-project.org/userdoc:tt_ipsec_vpn_strongswan
> > > 
> > >> On 03.10.2024 at 05:27, Michael Knill 
> > >> <michael.kn...@ipcsolutions.com.au> wrote:
> > >> 
> > >> Hi Group
> > >> 
> > >> I have Strongswan working from a remote router (that doesn't support 
> > >> Wireguard or OpenVPN) and it seems to work well in the lab.
> > >> At the moment however I have set up a separate LAN interface allocated 
> > >> to 'leftsubnet' in ipsec.conf.
> > >> As I don't really want to add a separate VM interface, I would like to 
> > >> set up a loopback interface in Astlinux and not sure of the best way to 
> > >> do this.
> > >> 
> > >> Also wondering if the 'leftsubnet' could be the WAN IP Address which 
> > >> means I don't need another interface at all?
> > >> 
> > >> Thanks all.
> > >> Regards
> > >> Michael Knill
> > >> Managing Director
> > >> D: +61 2 6189 1360
> > >> P: +61 2 6140 4656
> > >> E: michael.kn...@ipcsolutions.com.au
> > >> W: ipcsolutions.com.au
> > >> Smarter Business Communications
> > > 
> > > 
> > > Michael
> > > 
> > > http://www.mksolutions.info
> > > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Astlinux-users mailing list
> > > Astlinux-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> > > 
> > > Donations to support AstLinux are graciously accepted via PayPal to 
> > > pay...@krisk.org.
> > 
> > 
> > 
> > 
> 
> 
> 
> 



