On 11/25/2010 1:54 PM, Stephen Brown wrote:
Thanks Michael, I'll admit I'm quite a newbie with this, but I'm doing it to self-educate so I have an understanding of how this is expected to work.

To give you an idea of my goal as well as network topology, it consists of this:

Shorewall box with two network cards: eth0 is on a Comcast Business class modem with 5 public IPs. eth1 serves the local network and (hopefully at some point) vlan2, and maybe a 3rd VLAN in the future. eth1 is cabled to port 24 on a Netgear GS724T-300 gigabit switch, which to the best of my knowledge is set up as a trunk port.

You should not have both tagged and untagged traffic on the same port.

Set your eth1 i/f to have no address (ifcfg-eth1 on a CentOS/ES/Fedora box).

# less /etc/sys*/ne*s/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
HWADDR=00:19:B9:33:2F:18
ONBOOT=yes
HOTPLUG=no
TYPE=Ethernet
USERCTL=no
IPV6INIT=no

and your VLANs

# less /etc/sys*/ne*s/ifcfg-eth1.2

VLAN=yes
DEVICE=eth1.2
BOOTPROTO=static
TYPE=ethernet
ONBOOT=yes
IPADDR=10.1.16.1
NETMASK=255.255.255.0


ifconfig should show something like...

eth1      Link encap:Ethernet  HWaddr 00:19:B9:33:2F:18
          inet6 addr: fe80::219:b9ff:fe33:2f18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101331737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91661042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3499614384 (3.2 GiB)  TX bytes:2212290220 (2.0 GiB)
          Interrupt:169 Memory:dfaf0000-dfb00000

eth1.2    Link encap:Ethernet  HWaddr 00:19:B9:33:2F:18
          inet addr:10.1.16.1  Bcast:10.1.16.255  Mask:255.255.255.0
          inet6 addr: fe80::219:b9ff:fe33:2f18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23834555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18793985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4126991039 (3.8 GiB)  TX bytes:1402899934 (1.3 GiB)

eth1.3    Link encap:Ethernet  HWaddr 00:19:B9:33:2F:18
          inet addr:10.1.17.2  Bcast:10.1.17.255  Mask:255.255.255.0
          inet6 addr: fe80::219:b9ff:fe33:2f18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18962305 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23276939 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1201558859 (1.1 GiB)  TX bytes:87667030 (83.6 MiB)

Set up port 24 on your Netgear switch as a tagged VLAN port carrying VLANs 2 and 3.

Set up the other ports as untagged ports carrying whichever VLAN you want to show up on that particular port.

I'm not familiar with the Netgear switch, so it may differ in the details. The units we use have the IP address and management functions associated with a particular VLAN, so be careful you don't disable access to that.

Your martian attack is from eth1 or vlan2 seeing the mixed untagged and tagged traffic.

Hope this helps.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
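An added example, not from the post above or from the Shorewall project: a small checker that parses ifcfg-style files and verifies the layout the reply describes (an address-less parent eth1, eth1.N sub-interfaces with VLAN=yes and an address) and flags unrecognised keys such as the BOTPROTO typo. The KNOWN_KEYS set and the sample files are constructed for this example.

```python
import re

# Keys the ifup scripts honour for this layout; anything else is reported as a typo.
KNOWN_KEYS = {"DEVICE", "BOOTPROTO", "HWADDR", "ONBOOT", "HOTPLUG", "TYPE",
              "USERCTL", "IPV6INIT", "VLAN", "IPADDR", "NETMASK", "GATEWAY"}

def parse_ifcfg(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_vlan_layout(parent_text, vlan_texts):
    """Return the list of problems found; an empty list means the layout matches the recipe."""
    problems = []
    parent = parse_ifcfg(parent_text)
    pdev = parent.get("DEVICE", "?")
    problems += [f"{pdev}: unknown key {k} (typo?)" for k in parent if k not in KNOWN_KEYS]
    # The parent must be address-less: an addressed parent puts untagged traffic on
    # the same wire as the tagged VLANs, which is what produces the martian messages.
    if parent.get("IPADDR") or parent.get("BOOTPROTO", "none") != "none":
        problems.append(f"{pdev}: parent must carry no address (BOOTPROTO=none, no IPADDR)")
    for text in vlan_texts:
        cfg = parse_ifcfg(text)
        dev = cfg.get("DEVICE", "?")
        problems += [f"{dev}: unknown key {k} (typo?)" for k in cfg if k not in KNOWN_KEYS]
        if not re.fullmatch(rf"{re.escape(pdev)}\.\d+", dev):
            problems.append(f"{dev}: DEVICE must be {pdev}.<vlan id>")
        if cfg.get("VLAN") != "yes":
            problems.append(f"{dev}: VLAN=yes missing")
        if not (cfg.get("IPADDR") and cfg.get("NETMASK")):
            problems.append(f"{dev}: IPADDR/NETMASK missing")
    return problems

# Constructed samples modelled on the post: the parent as shown, and the VLAN
# file with the BOTPROTO typo exactly as it appeared there.
PARENT_OK = "DEVICE=eth1\nBOOTPROTO=none\nONBOOT=yes\nTYPE=Ethernet\n"
VLAN2_TYPO = ("VLAN=yes\nDEVICE=eth1.2\nBOTPROTO=static\nTYPE=ethernet\n"
              "ONBOOT=yes\nIPADDR=10.1.16.1\nNETMASK=255.255.255.0\n")
VLAN2_OK = VLAN2_TYPO.replace("BOTPROTO", "BOOTPROTO")
PARENT_ADDRESSED = PARENT_OK.replace("BOOTPROTO=none", "BOOTPROTO=static\nIPADDR=10.1.16.1")

if __name__ == "__main__":
    for problem in check_vlan_layout(PARENT_ADDRESSED, [VLAN2_TYPO]):
        print(problem)
```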
