Discussion:
[Shorewall-users] A FAQ: Please explain how to define and use VLAN interfaces
Răzvan Sandu
2016-06-13 13:25:43 UTC
Hello,

Please explain (in a piece of documentation similar to
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html) how to
*correctly* define and use VLAN interfaces with shorewall.

This seems to be an entirely different situation than aliased
interfaces, because of their (desired) complete separation at the OSI 2
level.

Defining VLAN interfaces on Red Hat/Fedora distros is explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Configure_802_1Q_VLAN_Tagging_Using_the_Command_Line.html

However, in practice, simply creating virtual interfaces ethX.100 and
ethX.200, assigning IP addresses to them and putting them in different
firewall zones seems not to work. This is especially the case when one
of the VLANs is the default one (VLAN1, on ethX.1), because some
returning frames seem to be treated by the parent interface ethX
instead of ethX.1 (VLAN1), despite being tagged with VID1, not untagged.


Thanks a lot,
Răzvan
Tom Eastep
2016-06-13 18:31:59 UTC
Post by Răzvan Sandu
Hello,
Please explain (in a piece of documentation similar to
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html) how to
*correctly* define and use VLAN interfaces with shorewall.
This seems to be an entirely different situation than aliased
interfaces, because of their (desired) complete separation at the OSI 2
level.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Configure_802_1Q_VLAN_Tagging_Using_the_Command_Line.html
However, in practice, simply creating virtual interfaces ethX.100 and
ethX.200, assigning IP addresses to them and putting them in different
firewall zones seems not to work. This is especially the case when one
of the VLANs is the default one (VLAN1, on ethX.1), because some
returning frames seem to be treated by the parent interface ethX
instead of ethX.1 (VLAN1), despite being tagged with VID1, not untagged.
I have no direct experience with VLANs, so I am not a candidate to write
such an article. But your symptoms sound like a switch configuration issue.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Damiano Verzulli
2016-06-13 19:13:39 UTC
Post by Răzvan Sandu
Hello,
Please explain (in a piece of documentation similar to
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html) how to
*correctly* define and use VLAN interfaces with shorewall.
With VLANs properly configured, shorewall does **NOT** need any
particular configuration at all.
As for shorewall, a properly configured "VLAN-interface" is nothing more
than a "common"/"ordinary" physical interface.
Post by Răzvan Sandu
This seems to be an entirely different situation than aliased
interfaces, because of their (desired) complete separation at the OSI
2 level.
That's true. Despite the similar naming (e.g. eth0.2 vs. eth0:2) they are
_TOTALLY_ different.
Post by Răzvan Sandu
However, in practice, simply creating virtual interfaces ethX.100 and
ethX.200, assigning IP addresses to them and putting them in different
firewall zones seems not to work.
Are you sure this is a "shorewall" issue? I bet not.
Post by Răzvan Sandu
This is especially the case when one of the VLANs is the default one
(VLAN1, on ethX.1), because some returning frames seem to be treated
by the parent interface ethX instead of ethX.1 (VLAN1), despite being
tagged with VID1, not untagged.
Dealing with the "default VLAN" and, especially, TAGging the default VLAN is
definitely a _*NO*_*NO*_! Don't do it!

We're using plenty of VLANs (we have a shorewall firewall dealing with
more than 80 VLANs spanning more than 250 switches) and we have no issue.
_NEVER_ had an issue!

Anyway, as soon as you start TAGging VLAN 1 (on your switches, provided
that they give you such a possibility) and/or start "forcing" the Linux
networking layer to TAG VLAN 1, then... something strange starts happening.

So, again:

- please, check your VLAN configuration (Linux _AND_ switches) and
_AVOID_ TAGging VLAN 1. Best, _AVOID_ using the default VLAN at all;

- when everything works (externally to shorewall) then enter the
shorewall configuration, treating the VLAN-interfaces as "ordinary"
interfaces;

- if problems persist, please get back here, with more details about your
topology and problems.

Bye,
DV


--
Damiano Verzulli
e-mail: ***@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
Damiano Verzulli
2016-06-14 19:04:26 UTC
[...] I just want to be 100% sure that I define VLAN interfaces
correctly in shorewall [...]
Sorry, Răzvan, if I'm repeating myself... but the key point, here, is:

--as for shorewall, there's _NO_ "VLAN interface" concept--

From shorewall's point of view, what you're referring to as a "VLAN
interface" is.... a _NORMAL_ interface.

So this implies that, as for shorewall, there's _NO_NEED_ to specify
anything... as everything has already been described about "interfaces".
that's why I kindly ask the shorewall developers for a piece of
documentation addressing this
At best, IMHO, this could be addressed in the FAQ:

http://shorewall.net/FAQ.htm

probably adding a Q&A item like this:

----------------------------
Q: One of my physical interfaces is an 802.1q/VLAN trunk configured to
transport several VLANs. I need to bind each of these VLANs to a related
Shorewall ZONE. What are the key points that I need to be aware of?

A: From Shorewall's point of view, there's no VLAN concept. Once
VLAN-interfaces are properly configured within the underlying OS, they
can be referenced within the "interface" file as with any other normal,
non-VLAN interfaces.
There are several issues that could arise, under some particular
conditions (e.g. bridging different VLAN interfaces; relying on the
'untagged'/'native' VLAN of a 'trunk' interface; filtering based on MAC
address; etc.) but, in general, the key point is that a properly
configured and running VLAN interface looks to shorewall exactly like a
"normal" interface.
----------------------------

Obviously, it's only a proposal.

HTH.

Bye,
DV


--
Damiano Verzulli
e-mail: ***@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
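The two points made in this thread (create the 802.1Q sub-interfaces in the OS first, never tag VLAN 1, then list each sub-interface in Shorewall exactly like a physical NIC) can be captured in a small generator script. The script below is an added example, not code from the thread, from Shorewall or from the Red Hat guide; it assumes a trunk NIC called eth1, zone names of the form v<ID>, the `?FORMAT 2` layout of the Shorewall interfaces file, and that the output is reviewed before anything is copied into /etc/shorewall. It only prints the ip(8) commands and the Shorewall entries; it never changes the running system.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): print the
# ip(8) commands that create 802.1Q sub-interfaces on a trunk NIC, plus the
# matching Shorewall zones/interfaces entries. Assumptions: parent NIC
# "eth1", zone names "v<ID>", "?FORMAT 2" interfaces file. Nothing is
# executed; the commands are printed for review.

# Reject what the thread warns about: 0 and 4095 are reserved by 802.1Q,
# and VLAN 1 is the default/native VLAN whose tagged frames may be handled
# by the parent interface instead of ethX.1.
check_vlan_id() {
    vid=$1
    case "$vid" in
        ''|*[!0-9]*) return 1 ;;   # not a decimal number
    esac
    [ "$vid" -ge 2 ] && [ "$vid" -le 4094 ]
}

# ip(8) commands for one sub-interface (parent, VLAN ID).
vlan_link_cmds() {
    parent=$1; vid=$2
    printf 'ip link add link %s name %s.%s type vlan id %s\n' \
        "$parent" "$parent" "$vid" "$vid"
    printf 'ip link set dev %s.%s up\n' "$parent" "$vid"
}

# One ipv4 zone per VLAN (zone name "v<ID>", an assumption of this example).
zone_entry() {
    printf 'v%s\tipv4\n' "$1"
}

# Interfaces entry: the sub-interface is listed like any physical NIC,
# with ordinary options; there is nothing VLAN-specific here.
iface_entry() {
    parent=$1; vid=$2
    printf 'v%s\t%s.%s\ttcpflags,nosmurfs,routefilter\n' "$vid" "$parent" "$vid"
}

# Generate everything for a parent NIC and a list of VLAN IDs.
# Returns 1 if any ID was rejected (that ID is skipped, not emitted).
gen_vlan_config() {
    parent=$1; shift
    rc=0
    echo "# --- ip(8) commands (run as root, after review) ---"
    for vid in "$@"; do
        if check_vlan_id "$vid"; then
            vlan_link_cmds "$parent" "$vid"
        else
            echo "# skipping VLAN '$vid': reserved or default VLAN, do not tag it" >&2
            rc=1
        fi
    done
    echo "# --- /etc/shorewall/zones (append to the existing fw zone) ---"
    printf '#ZONE\tTYPE\n'
    for vid in "$@"; do
        if check_vlan_id "$vid"; then zone_entry "$vid"; fi
    done
    echo "# --- /etc/shorewall/interfaces ---"
    echo "?FORMAT 2"
    printf '#ZONE\tINTERFACE\tOPTIONS\n'
    for vid in "$@"; do
        if check_vlan_id "$vid"; then iface_entry "$parent" "$vid"; fi
    done
    return $rc
}

# Stand-alone use: sh vlan_shorewall.sh eth1 100 200
if [ "$#" -gt 0 ]; then
    gen_vlan_config "$@"
fi
```

Running `sh vlan_shorewall.sh eth1 100 200 1` prints the link commands and Shorewall lines for VLANs 100 and 200, warns on stderr about VLAN 1 and exits non-zero, which is a convenient place to catch the default-VLAN mistake before any switch or firewall configuration is touched.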