
I have been trying to run my router/firewall as a VM on my VMware host for a while now, but I hit the following wall: I want to plug my modem into my switch so as to enable my router to vMotion across my hosts and still work. The idea is as follows:

Physical: Internet -> Modem -> Managed switch (Dell 6248) -> Rest of the network (computers, and servers)

Logical: Internet -> Modem -> VLAN 2 (WAN) -> UTM VM -> VLAN 3 (LAN) -> Rest of the network (Computers and servers)

But no matter what I do or what I try, I can't get any device plugged into my Dell switch to communicate with the internet. I tried various combinations:

  • Laptop plugged into modem (works)
  • Laptop plugged into dumb switch, modem plugged into same (works)
  • Laptop plugged into simple DLink router, modem plugged into same (works)
  • Laptop plugged into Dell switch, modem plugged into same, in same VLAN (does not work)

I ran Wireshark on my connection and noticed the following: my laptop performs the DHCP exchange correctly and obtains an IP from my ISP. But when it tries to do an ARP request for the ISP gateway's MAC, it never gets an answer.

Ex: Who has 27.161.25.1, tell 27.161.25.106 (Not my actual ip)

It does that over and over again, never getting an answer. My main suspect would be the Dell switch, but I don't know what to do. I toyed around with several settings, and nothing helped. Thank you.

Edit: Here are some screencaps of my switch's configuration.

VLAN membership for VLAN 2: [screenshot: VLAN membership]

VLAN port configuration for ports 1 and 2 (they're identical as of writing these lines): [screenshot: port 1 and 2 config]

Ports 47 and 48 are a LAG that acts as a trunk for VLANs 2 and 3 and goes to the hypervisor.

Chapeau
  • Is your modem actually only a modem, or a router with a running DHCP server? Are you sure the IP your laptop receives comes from the ISP's DHCP and not from the virtual router? When you write "gateway", do you mean the modem or the next router on the ISP's side? Because ARP doesn't apply on the internet, it only applies to local networks. – Broco Sep 19 '16 at 16:56
  • Damn, couldn't edit; I understood your question wrong. I think your main problem is your VLAN configuration. Your modem can't speak VLAN, remember that. You have to tag/untag the VLAN tags correctly. Also, why do you want to use a VLAN? WAN and LAN are 2 different networks already, so why would you use a VLAN on top of that? I can understand if you want to split your local network into 2 or more VLANs, but the WAN? – Broco Sep 19 '16 at 17:03

1 Answer

Ah damn it, I'll post it as an answer now:

I screwed up understanding your question. I get it now: you want to prevent other devices from speaking with the WAN before the routing/firewalling is done.

Remember that VLAN tags are not understood by network devices that don't speak VLAN. You can define tagging/untagging rules per port on your switch (most can be configured via a web interface or a COM/USB port), and the port connected to your modem should always remove VLAN tags (untag).

Let's say you have plugged your modem into port 1 on the Dell switch; you have to configure it so that port 1 is in VLAN 2 but marked UNTAG for it. The switch then dynamically adds VLAN tags to the packets as they enter port 1 but removes them when they leave the port, so your modem understands them.

Let's assume the computer with your router VM running on it is plugged into port 2; you have to configure this port to be in VLANs 2 and 3 but NOT untagged, and configure your router for VLANs 2 and 3 (including routing, DHCP, NAT, etc.). Remember that your router must understand VLAN tags to do so; you have to configure a VLAN interface for each VLAN.

If you want all other ports to be in VLAN 3, you basically have to do the same as you did for the modem port: set all the physical ports to be members of VLAN 3 but apply UNTAG to them.

Basically, all physical connections between devices that speak VLAN have to keep the VLAN tag; all others have to be marked untagged but assigned to the VLAN they should be in.

Broco
  • I will check it out as soon as I can. I'll keep you informed. So if I get you correctly, I need to make sure that my switch untags packets as they exit to the modem, otherwise it could not understand the added layer and would malfunction? – Chapeau Sep 19 '16 at 19:38
  • I added some details about the switch's configuration to the main post. It was already configured as such, with port 1 operating in untagged mode (same thing for port 2, with which I did my tests by plugging in my laptop). – Chapeau Sep 19 '16 at 21:43
  • Yes, the modem port has to be untagged, and also the laptop port, unless your laptop speaks VLAN. If your laptop speaks VLAN, you have to configure a VLAN interface with the same VLAN ID on your laptop. – Broco Sep 20 '16 at 08:53
  • The laptop and modem ports are untagged, but to no avail. No reply from... whatever is supposed to reply to my ARP request. Ports 1 and 2 are in Access mode, untagged, assigned to VLAN 2 (WAN). Modem and laptop are plugged into the same one, and I still can't get a reply to the damned ARP request. – Chapeau Sep 20 '16 at 14:45
  • Well, it's definitely the switch configuration which causes this. As you said, it works with a dumb switch, and given your configuration it should work. Did you set the correct PVID for both ports? Also try General mode with untagged. – Broco Sep 20 '16 at 14:54
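The tagging rules described in the answer (access ports untag on egress and classify untagged ingress by PVID, trunk ports keep the tag) and the PVID check from the last comment can be made concrete with a small model of 802.1Q forwarding. This is an added example, not the poster's switch configuration or any Dell software: the port names, MACs, IPs and the single-frame "switch" are constructed for illustration, and the ARP frame is built by hand so the bytes a VLAN-unaware modem actually receives can be inspected.

```python
"""Model of 802.1Q tagging on a managed switch: untagged (access) vs tagged (trunk) ports.

Added example, not the original thread's configuration. Port names, MACs and IPs are made up.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806


def build_arp_request(src_mac: bytes, src_ip: bytes, target_ip: bytes) -> bytes:
    """Untagged Ethernet frame carrying 'who has target_ip, tell src_ip' (constructed sample)."""
    header = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, op=1 (request), target MAC unknown
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + src_ip + b"\x00" * 6 + target_ip
    return header + arp


def ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def tagged_vid(frame: bytes):
    """VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if ethertype(frame) != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID 0x8100 + TCI) after the source MAC."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present (what 'untagged' egress does)."""
    if ethertype(frame) != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


def vlan_unaware_sees_arp(frame: bytes) -> bool:
    """A modem or laptop without VLAN support only recognises ARP if 0x0806 sits at offset 12."""
    return ethertype(frame) == ETHERTYPE_ARP


class Port:
    """pvid: VLAN assigned to untagged ingress frames; untagged/tagged: egress membership."""

    def __init__(self, name, pvid, untagged=(), tagged=()):
        self.name, self.pvid = name, pvid
        self.untagged, self.tagged = set(untagged), set(tagged)

    def members(self):
        return self.untagged | self.tagged


def access_port(name, vid):
    return Port(name, pvid=vid, untagged={vid})


def trunk_port(name, vids, pvid=1):
    return Port(name, pvid=pvid, tagged=set(vids))


def forward(in_port: Port, frame: bytes, out_port: Port):
    """Switch one frame from in_port to out_port; None means the switch drops it."""
    vid = tagged_vid(frame)
    if vid is None:                      # untagged ingress: classify by PVID
        vid = in_port.pvid
    if vid not in in_port.members():     # wrong PVID or non-member VLAN: dropped at ingress
        return None
    payload = strip_tag(frame)
    if vid in out_port.untagged:         # untagged egress: tag removed
        return payload
    if vid in out_port.tagged:           # tagged (trunk) egress: tag kept/added
        return add_tag(payload, vid)
    return None                          # out_port is not a member of this VLAN


# Constructed topology mirroring the thread: port 1 modem, port 2 laptop, LAG to hypervisor.
MODEM_PORT = access_port("1/g1", 2)
LAPTOP_PORT = access_port("1/g2", 2)
LAG_TO_HYPERVISOR = trunk_port("po1", {2, 3})
LAN_PORT = access_port("1/g3", 3)

LAPTOP_MAC = bytes.fromhex("020000000002")  # made-up locally administered MAC
ARP_FROM_LAPTOP = build_arp_request(LAPTOP_MAC, bytes([27, 161, 25, 106]), bytes([27, 161, 25, 1]))


def demo():
    to_modem = forward(LAPTOP_PORT, ARP_FROM_LAPTOP, MODEM_PORT)
    to_hv = forward(LAPTOP_PORT, ARP_FROM_LAPTOP, LAG_TO_HYPERVISOR)
    to_lan = forward(LAPTOP_PORT, ARP_FROM_LAPTOP, LAN_PORT)
    # Misconfiguration from the last comment: port is a VLAN 2 member but its PVID is still 1.
    bad_modem = Port("1/g1", pvid=1, untagged={2})
    from_bad_modem = forward(bad_modem, ARP_FROM_LAPTOP, LAPTOP_PORT)
    return {
        "modem_sees_arp": vlan_unaware_sees_arp(to_modem),
        "hypervisor_vid": tagged_vid(to_hv),
        "hypervisor_unaware_sees_arp": vlan_unaware_sees_arp(to_hv),
        "lan_port_gets_frame": to_lan is not None,
        "bad_pvid_ingress_dropped": from_bad_modem is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows the two failure modes the thread circles around: a frame leaving a tagged port carries EtherType 0x8100, so a VLAN-unaware modem never parses it as ARP, and an untagged frame arriving on a port whose PVID is not one of its member VLANs is dropped at ingress, so the gateway's ARP reply never reaches the laptop even though both ports look "untagged" in the membership table.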