Firewalls and Vlans for a linux router

I'm currently running a DIY Ubuntu 18.04 router that's set up for a specific local ISP. They use a separate port from the ONT for IPTV, connected to a dumb switch. It's literally an x86 box with 4 Intel I211 ethernet controllers running Ubuntu 18.04, firewalld (UFW is unsuitable for use as a router), /etc/network/interfaces (netplan had a bug that made it unfit for purpose) and dnsmasq for DHCP and DNS.

I'm switching ISPs, and my new ISP appears to use vlans to separate out traffic, with vlan10 for regular traffic and vlan20 for IPTV. Some folks suggest throwing a smart switch in front of the router, but I do actually have spare ports, and this seems neater. I've found an example of the settings for a "normal" router, which indicates which vlans and priority are used and that tagging is needed, and this seems consistent with settings I found elsewhere.

Essentially this is what I want

+-----------------------------------------+
|                                         |
|      WAN     LAN      LAN     VLAN20    |
|      +-----+ +-----+ +-----+ +-----+    |
|      |     | |     | |     | |     |    |
|      |     | |     | |     | |     |    |
|      +-----+ +-----+ +-----+ +-----+    |
|                                         |
|                                         |
+-----------------------------------------+

Currently (you can find a detailed writeup of my setup here):

I have my interfaces set up with enp1s0 as my primary port on its own, and the other interfaces bridged.

I'm then using firewalld to do port masquerading - the rules are basically iptables rules.

I figure I could pull one or more ports from the bridge then set it up on the new vlan.

How do I set up vlan 20 for a specific port, and do I need to explicitly set vlan 10 for the rest?

Journeyman Geek

Posted 2019-05-01T03:00:53.113

Reputation: 119 122

Answers

3

This answer will be assuming you're using ifupdown and /etc/network/interfaces, where it's thankfully fairly easy to set up VLAN interfaces. Taking the interfaces from the linked blog post as a starting point:

# primary interface, to internet
auto enp1s0
iface enp1s0 inet dhcp

# 3x secondary interfaces and wifi. On bridge
auto br0
iface br0 inet static
    address 192.168.2.1
    netmask 24
    bridge_ports enp2s0 enp3s0 enp4s0 wlp5s0

We end up with this instead:

# raw primary interface to allow auto to work on vlans
auto enp1s0
iface enp1s0 inet manual

# primary interface, to internet
auto enp1s0.10
iface enp1s0.10 inet dhcp

# iptv bridge
auto br1
iface br1 inet manual
    bridge_ports enp1s0.20 enp4s0
    bridge_maxwait 0

# 2x secondary interfaces and wifi. On bridge 
auto br0
iface br0 inet static
    address 192.168.2.1
    netmask 24
    bridge_ports enp2s0 enp3s0 wlp5s0

You may need to install a vlan package.

The 8021q kernel module also needs to be enabled, though I believe it is by default on modern systems.

This leaves you with enp1s0.10 as your "internet" interface, br0 as your "everything else" bridge and br1 as your IPTV bridge. You can now route/NAT/whatever between enp1s0.10 and br0 just as you did before.


How does this work? Let's start with how you can define vlan interfaces in /etc/network/interfaces. There are two ways:

  • You can name the interface vlan#, where # is the VLAN ID. You will then need to specify a vlan-raw-device. The VLAN ID is inferred from the interface name.
  • Alternatively, you can name the interface ethA.#, where ethA is the raw interface and # is the VLAN ID. The raw device and VLAN ID are inferred from the interface name.

For brevity, I use the latter approach.


Let's break it down into sections.

First, the raw interface is marked as auto with no configuration. This is done because Linux will detect hotplug on the raw interface, and when it's brought up, the VLANs on it will be brought up too. But VLANs alone, without the raw interface defined, apparently will not have hotplug support.

A slight change to the "internet" interface makes it use VLAN 10 tagged frames on enp1s0, rather than untagged frames. This is fairly straightforward. You will need to update any other network configs that previously used enp1s0, and use enp1s0.10 instead.

Next, a bridge is defined between the VLAN 20 tagged enp1s0.20 and untagged enp4s0. manual means no IP configuration is done; we just need a layer 2 bridge (an anonymous bridge).

Finally, your original br0 is mostly left as-is, just with enp4s0 removed as it is now the IPTV port.

Bob

Posted 2019-05-01T03:00:53.113

Reputation: 51 526
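Added here as a worked example (it is not part of the answer above): a small checker that parses /etc/network/interfaces stanzas written in the ethA.# form and flags the mistakes the answer warns about: a VLAN sub-interface whose raw device is not declared auto, a raw trunk that is given configuration or bridged untagged, and a port such as enp4s0 left in two bridges. The sample stanzas are constructed from the answer; the function names are my own.

```python
import re
# Constructed sample: the VLAN + bridge stanzas from the answer above.
SAMPLE_INTERFACES = """\
auto enp1s0
iface enp1s0 inet manual
auto enp1s0.10
iface enp1s0.10 inet dhcp
auto br1
iface br1 inet manual
    bridge_ports enp1s0.20 enp4s0
auto br0
iface br0 inet static
    address 192.168.2.1
    bridge_ports enp2s0 enp3s0 wlp5s0
"""
VLAN_NAME = re.compile(r"^(?P<raw>[^.]+)\.(?P<vid>\d+)$")  # the ethA.N form

def parse_interfaces(text):
    """Return (set of 'auto' names, {iface: {option: value}})."""
    auto, ifaces, current = set(), {}, None
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments and blanks
        if words and words[0] == "auto":
            auto.update(words[1:])
        elif words and words[0] == "iface":
            current, ifaces[words[1]] = words[1], {"method": words[3]}
        elif words and current is not None:
            ifaces[current][words[0]] = " ".join(words[1:])
    return auto, ifaces

def lint_vlan_layout(text):
    """Return a list of problems; an empty list means the layout is consistent."""
    auto, ifaces = parse_interfaces(text)
    problems, owners = [], {}  # owners: bridge port -> bridges claiming it
    for name, opts in ifaces.items():
        for port in opts.get("bridge_ports", "").split():
            owners.setdefault(port, []).append(name)
    for name in set(ifaces) | set(owners):
        m = VLAN_NAME.match(name)
        if not m:
            continue
        raw = m.group("raw")
        if raw not in auto:  # hotplug only works when the raw device is 'auto'
            problems.append(f"{name}: raw device {raw} is not 'auto'")
        if ifaces.get(raw, {}).get("method") != "manual" or raw in owners:
            problems.append(f"{raw}: trunk must stay 'manual' and unbridged")
    for port, bridges in owners.items():
        if len(bridges) > 1:  # a port can belong to only one bridge
            problems.append(f"{port}: listed in several bridges {sorted(bridges)}")
    return problems
```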

1

Your router is a PC?

Incoming traffic from your ISP is vlan tagged?

I'm assuming you have at least 2 NICs in this PC, one for WAN/ISP, the other for your local network.

Sounds like you have more than 2 NICs, one is the WAN/ISP, the others are bridged and essentially acting as a switch.

I don't have a lot of experience with Linux and VLANs, but ...

So what you really want to do is have 2 WAN interfaces, one for vlan10 and one for vlan20. Then use iptables or whatever to move traffic where you want it.

You can make a few iptables rules that basically throw any traffic coming in from your ethwan.vlan20 to one of your LAN NICs. Then treat ethwan.vlan10 as your previous WAN NIC.

If your WAN NIC has hardware VLAN support and it's supported by Linux, vconfig might help you (here is more info) - it will make interfaces for a VLAN that can be treated like normal hardware interfaces.

If your WAN NIC doesn't have hardware VLAN support - one issue is that VLANs are a layer 2 thing and iptables works on layer 3. Looks like separating traffic by VLANs would involve ebtables or trickery like described here.

Conceptual overview:

[conceptual overview diagram; image not reproduced here]

LawrenceC

Posted 2019-05-01T03:00:53.113

Reputation: 63 487

Reorganised the post so folks don't have to read midway through the post to get my setup. By 2 interfaces, do we mean 2 "virtual" interfaces one for each vlan on the physical wan controller? – Journeyman Geek – 2019-05-01T03:47:44.323

Yep, two virtual interfaces. You probably could get away with bridging the vlan20 virtual interface and the LAN-facing NIC you want to use for it. – LawrenceC – 2019-05-01T03:51:14.260

@lawrencec don't you mean bridging wan interface vlan20 and the physical LAN interface to be used for IPTV? – davidgo – 2019-05-01T09:17:28.230