[Firehol-support] Routing between virtual interfaces

Carlos Rodrigues cefrodrigues at gmail.com
Fri Jan 23 23:22:56 GMT 2009


On Fri, Jan 23, 2009 at 10:13 PM, M. O. <mofog at hotmail.com> wrote:
> Thanks for the hint! I had a first look at how to run VLANs in Debian.
>
> There are conflicting information about how to do this. For example you say
> it can be done by using this notation: "eth0.1". However, this doesn't seem
> to work for me. I have to do it this way: "vlan2" and add a "vlan_raw_device
> eth0" line. However, afterwards I cannot reach any components on the VLANs.
> Am I right that this whole thing only works with special hardware, like
> VLAN-enabled switches and so on?

Yes, you can only have _multiple_ VLANs in a link if both ends of the
cable understand VLANs. But if your switches have management of some
kind (even if only a web interface) chances are they already support
VLANs. But even then you will have to make changes at the network
level (splitting those different subnets into different VLANs).

Now, as far as the Debian configuration as concerned, "ethX.Y" and
"vlanY; vlan_raw_device ethX" are synonyms. (BTW, "1" is not a valid
VLAN ID. When there are multiple VLANs in a link, ID "2" and above
means the ethernet frames have a tag with the VLAN ID added to it,
while ID "1" means they are regular untagged frames).

> If setting up a VLAN environment should turn out to be too complicated, I
> think I will just merge all networks into one -- granted: it's just avoiding
> and not solving the problem.

>From a security standpoint, you actually have one network already...
:) And, provided you have VLAN-enabled switches, configuring VLANs
should be about as much work as renumbering your multiple subnets into
one.

If you cannot go the VLAN way, the only way to deal with this is just
do your configuration using just "eth0". You can have a route where
the in and out interfaces are the same, and you can control the flow
of traffic between subnets using "src" and "dst" with the "route"
commands.

Regards,

-- 
Carlos Rodrigues




More information about the Firehol-support mailing list