Hi,
For background FWIW I had another go yesterday at segregating a lot of my noisy IoT home wifi devices. Ubiquiti has a nice feature - maybe it’s standard - where different wireless SSIDs can be assigned to different VLANs, so that’s instantly a win. But I don’t have any managed switches and I don’t have an extra NIC on my ipfire box, only one each for red and green. And so setup pretty immediately complains that I can’t run RED/GREEN/BLUE because there aren’t enough NICs.
But I don’t quite understand this because a single physical NIC is often capable of doing a lot, with multiple MACs etc, exposed as subinterfaces in the OS.
So I just added a udev rule on network hotplug to spot when the green interface appears and give it a subinterface.
#!/bin/sh
# udev hook: give green0 a VLAN 20 subinterface (ao0) to carry the BLUE zone
PARENT=green0
VLAN=20
MACADDR=02:ca:fe:ca:fe:20   # locally administered address, so it cannot clash with a vendor OUI
# exit if we already exist (the address is only visible once the subinterface has been created)
ip link | grep -q "$MACADDR" && exit 0
# exit if green0 isn't here yet (udev will run us again when it appears)
ip link show "$PARENT" >/dev/null 2>&1 || exit 0
# Create the subinterface and give it its own MAC
ip link add link "$PARENT" name ao0 type vlan id "$VLAN"
ip link set ao0 address "$MACADDR"
That’s really all that seemed to be needed, setup then is pacified because there is a third interface, and I think we proceed roughly as normal. I was a little sad to see that the zone configuration webpage only lists the true physical parent NICs, but rather than dig into why yet I just repeated the VLAN config here, defining blue to operate on VLAN 20 of green’s interface. That seems wrong but like it might work anyway, since it’s basically redundant.
And everything seems to work great! But it became likely as I traced the code that ipfire already has everything necessary to support what I’m doing, but wants to forbid it. I don’t see any reason why setup demands that the zones go to physical NICs, and yet it does. Am I missing a big problem with what I’m doing? I’m happy with the result, I no longer have Amazon Alexa advertising itself as an IPv6 router to all my servers. To my mind, it would be great if this config were supported, but perhaps there is something flawed with the concept.
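The hook above does the job, but it identifies "already created" by grepping the MAC out of `ip link` and it accepts whatever VLAN ID and MAC the variables hold. The script below is an added example, not code from the post or from IPFire, that does the same thing with the two checks a practitioner would want in front of `ip link add`: a VLAN ID in the 802.1Q range and a unicast, locally administered MAC (second hex digit 2, 6, A or E, as the post's 02:... address already is), with the existence test done on the interface name. The names (green0, ao0, VLAN 20, the MAC) are taken from the post; the `APPLY=1` guard is my assumption so that the file can be sourced or run without touching the host's links, and how it is invoked (the udev rule) is left as the post describes it.

```shell
#!/bin/sh
# Added example (not the post's or IPFire's code): an idempotent VLAN-subinterface
# hook with input checks. Run with APPLY=1 as root to actually create the link.

# 0 if $1 is a usable 802.1Q VLAN ID (1..4094; 0 and 4095 are reserved).
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# 0 if $1 is a unicast, locally administered MAC (xx:xx:xx:xx:xx:xx, second
# hex digit 2/6/a/e). A made-up address should always be of this form so it
# can never collide with a real vendor-assigned (OUI) address on the LAN.
mac_local_unicast_ok() {
    _m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$_m" in
        ??:??:??:??:??:??) ;;          # shape and length
        *) return 1 ;;
    esac
    case "$_m" in
        *[!0-9a-f:]*) return 1 ;;      # only hex digits and colons
    esac
    case "$_m" in
        ?[26ae]:*) return 0 ;;         # locally administered, unicast
        *) return 1 ;;
    esac
}

# ensure_vlan_subif PARENT NAME VID MAC
# Creates NAME as VLAN VID on PARENT with address MAC; safe to call repeatedly.
# Returns 0 when the link exists afterwards or the parent is not present yet,
# 2 on a bad argument, and ip's own status if creation fails.
ensure_vlan_subif() {
    parent=$1; name=$2; vid=$3; mac=$4
    vlan_id_ok "$vid" || { echo "bad VLAN id: $vid" >&2; return 2; }
    mac_local_unicast_ok "$mac" || { echo "refusing $mac: not a locally administered unicast MAC" >&2; return 2; }
    # parent not here yet: nothing to do, the hotplug hook will be called again
    ip link show "$parent" >/dev/null 2>&1 || return 0
    # already created: idempotent exit keyed on the interface name, not the MAC
    ip link show "$name" >/dev/null 2>&1 && return 0
    ip link add link "$parent" name "$name" type vlan id "$vid" || return $?
    ip link set "$name" address "$mac"
}

# Values from the post; the APPLY guard is an assumption of this example.
if [ "${APPLY:-0}" = 1 ]; then
    ensure_vlan_subif green0 ao0 20 02:ca:fe:ca:fe:20
fi
```

Keying the "already exists" test on the name rather than the MAC matters once the same MAC could legitimately appear somewhere else (a bridge or a renamed link), and rejecting a globally administered MAC up front avoids the quiet duplicate-address problems that are painful to trace on a segment with many IoT devices.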
That’s a huge help, thank you!! It reassures me that I’m not aiming at something entirely supported, as well as saying it could be easier than I made it.
My main trouble I believe started here, in src/setup/networking.c:
sprintf(message, _("Select the network configuration for %s. "
    "The following configuration types list those interfaces which have ethernet attached. "
    "If you change this setting, a network restart will be required, and you will have to "
    "reconfigure the network driver assignments."), NAME);
rc = newtWinMenu(_("Network configuration type"), message, 50, 5, 5,
    6, configtypenames, &choise, _("OK"), _("Cancel"), NULL);
if ( configtypecards[choise] > found ) {
    sprintf(message, _("Not enough netcards for your choice.\n\nNeeded: %d - Available: %d\n"),
        configtypecards[choise], found);
    errorbox(message);
}
Per this logic, I couldn’t select RED+GREEN+BLUE because I only have two physical cards, as /usr/bin/probenic.sh determined. So I failed right at step 1 of the tutorial! I was scratching my head as to how everyone else managed, but looking now I see the error box is a paper tiger: one can actually set the config type successfully and just ignore the message. So then it becomes easy, or much easier than I made it anyway; I allowed myself to get confused by believing the error message and not noticing that the change had worked fine.
I still remain slightly puzzled why only physical NICs appear as rows in the Zone Configuration page, but I guess now this is ipfire trying to be helpful, since the page is actually acting as a screen to create VLANs on the physical NICs. It does look like this UI design might make it harder to run bridge mode across different VLANs. But whatever, my problem is solved. I might only suggest that the error check above should be removed from the code; there is no value in telling anyone trying to configure blue/orange that they don’t have enough physical NICs, because that is an irrelevant metric.