How to restrict access from the BLUE network?

Hi all,
I have the BLUE zone configured as VLAN on the same Nic used by the GREEN zone. I want to use the BLUE zone as wifi guest network. Therefore I disabled the MAC address filtering according

To restrict access from the BLUE zone to the WUI, I followed the steps shown in the chapter "Deny blue clients access to the IPFire web interface" under the link mentioned above.
The problem now is that I can still reach the WUI from the BLUE zone.
Any hints on how to restrict the BLUE zone so that connected clients can reach only the internet and nothing else, like the GREEN network etc.?

Regards Pete

Did you restart the firewall?

Yes, I restarted the ipfire.

One thing I forgot: it is possible to successfully ping the subnets of the GREEN and ORANGE zones; that shouldn't be possible either, should it?

No, it should not. Clearly you have a problem with your configuration. Are you sure the VLAN configuration is correct?

My configuration looks like this

Premise: I am a hobbyist and I have very little experience with anything outside the very basic topics. I have never used a VLAN system; I just know, more or less, what it is. Having said that, there is one thing I do not understand in your config.

My understanding of a VLAN system is the following: you have a switch that is capable of tagging the ethernet frames with different tags according to the different ports of the switch. Therefore, in your case I would guess that if you connect the access point to, say, port 1, it will be tagged VLAN 66, which you attribute to the blue network, and all the other ports (2-7) of the switch will receive the tag (e.g.) VLAN 65, which has to be sorted to the green network. Then you have port 8, which is the trunk that goes from the switch to the green interface of your router. If this premise is correct, then in the config you should set the green network not to native but to VLAN 65.

Again, I am just reasoning with my limited knowledge. I hope someone more knowledgeable can step in and help you out. Good luck.

EDIT: reading the forum I realized that my premise is wrong. IPFire allows only one VLAN, so setting green to native is correct. Maybe there was a problem during the setup? However, this tutorial that I found seems to assign 2 VLANs: Install IPFire on a box with single NIC using VLAN - Avinesh Singh

As I said, I hope someone more knowledgeable would clarify this issue.

EDIT2: the wiki clarifies that only 1 VLAN per zone can be configured, therefore maybe I was right in the first place and you have to set green to a different VLAN and not to native.

Don't worry, I'm a hobbyist as well.
To my understanding it should be possible to add multiple VLANs to one NIC. Timo Eissler shows it in this video

According to it, multiple VLANs can be configured via the console only, but as long as you have one unused zone available it is possible to configure it via the web interface.
From my point of view my configuration seems to work: my client can handle the VLAN tag and gets an IP from the DHCP server associated with the BLUE zone; only the separation between the zones is strange.

I think at this point we need an expert to get this one solved.

That talk is very old. Maybe it is not valid anymore? The wiki does not include that limitation, at least I do not see it.

Quote:

Please note that:

    * Due to backwards compatibility reasons, you can't assign more than one VLAN to a zone
    * One NIC can't be accessed natively by more than one zone
    * You can't use the same VLAN tag more than once per NIC
    * A NIC that is assigned to RED can't be accessed by any other zone if RED is in PPP mode

If I were you, I would try to put two VLANs and see what happens.
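The four wiki rules quoted above are easy to misread (one VLAN per zone is not the same as one VLAN per NIC), so here is an added example, not code from IPFire or from anyone in this thread, that checks a zone-to-NIC layout against exactly those four rules and prints the plain iproute2 commands such a layout corresponds to on Linux. The `ZoneAssignment` data model, the zone names and the two sample layouts are assumptions made for the illustration; IPFire's own config files and network scripts are not used or reproduced here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneAssignment:
    zone: str                      # "GREEN", "BLUE", "ORANGE" or "RED"
    nic: str                       # parent device, e.g. "eth1"
    mode: str                      # "native", "vlan" or "ppp"
    vlan_id: Optional[int] = None  # only meaningful when mode == "vlan"


def check_assignments(layout: List[ZoneAssignment]) -> List[str]:
    """Return the list of rule violations; an empty list means the layout is allowed."""
    problems: List[str] = []

    # Rule 1: a zone can carry at most one VLAN.
    by_zone = {}
    for a in layout:
        by_zone.setdefault(a.zone, []).append(a)
    for zone, items in by_zone.items():
        tags = sorted(a.vlan_id for a in items if a.mode == "vlan")
        if len(tags) > 1:
            problems.append(f"{zone}: more than one VLAN assigned {tags}")

    # Rule 2: a NIC can be accessed natively (untagged) by at most one zone.
    native = {}
    for a in layout:
        if a.mode == "native":
            native.setdefault(a.nic, []).append(a.zone)
    for nic, zones in native.items():
        if len(zones) > 1:
            problems.append(f"{nic}: accessed natively by more than one zone {zones}")

    # Rule 3: the same VLAN tag may not be used twice on one NIC.
    owner = {}
    for a in layout:
        if a.mode == "vlan":
            key = (a.nic, a.vlan_id)
            if key in owner:
                problems.append(f"{a.nic}: VLAN {a.vlan_id} used by both {owner[key]} and {a.zone}")
            owner.setdefault(key, a.zone)

    # Rule 4: a NIC used by RED in PPP mode cannot be shared with another zone.
    ppp_nics = {a.nic for a in layout if a.zone == "RED" and a.mode == "ppp"}
    for a in layout:
        if a.zone != "RED" and a.nic in ppp_nics:
            problems.append(f"{a.nic}: used by {a.zone} although RED runs PPP on it")

    # Basic 802.1Q sanity: a VLAN zone needs a tag in 1..4094.
    for a in layout:
        if a.mode == "vlan" and not (a.vlan_id and 1 <= a.vlan_id <= 4094):
            problems.append(f"{a.zone}: invalid VLAN id {a.vlan_id!r}")
    return problems


def iproute2_commands(layout: List[ZoneAssignment]) -> List[str]:
    """Generic Linux equivalent of the layout: one 802.1Q sub-interface per VLAN
    zone stacked on the parent NIC, which keeps carrying the untagged frames of a
    native zone. Illustrative only; IPFire's own network scripts do this for you."""
    cmds = []
    for a in layout:
        if a.mode == "vlan":
            sub = f"{a.nic}.{a.vlan_id}"
            cmds.append(f"ip link add link {a.nic} name {sub} type vlan id {a.vlan_id}")
            cmds.append(f"ip link set dev {sub} up")
    return cmds


# Constructed layouts (assumptions for illustration, not anyone's real config).
OP_LAYOUT = [                      # GREEN native + BLUE tagged on the same NIC
    ZoneAssignment("RED", "eth0", "native"),
    ZoneAssignment("GREEN", "eth1", "native"),
    ZoneAssignment("BLUE", "eth1", "vlan", 66),
]
TWO_TAGS_LAYOUT = [                # both zones tagged on the NIC, different ids
    ZoneAssignment("RED", "eth0", "native"),
    ZoneAssignment("GREEN", "eth1", "vlan", 26),
    ZoneAssignment("BLUE", "eth1", "vlan", 27),
]

if __name__ == "__main__":
    for name, layout in (("native+vlan", OP_LAYOUT), ("two tags", TWO_TAGS_LAYOUT)):
        print(name, "->", check_assignments(layout) or "allowed by the four rules")
        print("\n".join(iproute2_commands(layout)))
```

Both sample layouts pass all four rules, which is the point: nothing in the quoted wiki text forbids either "GREEN native + BLUE VLAN 66" or "GREEN VLAN 26 + BLUE VLAN 27" on one NIC. The rule that bites is the third one, so the checker reports a layout that reuses one tag for two zones on the same NIC, and the second one, so two native zones on one NIC are rejected.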

Is it possible that your client gets two interfaces, both blue and green?

What switch are you using to separate out the VLANs? I would also make the GREEN VLAN tagged as well and make sure the switch keeps the packets tagged and doesn't just untag them. Another thing to look at is your routes: make sure that there are no routes in either IPFire or the switch. I would check the routing table on the PC when it is on BLUE, as well as run a traceroute to find out where the route is, and remove that. As for the web interface of IPFire, you can just remove the BLUE network from the web proxy list, as well as check the box "Disable internal proxy access to Green from other subnets:" on the web proxy page under the network page.

Any information you can provide about the setup would be great, I work in IT so hopefully I can be of some help

Hi Will,
thanks for your reply. The problem seems to be a little more complicated than I thought at first glance, so I think I should describe my network and intentions in a few words:
My infrastructure looks like this: Modem - IPFire - 24-port Switch (Green Network) - LAN & WLAN APs (APs running OpenWRT which is able to handle VLANs).
The GREEN network is distributed via in-house LAN connectors and WLAN APs. My intention is to have the BLUE network (it should work as a guest network, therefore it has to be separated from the GREEN network, with internet access only) distributed the same way, but as a tagged VLAN.
The switch works as a switch only; there's nothing configured concerning VLANs, neither tagged nor untagged, it just distributes the signal to the LAN connectors and WLAN APs. From my point of view this should work, because the network signal is just distributed by the switch (it should not add or remove any VLAN tags, or am I wrong?); all the VLAN stuff is handled by IPFire and OpenWRT, or by the clients if connected to a LAN connector. The GREEN and BLUE networks have different IP subnets and each zone has its own DHCP server running.
Due to the fact that I can ping the GREEN network from the BLUE and vice versa, there seems to be "NAT" functionality between both subnets somewhere.
To exclude a misconfiguration on OpenWRT I disconnected the APs and connected my laptop to a LAN connector directly, but the problem still exists. The next step will be to disconnect my switch completely and connect my laptop to the GREEN port of IPFire directly. To do that I have to wait till nobody is using the network; hopefully this evening I'll have a chance.

So long
Pete

Reading through your description, I believe your problem might be related to the fact that you have Green set as native and Blue set as VLAN.
I believe a native interface will just accept all data and will ignore any VLAN tags while a VLAN interface will only accept packets that have a VLAN tag that matches that set for the interface.

I believe that for what you are looking for Green and Blue on the same nic but separated into two subnets you need to have both of them set to VLAN with different tags. Then you need to set up your network to have everything defined as either belonging to the Green VLAN or Blue VLAN.

Reading the wiki, I believe that this should work but it is not explicitly specified. I would need to read through the perl source code to see if it is set up to do that.

Hi Adolf,
thanks for your reply.
User Will and cfusco suggested using different VLANs for GREEN and BLUE as well. The reason why I haven't tried it yet is that it's not possible to assign 2 VLANs with the help of the WUI. According to this post, Multiple VLANs on Green Interface, it is possible to assign only one VLAN to a NIC.

Regards Pete

Hi Pete,

Reading through the zone config page in the wiki I found the following:

  • You can’t use the same VLAN tag more than once per NIC

That suggests you can have two VLAN tags per NIC as long as they have different numbers. If you have two zones on the same NIC then each should be able to have a different VLAN number.

That was what made me say what I did. However I am not certain that my interpretation is correct.

I will try and find some time to have a scan through the perl code and see if I can confirm one way or the other and come back in a few days.


Hi Adolf,
I tried to set the VLAN for the GREEN network, but on the page where the zones are configured I can choose "VLAN" from the dropdown menu but I can't set the ID; it's greyed out. I cross-checked it with my IPFire running as a VM for testing purposes; there I can change the ID.

Regards Pete

Hi Pete,

Ummh, strange.

I just went through the perl code and could only find that you can have only one VLAN tag per zone. I could not find anything that prevented having two different VLAN tag numbers on a NIC, each with a different zone.

So I just set up a test case in my vm testbed to try it out and as far as I can see it all worked.

Zone config ends up looking like this:-


Here I have Green and Blue on eth1, with Green having VLAN tag 26 and Blue having VLAN tag 27.

I checked the file /var/ipfire/ethernet/vlans this contained the following:-

The two different VLAN tags are set for green and blue respectively; both are linked to the Green Parent Dev MAC address and each has its own new MAC address for the VLAN.

This all looks like it has set up correctly.
I just can’t test it any further as I would have to completely rebuild my virtual testbed network and I use it for testing purposes.


Adolf Belka is correct. When it comes to segregated networks you generally only have one VLAN per network, regardless of whether it is IPFire or not; in this case IPFire's zones are independent networks, so each zone can only have one VLAN.

Is your switch a managed or an unmanaged one? If it is managed you can easily configure the ports to handle the VLAN tagging. On top of that, like Adolf said, assign BLUE and GREEN different VLAN tags on the same NIC. For example, in my network I have a 48-port managed switch with port 1 VLAN 10 tagged going to the fiber ONT, port 2 VLAN 10 untagged going to the WAN port of IPFire, ports 3-36 VLAN 20 untagged (GREEN), ports 37-42 VLAN 30 untagged (BLUE), and then ports 43-48 VLAN 40 untagged (ORANGE).

Native actually means VLAN 1.

The difference between tagged and untagged is that tagged means that the device plugged into that port must send and receive the correct VLAN ID, whereas untagged means the port will accept all incoming packets and will untag any outgoing packets; inside the switch, for example, all the packets are treated as tagged.

So if your switch is a managed switch, then I would set, say, port 1 to VLAN 26 tagged and VLAN 26 tagged, set the associated GREEN and BLUE to these, and then ports 2-24. If it is unmanaged then it can be a little different, because most unmanaged switches don't support VLAN tagging and it can be hit or miss how the packets go. If all of the things plugged into an unmanaged switch are on the same VLAN you won't have an issue, but when it comes to multiple VLANs on a switch it should be a managed switch.

Are you able to tell me the model number of your switch?

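The tagged/untagged distinction in the post above is what decides whether a guest on a wall jack can end up in GREEN, so here is an added example (written for this page, not code from IPFire, OpenWRT or the D-Link switch) that models an 802.1Q switch's port membership tables and floods a frame through them. The port names, the VLAN ids 26 (GREEN) and 27 (BLUE) and the layout are constructed assumptions; the `unmanaged_flood` function models the other case from the post, a switch with no membership tables at all.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Port:
    name: str
    pvid: int                                          # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)    # VLANs that leave this port without a tag
    tagged: Set[int] = field(default_factory=set)      # VLANs that leave this port with a tag


@dataclass(frozen=True)
class Frame:
    port: str                    # port the frame is seen on
    vlan: Optional[int] = None   # 802.1Q tag on the wire; None = untagged


class ManagedSwitch:
    """Minimal 802.1Q port model: inside the switch every frame belongs to exactly
    one VLAN, and the per-port membership tables decide how it enters and leaves."""

    def __init__(self, *ports: Port) -> None:
        self.ports = {p.name: p for p in ports}

    def ingress(self, frame: Frame) -> Optional[int]:
        p = self.ports[frame.port]
        if frame.vlan is None:
            return p.pvid                     # untagged: classified by the port's PVID
        if frame.vlan in p.tagged or frame.vlan in p.untagged:
            return frame.vlan                 # tagged, and the port is a member of that VLAN
        return None                           # tagged for a VLAN this port is not in: dropped

    def egress(self, vlan: int, out: str) -> Optional[Frame]:
        p = self.ports[out]
        if vlan in p.untagged:
            return Frame(out, None)           # tag stripped on the way out
        if vlan in p.tagged:
            return Frame(out, vlan)           # tag kept
        return None                           # not a member: never forwarded here

    def flood(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Broadcast `frame` to every other port. Maps port name -> tag on the wire
        (None = sent untagged); ports that did not receive the frame are absent."""
        vlan = self.ingress(frame)
        if vlan is None:
            return {}
        delivered: Dict[str, Optional[int]] = {}
        for name in self.ports:
            if name != frame.port:
                f = self.egress(vlan, name)
                if f is not None:
                    delivered[name] = f.vlan
        return delivered


def unmanaged_flood(frame: Frame, port_names: Iterable[str]) -> Dict[str, Optional[int]]:
    """An unmanaged switch has no membership tables: it repeats the frame, tag and
    all, to every other port, so whatever tag the sender chose arrives unchanged."""
    return {n: frame.vlan for n in port_names if n != frame.port}


# Constructed layout (an assumption, not the poster's real config): GREEN = 26 and
# BLUE = 27, both tagged on the IPFire uplink and on the AP port; wall jacks are
# untagged access ports that belong to one VLAN each.
GREEN, BLUE = 26, 27
SWITCH = ManagedSwitch(
    Port("uplink", pvid=GREEN, tagged={GREEN, BLUE}),   # trunk to the IPFire NIC
    Port("ap",     pvid=GREEN, tagged={GREEN, BLUE}),   # OpenWRT AP carrying both SSIDs
    Port("desk",   pvid=GREEN, untagged={GREEN}),       # office wall jack
    Port("guest",  pvid=BLUE,  untagged={BLUE}),        # guest wall jack
)

if __name__ == "__main__":
    print(SWITCH.flood(Frame("uplink", BLUE)))                      # BLUE reaches ap (tagged) and guest (untagged)
    print(SWITCH.flood(Frame("guest", GREEN)))                      # {}: access port rejects a foreign tag
    print(unmanaged_flood(Frame("guest", GREEN), SWITCH.ports))     # same frame on a dumb switch reaches everything
```

The last two calls show the practical difference: on the managed layout a guest who tags their own frames with 26 gets nothing through, while an unmanaged switch forwards that tag straight to the uplink, where a tagged GREEN zone would accept it. That is why, once the zone separation is carried on VLAN tags, the switch port a guest can plug into needs to be an untagged access port in the guest VLAN rather than a port that passes tags through.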

Hi Adolf, hi Will
thanks a lot for your work reviewing the code and the hints you are providing.

The weird thing is I can't set the VLAN for the GREEN zone on my IPFire, in contrast to my IPFire VM, which I set up for testing purposes, where it is possible without any problems.
On my "native" IPFire I can select "VLAN" from the dropdown menu but it's not possible to set the ID; it looks like this

Maybe it's worth trying a new clean installation of IPFire?

The switch is a DGS-1100-24 from D-Link, which is a managed switch. It offers the following VLAN options

[screenshot: DGS-1100-24_VLAN]

I configured 3 VLANs like this; I think this configuration should be fine to start with.

But how to set the VLAN ID for the GREEN?

Successfully changed the VLAN settings for the GREEN zone.
I switched from my laptop to the PC; from there it was possible to change the VLAN settings. Don't ask me why, it looks really weird to me.

That does sound weird but glad you managed to get it changed.

Hopefully all of these changes will give you the result you are looking for :crossed_fingers: