That talk is very old. Maybe it is no longer valid? The wiki does not include that limitation, at least I do not see it.
Quote:
Please note that:
* Due to backwards compatibility reasons, you can't assign more than one VLAN to a zone
* One NIC can't be accessed natively by more than one zone
* You can't use the same VLAN tag more than once per NIC
* A NIC that is assigned to RED can't be accessed by any other zone if RED is in PPP mode
If I were you, I would try to put two VLANs and see what happens.
What is the switch you are using to separate out the VLANs? Also, I would make the green VLAN tagged as well and make sure the switch keeps the packets tagged and does not just untag them. Another thing to look at is your routes: make sure there are no routes in either IPFire or the switch. I would check the routing table on the PC while it is on the blue network, as well as run a traceroute to find out where the route is, and remove that. As for the web interface of IPFire, you can just remove the blue network from the web proxy list, as well as checking the box "Disable internal proxy access to Green from other subnets:" on the web proxy page under the Network menu.
Any information you can provide about the setup would be great. I work in IT, so hopefully I can be of some help.
Hi Will,
thanks for your reply. The problem seems to be a little more complicated than I thought at first glance, so I think I should describe my network and intentions in a few words:
My infrastructure looks like this: Modem - IPFire - 24-port switch (GREEN network) - LAN & WLAN APs (the APs run OpenWRT, which is able to handle VLANs).
The GREEN network is distributed via in-house LAN connectors and WLAN APs. My intention is to have the BLUE network (it should work as a guest network, therefore it has to be separated from the GREEN network, with internet access only) distributed the same way, but as a tagged VLAN.
The switch works as a switch only; there is nothing configured concerning VLANs, neither tagged nor untagged, it just distributes the signal to the LAN connectors and WLAN APs. From my point of view this should work, because the network signal is just distributed by the switch (it should not add or remove any VLAN tags, or am I wrong?); all the VLAN stuff is handled by IPFire and OpenWRT, or by the clients if connected to a LAN connector. The GREEN and BLUE networks have different IP subnets and each zone has its own DHCP server running.
Due to the fact that I can ping the GREEN network out of the BLUE and vice versa, there seems to be "NAT" functionality between both subnets somewhere.
To exclude a misconfiguration on OpenWRT I disconnected the APs and connected my laptop to a LAN connector directly, but the problem still exists. The next step will be to disconnect my switch completely and connect my laptop to the GREEN port of IPFire directly. To do that I have to wait until nobody is using the network; hopefully this evening I'll have a chance.
Reading through your description, I believe your problem might be related to the fact that you have Green set as native and Blue set as VLAN.
I believe a native interface will just accept all data and ignore any VLAN tags, while a VLAN interface will only accept packets that carry a VLAN tag matching the one set for the interface.
I believe that for what you are looking for, Green and Blue on the same NIC but separated into two subnets, you need to have both of them set to VLAN with different tags. Then you need to set up your network so that everything is defined as belonging to either the Green VLAN or the Blue VLAN.
Reading the wiki, I believe this should work, but it is not explicitly specified. I would need to read through the Perl source code to see if it is set up to do that.
Hi Adolf,
thanks for your reply.
User Will and cfusco suggested using different VLANs for GREEN and BLUE as well. The reason why I haven't tried it yet is that it's not possible to assign two VLANs with the help of the WUI. According to this post, Multiple VLANs on Green Interface, it is possible to assign only one VLAN to a NIC.
Reading through the zone config page in the wiki I found the following:
You can’t use the same VLAN tag more than once per NIC
That suggests you can have two VLAN tags per NIC as long as they have different numbers. If you have two zones on the same NIC, then each should be able to have a different VLAN number.
That was what made me say what I did. However, I am not certain that my interpretation is correct.
I will try to find some time to have a scan through the Perl code and see if I can confirm one way or the other, and come back in a few days.
Hi Adolf,
I tried to set the VLAN for the GREEN network, but on the page where the zones are configured I can choose "VLAN" from the dropdown menu but I can't set the ID; it's greyed out. I cross-checked it with my IPFire running as a VM for testing purposes; there I can change the ID.
I just went through the Perl code and could only find that you can have only one VLAN tag per zone. I could not find anything that prevents having two different VLAN tag numbers on a NIC, each with a different zone.
So I just set up a test case in my vm testbed to try it out and as far as I can see it all worked.
The two different VLAN tags are set for green and blue, both are linked to the Green parent device's MAC address, and each has its own new MAC address for the VLAN.
This all looks like it has set up correctly.
I just can't test it any further, as I would have to completely rebuild my virtual testbed network, and I use it for testing purposes.
Adolf Belka is correct: when it comes to segregated networks you generally only have one VLAN per network, regardless of whether it is IPFire or not. In this case IPFire's zones are independent networks, and so each zone can only have one VLAN.
Is your switch a managed or unmanaged one? If it is managed, you can easily configure the ports to handle the VLAN tagging. On top of that, as Adolf said, assign blue and green different VLAN tags on the same NIC. For example, on my network I have a 48-port managed switch with port 1 VLAN 10 tagged going to the fibre ONT, port 2 VLAN 10 untagged going to the WAN port of IPFire, ports 3-36 VLAN 20 untagged (green), ports 37-42 VLAN 30 untagged (blue), and ports 43-48 VLAN 40 untagged (orange).
Native actually means VLAN 1.
The difference between tagged and untagged is that tagged means the device plugged into that port must send and receive the correct VLAN ID, whereas untagged means the port will accept all incoming packets and will untag any outgoing packets; inside the switch, for example, all the packets are treated as tagged.
So if your switch were a managed switch, I would set, say, port 1 to VLAN 26 tagged and VLAN 26 tagged, set the associated green and blue to these, and then ports 2-24. If it is unmanaged it can be a little different, because most unmanaged switches don't support VLAN tagging and it can be hit or miss how the packets go. If all of the things plugged into an unmanaged switch are on the same VLAN you won't have an issue, but when it comes to multiple VLANs on a switch, it should be a managed switch.
Are you able to advise me on the model number of your switch?
Hi Adolf, hi Will
thanks a lot for your work reviewing the code and the hints you are providing.
The weird thing is that I can't set the VLAN for the GREEN zone on my IPFire, contrary to the IPFire VM I set up for testing purposes, where it is possible without any problems.
On my "native" IPFire I can select "VLAN" from the dropdown menu but it's not possible to set the ID; it looks like this:
Successfully changed the VLAN settings for the GREEN zone.
I switched from my laptop to the PC; from there it was possible to change the VLAN settings. Don't ask me why, it looks really weird to me.
OK, the good things first: I have learned something about VLANs. I configured some VLANs on my switch and got it connected to my AP.
But the problem that made me start this thread still exists. When connected to the guest WLAN network (BLUE) it is separated from GREEN: I can't ping any of the other clients, except the IPFire itself, which is still reachable from the BLUE network. The GREEN and BLUE networks have different subnets and IPFire routes between both subnetworks.
Any idea where to check to get BLUE restricted?
By connecting to the IPFire I take it you mean the WUI.
This is the default situation. You can access the WUI from both Green and Blue, but whoever accessed the WUI would still need to know the password.
However you can prevent all blue accessing the WUI by following the section titled
“Deny blue clients access to the IPFire web interface” near the bottom of this wiki page link.
My understanding is that the firewall.local rules are run before you even get to the WUI rules, so any "enabling" rule would have to come earlier than firewall.local.
Somewhere in the wiki there is a diagram showing the order of all the firewall rule chains in IPFire, and you can then look at the actual rules in each chain in the WUI under the iptables menu item.
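As an added example (not code from this thread or from the IPFire wiki page referred to above): a script in the start|reload|stop shape of IPFire's /etc/sysconfig/firewall.local that keeps the BLUE subnet away from the web interface on TCP port 444 (IPFire's default WUI port) and, as a second line of defence, from the GREEN subnet. The two subnets are constructed placeholders, and the script is a dry run by default, printing the iptables commands instead of executing them, so it can be read and checked before anything is applied on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or the IPFire wiki.
# Rules that keep the BLUE guest zone away from IPFire's web interface
# (TCP 444 by default) and from the GREEN zone, in the start|reload|stop
# shape of /etc/sysconfig/firewall.local.
#
# Assumptions (constructed placeholders, edit them for your zones):
BLUE_NET="192.168.2.0/24"    # BLUE subnet
GREEN_NET="192.168.1.0/24"   # GREEN subnet
WUI_PORT="444"               # IPFire web interface port

# Dry run by default: prints the commands instead of running them.
# Set IPTABLES="iptables" on the firewall to actually apply them.
IPTABLES="echo iptables"

# The match part of each rule lives in one place, so the -D in stop
# always deletes exactly what the -I in start inserted.
wui_deny_rule() {
    echo "INPUT -p tcp -s $BLUE_NET --dport $WUI_PORT -j DROP"
}

blue_to_green_rule() {
    echo "FORWARD -s $BLUE_NET -d $GREEN_NET -j DROP"
}

start_rules() {
    # -I inserts at the head of the chain, ahead of any ACCEPT that
    # would otherwise let BLUE reach the WUI or GREEN. Word splitting
    # of the unquoted $(...) is intended: it supplies the rule arguments.
    $IPTABLES -I $(wui_deny_rule)
    $IPTABLES -I $(blue_to_green_rule)
}

stop_rules() {
    $IPTABLES -D $(wui_deny_rule)
    $IPTABLES -D $(blue_to_green_rule)
}

# Dispatcher, only when an action is given, so sourcing the file is harmless.
if [ -n "${1:-}" ]; then
    case "$1" in
        start)  start_rules ;;
        stop)   stop_rules ;;
        reload) stop_rules; start_rules ;;
        *)      echo "usage: $0 {start|stop|reload}" >&2 ;;
    esac
fi
```

Run it as `sh firewall.local start` to see the two rules it would insert; after switching IPTABLES to the real binary, `iptables -L INPUT -n --line-numbers` should show the DROP for the BLUE subnet on port 444 at the top of the chain, and the WUI should stop answering from a BLUE client while GREEN clients are unaffected.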
I rechecked both entries for any mistakes, but everything is as in the guide mentioned; of course I changed the IP addresses to match the blue zone.
Yes, I reloaded the script and rebooted IPFire.