InterVLANs with Aruba Layer3 Switch and IPFire and LTE Router

Hello to all specialists,
I need your help. I am new to the forum and would like to say hello to everyone.

My IPFire 2.29 Core 190 has 2 LAN interfaces, RED & GREEN, and was newly installed, currently with 2 static routes (return routes to the Aruba L3 switch gateway) AND, ONLY for testing purposes, with the firewall rule ANY ANY ACCEPT.

First of all, I am a newbie to ARUBA-5406R Layer 3 and have uploaded a network plan with my configuration (with example IPs).

There are four InterVLANs with associated gateways on the switch side - VLAN 10 & 40 should/may access the Internet via port B1.

VLAN10: 10.10.77.0/24 GW: 10.10.77.1 (Ports A1-A6)
VLAN20: 10.20.77.0/24 GW: 10.20.77.1 (Ports A7-A12)
VLAN30: 10.30.77.0/24 GW: 10.30.77.1 (Ports A13-A18)
VLAN40: 10.40.77.0/24 GW: 10.40.77.1 (Ports A19-A24)

With multiple access lists e.g.:

#VLAN10 is not allowed to communicate with VLAN40, but with all other networks (VLANs and Internet)
ip access-list extended "ACL-10"
10 deny ip 10.10.77.0 0.0.0.255 10.40.77.0 0.0.0.255
40 permit ip 10.10.77.0 0.0.0.255 0.0.0.0 255.255.255.255
exit

On the LAN side, I tested the access lists with various PINGs and so far everything works - but I can't get onto the Internet via the IPFire firewall and LTE router.
For your information:
My LTE router is running in bridge mode and the provider STATIC IP is directly on the RED interface.
The static return routes on the IPFire work (the computers in the VLANs with a set return route can access the Internet).

Unfortunately only with one firewall rule: SOURCE ANY -> DESTINATION ANY - ACCEPT

Any change or fine-tuning of the firewall rule leads to VLANs 10 & 40 on the Aruba no longer being able to access the Internet (unfortunately, this can only be due to my lack of knowledge).

I can access the ARUBA switch (SSH) and the IPFire web interface (network 10.100.100.x) remotely using OpenVPN, which is fine.

It is not absolutely necessary but it would be nice if I could also access various VLANs via VPN for control/configuration.

Static routes (rules) from the OpenVPN network to the VLAN gateways (Aruba) are probably missing again.

Perhaps you have some tips.

Regards Aruba_newbie
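To check what an ACL like the posted ACL-10 actually does before relying on it, here is an added example (not from the poster or from Aruba) that evaluates the posted entries against sample flows with first-match and implicit-deny semantics. The wildcard-mask matching is the inverse-netmask form used by ArubaOS-Switch and Cisco-style extended ACLs; the sample addresses are constructed.

```python
import ipaddress

# ACL-10 as posted in the question (copied here as constructed input).
ACL_10 = """
10 deny ip 10.10.77.0 0.0.0.255 10.40.77.0 0.0.0.255
40 permit ip 10.10.77.0 0.0.0.255 0.0.0.0 255.255.255.255
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 1 bit means 'don't care' (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_acl(text: str):
    """Parse 'seq action proto src src-wc dst dst-wc' entries, ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "exit":
            continue
        seq, action, proto, src, src_wc, dst, dst_wc = line.split()
        entries.append((int(seq), action, proto, src, src_wc, dst, dst_wc))
    return sorted(entries)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; a flow matching nothing hits the implicit deny at the end."""
    for _seq, action, _proto, a_src, a_swc, a_dst, a_dwc in acl:
        if wildcard_match(src, a_src, a_swc) and wildcard_match(dst, a_dst, a_dwc):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    acl = parse_acl(ACL_10)
    flows = [("10.10.77.5", "10.40.77.5"),      # VLAN10 -> VLAN40: should be denied
             ("10.10.77.5", "10.20.77.5"),      # VLAN10 -> VLAN20: permitted
             ("10.10.77.5", "198.51.100.1"),    # VLAN10 -> Internet: permitted
             ("10.20.77.5", "198.51.100.1")]    # VLAN20 source: no entry, implicit deny
    for s, d in flows:
        print(f"{s} -> {d}: {evaluate(acl, s, d)}")
```

Note that the implicit deny only shows up for sources the ACL does not mention, which is why an ACL applied to the wrong VLAN or port silently drops everything.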

Your first problem is that IPFire only supports 1 WAN and 3 other networks (Green, Blue, and Orange DMZ), so 3 network zones or VLANs max.
There are default firewall rules for these network zones.

In my opinion this has nothing to do with IPFire. Your L3 switch port B1 is not a switch port but a routing port, and IPFire does not know anything about the clients and VLANs behind it. Your switch does the routing.

You need to block communication from VLAN20/30 to port B1 in your switch configuration.

Yes, port B1 is a routing port - it should be a transfer VLAN or coupling network to the Internet/firewall (IPFire).
I can block VLAN20/30 using ACLs, no problem.
Interestingly, if I replace the IPFire with a FritzBox LTE to isolate the error and set static routes in the FritzBox for VLAN10/40 (10.10.77.0 255.255.255.0 10.100.100.254 and 10.40.77.0 255.255.255.0 10.100.100.254), everything works perfectly.

What would be better: operating the Aruba switch in layer 2 mode, or perhaps changing the firewall (pfSense/OPNsense)? Or do all pure firewalls with (LTE) modems have the problem of not knowing any VLANs behind a routing L3 switch?

Many thanks for further information