InterVLANs with Aruba Layer3 Switch and IPFire and LTE Router

Hello to all specialists,
I would need your help, I am new to the forum and would like to welcome everyone.

My IPFire 2.29 Core 190 has 2 LAN interfaces, RED & GREEN, and was newly installed, currently with 2 static routes (return routes to the Aruba L3 switch gateway) AND, ONLY for testing purposes, with the firewall rule ANY ANY ACCEPT.

First of all, I am a newbie to the ARUBA 5406R Layer 3 switch and have uploaded a network plan with my configuration (with example IPs).

There are four InterVLANs with associated gateways on the switch side; VLAN 10 & 40 should/may access the Internet via port B1.

VLAN10: 10.10.77.0/24 GW: 10.10.77.1 (Ports A1-A6)
VLAN20: 10.20.77.0/24 GW: 10.20.77.1 (Ports A7-A12)
VLAN30: 10.30.77.0/24 GW: 10.30.77.1 (Ports A13-A18)
VLAN40: 10.40.77.0/24 GW: 10.40.77.1 (Ports A19-A24)

With multiple access lists, e.g.:

# VLAN10 is not allowed to communicate with VLAN40, but with all other networks (VLANs and Internet)
ip access-list extended "ACL-10"
10 deny ip 10.10.77.0 0.0.0.255 10.40.77.0 0.0.0.255
40 permit ip 10.10.77.0 0.0.0.255 0.0.0.0 255.255.255.255
exit

On the LAN side, I tested the access lists with various pings and so far everything works, but I can't get onto the Internet via the IPFire firewall and LTE router.
For your information:
My LTE router is running in bridge mode and the provider STATIC IP is directly on the RED interface.
The static return routes on the IPFire work (the computers in the VLANs with a set return route can access the Internet).

Unfortunately only with one firewall rule: SOURCE ANY —> DESTINATION ANY - ACCEPT

Various changes or fine-tuning of the firewall rule lead to VLANs 10 & 40 on the Aruba no longer being able to access the Internet (unfortunately, this can only be due to my lack of knowledge).

I can access the ARUBA switch (SSH) and the IPFire web interface (network 10.100.100.x) remotely using OpenVPN, which is fine.

It is not absolutely necessary but it would be nice if I could also access various VLANs via VPN for control/configuration.

Static routes (rules) from the OpenVPN network to the VLAN gateways (Aruba) are probably missing again.

Perhaps you have some tips.

Regards Aruba_newbie
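As an added example (not part of the original post), the following Python script re-implements the first-match semantics of an ArubaOS-style extended ACL with wildcard masks, so the effect of "ACL-10" quoted above can be checked packet by packet before it is applied to a VLAN. The ACL text is copied from the post; the sample packets at the bottom are constructed for illustration.

```python
"""Evaluate ArubaOS-style extended ACL entries offline.

Added example, not taken from the forum post: it re-implements the
first-match semantics of an extended ACL with wildcard masks so that the
effect of "ACL-10" quoted in the post can be checked packet by packet.
The ACL text is copied from the post; the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

ACL_10 = """
ip access-list extended "ACL-10"
  10 deny ip 10.10.77.0 0.0.0.255 10.40.77.0 0.0.0.255
  40 permit ip 10.10.77.0 0.0.0.255 0.0.0.0 255.255.255.255
  exit
"""


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str       # "permit" or "deny"
    src: int          # source base address as an integer
    src_wild: int     # wildcard mask: 1 bits are "don't care" bits
    dst: int
    dst_wild: int


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _operand(tokens, i):
    """Parse one address operand at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D W.W.W.W'. Returns (base, wildcard, index_after_operand)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_acl(text):
    """Collect 'seq permit|deny ip SRC DST' lines, ordered by sequence number.
    The access-list header, 'exit', blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].isdigit() or tokens[1] not in ("permit", "deny"):
            continue
        if tokens[2] != "ip":
            raise ValueError("only protocol 'ip' entries are modelled: " + line.strip())
        src, src_wild, i = _operand(tokens, 3)
        dst, dst_wild, _ = _operand(tokens, i)
        entries.append(AclEntry(int(tokens[0]), tokens[1], src, src_wild, dst, dst_wild))
    return sorted(entries, key=lambda e: e.seq)


def _wild_match(addr, base, wild):
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries, src, dst):
    """Return (action, seq) of the first entry matching the src/dst pair.
    A packet that matches no entry hits the implicit deny: ('deny', None)."""
    s, d = _to_int(src), _to_int(dst)
    for e in entries:
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_10)
    for src, dst in [("10.10.77.5", "10.40.77.9"),   # VLAN 10 -> VLAN 40
                     ("10.10.77.5", "10.20.77.9"),   # VLAN 10 -> VLAN 20
                     ("10.10.77.5", "8.8.8.8"),      # VLAN 10 -> Internet
                     ("192.168.5.5", "8.8.8.8")]:    # not sourced from VLAN 10
        print(src, "->", dst, evaluate(acl, src, dst))
```

Two things the script makes visible: entries are tried in sequence-number order and the first hit wins, so the deny at 10 must sit before the permit at 40; and anything that matches no entry, such as a packet with a source address outside 10.10.77.0/24, falls through to the implicit deny at the end of every ACL. An ACL of this kind is stateless, so it only ever judges the direction it is applied to; the reverse direction is governed by whatever ACL is applied to the other VLAN.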

Your first problem is that IPFire only supports
1 WAN and 3 other networks (Green, Blue and Orange DMZ),
so 3 network zones or VLANs max.
There are default firewall rules for these network zones.

In my opinion this has nothing to do with IPFire. Your L3 switch port B1 is not a switch port but a routing port, and IPFire does not know anything about the clients and VLANs behind it. Your switch does the routing.

You need to block communication of VLAN20/30 to Port B1 with your Switch configuration.

Yes, port B1 is a routing port; it should be a transfer VLAN or coupling network to the Internet/firewall (IPFire).
I can block VLAN 20/30 using ACLs, no problem.
It is interesting that if I replace the IPFire with a FritzBox LTE to isolate the error and set static routes in the FritzBox for VLAN 10/40 (10.10.77.0 255.255.255.0 10.100.100.254 and 10.40.77.0 255.255.255.0 10.100.100.254), then everything works perfectly.

What would be better: operating the Aruba switch in Layer 2 mode, or perhaps changing the firewall (pfSense/OPNsense)? Or do all pure firewalls with (LTE) modems have the problem of not knowing any VLANs behind a routing L3 switch?

Many thanks for further information

It's because Linux does not use an IP address that ends with 0.

But using VLANs as zones is a bad concept from the beginning.

pfSense and OPNsense run on BSD instead of Linux and have a few zero-day flaws, and one of them was a hack with IP addresses ending in 0. Linux fixed their distros by making it invalid where that zero-day flaw can occur. BSD never fixed it as far as I know.

Actually, addresses ending in 0 can be valid. 192.168.1.0 is a valid, usable address in the 192.168.0.0/23 network. What is not valid is the network base address. In my example the base address is 192.168.0.0. Similarly, the base address for 1.2.3.88/29 is 1.2.3.88, which is not valid for use but does not end in .0.

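As an added example (not from the thread), the following Python script makes the distinction drawn in the reply above concrete: the last octet of an address says nothing by itself; only the prefix length decides which two addresses are reserved. The prefixes 192.168.0.0/23 and 1.2.3.88/29 are taken from the reply, 172.17.5.0/23 is the Green NIC mentioned later in the thread, and the remaining sample inputs are constructed.

```python
"""Is an address usable for a host, or the prefix's network/broadcast address?

Added example, not from the thread: the trailing octet of an address is
irrelevant; the prefix length decides which addresses are reserved.
Sample prefixes other than those quoted in the thread are constructed.
"""
import ipaddress


def host_status(addr, prefix):
    """Classify addr relative to prefix: 'host', 'network', 'broadcast' or 'outside'."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(prefix, strict=False)  # accept a host address as prefix
    if ip not in net:
        return "outside"
    if net.prefixlen >= 31:
        # RFC 3021 point-to-point /31 (and a /32) reserve nothing.
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_dot_zero_addresses(prefix):
    """Addresses inside prefix whose last octet is 0 and that a host may use."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return [str(h) for h in net.hosts() if int(h) & 0xFF == 0]


if __name__ == "__main__":
    for a, p in [("192.168.1.0", "192.168.0.0/23"), ("192.168.0.0", "192.168.0.0/23"),
                 ("1.2.3.88", "1.2.3.88/29"), ("172.17.5.0", "172.17.5.0/23"),
                 ("10.100.100.0", "10.100.100.0/24")]:
        print(a, "in", p, "->", host_status(a, p))
    print(len(usable_dot_zero_addresses("10.0.0.0/16")), "usable .0 addresses in 10.0.0.0/16")
```

For a /16 the script counts 255 usable addresses ending in .0 (every x.y.N.0 for N from 1 to 255); only x.y.0.0 is the network address. A DHCP server that hands out from the pool of the prefix will offer those addresses like any other.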

But BIND doesn't work the same way.

An entry ending with 0 in bind9 on Linux can only be bound to the loopback interface, and it assumes you are binding 0/24 to the loopback if not specified.

That is why it has to end in 1-255 when routing to something else.

So you are telling me that if I have a /16 subnet in a larger network, I cannot use any of the addresses ending in .0 in that subnet, and that any DHCP server will be clever enough not to hand out these addresses? Sorry, but I believe you are wrong.

It's not the logical routing; it has to do with hardware connections, as you can't use an IP address ending with 0 as the endpoint of the firewall. Just like you can't use an IP address that ends with 0 for the Green network zone, which is a firewall zone endpoint.

If you say so.
I have just configured IPF with a Green NIC of 172.17.5.0/23 and DHCP to hand out that address as the DNS and NTP server, and it is happy.


It's not the same thing I am thinking about. Maybe I need to rephrase this differently...

It's the concept of using a VLAN as a firewall zone inside a firewall zone which isn't working.

Because you use the colour zones and define their rules accordingly, then extend them as VLANs over a common interface.

So in your example you have 4 zones to service. IPFire has 3 inside firewall zones.
So you should run setup again at a root terminal on IPFire and add the two zone networks,
so you will have Green, Blue and Orange.

So in the zone config screen you would assign Orange to VLAN 10, Green to VLAN 20 and Blue to VLAN 40, get rid of VLAN 30 and add its hosts to VLAN 20 (Green network), and apply firewall rules accordingly.

I would get rid of VLAN 20 as well and just run a native Green network.
Then it would be Green (native), Orange (VLAN 10), Blue (VLAN 40).

Doesn't IPFire block out-of-network traffic?
If Green is 192.168.1.0/24,
is this the only traffic allowed in that zone?

A simple router would not care about some other IP like 192.168.68.0/24
and would send it on its way.

Yes, for the zone, but the Ethernet port can be assigned multiple zones, just one native by default.

I'm sure there is a possibility to service 4 VLANs with 3 zones; however, I would have to explain how to add a sub-network to the interface and a VLAN, then resolve the routing in firewall rules for any communications beyond the network branch the Ethernet port is associated with. But what I find in a lot of installs is that VLANs are being applied as firewall zones instead of extending a network. This example, like most of them, can be simplified down to 3 zones.

I think a change to add more colour firewall zones so it can service more VLANs might need to be reviewed, because the system is definitely capable of servicing more zones. It just has to make sense to do this, and preserving other people's paradigms of their installation might be the excuse.

Ultimately, what is the reason behind the VLANs in the first place?

Because most are using them because their routers don't provide firewall zones.

Hello guys,
I haven't configured any VLANs on my IPFire.
My InterVLANs are on the switch (Layer 3/router); port B1 (routing port 10.100.100.254/24) is connected to the IPFire interface Green (10.100.100.1/24).
In the IPFire, 2 static routes for VLAN 10 & 40 (10.10.77.0/24 & 10.40.77.0/24) to the Aruba gateway (10.100.100.254) are defined.
In addition, a firewall rule is defined: Source VLAN 10 & 40 subnets - ANY - Destination ANY.
The static routes & firewall rule work well and VLANs 10 & 40 have Internet access.
I define additional ACLs for all VLANs among each other on the Layer 3 Aruba switch.

Terry-xperimental has correctly identified that IPFire does not know the clients in the InterVLANs.
OK, but how can I route to the InterVLANs with OpenVPN in order to communicate with some clients?
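As an added example (not part of the thread), the following Python script models the routing tables the original poster describes with a longest-prefix-match lookup: IPFire Green 10.100.100.1/24 facing the switch's routing port 10.100.100.254, the two static return routes for VLAN 10 and 40, and the switch side with its four VLAN gateways. It lets you check offline which interface a reply to a VLAN client leaves on with and without the return routes, and where the switch sends traffic destined for OpenVPN clients. Interface names (green0, red0, tun0, vlanNN), the WAN gateway 203.0.113.1, the OpenVPN client subnet 10.8.0.0/24 and the switch's default route toward 10.100.100.1 are assumptions for the example.

```python
"""Longest-prefix-match lookup over the routing tables described in the thread.

Added example, not from the thread: it models IPFire (Green 10.100.100.1/24
facing the switch's routing port 10.100.100.254, static return routes for
VLAN 10 and 40) and the Aruba switch. Interface names, the WAN gateway
203.0.113.1, the OpenVPN client subnet 10.8.0.0/24 and the switch's
default route toward 10.100.100.1 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    dev: str                   # egress interface
    via: Optional[str] = None  # next-hop gateway; None means directly connected


class RoutingTable:
    def __init__(self, routes):
        # Most specific prefix first, so the first match is the longest match.
        self._routes = sorted(((ipaddress.IPv4Network(r.prefix), r) for r in routes),
                              key=lambda item: item[0].prefixlen, reverse=True)

    def lookup(self, dst):
        ip = ipaddress.IPv4Address(dst)
        for net, route in self._routes:
            if ip in net:
                return route
        return None  # no matching route, not even a default


def next_hop(table, dst):
    """(dev, via) chosen for dst, or None when dst is unroutable."""
    r = table.lookup(dst)
    return None if r is None else (r.dev, r.via)


def reply_reaches_switch(table, client):
    """True when the firewall would send a reply to client back over Green."""
    hop = next_hop(table, client)
    return hop is not None and hop[0] == "green0"


WAN = Route("0.0.0.0/0", "red0", "203.0.113.1")   # assumed LTE provider gateway
GREEN = Route("10.100.100.0/24", "green0")        # transfer net to switch port B1
OPENVPN = Route("10.8.0.0/24", "tun0")            # assumed OpenVPN client subnet

IPFIRE_WITHOUT_RETURN_ROUTES = RoutingTable([WAN, GREEN, OPENVPN])
IPFIRE_WITH_RETURN_ROUTES = RoutingTable([
    WAN, GREEN, OPENVPN,
    Route("10.10.77.0/24", "green0", "10.100.100.254"),  # static route from the post
    Route("10.40.77.0/24", "green0", "10.100.100.254"),  # static route from the post
])
ARUBA = RoutingTable([
    Route("0.0.0.0/0", "vlan100", "10.100.100.1"),       # assumed default route to IPFire
    Route("10.100.100.0/24", "vlan100"),
    Route("10.10.77.0/24", "vlan10"), Route("10.20.77.0/24", "vlan20"),
    Route("10.30.77.0/24", "vlan30"), Route("10.40.77.0/24", "vlan40"),
])

if __name__ == "__main__":
    for client in ("10.10.77.20", "10.20.77.20"):
        print(client, "without return routes:", next_hop(IPFIRE_WITHOUT_RETURN_ROUTES, client))
        print(client, "with return routes:   ", next_hop(IPFIRE_WITH_RETURN_ROUTES, client))
    print("switch forwards traffic for OpenVPN client 10.8.0.7 via", next_hop(ARUBA, "10.8.0.7"))
```

The lookup for 10.10.77.20 shows the mechanism behind the "return routes": without the static route the reply matches only the default route and leaves on red0 toward the LTE provider, where it is dropped; with it the reply goes back over Green to 10.100.100.254. The same lookup for 10.20.77.20 shows that a VLAN without a return route never gets its replies, regardless of firewall rules. On the switch side, under the assumed default route, traffic for the OpenVPN subnet already goes to 10.100.100.1, so on the routing layer the VPN case needs the VLAN routes on the client (pushed by the server) and a matching firewall rule on IPFire, not an extra route on the switch.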

Well, if it's just OpenVPN to a VLAN, it's a simple iptables command. Replace 10.10.10.1 with the VLAN IP:

# DNAT inbound UDP/1194 arriving on red0 to the given address
iptables -t nat -A PREROUTING -p udp --dport 1194 -i red0 -j DNAT --to-destination 10.10.10.1

If you want to also access the VLANs as well as the LAN from OpenVPN, then you will want to push additional routes to your VLAN subnets - www.ipfire.org - Advanced server options.