Multiple VLAN on BLUE?

My WLAN-AP has multiple SSIDs. Each SSID has a separate VLAN-ID. What has to be configured at IPFire to handle these VLANs as separate BLUE interfaces? (To allow all devices of a VLAN to reach the I-Net or not.)

I was able to configure the interfaces at the CLI (but how do I make this persistent at IPFire?).

But afterwards only the interface selected in ‘Zone Configuration’ gets connected.

From: www.ipfire.org - Zone Configuration

Please note that:

  • Due to backwards compatibility reasons, you can’t assign more than one VLAN to a zone

  • One NIC can’t be accessed natively by more than one zone

  • You can’t use the same VLAN tag more than once per NIC

As already stated, it is not possible. However, I think it’s not necessary at all. I have different SSIDs with an AP mesh network as well and use client isolation (Grandstream APs) to disallow communication of clients with each other or with other WLANs of the same AP (there are different implementations for different use cases). I don’t need any VLANs at all.

After creating the IPVLAN endpoints, you have to make a firewall network group in Firewall→Firewall Groups→Network.

Then define the routing of the IPVLAN in Firewall→Firewall Rules to route it to Red or other networks.

But it’s not going to show up on a screen. I’m 1/2 way through writing a new zoneconf.cgi to submit, but my time is divided and I had to deal with a small flood in my computer lab. Until then you just use the usual commands on the terminal command line.

As far as starting it up, you have to either add the startup commands to the network startup script, or add an init.d startup script, or create a process.

I bet it is possible,

because I use a configuration with 2 or better 3 VLANs on one physical NIC without any connection errors, and this for about a year now.

Zone configuration must first be set in the setup screen; after a reboot you set the configuration (described below) under zoneconf.cgi. After a second reboot it may be necessary to reconfigure the new virtual NICs in setup mode, but normally, if you did not make a logical mistake, it will run without any connection issue with the configured VLAN switches in the network.

In my setup I set the green NIC to native, which will even be VLAN 01, then added in normal mode an orange (completely virtual) VLAN 05 on the green NIC, and generated a bridge with the onboard WLAN card (which is set to native) on blue with VLAN 06 at the green NIC.

Try it. It works.

I know it’s possible, but I have had a few things come up and I haven’t finished submitting my changes to IPFire.

You can add IPVLANs with different IP addresses, but you have to create a firewall rule to allow them routing to a network zone.

If you add an IPVLAN with the same IP address as a colour zone, then it will work w/o additional firewall routing and use the existing rules.

What they have in zone config is what is called a MAC_VLAN, which is bound to the interface instead of the IP network zone, and you can only assign one MAC_VLAN of a zone to the interface.

Yes, you can also set up a separate bridge too, like you did, instead of using a zone in bridge mode.

What my proposed change for VLANs is: each zone having a VLAN set. Similar to how a router has VLANs, but up to three instances of it (one per zone). So blue would have up to 4094 VLANs, green a separate set of 4094 VLANs and orange a different set of 4094 VLANs, and you set routing from one zone to another in the firewall rules by the IPVLAN address net the VLAN is assigned to.

OK, I am in block-all mode so I always have to create a rule; I did not notice this fact, thanks.

As with switches, they work in exactly the same way.

Sorry, I’m no pro. But as I understand it, VLANs use a separate marker/info for each device on the data packet, and this only matters at each network port through which the data passes. At each port, there are two possibilities when receiving data: VLANs matter or they don’t. If they matter, the data packet has the marker. If not, it will be blocked or receive no answer. If it has the marker, it must be the correct one to pass. If the data packet receives an answer, it will receive a marker from the port.

If you send a data packet, it will get the marker from the sending network port.

Therefore, if you want to send separate VLANs through networks, you must use trunked and untrunked ports. Normally, VLANs need untrunked ports, but if you want to pass two VLANs through one port, you must use trunked ports with a second marker to separate the two VLANs. As soon as the data arrives at an untrunked port, the second marker will be removed.

For example, if you have two switches connected with two ports and cables as a LAG, you can only route trunked VLANs from one switch to the other, and the number of VLANs doesn’t matter; they are all separated.

This always works without routing or firewall rules.

Normally, with a standard router. IPFire is a little different because it’s a segmented gateway. So each zone is a router with a firewall, sharing the same ARP table. So for example, VLAN3 on green is not the same as VLAN3 on blue unless they have the same IP and have routing rules set so both will talk to each other. On ordinary routers it is set so it only exits the network or passes through the passive switch, but I’m leaving this default behaviour unconfigured so the VLAN could be routed across to another zone, or exit to red, or both, without adding a virtual bridge and only using the zone bridge. That should always be turned on, but IPFire doesn’t have it configured that way by default, and you have to turn it on when you make an IPVLAN, unless you already have it on so that multiple Ethernet interfaces are configured for the same zone.

A router always routes between different segments, so IPFire is a router.
VLANs are a concept on switch level.
This shouldn’t be mixed up.

Exactly, IPFire can run without any knowledge of which VLANs have been configured.

I don’t know what a firewall should be doing in a VLAN configuration, but it does not care. VLAN is a hardware network port feature, where a router can only work with the MAC address by being given an IP address, and VLANs can be used to build groups of devices in every IP range in the network. VLANs are not bound to IPs; they are always hardware bound, even for virtual network devices.

It is not the same because of the firewall rules of IPFire; if you clear the rules between the green and blue network and give them a possibility with the IP range to see each other, VLAN3 will be the same on the green and blue network.

Correct, it should only serve endpoints, even though with the existing system (MAC_VLAN) their main use is to trunk a whole network through a VLAN instead of providing an endpoint. That is why you can’t use two green MAC_VLANs on the same interface, and only one network VLAN per interface. The IP VLAN’s purpose is to provide an IP address as an endpoint into a network from a VLAN network. The VLAN network can be the same or a different IP schema. Ordinary routers have IP VLAN. Demarcation routers have both, or just MAC VLAN to trunk connections on a service line.

An ‘ordinary’ router just uses plain IP and routing functions, nothing virtual!
A LAN is just a network connected to an interface with private IP addresses.
VLANs are a concept realized on the ethernet level by switches (the connectors on the ethernet level).

Yes, that is why they only have the function of providing an exit node to the firewall. Now there are types that will configure ports to have just VLAN-tagged traffic, but that’s a different feature and that would be called a VLAN router.

I don’t understand what ip vlans are supposed to be?

The default VLAN01 is supposed to connect all ports of all switches as a native VLAN to serve as administration. An additional 4000 VLANs can be assigned in any number to network ports, which in infrastructure management, for example, can mean that syslog, ssh, and SMTP data traffic is separated from other data streams by means of VLAN. Or that two networks are separated by VLAN so that data is never mixed.

The trunk function can be used to determine whether an endpoint is reached with only one untagged VLAN, or whether a selection is made so that only tagged packets are accepted and all untagged packets are discarded. This is useful and is used to distribute VLAN information across multiple switches over one physical connection.

It has a security function, creating a quasi hardware separation in the same IP range or a separation between IP networks that cannot see each other.

It has the power to turn a switch into a managed switch with additional rules as the firewall at OSI level 2. VLAN is MAC-dependent and linked to the network port.

Or do you mean IP VLAN, where a VLAN is assigned to a network area according to the scheme 192.168.10.0/24 VLAN10, 192.168.20.0/24 VLAN20, and 192.168.30.0/24 VLAN30?
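The tagging model described in the two posts above (the ‘marker’ on each packet, untrunked ports adding or removing it, trunked ports accepting only tagged frames) is shown here as an added Python example; it is not code from IPFire or from anyone in this thread. The sample frame is constructed, and the access/trunk port logic is a simplified model (no native VLAN on trunks, PCP/DEI left at zero).

```python
import struct
from typing import Optional, Set
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample frame (not captured traffic): dst MAC, src MAC, EtherType IPv4, dummy payload
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + struct.pack("!H", 0x0800) + b"\x45" * 20)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame; 'vid' is None when no 802.1Q marker is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])  # TCI = PCP(3) | DEI(1) | VID(12)
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert the marker after the MAC addresses (PCP/DEI zero)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte marker, leaving a plain Ethernet frame."""
    return frame[:12] + frame[16:]


def switch_port(frame: bytes, mode: str, direction: str, pvid: int = 1,
                allowed: Set[int] = frozenset()) -> Optional[bytes]:
    """Model one port: returns the frame as it continues, or None when the port drops it.
    access (untrunked): ingress tags untagged frames with pvid and refuses tagged ones;
    egress strips the tag only for frames carrying pvid. trunk (trunked): tagged frames
    with an allowed VID pass unchanged; untagged frames are discarded."""
    vid = parse_frame(frame)["vid"]
    if mode == "access":
        if direction == "ingress":
            return add_tag(frame, pvid) if vid is None else None
        return strip_tag(frame) if vid == pvid else None
    if mode == "trunk":
        return frame if vid is not None and vid in allowed else None
    raise ValueError(f"unknown port mode {mode!r}")
```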