The network cables are routed through a 24-port switch to three 8-port switches, where I have set up VLANs on the switches for red and green; the flags are removed on handover to the IPFire in the middle. Data exchange between the switches is done over two redundant ports through which the flagged traffic goes.
For the simple reason that the modem is in another room and I could not lay a long cable at once. So on two switches, one port belongs to another VLAN leading to the red network card; all other free ports are assigned to the green network in a second VLAN.
I use two access points (5 GHz & 2.4 GHz) for WLAN, which I attach to the green network. A separate blue network is the WLAN network card of the IPFire. The OpenVPN server runs on the IPFire. Any access from outside to green is done via VPN.
Now my plan:
Set up a Raspberry Pi as a server accessible from the Internet. DynDNS is already set up because of the VPN server.
Is it possible to set up a virtual DMZ that gets its own VLAN, but on the network card of the green network, where I can then run the Raspberry Pi in the DMZ?
Ok, I checked the wiki, but I see a problem: my green network is a VLAN too, without the IPFire knowing about it, because the flags are removed. If I now configure a new VLAN on the switches and make the tags known to the IPFire, it will still reject the VLAN from green, or not?
As I understand VLANs, the ports are marked accordingly and thus separated from the other ports. So that I do not have to use a separate cable for each VLAN, I use flags to mark the packets; that way I can send multiple VLANs through one cable to the next switch.
For the IPFire to accept the packets on the green network card, the flags have to be removed.
Port 8 and port 17 in VLAN 4 are my WAN cable.
Ports 1 and 2 are the connections between the switches.
All the rest is VLAN 1 and therefore the green network.
So the IPFire does not know of these VLANs.
Now, when I set up a DMZ as a VLAN, the packets must be marked towards green.
How can I tell the IPFire that the green network has a different VLAN?
I think you can leave green as NATIVE and apply the right VLAN ID to orange. You can use this guide, exchanging BLUE with ORANGE and not doing the DHCP part for blue. Read the guide carefully; you need to go through the SETUP phase twice.
But I believe it doesn't work if I use the configuration as it is, unflagging the VLANs at the port that goes to the green network card, because how should the IPFire know which packets come from which VLAN without the flag? I would say I must set green as a VLAN too and not unflag the packets at this port... that's how I understand VLANs... but we will see... I will now reboot and have a look where in the setup I find the orange@green interface for orange, and reboot again...
So I tried it as mentioned, but I did not get an orange@green network card, only an interface called "unknown ???" with a MAC address; after the reboot nothing changed... after running setup again, the orange network has no network card... so I will do it again, but it seems that this trick does not work with the orange network... or how can I test it? Any advice?
I would say not good. It should be orange0@green0, as in the ip address show command from the @bonnietwin post I linked above. I wish I could be more useful, but my entire knowledge is based on that thread and my effort to understand this topic, and I have zero practical experience.
I now have a Linux operating system on the server that is supposed to be in the DMZ, but I don't have Internet there.
What must be entered there?
Host I have left on localhost,
and the DNS name is simply local.
I set static IP 192.168.99.2, mask 255.255.255.0 and gateway 192.168.99.1,
DNS server 188.8.131.52.
It does not get a connection to update...
Pings fail to 184.108.40.206 as well as to 192.168.99.1.
Can it be that I was right with the assumption that, because of the tags of the VLAN, the packets are not correctly passed through? That is how it looks to me.
Edit: Yes, this was the issue. As I said before, I had to set the green network from native to VLAN, too.
On the switch, the connected port must tag the packets for both the green and the orange VLAN.
Now I can ping from the IPFire to the DMZ server and back.
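As an added example (not from this thread and not IPFire's own code), the following Python models the point the posts above argue over: a switch port that strips the 802.1Q tag only for its native VLAN and leaves other member VLANs tagged, and a firewall that sorts untagged frames onto the physical NIC and tagged frames onto a VLAN sub-interface. The interface names green0 and orange0@green0, the VLAN IDs 1 and 99 and the sample frame are assumptions constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def tag_frame(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_id(frame):
    """VLAN ID carried by the frame, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def untag_frame(frame):
    """Strip the 802.1Q tag; an untagged frame is returned unchanged."""
    return frame if vlan_id(frame) is None else frame[:12] + frame[16:]

def switch_egress(frame, tagged_vlans, pvid=None):
    """Model of the switch port that feeds the firewall NIC: a frame in the
    port's native VLAN (PVID) leaves untagged, a frame in one of the port's
    tagged member VLANs keeps its tag, anything else is dropped (None)."""
    vid = vlan_id(frame)
    if vid is not None and vid == pvid:
        return untag_frame(frame)
    return frame if vid in tagged_vlans else None

def firewall_classify(frame, native_iface, vlan_ifaces):
    """Which firewall interface receives the frame: untagged -> the physical
    NIC, tagged -> the sub-interface registered for that VLAN ID, else None."""
    if frame is None:
        return None
    vid = vlan_id(frame)
    return native_iface if vid is None else vlan_ifaces.get(vid)

# Constructed sample: an IPv4 frame between two made-up MAC addresses
# (dst MAC, src MAC, EtherType 0x0800, first bytes of an IPv4 header).
SAMPLE = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + b"\x45\x00"
GREEN_VID, ORANGE_VID = 1, 99                 # assumed VLAN IDs
IFACES = {ORANGE_VID: "orange0@green0"}       # assumed sub-interface name

def deliver(vid, tagged_vlans, pvid):
    """Send SAMPLE in VLAN vid through the switch port, then classify it on the firewall."""
    out = switch_egress(tag_frame(SAMPLE, vid), tagged_vlans, pvid)
    return firewall_classify(out, "green0", IFACES)
```

With green native and orange tagged, deliver(1, {99}, pvid=1) returns "green0" and deliver(99, {99}, pvid=1) returns "orange0@green0"; if the port neither tags nor untags orange, deliver(99, set(), pvid=1) returns None, which is the "no link in the DMZ" situation from the thread. When the port tags both VLANs instead, the firewall needs green registered as a VLAN sub-interface as well, which is what the last post ended up doing.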