my setup:
the network cables are routed through a 24 port switch to three 8 port switches, where I have set up VLANs on the switches for red and green, the flags are removed on handover to the ipfire in the middle. Data exchange between the switches is done over two redudante ports where flagged traffic goes through.
For the simple reason that the modem is in another room and I could not lay a long cable at once. So on two switches one port belongs to another VLAN leading to the red network card, all other free ports are assigned to the green network in a second VLAN.
I use two Acesspoints (5GHz&2.4GHz) for WLAN which I attach to the green network. A separate blue network is the WLAN network card of the Ipfire. On the Ipfire runs the OpenVPN server. Any access from outside to green is done via VPN.
Now my plan:
Set up a Raspi Pi as a server, accessible from the Internet DynDNS is set up, already because of the VPN server.
Is it possible to set up a virtual DMZ, which gets its own VLAN, but at the network card of the green network, where I can then run the Raspi in the DMZ?
The limitations concerning the VLAN and ZONE topology are the following:
A zone can have at most one VLAN assigned to it.
Each Network Interface Card (NIC) can only be accessed natively by a single zone.
The same VLAN tag cannot be used more than once for a given NIC.
If the RED zone is in PPP mode, no other zone can access a NIC assigned to RED.
As of Core Update 156, macvtap support has been discontinued. Use the Bridge mode instead.
From what I understand of your description, I do not see any of the above limitations preventing you from having green and orange in two VLANs assigned to the same NIC.
@cfusco
Ok, i checked the wiki, but i see a problem, because my Green Network is a VLAN too, without the Ipfire knowing about it, the flags are removed. If I now configure a new VLAN on the switches and make the tags known to Ipfire, it will still reject the VLAN from Green, or not?
As I understood VLAN, the ports are marked accordingly and thus separated from the other ports. So that I do not have to use a separate cable for each VLAN, I use flags to mark the packets, so I can now send multiple VLANs through one cable to the next switch.
For Ipfire to accept the packets on the green network card, the flags have to be removed.
The port 8 and the port 17 in VLAN 4 is my WAN cable.
Ports 1 and 2 are the connections from the switches.
All the rest is VLAN 1 and so green network.
So the ipfire does not know of this VLANs.
Now when I set up a DMZ as a VLAN, the packets must be marked to green.
How can I tell Ipfire that the green network has a different VLAN?
I think you can leave green as NATIVE and apply to orange the right VLAN ID. You can use this guide, exchanging BLUE with ORANGE and not doing the DHCP part for blue. Read the guide carefully, you need to go to the SETUP phase twice.
But I believe it doesnt work if I use the configuration as it is, to unflag the VLANs at the port that goes to the green network card, because how should the Ipfire know which packets comes from which VLAN without the flag? I would say i must set green also VLAN und do not unflag the packets at this port...thats how i understand the VLANs… but we will see…i will know reboot and have a look where in the setup i find the orange@green interface for orange and reboot again…
So I tried it as mentioned but I did not get an orange@green network card but a interface its called unknown ??? with MAC address, after reboot nothing changed … after run setup again orange network has no network card…so i will do it again, but seems so that this trick does not work with the Orange network … or how can i test it? any advise?
after the first reboot, did you assign to the same NIC, green as native and Orange as VLAN with the correct ID? This is the original tutorial. Also, this post form the same thread.
I would say not good. Should be orange0@green0, as in the ip address show command from the @bonnietwin post I linked above. I wish I could be more useful, but my entire knowledge is based on that thread and my effort to understand this topic, but I have 0 practical experience.
I appreciate your words, and I thank you for that. However the real merit of the good documentation we have now on VLANs comes from @bonnietwin He did the hard work of punting all the pieces together.
I now have a Linux operating system on the server that is supposed to be in the DMZ, but I don’t have Internet there.
What must be entered there?
host I have left on localhost
and DNS name is simply local
I set static IP 192.168.99.2 mask 255.255.255.0 and gateway 192.168.99.1
DNS server 9.9.9.9
It does not get connection to update…
pings fail to 9.9.9.9 as well as to 192.168.99.1
Can it be that I was right with the assumption, that because of the tags of the VLAN, the packets are not correctly passed through, because so it looks to me.
Edit: Yes this was the issue, like I told before, I had to set the green Network from native to VLAN,too.
On switch the connected Port must tag the packets both green and orange VLAN.
Now I can ping from ipfire to DMZ Server and backwards.
only in setup it is called unknown