Segregate one VLAN from rest of network

I managed to get some time today to do an install of red green and blue on 2 nics on my vm testbed.

I was able to successfully end up with a green network and a blue vlan network on the same network interface and ended up with both red and green dhcp options.



Screenshot_2022-09-28_15-10-29

The process I used was as follows.

Set up a vm with 2 nics. Ran install from CU170 iso.

Selected red, green and blue network type.

Assigned green and red to the two interfaces, selected ignore for the fact that blue flagged as not being assigned.

System booted and I went into the WUI.

The dhcp page only had the green option.
On the Zone Configuration page I added the Blue zone as a VLAN with a VLAN ID and pressed save. It then said to reboot which I did.

Then I went into the console and ran setup again and this time when selecting blue it had an interface available, which is the blue0 on green0 vlan shown as blue0@green0 interface on the ip address show output.

Having selected blue to the new interface I then exited from setup and went back to the WUI and now on the dhcp page I had both green and blue dhcp options. I then added in the blue dynamic range and enabled it.

Then rebooted again just to be certain and everything stayed with green and blue on dhcp and zone configuration with green and blue on vlan and ip address show giving the same output.

7 Likes

Bridge or default?

this is possibly the crucial step that was missing by the OP,

This tutorial from @bonnietwin should be made into a wiki page, considering how many threads we get for VLAN configuration.

2 Likes

I set it to Default. See the zone configuration screenshot

My stupid brain sometimes ignores things that are gigantic. My apologies.

Don't worry about it. I have done the same thing myself.
It's better to ask than to miss something important.

1 Like

I would definitely second adding that to the wiki… I haven't seen any mention of needing to go back into setup anywhere online.

However, in my screenshot above, I'm definitely not getting the blue0@green0 device after configuring the blue zone to vlan in the WUI, nor am I able to select it when re-running setup. The only difference is that I have a wlan0 device that I'm not using… Since I don't need it I'll try physically removing the device and see if that makes a difference, to eliminate any potential for a device detection bug involving it.

1 Like

After you selected blue to vlan did you press save? You need to press save and then you need to reboot before going into setup.

I was about to tell you that I did, but I rebooted just to make sure I had before, and the interface did show up after that. :slight_smile:

I'm still testing, but I do believe the worst is behind me now!

EDIT: And all is good! @bonnietwin's post is the holy grail solution to zoned VLAN routing on IPFire!

  • At initial setup, set the Blue zone to None, and Ignore the warning about it.
  • In the WUI, set the Blue zone to Default, and VLAN, on the same NIC as your green network.
  • Reboot
  • Go back into setup in the console, and re-assign the Blue zone to the newly created hybrid interface (blue0@green0 in my case)
  • Back in the WUI, you'll now have access to the Blue DHCP server, which you can configure as you see fit.

A HUGE thank you to everyone who helped with this!

***I definitely think we need to add this information to the various wikis; I had studied the documentation and forums quite a bit before asking and I for sure didn't see any mention of having to go through an extra round of console setup in order to get a VLAN running alongside a native NIC. This will be quite a boon to the many users who ask about VLAN setup in the forums.

3 Likes

@darkhand First, congratulations on your success. I commend the way you acted in troubleshooting your system. This thread is very important as it will help other users of IPFire to learn to use a feature that has a sizeable request level and is very poorly documented. For that you and @bonnietwin did a very good thing. If @jon agrees, I will write a new entry on the wiki condensing all the info that has emerged in this thread.

As a curiosity, can I ask if /var/ipfire/ethernet/settings now has an entry like BLUE_DEV=blue0@green0? Any other change in that file and in /var/ipfire/ethernet/vlans?

4 Likes

Thanks @cfusco !

I actually don't see a reference to blue0@green0 in either of the files, only when I run ip a. Might there be another setting file? The strange Blue MAC address from before is still present however, probably a randomized virtual MAC.

The contents of my /var/ipfire/ethernet/settings file after everything:

BLUE_STP=
BLUE_NETADDRESS=192.168.2.0
RED_DHCP_FORCE_MTU=
GREEN_ADDRESS=192.168.1.1
GREEN_NETADDRESS=192.168.1.0
GREEN_MODE=
GREEN_DRIVER=r8169
ORANGE_SLAVES=
BLUE_SLAVES=
GREEN_MACADDR=00:01:2e:xx:xx:xx
GREEN_NETMASK=255.255.255.0
GREEN_STP=
RED_DHCP_HOSTNAME=router
RED_NETADDRESS=0.0.0.0
RED_DRIVER=e1000e
GREEN_SLAVES=
BLUE_MODE=
RED_DEV=red0
RED_DESCRIPTION='"pci: Intel Corporation Ethernet Connection I219-LM (rev 21)"'
GREEN_DEV=green0
BLUE_ADDRESS=192.168.2.1
RED_MODE=
GREEN_DESCRIPTION='"pci: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 0c)"'
RED_NETMASK=0.0.0.0
ORANGE_MODE=
RED_MACADDR=00:01:2e:xx:xx:xx
DEFAULT_GATEWAY=0.0.0.0
RED_TYPE=DHCP
RED_ADDRESS=0.0.0.0
RED_STP=
ORANGE_MACADDR=
CONFIG_TYPE=3
BLUE_MACADDR=02:5b:8b:xx:xx:xx
BLUE_NETMASK=255.255.255.0
RED_SLAVES=
ORANGE_STP=
BLUE_DEV=blue0
BLUE_DESCRIPTION='"???: Unknown Network Interface (blue0)"'
BLUE_DRIVER='Unknown Network Interface (blue0)'

Contents of /var/ipfire/ethernet/vlans:

ORANGE_VLAN_ID=
RED_MAC_ADDRESS=
BLUE_MAC_ADDRESS=02:5b:8b:xx:xx:xx
GREEN_MAC_ADDRESS=
RED_VLAN_ID=
GREEN_PARENT_DEV=
RED_PARENT_DEV=
ORANGE_MAC_ADDRESS=
GREEN_VLAN_ID=
BLUE_VLAN_ID=2
ORANGE_PARENT_DEV=
BLUE_PARENT_DEV=00:01:2e:xx:xx:xx

[root@router ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 00:01:2e:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global green0
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc cake state DOWN group default qlen 1000
    link/ether 0c:54:15:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: blue0@green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 02:5b:8b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 scope global blue0
       valid_lft forever preferred_lft forever
5: red0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 00:01:2e:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 24.1.xxx.xxx/22 brd 255.255.255.255 scope global dynamic noprefixroute red0
       valid_lft 211128sec preferred_lft 167928sec

1 Like
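
Added example (not part of the original posts, and not IPFire's own code): a shell check for the setup described in this thread, confirming that a zone's VLAN entry in the vlans file, the parent NIC in the settings file and the `name@parent` device shown by `ip a` all agree, and that the zone has its own subnet. It assumes, as the quoted files suggest, that `BLUE_PARENT_DEV` holds the parent NIC's MAC address; the function names and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed (placeholder MACs), modelled on the
# settings/vlans files and `ip a` output quoted above.

get_val() {    # get_val FILE KEY -> value of KEY=..., lower-cased (empty if unset)
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

# Prints "<parent device> <vlan id>" for ZONE from the config files. Returns 1
# if ZONE has no VLAN ID/parent, 2 if the parent MAC matches no other zone's NIC.
config_parent() {    # config_parent SETTINGS VLANS ZONE
    vid=$(get_val "$2" "${3}_VLAN_ID")
    mac=$(get_val "$2" "${3}_PARENT_DEV")   # assumption: holds the parent NIC's MAC
    [ -n "$vid" ] && [ -n "$mac" ] || return 1
    for z in GREEN RED ORANGE BLUE; do
        [ "$z" = "$3" ] && continue
        if [ "$(get_val "$1" "${z}_MACADDR")" = "$mac" ]; then
            echo "$(get_val "$1" "${z}_DEV") $vid"
            return 0
        fi
    done
    return 2
}

# Reads `ip a` / `ip -o link` output on stdin and prints the parent of DEV as the
# kernel reports it in "name@parent" form (blue0@green0 -> green0).
kernel_parent() {    # kernel_parent DEV
    awk -F': ' -v dev="$1" '{ n = split($2, p, "@"); if (n == 2 && p[1] == dev) print p[2] }'
}

# Succeeds only if config and kernel agree on the parent and ZONE's subnet differs from GREEN's.
check_vlan_zone() {    # check_vlan_zone SETTINGS VLANS ZONE IP_OUTPUT_FILE
    want=$(config_parent "$1" "$2" "$3") || { echo "$3: no usable VLAN config"; return 1; }
    have=$(kernel_parent "$(get_val "$1" "${3}_DEV")" < "$4")
    [ "${want% *}" = "$have" ] || { echo "$3: config says ${want% *}, kernel says '$have'"; return 1; }
    [ "$(get_val "$1" "${3}_NETADDRESS")" != "$(get_val "$1" GREEN_NETADDRESS)" ] ||
        { echo "$3: same subnet as GREEN"; return 1; }
    echo "$3: VLAN ${want#* } on $have"
}

sample=$(mktemp -d)    # constructed stand-ins for the two config files and `ip a`
printf '%s\n' GREEN_DEV=green0 GREEN_MACADDR=02:00:00:AA:BB:01 \
    GREEN_NETADDRESS=192.168.1.0 RED_DEV=red0 RED_MACADDR=02:00:00:aa:bb:03 \
    BLUE_DEV=blue0 BLUE_NETADDRESS=192.168.2.0 > "$sample/settings"
printf '%s\n' BLUE_VLAN_ID=2 BLUE_PARENT_DEV=02:00:00:aa:bb:01 \
    GREEN_VLAN_ID= GREEN_PARENT_DEV= > "$sample/vlans"
printf '%s\n' '2: green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500' \
    '4: blue0@green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500' > "$sample/ip_a"
check_vlan_zone "$sample/settings" "$sample/vlans" BLUE "$sample/ip_a"
```

On a live system the same function can be pointed at /var/ipfire/ethernet/settings, /var/ipfire/ethernet/vlans and a file holding the output of `ip a`.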

yes. I agree.
:+1:

@jon Where should this tutorial go in the wiki?

How about under the Zone Config page:

https://wiki.ipfire.org/configuration/network/zoneconf/vlan2nic

Thank you for documenting this!

EDIT: and thank you for creating the fcron wiki page. looks good!

2 Likes

@jon I created the page with that link. However, right now it is orphaned. I am not sure where to link it. Can I have your opinion? Thank you Jon.

I added it above the spanning tree section:

1 Like

This has been a very helpful resource and so far I am liking IPFire. May I make a suggestion though about the VLAN guide? Since the suggestion is to use GREEN-RED-BLUE, there probably needs to be a section that mentions that by default, BLUE has a MAC filter turned on and that it would need to be disabled or each DHCP recipient to be approved. I spent over an hour trying to figure this out and finally came across the section about the Blue zone info. Overall great product and I am super excited to get to know IPFire, I am a long time pfSense user, but wanted to try something different.

done!

a note was added on the "Configuring three zones" wiki page.

1 Like

I recognize this is a solved topic, but can I make a case to include something at the top of the Zone Config page to include the table from this page (wiki.ipfire.org - Step 5: Network Setup) that outlines what each zone is intended for?

done. a brief note was added to the zone config page.

1 Like

Thank you very much

1 Like