Trying to understand how a tech configured my vlans

Hello, I'm kind of lost on how a tech in town I hire from time to time configured my VLANs. I tried to look, but the normal places where I would see a configuration file are not the same.

Is there a link to where I can find these files?

Here is what he did. It all works, but I don't understand it.

# bridge -compressvlans vlan show
port              vlan-id  
green0p0          2-4094
green0p1          1-4094
blue0p0           1 PVID Egress Untagged
blue0p1           1 PVID Egress Untagged
orange0p0         1 PVID Egress Untagged
orange0p1         1 PVID Egress Untagged
                  101-301
green0            1 PVID Egress Untagged
orange0           1 PVID Egress Untagged
blue0             1 PVID Egress Untagged
vlan0             4094 PVID Egress Untagged

Why VLANs to begin with? They use up CPU and are unnecessary. I know partitions are nice, but does your network really need them? Is it a small business?

The normal way that VLANs are set on IPFire is via the WUI menu Network - Zone Configuration.

Here is an example with the blue and orange networks set with a VLAN ID.

The settings for this page are defined in the file
/var/ipfire/ethernet/vlans

and these give the following VLAN configurations:

2: red0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:f6:6f:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.26.200/24 brd 192.168.26.255 scope global dynamic noprefixroute red0
valid_lft 863933sec preferred_lft 755933sec
3: green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:87:52:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.200.254/24 scope global green0
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:16:41:73 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:e0:57:39 brd ff:ff:ff:ff:ff:ff
6: blue0@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 02:04:b5:7c:bc:3c brd ff:ff:ff:ff:ff:ff
inet 192.168.220.254/24 scope global blue0
valid_lft forever preferred_lft forever
7: orange0@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 02:4f:3e:0d:12:1f brd ff:ff:ff:ff:ff:ff
inet 192.168.240.254/24 scope global orange0
valid_lft forever preferred_lft forever

As your VLAN settings have the syntax blue0px, and the syntax for IPFire should be blue0@ethx, it looks like your technician set up those VLANs via the command line in a different way from how IPFire would do it. To understand what he did and why, your best bet would be to ask the tech to explain it.

As the tech set things up via the command line, which is not how things are set up in IPFire (it uses the WUI menu system), you also need to be careful not to change and save anything on that WUI Zone Configuration menu. Otherwise it could end up changing your existing setup, as it is configured in a different way from the normal IPFire way of defining VLANs.

You need to be careful not to create a hole that ends up bypassing the firewall protection.

It needs to be remembered that IPFire is not a firewall set up on top of some existing operating system. IPFire is its own OS/distribution, and it has been configured and set up to meet the requirements of the IPFire firewall system.

3 Likes

You can get the p0 ending if the zone is set up in Bridge mode instead of Default mode.

Then the network interfaces look like the following:

2: red0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:f6:6f:1e brd ff:ff:ff:ff:ff:ff
3: green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:87:52:9b brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:16:41:73 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:e0:57:39 brd ff:ff:ff:ff:ff:ff
6: blue0p0@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master blue0 state UP mode DEFAULT group default qlen 1000
link/ether 02:04:b5:7c:bc:3c brd ff:ff:ff:ff:ff:ff
7: orange0p0@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master orange0 state UP mode DEFAULT group default qlen 1000
link/ether 02:4f:3e:0d:12:1f brd ff:ff:ff:ff:ff:ff
8: blue0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 02:93:32:74:84:e6 brd ff:ff:ff:ff:ff:ff
9: orange0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 02:24:9a:88:51:46 brd ff:ff:ff:ff:ff:ff

However, in IPFire 2.x you are limited to one VLAN per zone.
https://www.ipfire.org/docs/configuration/network/zoneconf

The details that the networking stack has for the VLANs that have been set up are to be found in the files

/proc/net/vlan/blue0p0 and /proc/net/vlan/orange0p0

for the example above, and the network stack summary for all VLANs set up is shown in the file

/proc/net/vlan/config

I think you definitely need to find out how the tech set things up and what was done to ensure that the VLANs that were set up would have their traffic filtered through the firewall iptables rules, the Intrusion Prevention System and the IP Block List.

1 Like
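Added example, not code from the thread or from IPFire itself: a small Python script that parses the `bridge -compressvlans vlan show` output quoted at the top of the thread together with a /proc/net/vlan/config sample in the format the kernel writes. The two VLAN IDs (20 and 30) and parent devices in that sample are constructed assumptions, since the thread never states which IDs were used. The script lists which bridge ports carry tagged VLAN ranges (something the WUI's one-VLAN-per-zone model never creates, so such entries point at command-line changes worth reviewing) and pairs each 802.1Q device with its ID, parent and bridge status.

```python
import re

# Constructed sample: the `bridge -compressvlans vlan show` output quoted in
# the thread, reproduced here as test input.
BRIDGE_VLAN_SHOW = """\
port              vlan-id
green0p0          2-4094
green0p1          1-4094
blue0p0           1 PVID Egress Untagged
blue0p1           1 PVID Egress Untagged
orange0p0         1 PVID Egress Untagged
orange0p1         1 PVID Egress Untagged
                  101-301
green0            1 PVID Egress Untagged
orange0           1 PVID Egress Untagged
blue0             1 PVID Egress Untagged
vlan0             4094 PVID Egress Untagged
"""

# Constructed sample of /proc/net/vlan/config. VLAN IDs 20 and 30 and the
# parent devices are assumptions, not values from the thread.
PROC_VLAN_CONFIG = """\
VLAN Dev name\t | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
blue0p0        | 20  | eth2
orange0p0      | 30  | eth3
"""

# port name (may be empty on a continuation line), vid or vid range, flags
ENTRY_RE = re.compile(r"^(\S*)\s+(\d+)(?:-(\d+))?\s*(.*)$")


def parse_bridge_vlan_show(text):
    """Parse `bridge vlan show` into {port: [(vid_lo, vid_hi, flags)]}.
    A line with a blank port column continues the previous port."""
    table = {}
    port = None
    for line in text.splitlines()[1:]:  # first line is the column header
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        name, lo, hi, flags = m.groups()
        if name:
            port = name
        if port is None:
            raise ValueError("continuation line before any port: %r" % line)
        lo = int(lo)
        hi = int(hi) if hi else lo
        table.setdefault(port, []).append((lo, hi, flags.split()))
    return table


def parse_proc_vlan_config(text):
    """Parse /proc/net/vlan/config into {vlan_dev: (vid, parent_dev)}.
    The first two lines are the column header and the Name-Type line."""
    devs = {}
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError("unparsed line: %r" % line)
        name, vid, parent = parts
        devs[name] = (int(vid), parent)
    return devs


def trunk_ports(table):
    """Bridge ports that forward tagged frames for some VLAN range, i.e.
    anything beyond a single untagged PVID. Returns sorted [(port, range)]."""
    found = []
    for port, entries in table.items():
        for lo, hi, flags in entries:
            if "Untagged" not in flags:
                found.append((port, "%d-%d" % (lo, hi) if hi != lo else str(lo)))
    return sorted(found)


def zone_vlan_summary(table, devs):
    """Pair each 802.1Q device the kernel knows about with its VLAN ID and
    parent, whether it is a bridge port, and whether that port also trunks."""
    trunks = {port for port, _ in trunk_ports(table)}
    return {
        name: {"vid": vid, "parent": parent,
               "in_bridge": name in table, "trunk": name in trunks}
        for name, (vid, parent) in devs.items()
    }


if __name__ == "__main__":
    table = parse_bridge_vlan_show(BRIDGE_VLAN_SHOW)
    for port, rng in trunk_ports(table):
        print("tagged VLANs %s on bridge port %s (not a WUI zone setting)" % (rng, port))
    for name, info in zone_vlan_summary(table, parse_proc_vlan_config(PROC_VLAN_CONFIG)).items():
        print(name, info)
```

On a live box you would feed the script the real command output and the real /proc/net/vlan/config instead of the embedded samples; the ports it reports as trunking are the ones to compare against the Zone Configuration page and the firewall rules before touching anything.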

I don’t know how he did it, because the zone configuration page looks exactly like how it looks when I installed it myself.

The guy does a really good job building computers for me and he did get all the network up, but I made a service call to KT Connections to look at the network.

I did give him a call and asked what he did, but I accidentally let him know that I asked the forum, and I don’t want to repeat what he said. Also, I noticed that his account is suspended here.

When I remove the wire from one of the unassigned interfaces in the web page, the run that goes to a few managed switches, that part of it loses internet access, but it can still network to the computers and the shared folders on them.

A company I hired did that (they are now out of business), and the guy who programmed IPFire for this new router server told me I didn't need 408 VLANs and only needed 6 that are not connected to IPFire.

Well, after spending a little over $350, I found out that he did set up IPFire on the network, and KT Connections said that the programmer was correct about reducing VLANs, and of course they shot me a quote on reprogramming the network.

I think it would help a lot if you could describe what is to be achieved.
What is your physical and logical network architecture?

Answers to these questions can be given if we know what the local network is.
Also, we can analyse the config files to give a solution based on WUI configuration.

I don't think the tech will give you enough information about the implementation, so a description of the problem will allow the community to come up with a solution.

2 Likes

Before I met David Mikeska, I used other commercial people for tech work, and I hired a local telephone company, now out of business, that had extended its services to networking and burglar and fire alarm installation. They put every camera and every Ethernet device into VLANs. I bought a NAS server recently, and when the Cisco router that the telephone company sold me died, I decided to turn the NAS server I haven't set up into an IPFire router to replace it. Now I am talking to David at his shop down the street. I decided to let him redo it, since he told me I just need the wifi access points isolated from the computers and the cameras wired into the NVR instead of going over the network. He told me that once he rewires everything I will not need any VLANs. Is that correct?

That sounds OK to me.
Do you need access to your NVR / CCTV remotely?

Not usually, but when I did, I just VPNed into the clinic when I needed to.

I got Dr. Daniel fixed up. I'm sure they were interested in how I had to temporarily patch it with that mess of VLANs the other guys configured.

But he went back to a standard networking configuration.