EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: jrjorro on Thursday 28 July 2011, 11:38:54 pm



Title: VLAN doesn't work with Endian
Post by: jrjorro on Thursday 28 July 2011, 11:38:54 pm
Hi all,


I have a managed Dell switch and Endian 2.41, and I need to separate VLANs for my departments.

On the switch I created VLAN ID 10 and set T (tagged) on port 01, and U (untagged) on ports 5 to 15.

In Endian I created VLAN ID 10 on the Blue Zone (initially configured with 192.168.10.0/24 - "command line").


Problems:

1. The BLUE network card that was configured with IP 192.168.5.1 has no IP after the creation of the VLAN. Is that correct?
2. I don't know how to set the IP address of VLAN 10. (I configured it by hand: ifconfig 192.168.10.1/24)
3. I don't know how to enable DHCP for the VLAN via the graphical interface. (Can I?)
4. Do I need to activate a module, like the 802q, in Endian?
5. I cannot connect to the machine with ping (workstation).
6. Tcpdump returns the following:

tcpdump -i eth1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.10, link-type EN10MB (Ethernet), capture size 96 bytes
19:18:33.834713 IP 192.168.10.5 > 192.168.10.1: icmp 40: echo request seq 57097
19:18:33.835080 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:33.835239 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43
19:18:34.835073 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:34.835391 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43
19:18:35.835073 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:35.835391 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43
19:18:36.817874 IP 192.168.10.5 > 192.168.10.1: icmp 40: echo request seq 57353
19:18:39.334376 IP 192.168.10.5 > 192.168.10.1: icmp 40: echo request seq 57609
19:18:39.335084 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:39.335271 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43

Can anyone help me with the infrastructure _endian <-> switch <-> machine_?
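
Added example, not part of the original post: a short Python script that tallies a capture in this tcpdump text format, counting echo requests that never get a reply and ARP requests repeated after an answer was already captured. The function name `summarize` and its counter names are assumptions of this example; the sample lines are an excerpt of the capture above.

```python
import re

# Excerpt of the capture quoted in the post above (old-style tcpdump text output).
CAPTURE = """\
19:18:33.834713 IP 192.168.10.5 > 192.168.10.1: icmp 40: echo request seq 57097
19:18:33.835080 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:33.835239 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43
19:18:34.835073 arp who-has 192.168.10.5 tell 192.168.10.1
19:18:34.835391 arp reply 192.168.10.5 is-at 00:21:70:6a:d1:43
19:18:36.817874 IP 192.168.10.5 > 192.168.10.1: icmp 40: echo request seq 57353
"""

ICMP = re.compile(r"IP (\S+) > (\S+): icmp \d+: echo (request|reply) seq (\d+)")
ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REP = re.compile(r"arp reply (\S+) is-at (\S+)")

def summarize(text):
    """Count ICMP echo and ARP traffic and flag requests left unanswered."""
    stats = dict.fromkeys(("echo_request", "echo_reply", "echo_unanswered",
                           "arp_request", "arp_reply", "arp_reasked"), 0)
    pending = set()    # (src, dst, seq) of echo requests still awaiting a reply
    answered = set()   # IPs for which an ARP reply has already been captured
    for line in text.splitlines():
        if m := ICMP.search(line):
            src, dst, kind, seq = m.groups()
            if kind == "request":
                pending.add((src, dst, seq))
                stats["echo_request"] += 1
            else:
                # A reply travels in the opposite direction with the same seq.
                pending.discard((dst, src, seq))
                stats["echo_reply"] += 1
        elif m := ARP_REQ.search(line):
            stats["arp_request"] += 1
            if m.group(1) in answered:
                stats["arp_reasked"] += 1  # asked again despite an earlier reply
        elif m := ARP_REP.search(line):
            stats["arp_reply"] += 1
            answered.add(m.group(1))
    stats["echo_unanswered"] = len(pending)
    return stats

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

On this excerpt the counts show that frames from the workstation do reach eth1.10 and ARP replies are seen, while no echo reply leaves the firewall.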


Title: Re: VLAN doesn't work with Endian
Post by: mrkroket on Friday 29 July 2011, 02:49:21 am
VLANs work in Endian; I had like 4 VLANs without problems. If it isn't working for you, maybe your NIC doesn't support VLANs on Linux or your config is incorrect.

Don't change anything via ifconfig; you must use either the Web or the configs in /var/efw/ethernet.
Usually you need two NICs. Let's say you will use eth0 for VLANs, and eth1 for red:

-On Endian, use eth1 as your temp green.
-Remove any usage of eth0 from any zone. Save config.
-Create VLANs on eth0.
-Assign zones to the newly created VLANs. E.g. eth0.10 to GREEN and eth0.20 to BLUE.
-Assign eth1 to Red.
-Save and restart.

You can do all those configs by editing the config files, but this is a risky workaround. If you are not confident with Linux, you could break the interface configs and lose external connection to EFW.

The switch port for the EFW must be in trunk mode with tagged VLANs. The machines must be on untagged VLANs.



Title: Re: VLAN doesn't work with Endian
Post by: jrjorro on Tuesday 02 August 2011, 08:03:47 am
Hi mrkroket!

Thank you so much!

With your help I could create 2 VLANs and now everything works. I set up the VLANs and DHCP via web.

Now I need your help with another problem. How can I create more than 2 VLANs? In the web interface I can only manage 2 VLANs? Is this right?

Thank you mrkroket.


Title: Re: VLAN doesn't work with Endian
Post by: mrkroket on Wednesday 03 August 2011, 04:11:18 am
Endian supports unlimited VLANs.
The problem? Endian only supports 3 User Zones (Green, Blue and Orange), each one with one DHCP server.
You can have eth0.2, eth0.3 .... eth0.60 assigned to Green, and other VLANs assigned to Blue.
But if you want client isolation between eth0.2 and eth0.3 (both on GREEN), you must use an external DHCP server for each VLAN and create interzone FW rules.
Endian as of now can't send different subnets to VLANs, only to Zones.


Endian should allow creating more user zones. This way it would become terribly flexible.

I am limited by that issue. I have 3 Zones using VLAN (Orange for DMZ, Blue for Wifi Guest and Green for everything else). I'll do client isolation by ACLs on Layer 2/3 switches.