Beginner question - connecting VLANs

Hi,

I didn’t consider myself too much of an amateur until not being able to connect my VLANs together using VyOS…

I’m looking to switch over from Untangle, I have a separate VLAN 50 for IoT devices. For testing I created a test VLAN 100, but also double-checked by using VyOS in my non-tagged network.

So I have an IP in my normal network to access VyOS; the 100 VLAN is the testing zone where I have another VM on the same VLAN to check out whether DHCP / internet etc. works; 50 is the existing IoT VLAN. The whole thing is a VM with a PCI passthrough network card, so I’m pretty confident the switch is configured correctly, as booting up an Untangle VM with the same card works fine.

My config:

     ethernet eth1 {
         address 192.168.1.200/24
         duplex auto
         hw-id 00:0e:b6:87:38:0d
         smp-affinity auto
         speed auto
         vif 50 {
             address 192.168.50.200/24
             description "VLAN 50"
         }
         vif 100 {
             address 192.168.100.1/24
             description "VLAN TEST"
         }
     }

I didn't set up any firewall or routes or anything; my ip route output looks like this:

default via 192.168.9.1 dev eth0 proto static metric 20 
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.200 
192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.3 
192.168.50.0/24 dev eth1.50 proto kernel scope link src 192.168.50.200 
192.168.100.0/24 dev eth1.100 proto kernel scope link src 192.168.100.1 

The test VM gets an IP through the VyOS dhcp, can connect to the internet just fine, but CANNOT connect to anything on VLAN 50 (e.g. curl 192.168.50.12)
VyOS itself can just fine.

Now I’m probably missing something really obvious and I just love how much half-baked network knowledge I apparently have. What's missing here?

Do I understand correctly that the test VM in VLAN 100 can’t communicate with the device in VLAN 50?

Correct. VyOS itself can though.

It is good to start with dumping traffic. Please send a ping from the VM to a host in VLAN 50 and check the packets.

monitor traffic interface eth1.50 filter "-nnt"

If my understanding is correct, I think you may need a similar auxiliary configuration to complete the inter-VLAN routing:

set interfaces bridge br1 address 192.168.50.200/24
set interfaces bridge br1 member interface eth1.50
set interfaces bridge br2 address 192.168.100.1/24
set interfaces bridge br2 member interface eth1.100
set interfaces bridge br2 member interface <The physical interface of your virtual machine output>

Thanks, I’m seeing the ICMP traffic:

19:04:07.249040 IP 192.168.100.100 > wzdome: ICMP echo request, id 806, seq 1, length 64 
19:04:08.274283 IP 192.168.100.100 > wzdome: ICMP echo request, id 806, seq 2, length 64

The gateway of the target device is not the test VyOS VM, but the production firewall.
So I assume this is why there are no replies. D’oh.
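As an added illustration (not from the thread), the Python model below traces the echo request and reply through the route tables involved, using the VyOS routes from the `ip route` output above and a placeholder address for the production firewall, to show why the reply never returns until the IoT host's gateway is VyOS:

```python
import ipaddress

# Constructed model of the thread's routing state. Routes are (prefix, next_hop, interface);
# next_hop None means directly connected. VYOS copies the `ip route` output in the thread.
VYOS = [
    ("0.0.0.0/0", "192.168.9.1", "eth0"),
    ("192.168.1.0/24", None, "eth1"),
    ("192.168.9.0/24", None, "eth0"),
    ("192.168.50.0/24", None, "eth1.50"),
    ("192.168.100.0/24", None, "eth1.100"),
]
VYOS_VLAN50 = "192.168.50.200"   # VyOS's own address on eth1.50 (from the thread)
TEST_VM = "192.168.100.100"      # echo request source seen in the capture
IOT_HOST = "192.168.50.12"       # curl target from the first post
PROD_FW = "192.168.50.1"         # placeholder: the production firewall's VLAN 50 address is not given

def lookup(routes, dst):
    """Longest-prefix match over a route table; returns (next_hop, interface)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, gw, dev = best
    return (gw or dst, dev)   # directly connected: next hop is the destination itself

def host_table(subnet, gateway):
    """A plain end host: its own LAN is connected, everything else goes via its gateway."""
    return [("0.0.0.0/0", gateway, "nic"), (subnet, None, "nic")]

def ping_path(iot_gateway):
    """Trace request (test VM -> VyOS -> IoT host) and reply (IoT host -> its gateway)."""
    vm_hop, _ = lookup(host_table("192.168.100.0/24", "192.168.100.1"), IOT_HOST)
    req_hop, req_dev = lookup(VYOS, IOT_HOST)            # VyOS forwards onto eth1.50
    reply_hop, _ = lookup(host_table("192.168.50.0/24", iot_gateway), TEST_VM)
    return {
        "vm_next_hop": vm_hop,                # 192.168.100.1 = VyOS on eth1.100
        "vyos_out": (req_hop, req_dev),
        "reply_next_hop": reply_hop,
        # The reply only comes back if the IoT host hands it to VyOS, the one box
        # in VLAN 50 that actually has a route to 192.168.100.0/24.
        "symmetric": reply_hop == VYOS_VLAN50,
    }

if __name__ == "__main__":
    for gw in (PROD_FW, VYOS_VLAN50):
        print(gw, ping_path(gw))
```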

Maybe you should consider using a network bridge to connect different VLANs and lower-level interfaces (under 1.3 and below, it is best to use the old way of writing to establish a bridge for each VLAN. In 1.4, there is a new way of writing, called VLAN-aware network Bridge, see the document Bridge — VyOS 1.4.x (sagitta) documentation for details)

Thanks Jack, will look into it. Although I’m not entirely sure what the benefit would be of using bridges?

I just added another test VM to the IoT VLAN, configured with VyOS as the gateway and voila it works as expected. Learned how to monitor traffic in VyOS, check.

Thanks for the help :smiley:

VLAN 50 and VLAN 100 are on the same upstream interface. Unless you want to deploy a single-arm VLAN, this configuration is incorrect!

@jack9603301

He’s using VLANs. I don’t see why you keep suggesting bridging, that’s not good advice at all I’m sorry.

It’s perfectly valid to do what he’s doing and then have a switch below with those VLANs. Yes he’s doing “router on a stick” as such, all traffic comes in and then goes out the same physical interface, but that’s a decision he’s obviously made in the first post.

Telling people their configuration is incorrect if, technically, it’s incorrect, is fine. Telling them it’s incorrect because it’s not how you’d do it isn’t fair. Router-in-a-stick is a very common configuration, especially in smaller home-lab setups. Edit: I was wrong here - leaving it here for reference though. Please see comments below.
Realise you’re just trying to help though, and that’s appreciated by all.

@mathias Did you get it working? It doesn’t look like a VyOS config problem from what you’ve posted thus far.

This would have been my guess since what you posted looks correct. Did changing the gateway on the target device fix it?

From the topology analysis, the router connects two VLANs, which means the router must maintain at least two isolated switching networks, such as VLAN 50 from upstream connected to VLAN 100 downstream. Unless it is in a single-arm routing configuration, not all VLANs should be configured under the same interface. In fact, before 1.4 I had been using the oldest method to configure a VLAN routing and switching network, and communication was normal. I think his configuration and topology are not consistent (configuration errors), rather than VyOS having some bugs.

Because the old configuration method needs to maintain a separate bridge for each VLAN, and professional equipment is far from the same, in 1.4 I implemented support for VLAN-aware bridges, which brings VyOS close to professional equipment in its VLAN characteristics.

Unless it is single-arm routing: under single-arm routing, the upstream router connected to the eth1 port has already implemented the isolated switching of VLAN 50 and VLAN 100, but there is no gateway for layer-three switching. In that case, only one communication line needs to be connected to the single-arm router, and the routing gateway between VLANs is configured on the interface. This method is called single-arm routing. If it is not configured for single-arm routing, then it can be considered that there is an error in his configuration.

To use single-arm routing, upstream routers need to maintain two VLAN bridges. In VLAN applications, bridges seem to be necessary (but the device is different). Single-arm routing still needs to be configured with VLAN sub-interfaces in upstream routers, and the corresponding interface is used as a member of a specific bridge; then one-arm routing can provide inter-VLAN routing services for it.

Unless I understand it wrong, so I added a sentence: “If there is no problem with my understanding”

Thank you for your explanation, and please accept my apologies for my comments above. It seemed to me you saying his config was wrong without having given it much thought, but I can see now that I was wrong.

It doesn’t matter. In technical communication, some misunderstandings are unavoidable.


Yes, I introduced another test VM that’s configured with the VyOS test machine as gateway. In hindsight, obvious mistake and definitely not an issue with VyOS or its configuration.


Thanks for taking the time to type this out. I’m not sure I fully understand, so I’ll describe my network in more detail. That said, I fully understand if you don’t want to spend even more time explaining something someone with more network background would probably understand easily.

#######          #################
# WAN # <-eth0-> # Untangle/VyOS # 
#######          #################
                    |        |
                  eth1      eth1.50
                ##########################       ###########
                # Main/L2 Managed Switch # <---> # WiFi AP #
                ##########################       ###########

The AP has 2 networks, one native for all devices BUT IoT who are on the 2nd network that I mapped to VLAN 50.

So any device that is wired and I deem “IoT” I map the specific port on the main switch to VLAN 50, with the wireless devices I use the 2nd wireless network.

For testing out VyOS I used VLAN 100 as a testbed instead of my normal (native) network, I didn’t want DHCP etc to mess with my normal set up.

My goal is fence of those devices from both the rest of my network as well as the Internet. Since I’m using a L2 switch my (albeit limited) understanding is I need a firewall/router to handle that.

Looking at the config you posted:

set interfaces bridge br1 address 192.168.50.200/24
set interfaces bridge br1 member interface eth1.50
set interfaces bridge br2 address 192.168.100.1/24
set interfaces bridge br2 member interface eth1.100
set interfaces bridge br2 member interface <The physical interface of your virtual machine output>

Maybe an obvious question, but how would br1 and br2 talk to each other? Based on the docs I assumed I can link 2 interfaces in one bridge, effectively connecting them but you are creating 2 different bridges?

As long as there is an IP address between the bridges, they can complete Layer 3 forwarding with each other.

To complete the inter-VLAN routing, the device must be a three-tier device, such as a three-tier switch or router (VyOS happens to be a router).

Sure, br1 and br2 will have routes set up like eth1.100 and eth1.50 in my example above.

I guess the 2 things I don’t understand are:

  • why create br1 at all if it’s only member is eth1.50? What is the benefit of using it instead of the ethernet interface directly?
  • br2 bridges a VLAN with the non-VLAN traffic on L2 - correct?

why create br1 at all if it’s only member is eth1.50? What is the benefit of using it instead of the ethernet interface directly?

Yes, you can choose to only create a bridge for VLAN 100, because on the router VLAN 50 has only a single member, namely eth1.50. But if you want to set a router port as a member of VLAN 50, then you need to create a separate bridge for VLAN 50.

br2 bridges a VLAN with the non-VLAN traffic on L2 - correct?

br2 is the bridge of VLAN 100, and eth1.100 should be bridged with all interfaces of the router that are set as members of VLAN 100.

I just gave you a general example. You may need the assistance of a network bridge to complete the bridging of eth1.100 and the VLAN 100 member interfaces. If you understand this configuration, you can modify it according to your ideas.

Suppose that the router or switch connected by eth1 implements VLAN 50 and VLAN 100, and this router needs to provide eth2 as VLAN 100. The configuration may be as follows:

set interfaces ethernet eth1 address 192.168.1.200/24
set interfaces ethernet eth1 vif 50 address 192.168.50.200/24
set interfaces ethernet eth1 vif 50 description "VLAN 50"
set interfaces ethernet eth1 vif 100
set interfaces ethernet eth2
set interfaces bridge br1 address 192.168.100.1/24
set interfaces bridge br1 member interface eth1.100
set interfaces bridge br1 member interface eth2

Suppose that the router or switch connected by eth1 implements VLAN 50, and this router needs to provide eth2 as VLAN 100. The configuration may be as follows:

set interfaces ethernet eth1 address 192.168.1.200/24
set interfaces ethernet eth1 vif 50 address 192.168.50.200/24
set interfaces ethernet eth1 vif 50 description "VLAN 50"
set interfaces ethernet eth2
set interfaces bridge br1 address 192.168.100.1/24
set interfaces bridge br1 member interface eth2

or

set interfaces ethernet eth1 address 192.168.1.200/24
set interfaces ethernet eth1 vif 50 address 192.168.50.200/24
set interfaces ethernet eth1 vif 50 description "VLAN 50"
set interfaces ethernet eth2 address 192.168.100.1/24

The above configuration only focuses on the interfaces. If multi-router routing and routing problems are involved, it is recommended to activate OSPF or set static routing.