Cannot get internet on vlan

Hello,
I am struggling with VLANs in VyOS. The native LAN 192.168.5.1 is fine, but VLAN 20 has no internet. I have version 1.33.
I have 1 WAN, 1 LAN and a VLAN on the same port as the LAN:
one interface where you use both the interface directly (without VLAN) and a VLAN on the same interface.

```
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description OUTSIDE
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 00:e2:69:52:85:be
        offload {
            gro
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.5.1/24
        description INSIDE
        duplex auto
        hw-id 00:e2:69:52:85:bf
        offload {
            gro
        }
        speed auto
        vif 20 {
            address 10.255.20.1/24
            description "VLAN 20"
        }
    }
    ethernet eth2 {
        hw-id 00:e2:69:52:85:c0
        offload {
            gro
        }
    }
    ethernet eth3 {
        hw-id 00:e2:69:52:85:c1
        offload {
            gro
        }
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.5.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                domain-name vyos.net
                lease 86400
                name-server 192.168.5.1
                range 0 {
                    start 192.168.5.9
                    stop 192.168.5.254
                }
            }
        }
        shared-network-name VLAN20 {
            subnet 10.255.20.0/24 {
                default-router 10.255.20.1
                name-server 10.255.20.1
                range 0 {
                    start 10.255.20.10
                    stop 10.255.20.254
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 192.168.5.0/24
            cache-size 0
            listen-address 192.168.5.1
            listen-address 10.255.20.1
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 200
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    name-server eth0
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3.3
```

I have really had to learn a lot of concepts compared to OPNsense, but I am sure I will manage; I just need some guidance since the documentation is very, very limited.

The config of eth1 (INSIDE) looks ok to me:

```
set interfaces ethernet eth1 address 'xxx.xxx.5.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:bf'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vif 20 address 'xxx.xxx.20.1/24'
```

That is untagged xxx.xxx.5.1/24 and tagged (VLAN20) xxx.xxx.20.1/24.

How is the rest of your network setup?

I assume something like this:

Internet ↔ VyOS ↔ switch ↔ client(s)

  1. If so, can the client on VLAN20 ping xxx.xxx.20.1?

  2. Does the client on VLAN20 see the ARP entry of xxx.xxx.20.1 in its ARP table?

  3. Does the VyOS see the ARP entries of the client(s) on VLAN20 in its ARP table?

If everything looks ok for above you could try to remove all firewall rules (leave the NAT in place) and set default-action:accept (along with allow established and related) for all chains.

For example, I think you manually need to add rules to make the DHCP and DNS requests work from client(s) to VyOS, but also the replies in the other direction. So as troubleshooting I would just do “default-action:accept” (the NAT will protect you from connections arriving from OUTSIDE) to verify routing and other settings, and once they are verified continue by changing the firewall to “default-action:drop” for all chains and start adding the needed rules to allow the flows that should be allowed.

1 Like

Thanks for your reply. I was presently checking on my Windows 11 laptop by configuring VLAN 20 ID in the Ethernet adapter; I could connect with DHCP, but no internet. But on the LAN network everything is fine.
I had not pasted the correct config earlier; I corrected it, can you please check?
My setup is: internet to a metal box with 4 NICs running VyOS. eth0 is DHCP, eth1 is connected
to the laptop. Later I will have to connect UniFi APs running 2 VLANs.

So on VLAN20, can you ping the VyOS box or not, and can the VyOS box ping your Windows box or not, and what's the result in the ARP tables after the ping attempts?

Yes, the VLAN can ping and vice versa. Also I tried with UniFi access points; they all connect to VLAN 20 via DHCP but no internet. Something is blocking internet on the VLAN, can't figure out.


```
vyos@vyos:~$ show arp interface eth1
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.5.11             ether   60:22:32:ae:1f:a5   C                     eth1
192.168.5.10             ether   a0:8c:fd:2e:73:6f   C                     eth1
vyos@vyos:~$ show arp interface eth1.20
Address                  HWtype  HWaddress           Flags Mask            Iface
10.255.20.12             ether   a0:8c:fd:2e:73:6f   C                     eth1.20
10.255.20.11             ether   0a:45:d2:77:7b:39   C                     eth1.20
```

If I am not wrong, don’t you need a NAT rule for VLAN20 as well? Your current config only matches your native VLAN.

2 Likes

Can you tell me what rules I need in NAT for the VLAN, some examples?


```
C:\Users\Akil>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.255.20.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5
```

I don’t have access to my routers at the moment as I am on vacation, so regarding the docs I think a second source nat rule with VLAN20 as source should help.

```
set nat source rule 110 outbound-interface eth0
set nat source rule 110 source address 10.255.20.0/24
set nat source rule 110 translation address masquerade
```

1 Like

WTF, you are my man, thanks a ton bro!!!

1 Like

Or replace the nat rule 100 so it uses source network-group and then append your ranges to be SNATed to that network-group.

Besides, how come interface and interface-group don't exist as available sources?

1 Like

Please, if you don't mind, some examples…

I'm thinking something like this:

```
set firewall group network-group LAN network '192.168.5.0/24'
set firewall group network-group LAN network '10.255.20.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source group network-group 'LAN'
set nat source rule 100 translation address 'masquerade'
```

Then for the next VLAN you configure at LAN aka eth1 interface you just append its IP-range to the set firewall group network-group LAN network.

Of course you can select a better name than “LAN”.

3 Likes
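The reason VLAN 20 could reach the router but nothing beyond it is visible in the posted `nat` block: the only masquerade rule matches `192.168.5.0/24`, so packets from `10.255.20.0/24` leave eth0 with their private source address and no reply ever comes back (exactly what the tracert above shows, one hop then timeouts). The following Python script is an added example, not code from the thread or from VyOS: it parses the three `set` variants discussed in the thread (the original single rule, the rule-110 fix, and the network-group version) into a small model of VyOS first-match source NAT evaluation and reports which internal subnets would leave the WAN interface untranslated. The `set` lines are copied from the thread; the client addresses and the `INTERNAL` subnet list are taken from the posted config, and the rule-matching model (lowest rule number wins, outbound interface must match, source is an address or the members of a network-group) is an assumption about VyOS behaviour written for this illustration.

```python
"""Check whether every internal subnet is covered by a VyOS source NAT rule.

Added example for the thread above (not VyOS's own code). The model:
rules are evaluated in ascending number, a rule applies only when the
outbound interface matches and the packet's source address falls into
the rule's `source address` or into any member of its network-group.
"""
import ipaddress
import shlex

# Constructed from the thread: the original single masquerade rule.
ORIGINAL = """
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.5.0/24'
set nat source rule 100 translation address 'masquerade'
"""

# The rule-110 fix suggested in the thread.
WITH_RULE_110 = ORIGINAL + """
set nat source rule 110 outbound-interface eth0
set nat source rule 110 source address 10.255.20.0/24
set nat source rule 110 translation address masquerade
"""

# The network-group variant suggested in the thread.
WITH_GROUP = """
set firewall group network-group LAN network '192.168.5.0/24'
set firewall group network-group LAN network '10.255.20.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source group network-group 'LAN'
set nat source rule 100 translation address 'masquerade'
"""

# The two internal subnets from the posted config (eth1 and eth1 vif 20).
INTERNAL = ["192.168.5.0/24", "10.255.20.0/24"]


def parse_set_commands(text):
    """Parse `set` lines into (groups, rules).

    groups: {group name: [cidr, ...]}
    rules:  {number: {"outbound-interface": str, "source": [...], "translation": str}}
    where each "source" entry is a CIDR string or ("group", name).
    """
    groups, rules = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex strips the optional quotes VyOS prints
        if not tok or tok[0] != "set":
            continue
        if tok[1:4] == ["firewall", "group", "network-group"] and tok[5] == "network":
            groups.setdefault(tok[4], []).append(tok[6])
        elif tok[1:4] == ["nat", "source", "rule"]:
            rule = rules.setdefault(int(tok[4]), {"source": []})
            if tok[5] == "outbound-interface":
                rule["outbound-interface"] = tok[6]
            elif tok[5] == "source" and tok[6] == "address":
                rule["source"].append(tok[7])
            elif tok[5] == "source" and tok[6:8] == ["group", "network-group"]:
                rule["source"].append(("group", tok[8]))
            elif tok[5] == "translation" and tok[6] == "address":
                rule["translation"] = tok[7]
    return groups, rules


def rule_networks(rule, groups):
    """Expand a rule's source spec (addresses and group members) into networks."""
    nets = []
    for src in rule["source"]:
        nets.extend(groups.get(src[1], []) if isinstance(src, tuple) else [src])
    return [ipaddress.ip_network(n) for n in nets]


def matching_rule(text, src_ip, out_iface="eth0"):
    """Lowest-numbered source NAT rule that matches the packet, or None."""
    groups, rules = parse_set_commands(text)
    ip = ipaddress.ip_address(src_ip)
    for number in sorted(rules):
        rule = rules[number]
        if rule.get("outbound-interface") != out_iface:
            continue
        if any(ip in net for net in rule_networks(rule, groups)):
            return number
    return None


def untranslated_subnets(text, internal_subnets, out_iface="eth0"):
    """Internal subnets whose hosts would leave out_iface with a private source."""
    return [s for s in internal_subnets
            if matching_rule(text, str(ipaddress.ip_network(s)[1]), out_iface) is None]


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("rule 110", WITH_RULE_110),
                       ("network-group", WITH_GROUP)]:
        print(f"{label:14s} untranslated: {untranslated_subnets(cfg, INTERNAL)}")
```

Running it prints `['10.255.20.0/24']` for the original config and an empty list for both fixes; the same check is a cheap thing to re-run whenever another `vif` is added on eth1, since a forgotten subnet fails in exactly this quiet way (ARP and ping to the gateway work, everything past eth0 times out).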

Wow, thanks you guys, you make it sound easy, and I thought VyOS was only for core Linux guys.

2 Likes

Did my example work for your case?

You will of course need to clean away some other config you had there since this example will replace that.

1 Like

Thanks for the insight now all is good here :grinning: :smiley:

1 Like
