InterVLAN Routing Problems

Hello All,

I’m currently using VyOS 1.3-rolling-202310152034 and have a problem that I can’t seem to solve but I’m sure is pretty easy.

I have a vyos instance up with 2 interfaces: eth1 (WAN) and eth2 (LAN)

For my eth2 interface, I want to set up some vlans, let's call them vlan 101 and 110, and I would like all sections on my eth2 LAN to be able to communicate with each other, but also be able to stop select vlans (for the example, let's say vlan 110) from accessing eth1 (WAN).

I've read so many different threads and I'm confused about what the best way to go about this is.
Currently I only have a firewall for my eth1 (WAN) OUT and LOCAL, no firewall on my LAN side.

My topology is vyos eth2 → Unifi Switch (will be replaced with a mikrotik switch after I figure this out). All devices connect to the Unifi Switch, and on that I am tagging the ports with what vlan I want them to be on.

interfaces {
    ethernet eth2 {
        address 192.168.100.1/24
        vif 101 {
            address 192.168.1.1/24
        }
        vif 110 {
            address 192.168.10.1/24
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                name-server 192.168.1.1
                range 0 {
                    start 192.168.1.50
                    stop 192.168.1.150
                }
            }
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                name-server 192.168.10.1
                range 0 {
                    start 192.168.10.50
                    stop 192.168.10.150
                }
            }
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                name-server 192.168.100.1
                range 0 {
                    start 192.168.100.50
                    stop 192.168.100.150
                }
            }
        }
    }
}

I've read that vlan aware bridges could be used, but also about some situations where that wasn't the right thing to use. I also read that routing between different subnets should be automatic as long as you pointed the gateway to the vyos ip, but that doesn't seem to be the case.

I also believe I have to setup DNS forwarding, but honestly I’ll cross that bridge when I get there.

You need distinct interfaces for each vlan to apply firewall rules on them or you can do this exclusively with source/destination address/network groups.

You can use pseudo-ethernet interfaces to create distinct interfaces for all of them.

To get inspiration on writing firewall rules for this purpose, see my config in another post Home vyos configuration review & feedback - #7 by ishan

Since you have a single trunk port connected to a switch, you don't need to use bridges in vyos. I had to use it because I have multiple ports on the router (connected to different switches).
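A worked configuration for the setup asked about above (VLANs on the eth2 trunk routed by VyOS, with VLAN 110 kept off the WAN through a network group on the eth1 out ruleset, the "address/network group" route mentioned in the reply). This is an added example, not the OP's or ishan's configuration. It assumes VyOS 1.3.x syntax, the addresses from the original post, and that the ruleset already applied to eth1 out is named WAN-OUT (a placeholder; substitute the real name):

```vyos
# Added example (VyOS 1.3.x syntax). WAN-OUT is a placeholder for the
# ruleset already attached to eth1 "out" in the original post.
configure

# VLAN sub-interfaces on the LAN trunk. Routing between 192.168.1.0/24,
# 192.168.10.0/24 and 192.168.100.0/24 needs nothing more: they are
# connected routes, and hosts use the VyOS address as their gateway.
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 vif 101 address 192.168.1.1/24
set interfaces ethernet eth2 vif 110 address 192.168.10.1/24

# Group the subnets that must never reach the WAN. Adding another VLAN
# later is one more 'network' line, not another rule.
set firewall group network-group LAN-NO-WAN network 192.168.10.0/24

# Rule 10 must sit before any accept rules in WAN-OUT so the drop is
# evaluated first. It only matches traffic leaving eth1; VLAN-to-VLAN
# traffic on eth2 never transits eth1 and is unaffected.
set firewall name WAN-OUT default-action accept
set firewall name WAN-OUT rule 10 description 'Keep VLAN 110 off the WAN'
set firewall name WAN-OUT rule 10 action drop
set firewall name WAN-OUT rule 10 log enable
set firewall name WAN-OUT rule 10 source group network-group LAN-NO-WAN
set interfaces ethernet eth1 firewall out name WAN-OUT

commit
save
exit

# From operational mode: confirm the rule is in place.
show firewall name WAN-OUT
```

Two things to check after committing: a host in VLAN 110 should still reach 192.168.1.0/24 and 192.168.100.0/24 but not the internet, and the drop counters on rule 10 should climb when it tries. Note that this rule filters forwarded traffic only; if DNS forwarding is later enabled on VyOS itself, the router will still resolve names on behalf of VLAN 110 hosts, because the upstream query originates from the router, not from the VLAN.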

Hello again all,

I thought I had built the 1.3.3 LTS but it seems I was on the 1.3 Rolling.
I rebuilt against 1.3.4 LTS, and after re-setting up the config, it seems inter-vlan routing is working!

Long live the LTS.
-Ctark

By pseudo-ethernet interface you mean the veth thingy?

How does that affect performance if you have physical ↔ brX ↔ veth ↔ interface-group and then set up firewall rules based on interface-group?

Does nft convert that internally to the actual interface or will it perform additional lookups each time a packet is evaluated?

Also, in your case you use br0 for all vlans; how does that differ from configuring the vlans (vif) on the interface itself?

I'm thinking brX is needed if you want to do link aggregation, correct?

By pseudo-ethernet interface you mean the veth thingy?

Yes. Vyos has virtual ethernet (veth interfaces) and pseudo ethernet (peth interfaces).
I didn't see any setting to specify the underlying interface on a veth interface, and I do see that on peth interfaces.

How does that affect performance if you have physical ↔ brX ↔ veth ↔ interface-group and then set up firewall rules based on interface-group?

I have not done any tests to give you any good information here. I would like to correct you: if you are using a bridge, you won't need a veth/peth interface. It would be an interface on the bridge like br0.<vlan-id>

Does nft convert that internally to the actual interface or will it perform additional lookups each time a packet is evaluated?

No clue about this either. I see vyos generates nftables rules that use iifname or oifname. I am not quite sure how/when nftables resolves these groups.

ip saddr @N_not_in_internet iifname @I_WAN counter packets 0 bytes 0 drop comment "ipv4-FWD-filter-9"

I_WAN here is an interface group.

Also, in your case you use br0 for all vlans; how does that differ from configuring the vlans (vif) on the interface itself?

In mikrotik depending on the device you have, you may not get hardware acceleration on the ethernet ports (for fasttracking inter/intra vlan traffic) if you configure vlans on the ethernet interfaces vs creating a bridge and then configuring vlans on the bridge. I was using mikrotik before and that habit of creating a bridge and configuring vlans on the bridge has stuck.

Second, I also believe creating a single bridge with all the ethernet interfaces and configuring vlans on the bridge is easier to manage. If at some place you can only specify an interface name and you need to specify vlan 10, you can just say br0.10 rather than writing out separate rules for eth2.10, eth3.10 and so on.

I'm thinking brX is needed if you want to do link aggregation, correct?

No, not really. You can use 802.3ad or something else for that. Bridges are needed if you have multiple trunk/hybrid/access ports in the LAN that terminate at the router (vs the alternative more popular in bsd/pfsense/opnsense land, where the router has fewer ports, some for wan and a single port/multiple ports in lagg that terminate at a switch, and then everything is connected to the switch).
You need a bridge to connect these ports together at layer 2.

But wouldn't it be the same thing as configuring ethx.vif123 on two or more physical interfaces, so the one with "no ip address" would just layer2 switch the packets towards the one who does have an IP address configured?

I'm comparing towards regular switches and routers out there from other brands.

Like there is a choice to either define a vlan with vlan interface (where the IP is configured) and then use switchport to define which physical interfaces will have this vlan untagged vs tagged.

OR you can do the same thing directly on the interface, where a "subinterface" will be the tagged edition, with the same result. The latter config design is what is usually used on routers, while the former is the one used on L3-switches.

But since both L3-switches and routers converge nowadays the syntax is equal.

But wouldn't it be the same thing as configuring ethx.vif123 on two or more physical interfaces, so the one with "no ip address" would just layer2 switch the packets towards the one who does have an IP address configured?

No. Multiple eth{0,1,2,3,4}.vif<vid> interfaces with the same vid on a host does not mean they'll start forwarding l2 traffic to each other. You still need a bridge to connect them (the vlan interface on each ethernet interface) together.

But your broader point is right. You can bridge ethernet interfaces and then define vlans on the bridge, or you can define vlans on each ethernet interface and then bridge those vlan interfaces.

I prefer the first approach because it's a little bit cleaner for the reasons previously mentioned. However, in vyos we just have the cli interface, so all the other useless vlan interfaces will not get in your way (except in auto completions), but with a GUI interface they do get in your way, since you end up with 4-5-6 veth<if>.<vid> instead of a single br0.<vid>

Also, this probably doesn't apply to vyos, but in some mikrotik devices you do actually have to be careful about the option you pick, since the switch chip on the device may be able to do HW acceleration in one situation but not in the other.
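The "bridge first, VLANs on the bridge" approach described above, written out as an added example rather than ishan's own configuration. It assumes VyOS 1.3.x syntax, two LAN trunk ports named eth2 and eth3 (assumed names) and the VLAN addresses from the original post; the per-VLAN ruleset name VLAN110-IN is made up for the example:

```vyos
# Added example (VyOS 1.3.x syntax), not configuration from this thread.
# eth2 and eth3 are assumed trunk ports; they are joined at layer 2 by br0
# and the VLANs are defined once, on the bridge, so anything that takes an
# interface name gets br0.<vid> instead of both eth2.<vid> and eth3.<vid>.
configure

# VLAN-aware bridge: members only carry the VLANs they are allowed to.
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth2 allowed-vlan 101
set interfaces bridge br0 member interface eth2 allowed-vlan 110
set interfaces bridge br0 member interface eth3 allowed-vlan 101
set interfaces bridge br0 member interface eth3 allowed-vlan 110

# One routed interface per VLAN for the whole LAN, regardless of how many
# physical ports carry that VLAN.
set interfaces bridge br0 vif 101 address 192.168.1.1/24
set interfaces bridge br0 vif 110 address 192.168.10.1/24

# Per-VLAN policy attaches to the single bridge sub-interface ("distinct
# interface per VLAN"). Here VLAN 110 may only talk to RFC 1918 LAN space;
# the leading '!' negates the match.
set firewall name VLAN110-IN default-action accept
set firewall name VLAN110-IN rule 10 description 'VLAN 110: LAN only'
set firewall name VLAN110-IN rule 10 action drop
set firewall name VLAN110-IN rule 10 destination address !192.168.0.0/16
set interfaces bridge br0 vif 110 firewall in name VLAN110-IN

commit
save
exit

# From operational mode: confirm bridge members and the routed VLAN interfaces.
show interfaces bridge br0
```

With this layout, adding a third trunk port is two `allowed-vlan` lines and no change to the firewall, which is the manageability point made above. The trade-off is that the bridge itself is now a layer 2 forwarding domain: ports in the same VLAN switch traffic between each other without ever reaching the `in` ruleset on br0.<vid>, so that ruleset controls routed traffic only.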

And for the Mikrotik case, I guess it's random which method is preferred by the switch chip to do proper HW offloading/acceleration?

It's not random.

Generally, you should define vlans on the bridge and use bridge vlan filtering if hardware supports l3 hw offloading and configure vlans using switch port if it doesn’t support l3 hw offloading.

In the latter, vlans can still be defined on the bridge or individual interfaces, but you shouldn't be using bridge vlan filtering because that'll disable hardware acceleration on all bridge ports.

But if it doesn't support hw offloading then there is nothing to be disabled if using vlans on the bridge in both cases, or am I missing something here?

But if it doesn't support hw offloading then there is nothing to be disabled

There are two different types of hw offloading in mikrotik. The device I was using, RB450GX4, did not support l3 hw offloading (I don't know what you call the other one it did support), but I could still tag vlans with switchport settings and retain hw acceleration on bridged interfaces.
