Migration to VLAN-segmented network

Hi there,

I am trying to introduce some VLANs into my not-yet-subnetted network. I am using VyOS 1.5 rolling.

My starting interface configuration is:

interfaces {
    bridge br0 {
        address 192.168.1.2/24
        description "LAN bridge interface"
        member {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            interface eth5 {
            }
        }
    }
    ethernet eth0 {
        address 192.168.2.151/24
        description mgmt
    }
    ethernet eth1 {
        address dhcp
        description WAN
    }
    ethernet eth2 {
        description LAN-DIRECT
    }
    ethernet eth3 {
        description LAN
    }
    ethernet eth4 {
        description LAN
    }
    ethernet eth5 {
        description VM-LAN
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        listen-interface br0
        shared-network-name vlan10 {
            description Trust
            subnet 192.168.1.0/24 {
                lease 86400
                option {
                    default-router 192.168.1.2
                    name-server 192.168.1.3
                }
                range scope1 {
                    start 192.168.1.150
                    stop 192.168.1.250
                }
                subnet-id 10
            }
        }
    }
}
firewall {
    global-options {
        all-ping enable
        broadcast-ping disable
        ip-src-route disable
        log-martians enable
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
        twa-hazards-protection disable
    }
    group {
        network-group inside-nets {
            network 192.168.1.0/24
        }
    }
    ipv4 {
        name lan-local-v4 {
            default-action drop
            default-log
            description "LAN to This Router IPv4"
            rule 1 {
                action accept
                destination {
                    port 22
                }
                protocol tcp
                source {
                    group {
                        network-group inside-nets
                    }
                }
            }
            rule 2 {
                action accept
                description "explicit allow dhcp"
                destination {
                    port 67-68
                }
                protocol udp
                source {
                    port 67-68
                }
            }
            rule 3 {
                action accept
                description "default allow from known nets to router"
                destination {
                    address-mask 0.0.0.0
                }
                source {
                    group {
                        network-group inside-nets
                    }
                }
            }
        }
        name lan-wan-v4 {
            default-action drop
            default-log
            description "LAN to WAN IPv4"
            rule 1 {
                action accept
            }
        }
        name local-lan-v4 {
            default-action drop
            default-log
            description "This Router to LAN IPv4"
            rule 2 {
                action accept
                description "allow dhcp"
                destination {
                    port 67-68
                }
                protocol udp
                source {
                    port 67-68
                }
            }
            rule 3 {
                action accept
                description "default allow from known nets to router"
                destination {
                    address-mask 0.0.0.0
                }
                source {
                    group {
                        network-group inside-nets
                    }
                }
            }
        }
        name local-wan-v4 {
            default-action drop
            default-log
            description "This Router to WAN IPv4"
            rule 1 {
                action accept
            }
        }
        name wan-lan-v4 {
            default-action drop
            default-log
            description "WAN to LAN IPv4"
            rule 1 {
                action accept
                state established
                state related
            }
            rule 2 {
                action drop
                state invalid
            }
        }
        name wan-local-v4 {
            default-action drop
            default-log
            description "WAN to This Router IPv4"
            rule 1 {
                action accept
                state established
                state related
            }
            rule 2 {
                action drop
                state invalid
            }
            rule 3 {
                action accept
                description "DHCPv4 replies"
                destination {
                    port 67,68
                }
                protocol udp
                source {
                    port 67,68
                }
            }
        }
    }
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan-v4
            }
        }
        from wan {
            firewall {
                name wan-lan-v4
            }
        }
        interface eth0
        interface br0
    }
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local-v4
            }
        }
        from wan {
            firewall {
                name wan-local-v4
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan-v4
            }
        }
        from local {
            firewall {
                name local-wan-v4
            }
        }
        interface eth1
    }
}

I would now like to add a VLAN with ID 90 and subnet 192.168.90.0/24 with the following commands:

# First attempt (fails, see below): make br0 VLAN-aware, move the LAN address
# from br0 to a tagged vif 10, and add VLAN 90 as the guest network.
set interfaces bridge br0 enable-vlan
# STP towards a switch port that runs BPDU guard can get the port blocked on
# the switch side (raised in the replies below); the working config keeps it.
set interfaces bridge br0 stp

# Deleting the only address on br0 was later identified in the thread as the
# reason the session was lost; the working config leaves it in place.
delete interfaces bridge br0 address '192.168.1.2/24'
set interfaces bridge br0 vif 10 address '192.168.1.2/24' 
set interfaces bridge br0 vif 10 description 'Native VLAN (untagged)'

set interfaces bridge br0 vif 90 address 192.168.90.1/24
set interfaces bridge br0 vif 90 description 'Guest VLAN'

# Untagged frames on each member get PVID 10 (cf. the 'bridge vlan show'
# output further down, where the native VLAN shows up as PVID).
set interfaces bridge br0 member interface eth2 native-vlan '10'
set interfaces bridge br0 member interface eth3 native-vlan '10'
set interfaces bridge br0 member interface eth4 native-vlan '10'
set interfaces bridge br0 member interface eth5 native-vlan '10'

# NOTE(review): '10-90' is a range, i.e. every VLAN ID from 10 through 90 is
# permitted on these ports, not only 10 and 90; the working config below
# allows just '90'.
set interfaces bridge br0 member interface eth2 allowed-vlan '10-90'
set interfaces bridge br0 member interface eth3 allowed-vlan '10-90'
set interfaces bridge br0 member interface eth4 allowed-vlan '10-90'
set interfaces bridge br0 member interface eth5 allowed-vlan '10-90'

However, when I commit-confirm these changes I lose my connection to the router.

Physical network:

  • VyOS router as VM with eth1-4 passed through
  • eth0 bridged on hypervisor
  • eth5 bridged on hypervisor to connect other VMs
  • Router trunk-connected to switch
  • 3 access points with different SSIDs which ultimately should tag the traffic (e.g., VLAN ID 90 for guests)

Any pointers to what is going wrong appreciated!

The issue might be caused by removing the IP from the bridge before the new VLAN is fully configured. Try adding the VLAN IP first, then removing the old one from the bridge interface.

The mgmt interface eth0 remains unchanged, so management access should still work.
I noticed you enabled STP on the bridge; that could cause the neighboring switch to block the attached port (when the switch port uses BPDU guard).

@16again makes a good point: where are your eth2-5 physically connected? If STP is enabled on those, it could be detecting a loop, and STP then disables the port on one end.

Thanks everyone for the pointers!

Got it working — deleting the address on the bridge was the culprit, together with some mix-up in the firewall rule sets.

The following config now works - sharing for reference:

VLAN:

# Working VLAN configuration (the resulting VLAN table is shown below).
set interfaces bridge br0 enable-vlan
# NOTE(review): a neighbouring switch running BPDU guard may disable the
# trunk port when it receives STP BPDUs from the router (see the replies
# above); verify the switch-side port settings before relying on this.
set interfaces bridge br0 stp

# Not deleting the br0 address as it is used for the native vlan resp. untagged traffic
# VLAN 1 is the PVID on every member and on br0 itself, so untagged LAN
# traffic keeps using 192.168.1.2/24 on br0.
set interfaces bridge br0 member interface eth2 native-vlan '1'
set interfaces bridge br0 member interface eth3 native-vlan '1'
set interfaces bridge br0 member interface eth4 native-vlan '1'
set interfaces bridge br0 member interface eth5 native-vlan '1'

# VLAN 90 is permitted (tagged) on every member, including eth5, the
# hypervisor-side bridge for other VMs. Only the ports that actually carry
# tagged guest traffic (switch trunk, access points) need this; limiting the
# list to those ports keeps the guest VLAN from being reachable from the
# other member ports.
set interfaces bridge br0 member interface eth2 allowed-vlan '90'
set interfaces bridge br0 member interface eth3 allowed-vlan '90'
set interfaces bridge br0 member interface eth4 allowed-vlan '90'
set interfaces bridge br0 member interface eth5 allowed-vlan '90'

# Router address inside the guest VLAN; this becomes interface br0.90, which
# the DHCP pool and the guest firewall zone below refer to.
set interfaces bridge br0 vif 90 address '192.168.90.1/24'
set interfaces bridge br0 vif 90 description 'Guest VLAN'

Results in:

$ bridge vlan show
port              vlan-id  
eth5              1 PVID Egress Untagged
                  90
eth2              1 PVID Egress Untagged
                  90
eth3              1 PVID Egress Untagged
                  90
eth4              1 PVID Egress Untagged
                  90
br0               1 PVID Egress Untagged
                  90

DHCP is also working and is configured as follows:

# NOTE(review): this path omits 'shared-network-name' (compare the lines
# below), so it probably does not commit as written -- likely a paste error.
set service dhcp-server vlan90 authoritative

# Guest pool: the gateway is the router's br0.90 address, the name server is
# the LAN host 192.168.1.3 (guests reach it through guest-lan-v4 rule 200 in
# the firewall listing below).
# NOTE(review): the original config has 'listen-interface br0' only; if the
# server is still restricted to listed interfaces, br0.90 presumably has to
# be added as well -- confirm against the running config.
set service dhcp-server shared-network-name vlan90 description 'VLAN ID 90 Guest DHCP'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 lease '86400'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 option default-router '192.168.90.1'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 option name-server '192.168.1.3'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 range 0 start '192.168.90.100'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 range 0 stop '192.168.90.200'
set service dhcp-server shared-network-name vlan90 subnet 192.168.90.0/24 subnet-id '90'

Creating zone-based firewall rule sets for all VLAN/zone combinations (I will likely simplify this in the future to avoid needing n²−n firewall names).

Zones to create firewall names for:

lan (native VLAN ID 1)
guest (VLAN ID 90)
local
wan

NAT and Firewall:

# NAT
# Source NAT for the guest subnet when it leaves through the WAN interface (eth1).
set nat source rule 200 description 'NAT for Guest VLAN 90'
set nat source rule 200 outbound-interface eth1
set nat source rule 200 source address 192.168.90.0/24
set nat source rule 200 translation address masquerade

# Additional guest firewall rules
# NOTE(review): in the existing config, inside-nets is also the source match
# of lan-local-v4 rule 1 (SSH to the router) and rule 3 (accept everything to
# the router). Guest hosts sit in zone guest, so those rule sets do not see
# them today, but every present or future rule keyed on inside-nets now
# includes the guest subnet; a separate group for guest networks would keep
# the two trust levels apart.
set firewall group network-group inside-nets network '192.168.90.0/24'

# Create a new firewall zone for Guests
# NOTE(review): the zone member is written as 'interface' here and as
# 'member interface' in the zone block at the end of this listing; which form
# the rolling build accepts depends on its version -- likely only one of the
# two commits.
set firewall zone guest default-action 'drop'
set firewall zone guest interface 'br0.90'

# Firewall Rules for guest Zone: Allow outbound internet traffic
# and block access to internal subnets:

# guest -> lan
# Only return traffic plus DNS and ICMP towards the LAN name server
# 192.168.1.3 are accepted; everything else is dropped and logged by the
# default action.
set firewall ipv4 name guest-lan-v4 default-action 'drop'
set firewall ipv4 name guest-lan-v4 default-log
set firewall ipv4 name guest-lan-v4 description 'guest to lan IPv4'

set firewall ipv4 name guest-lan-v4 rule 100 action 'accept'
set firewall ipv4 name guest-lan-v4 rule 100 state 'established'
set firewall ipv4 name guest-lan-v4 rule 100 state 'related'

set firewall ipv4 name guest-lan-v4 rule 200 action 'accept'
set firewall ipv4 name guest-lan-v4 rule 200 description 'Allow DNS'
set firewall ipv4 name guest-lan-v4 rule 200 destination address '192.168.1.3'
set firewall ipv4 name guest-lan-v4 rule 200 destination port '53'
set firewall ipv4 name guest-lan-v4 rule 200 protocol 'tcp_udp'
set firewall ipv4 name guest-lan-v4 rule 200 log

set firewall ipv4 name guest-lan-v4 rule 300 action 'accept'
set firewall ipv4 name guest-lan-v4 rule 300 description 'Allow ICMP'
set firewall ipv4 name guest-lan-v4 rule 300 destination address '192.168.1.3'
set firewall ipv4 name guest-lan-v4 rule 300 protocol 'icmp'
set firewall ipv4 name guest-lan-v4 rule 300 log

# Invalid-state packets would hit the drop default anyway; without 'log' this
# rule effectively only keeps them out of the default-log.
set firewall ipv4 name guest-lan-v4 rule 400 action 'drop'
set firewall ipv4 name guest-lan-v4 rule 400 state 'invalid'


# lan -> guest
# The trusted LAN may reach the guest VLAN without restriction.
set firewall ipv4 name lan-guest-v4 default-action 'drop'
set firewall ipv4 name lan-guest-v4 default-log
set firewall ipv4 name lan-guest-v4 description 'lan to guest IPv4'

set firewall ipv4 name lan-guest-v4 rule 100 action 'accept'

# guest -> local
# Guests may only talk DHCP to the router; unlike lan-local-v4 there is no
# SSH or catch-all accept, so router services stay closed to the guest VLAN.
set firewall ipv4 name guest-local-v4 default-action 'drop'
set firewall ipv4 name guest-local-v4 default-log
set firewall ipv4 name guest-local-v4 description 'guest to Router IPv4'

set firewall ipv4 name guest-local-v4 rule 200 action accept
set firewall ipv4 name guest-local-v4 rule 200 description 'Explicit allow dhcp'
set firewall ipv4 name guest-local-v4 rule 200 destination port '67-68'
set firewall ipv4 name guest-local-v4 rule 200 protocol 'udp'
set firewall ipv4 name guest-local-v4 rule 200 source port '67-68'


# guest -> wan
# Unrestricted outbound internet access for guests (NAT rule 200 above).
set firewall ipv4 name guest-wan-v4 default-action 'drop'
set firewall ipv4 name guest-wan-v4 default-log
set firewall ipv4 name guest-wan-v4 description 'guest to wan IPv4'

set firewall ipv4 name guest-wan-v4 rule 100 action 'accept'


# local -> guest
# Mirrors local-lan-v4 from the existing config: DHCP plus a catch-all from
# inside-nets (address-mask '0.0.0.0' presumably matches any destination).
set firewall ipv4 name local-guest-v4 default-action 'drop'
set firewall ipv4 name local-guest-v4 default-log
set firewall ipv4 name local-guest-v4 description 'Router to guest IPv4'

set firewall ipv4 name local-guest-v4 rule 200 action 'accept'
set firewall ipv4 name local-guest-v4 rule 200 description 'allow dhcp'
set firewall ipv4 name local-guest-v4 rule 200 destination port '67-68'
set firewall ipv4 name local-guest-v4 rule 200 protocol 'udp'
set firewall ipv4 name local-guest-v4 rule 200 source port '67-68'

set firewall ipv4 name local-guest-v4 rule 300 action 'accept'
set firewall ipv4 name local-guest-v4 rule 300 description 'default allow from router to known nets'
set firewall ipv4 name local-guest-v4 rule 300 destination address-mask '0.0.0.0'
set firewall ipv4 name local-guest-v4 rule 300 source group network-group 'inside-nets'


# WAN -> guests (allow established / related)
# Same pattern as wan-lan-v4: only return traffic, nothing unsolicited.
set firewall ipv4 name wan-guest-v4 default-action 'drop'
set firewall ipv4 name wan-guest-v4 default-log
set firewall ipv4 name wan-guest-v4 description 'WAN to guest IPv4'

set firewall ipv4 name wan-guest-v4 rule 100 action 'accept'
set firewall ipv4 name wan-guest-v4 rule 100 state 'established'
set firewall ipv4 name wan-guest-v4 rule 100 state 'related'

set firewall ipv4 name wan-guest-v4 rule 200 action 'drop'
set firewall ipv4 name wan-guest-v4 rule 200 state 'invalid'


# Zone connections
# 'zone X from Y firewall name N' applies rule set N to traffic entering zone
# X from zone Y; each direction between guest and lan/local/wan gets its own
# rule set from above.
set firewall zone guest default-action 'drop'
set firewall zone guest from lan firewall name 'lan-guest-v4'
set firewall zone guest from local firewall name 'local-guest-v4'
set firewall zone guest from wan firewall name 'wan-guest-v4'
set firewall zone guest member interface 'br0.90'

set firewall zone lan from guest firewall name 'guest-lan-v4'
set firewall zone wan from guest firewall name 'guest-wan-v4'
set firewall zone local from guest firewall name 'guest-local-v4'