VLAN's bridges or not for intervlan communication?

Hello,
I am reading the docs to understand how to set up VLANs, but I am confused by what I read on the forums. I am considering running VyOS 1.4. I will have 2 NICs, eth0 and eth1. eth0 is WAN and eth1 is LAN.

I want to pass 9 tagged vlans and one untagged on eth1. Do I need to make vlan aware bridges for each vlan to make this work with inter-vlan communication over eth1?

Also where would I put the firewall rules like for example blocking all RFC1918 communication except for ssh on each vlan?

Source of my confusion:
This topic says to use bridges

Another topic where bridges are not used.

Based on your requirement, I think you can use a VLAN-aware bridge.

Sample configuration would be

set interfaces bridge br0 description 'LAN'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '2-10'
set interfaces bridge br0 member interface eth1 native-vlan '1'
set interfaces bridge br0 vif X address '192.168.2.1/24'
set interfaces bridge br0 vif X description 'VLANX'

As for the firewall configuration, it depends on what exact version you are using. Starting from VyOS 1.4-rolling-202308040557 there is a new firewall structure.

Why not use a real switch for passing VLANs, and use dedicated ports on the switch to hook up the L3 interfaces of VyOS?

Hello,
Well, I do not think I need a bridge; I was just confused by the post about bridges which I linked and thought you had to use bridges…
Yes I have a managed switch which I will use.

I have gotten inter-VLAN communication to work by using:

  • set interfaces ethernet eth1 vif 2 address 192.168.102.1/24
  • set interfaces ethernet eth1 vif 3 address 192.168.103.1/24

Now I am trying to get default block to work, but so far unsuccessful.
Rule 10 is ignored or never happens =/

      - set firewall ipv4 name VLAN_DEFAULT description 'Default Firewall Rules for from VLANS'
      - set firewall ipv4 name VLAN_DEFAULT default-action return
      - set firewall ipv4 name VLAN_DEFAULT enable-default-log

      # Do not allow Inter VLAN
      - set firewall ipv4 name VLAN_DFAULT rule 10 action 'drop'
      - set firewall ipv4 name VLAN_DFAULT rule 10 destination group network-group RFC1918

      - set firewall ipv4 forward filter rule 50 inbound-interface interface-name eth1.*
      - set firewall ipv4 forward filter rule 50 action jump
      - set firewall ipv4 forward filter rule 50 jump-target VLAN_DEFAULT
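
Added example, not part of the thread: in the commands as posted, rule 10 is created in a chain named VLAN_DFAULT, while forward rule 50 jumps to VLAN_DEFAULT, which has only a default-action of return. The Python sketch below cross-checks named ipv4 chains against jump-targets in pasted `set` commands; the function name and finding labels are made up for this example, and it only looks at the text it is given.

```python
import re
import shlex

# Commands as posted in the thread (list bullets and blank lines removed).
POSTED = """\
set firewall ipv4 name VLAN_DEFAULT description 'Default Firewall Rules for from VLANS'
set firewall ipv4 name VLAN_DEFAULT default-action return
set firewall ipv4 name VLAN_DEFAULT enable-default-log
set firewall ipv4 name VLAN_DFAULT rule 10 action 'drop'
set firewall ipv4 name VLAN_DFAULT rule 10 destination group network-group RFC1918
set firewall ipv4 forward filter rule 50 inbound-interface interface-name eth1.*
set firewall ipv4 forward filter rule 50 action jump
set firewall ipv4 forward filter rule 50 jump-target VLAN_DEFAULT
"""

def lint_chains(config_text):
    """Cross-check named ipv4 chains against the jump-targets that reference them."""
    defined, with_rules, targets = set(), set(), set()
    for raw in config_text.splitlines():
        line = re.sub(r"^\s*[-•]\s*", "", raw).strip()  # tolerate pasted list bullets
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:3] != ["set", "firewall", "ipv4"]:
            continue
        if len(tok) > 4 and tok[3] == "name":
            defined.add(tok[4])                  # chain exists in the config
            if len(tok) > 5 and tok[5] == "rule":
                with_rules.add(tok[4])           # chain carries at least one rule
        if "jump-target" in tok[:-1]:
            targets.add(tok[tok.index("jump-target") + 1])
    findings = []
    for name in sorted(targets - defined):
        findings.append(("undefined-target", name))     # jump to a chain that is never set
    for name in sorted((targets & defined) - with_rules):
        findings.append(("target-has-no-rules", name))  # only default-action applies
    for name in sorted(with_rules - targets):
        findings.append(("rules-never-reached", name))  # no jump-target names this chain
    return findings

if __name__ == "__main__":
    for kind, chain in lint_chains(POSTED):
        print(f"{kind}: {chain}")
```
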