VLANs in Helium Beta


#1

Hi All,

I’ve got an almost working setup using the Helium beta with KVM. The issue I’m running into involves using VLAN interfaces. With the non-VLAN interfaces everything works fine and I can reach all the ports that I’ve allowed via the ACLs on eth1. With the VLAN interface (eth2.1000), I can get an IP via DHCP but I can’t get much else to work. No ping, no nothing. I’ve applied the same rule set to both interfaces just for testing purposes. Any ideas?

tia

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN1-OUTSIDE {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 15 {
            action accept
            protocol icmp
        }
        rule 20 {
            action accept
            destination {
                port 25,80,443
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
        }
        hw-id XX:XX:XX:ce:0d:83
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address xxx.xxx.12.1/24
        description LAN1
        duplex auto
        firewall {
            in {
                name LAN1-OUTSIDE
            }
        }
        hw-id XX:XX:XX:8a:62:b3
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id XX:XX:XX:06:c8:44
        smp_affinity auto
        speed auto
        vif 1000 {
            address xxx.xxx.32.1/24
            description VLAN1000
            firewall {
                in {
                    name LAN1-OUTSIDE
                }
            }
        }
    }
    ethernet eth3 {
        duplex auto
        hw-id XX:XX:XX:95:64:c4
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address xxx.xxx.12.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name xxxxxx {
            authoritative disable
            subnet xxx.xxx.12.0/24 {
                default-router xxx.xxx.12.1
                dns-server xxx.xxx.12.1
                domain-name xxxxxx
                lease 3600
                start xxx.xxx.12.2 {
                    stop xxx.xxx.12.12
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.32.0/24 {
                default-router xxx.xxx.32.1
                dns-server xxx.xxx.32.1
                domain-name xxxxxx
                lease 3600
                start xxx.xxx.32.2 {
                    stop xxx.xxx.32.12
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 2000
            listen-on eth1
            listen-on eth2
            listen-on eth3
            listen-on eth2.1000
        }
    }
    https {
        http-redirect enable
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name xxxxxx
    login xxxxxx
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
            }
            level admin
        }
    }
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password xxxxxx
            url http://packages.vyos.net/vyos
            username xxxxxx
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

#2

I don’t see a NAT rule for your VLAN. Source NAT rule 100 only masquerades xxx.xxx.12.0/24 out eth0, so traffic from the xxx.xxx.32.0/24 VLAN subnet leaves eth0 with its original source address and the replies never come back.


#3

Thanks for catching that.

Well, ping works now. When I traceroute, however, it appears that traffic isn’t making it past the VLAN interface’s default GW. In a browser test, I get “Connection was reset”. I’m thinking this may be an issue with passing VLAN-tagged packets over an empty bridge in KVM. I’ll have to test this config on dedicated hardware when I can get my hands on some, and then I’ll report back.

Cheers.