Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet Topic is solved

dpsguard
Posts: 43
Joined: Mon Aug 03, 2020 12:48 am

Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by dpsguard »

Hello everyone,

I am hoping someone has already run into inter-VLAN routing issues and resolved them, so I can learn the fix or the missing configuration.


1. RPi 4B running the latest DietPi version. Wireless is disabled, so only eth0 is working. The usual stuff like Pi-hole and PiVPN works as well. The DHCP scope through Pi-hole works as well.

2. Added a subinterface (VLAN) eth0.120 and a corresponding DHCP scope via dnsmasq to listen to tagged DHCP requests on VLAN 120. This works as well. A client connected to this VLAN (via a wireless AP with an SSID mapped to VLAN 120) obtains an IP address from this VLAN 120 DHCP scope set up on the RPi.

3. The default route is through eth0 to get to the internet. The VLAN interface has only an IP and subnet mask.

Here are the steps that I followed for this vlan part:

apt install vlan
echo 8021q >> /etc/modules

lsmod | grep 8021q (checks out good)

nano /etc/sysctl.conf

Remove the comment from the following (this is already done on my box, as I am using IP forwarding for the VPN client to be able to traverse the RPi and get to the inside network, but I am listing it here for completeness of the VLAN setup):

#net.ipv4.ip_forward=1

save

nano /etc/network/interfaces.d/vlans

add below

auto eth0.120
iface eth0.120 inet static
address 10.10.120.1
netmask 255.255.254.0
vlan-raw-device eth0

Save

service networking restart

Verify the presence of the new interface and IP via the following:

hostname -I
ifconfig

route -n (shows the default route through eth0 and two connected routes for the eth0 and eth0.120 subnets, as should be the case).

Add the DHCP scope via dnsmasq:

nano /etc/dnsmasq.d/120-vlan-dhcp.conf

dhcp-range=set:120,10.10.120.2,10.10.121.254,255.255.254.0,20m
dhcp-option=tag:120,option:router,10.10.120.1
dhcp-option=tag:120,6,192.168.2.34

save

At this time, I attach the RPi to a managed VLAN switch with the switch port set to tagged for VLAN 120 and untagged for the default VLAN 1 (the default VLAN 1 is where the main eth0 IP of the RPi is). I then create another similar port on the switch and connect the wireless AP. The wireless AP obtains a DHCP IP address from VLAN 1 and comes online. I then create an SSID on the AP with the egress traffic mapped to VLAN 120. The client connects to this SSID and successfully gets an IP address in VLAN 120 from the DHCP scope for this VLAN set up on the RPi. So we know VLANs are working.

Then I try to do some pings:

ping 192.168.2.34 (works; this is the RPi eth0 / VLAN 1 untagged IP address).

ping 10.10.120.1 (works; this is the RPi eth0.120 / VLAN IP address).

ping -I eth0 192.168.2.34 (works, of course).

ping -I eth0.120 10.10.120.1 (does not work).

The client gets an IP address in the 10.10.120.0/23 subnet but also cannot ping its gateway 10.10.120.1.

So something is broken: a client on the same subnet / VLAN cannot ping the gateway, and the router (RPi) itself cannot ping its own VLAN interface.

I have the ufw firewall installed, but it is disabled for now.

My next step, after making this local (inter-VLAN) routing / forwarding work, is to approach the NAT side via ufw / iptables masquerading. eth0.120 will be the LAN side and eth0 will act as the WAN / internet side to which 10.10.120.x traffic will be NATed.

@MichaIng and @Joulinar , your expertise is needed here please.

Thanks and very best
Last edited by dpsguard on Sun Sep 27, 2020 5:36 am, edited 1 time in total.
dpsguard
Posts: 43
Joined: Mon Aug 03, 2020 12:48 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by dpsguard »

Just looked at this document and everything is set up correctly in my RPi.

https://www.sbprojects.net/projects/ras ... i/vlan.php
Joulinar
Posts: 2277
Joined: Sat Nov 16, 2019 12:49 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by Joulinar »

Hi,

Sorry, I never used VLANs or have any hardware that is capable of doing so. Therefore I don't have enough knowledge on this.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
dpsguard
Posts: 43
Joined: Mon Aug 03, 2020 12:48 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by dpsguard »

Thanks @Joulinar. I have two D-Link DGS VLAN-managed switches at home. They are DGS-1100-05 and I have 3 VLANs that I use. There is an 802.1Q trunk between the two. Look for these at low cost on eBay. I purchased these open-box from eBay for only 25 Canadian dollars each. There is also a DGS-1100-8. I can help fund the purchase of one for you for DietPi development. There are lots of applications for VLANs for segregation and isolation of traffic for things like guests, IoT devices, users and servers, storage, etc.

Meanwhile, to test the RPi for VLANs, you can use any Linux PC / laptop by using the exact same configuration for its NIC (to add VLANs) as I did for eth0 of the RPi, and you can see if you get an IP address on the VLAN interface and if you can ping. I have to go to work, and I am going to test the whole thing later today on an Ubuntu machine.
Joulinar
Posts: 2277
Joined: Sat Nov 16, 2019 12:49 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by Joulinar »

Let's see if @MichaIng has an idea on this.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
trendy
Posts: 133
Joined: Tue Feb 25, 2020 2:54 pm

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by trendy »

Make sure that nothing is blocking traffic:


iptables-save -c
I don't believe it is a routing issue, but it doesn't hurt to verify with tcpdump whether echo requests reach the interface but no reply is sent back.


tcpdump -i any -evn icmp
dpsguard
Posts: 43
Joined: Mon Aug 03, 2020 12:48 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by dpsguard »

@trendy and @Joulinar, you folks are very correct. There was no issue with the configuration or the routing. I had a flawed test switch. I was using a Mikrotik managed switch 250GS and I was reading the documentation for the 260GS, and there is a subtle difference between the two: the 250GS was a bad design that they fixed in the 260GS. The 250GS does not support any untagged / native VLANs on the trunks (the 260GS does support it), and I was trying to set it up the traditional way with an untagged VLAN that was also then used for eth0 (my design does require it). So I replaced that with my home lab D-Link router and everything started working. Results with the 250GS were weird, making me believe that the VLAN interface was working, as the attached laptop would get the correct IP address (and Pi-hole would show it as a lease, even if it is not set up as a scope under the main Pi-hole provided scope). This scope, defined outside of Pi-hole, survives any change to the Pi-hole settings and allows changing the lease time to less than 1 hour (in my example, I used 20 minutes).

For the benefit of others who may try to use VLANs (and thus make the RPi a router on a stick), I would like to add that in the DHCP scope configuration in my original post, I forgot to add the DNS server. I will update that post also, but under /etc/dnsmasq.d/120-vlan-dhcp.conf we need to add dhcp-option=tag:120,6,<ip-of-pihole-dns-eth0>. Option number 6 is for custom DNS server address(es).

I am out of town tomorrow and will test in a day or two adding the masquerade rule in iptables for this subinterface / VLAN so its traffic can get to the internet, and then come back here to probably add the configuration for that portion.

@trendy, would you recommend changing the firewall rules using ufw or directly touching the tables and chains? My RPi is behind the home router and I just need iptables rules for isolating the guest traffic to the internet and for NATing the traffic to the uplink (eth0) interface, which then goes into the home network.
Joulinar
Posts: 2277
Joined: Sat Nov 16, 2019 12:49 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by Joulinar »

@dpsguard
If you have time and the mood, you could create a small how-to in our tutorial section. It might help others dealing with this topic, as it's quite specific and not that common :)
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
dpsguard
Posts: 43
Joined: Mon Aug 03, 2020 12:48 am

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by dpsguard »

Great idea @Joulinar. I will surely write a few tutorials based on my experience. Hopefully I'll start putting them up in a day or two.
trendy
Posts: 133
Joined: Tue Feb 25, 2020 2:54 pm

Re: Inter-VLAN issues VLAN interface not able to ping itself, route or NAT to internet

Post by trendy »

dpsguard wrote: Sun Sep 27, 2020 5:33 am @trendy, would you recommend changing the firewall rules using ufw or directly touching the tables and chains? My RPi is behind the home router and I just need iptables rules for isolating the guest traffic to the internet and for NATing the traffic to the uplink (eth0) interface, which then goes into the home network.
It depends how comfortable you are with direct iptables rules.
ufw is a failsafe choice in this case.
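One way to do the NAT and guest-isolation part through ufw, as trendy suggests, written as an added example that is not from this thread or the DietPi project. It assumes the layout from the original post (guest VLAN eth0.120 on 10.10.120.0/23, uplink eth0 on the home LAN 192.168.2.0/24, Pi-hole answering on the Pi's own eth0 address) and that ip_forward is already enabled in /etc/sysctl.conf as described earlier:

```shell
#!/bin/sh
# Guest-VLAN masquerade plus isolation via ufw. Assumed values (override
# with environment variables): guest eth0.120 / 10.10.120.0/23, uplink eth0,
# home LAN 192.168.2.0/24.
GUEST_IF="${GUEST_IF:-eth0.120}"
WAN_IF="${WAN_IF:-eth0}"
GUEST_NET="${GUEST_NET:-10.10.120.0/23}"
HOME_NET="${HOME_NET:-192.168.2.0/24}"

# nat table block to paste at the very top of /etc/ufw/before.rules, above
# the existing "*filter" line. ufw's own rule language only covers the
# filter table, so the masquerade has to live in this file; "ufw reload"
# picks it up. Only the guest subnet is masqueraded, not everything.
nat_rules() {
    printf '%s\n' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
}

# ufw commands in the order they must be entered: ufw evaluates rules in
# insertion order, so the deny toward the home LAN precedes the general
# allow toward the uplink (the home LAN is also reached via eth0).
# DEFAULT_FORWARD_POLICY in /etc/default/ufw stays "DROP"; the "route"
# rules open only what is listed. The first two rules are INPUT rules so
# guests can still get DHCP and DNS from the Pi itself.
ufw_commands() {
    cat <<EOF
ufw allow in on $GUEST_IF to any port 67 proto udp comment 'guest DHCP from dnsmasq'
ufw allow in on $GUEST_IF to any port 53 comment 'guest DNS via Pi-hole'
ufw route deny in on $GUEST_IF to $HOME_NET comment 'guest may not reach home LAN'
ufw route allow in on $GUEST_IF out on $WAN_IF comment 'guest to internet via NAT'
EOF
}

# Dry run by default; APPLY=1 (as root, after editing before.rules) runs
# the ufw commands for real.
if [ "${APPLY:-0}" = "1" ]; then
    ufw_commands | sh -e
else
    echo '# --- prepend to /etc/ufw/before.rules ---'; nat_rules
    echo '# --- then run as root ---'; ufw_commands
fi
```

After applying, `iptables-save -c` (from trendy's post) should show the MASQUERADE counter climbing as a guest client browses, while a guest ping to a 192.168.2.x host gets no reply.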