IPFW tag/tagged/untag

Ofloo

Active Member

Thanks: 7
Messages: 242

#1
I want to tag specific MAC addresses into a specific VLAN. From what I gather this can be accomplished with ipfw, although I'm not quite sure of the syntax. Does anyone have a syntax sample for this?
 

SirDice

Administrator
Staff member
Moderator

Thanks: 6,335
Messages: 27,504

#2
I think you're misunderstanding IPFW and/or VLANs. Tagging within IPFW has to do with queues (traffic shaping) and general filtering; it has nothing to do with VLAN tagging.

In order to prevent an XY problem, what are you trying to accomplish?
 
Ofloo (OP)

#3
I've set up a WPA2+TLS AP and I'm trying to put specific wireless clients into a specific VLAN. Since I can't figure out how to make hostapd work with dynamic VLAN on FreeBSD, I figured I'd try macvlan, tagging specific MAC addresses into a specific VLAN.

What I basically want is to add a vlan tag to specific clients.
 

SirDice

#4
Does the rest of your network support VLANs? I mean, your switch has to support VLANs too. Most of the "simple" unmanaged SOHO switches don't support VLANs. You will need a trunk and a couple of vlan(4) interfaces in order for this to work at all.
 

SirDice

#6
I don't think you can put individual hosts in a VLAN. It's more common to see a whole Wi-Fi network put behind a VLAN. So you would need to create more Wi-Fi networks, each on their own VLAN: SSID1 is on VLAN1, SSID2 is on VLAN2, etc. That's the way it's done on my LAPAC1750Pro, for example.
 
Ofloo (OP)

#7
Sure you can: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

Code:
# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
# is used for the stations. This information is parsed from following RADIUS
# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
# be used to set static client MAC address to VLAN ID mapping.
# 0 = disabled (default)
# 1 = option; use default interface if RADIUS server does not include VLAN ID
# 2 = required; reject authentication if RADIUS server does not include VLAN ID
#dynamic_vlan=0
Enterprise Wi-Fi authentication also enables advanced features such as putting users dynamically into a specific VLAN (e.g. separate guest and staff logins into different IP networks even though being on the same SSID), and dynamic ACLs
http://wiki.freeradius.org/guide/Enterprise WiFi

Of course you don't leave it at the default; otherwise it's easier to just bridge.
Code:
DEFAULT NAS-Port-Type == Wireless-802.11
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "700"
And it tries to do so, only it can't create the VLAN on the wlan interface.

hostapd output:

Code:
wlan0: RADIUS Received 186 bytes from RADIUS server
wlan0: RADIUS Received RADIUS message
wlan0: STA cc:fa:00:x:x:x RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station cc:fa:00:x:x:x
wlan0: STA cc:fa:00:x:x:x RADIUS: VLAN ID 700
VLAN: vlan_add_dynamic(vlan_id=700 ifname=wlan0.#)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
EAP: EAP entering state AAA_RESPONSE
EAP: getId: id=87
EAP: EAP entering state SEND_REQUEST2
EAP: EAP entering state IDLE2
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: cc:fa:00:x:x:x BE_AUTH entering state REQUEST
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: Sending EAP Packet (identifier 87)
IEEE 802.1X: cc:fa:00:x:x:x - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT2
EAP: EAP entering state IDLE2
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: cc:fa:00:x:x:x BE_AUTH entering state REQUEST
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: Sending EAP Packet (identifier 87)
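The RADIUS half of the exchange logged above, as an added example that is not part of the original post and is not hostapd or FreeRADIUS code. It encodes the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple from the `users` entry above the way the attributes appear on the wire in an Access-Accept (RFC 2868 layout, RFC 3580 values) and decodes them the way an authenticator has to before trusting the VLAN ID: the three attributes must share one tag, Tunnel-Type must be 13 and Tunnel-Medium-Type must be 6, and a Tunnel-Private-Group-ID whose first octet is above 0x1F is untagged data rather than a tag. The function names and the packets built from them are assumptions made for the example.

```python
"""Encode and decode the RFC 2868 tunnel attributes that carry a VLAN
assignment in a RADIUS Access-Accept, as consumed by hostapd's dynamic_vlan.

Added example, not hostapd or FreeRADIUS code. Attribute numbers and values
are from RFC 2868 and RFC 3580; every packet built here is constructed data.
"""
from typing import Any, Dict, Iterator, Optional, Tuple

TUNNEL_TYPE = 64              # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13         # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE802 = 6     # RFC 2868: IEEE 802 (covers 802.11)
MAX_TAG = 0x1F                # valid tags 0x01..0x1F; 0x00 means untagged


def _tlv(attr_type: int, body: bytes) -> bytes:
    """One RADIUS attribute: Type (1), Length (1, header included), Value."""
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes a server adds to Access-Accept to assign
    `vlan_id`, i.e. the wire form of the FreeRADIUS users entry
    Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "700"."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    return (
        _tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting truncated or undersized TLVs."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def _split_tag(attr_type: int, value: bytes) -> Tuple[int, bytes]:
    """Separate the tag octet from the value. The integer tunnel attributes
    always carry a tag octet plus 3 value octets; for the string-valued
    Tunnel-Private-Group-ID, RFC 2868 says a first octet above 0x1F is data,
    so a server that omits the tag still parses correctly."""
    if not value:
        raise ValueError("empty tunnel attribute")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > MAX_TAG:
        return 0, value
    return value[0], value[1:]


def vlan_from_access_accept(data: bytes) -> Optional[int]:
    """Return the VLAN ID the server assigned, or None when the triple is
    missing, inconsistent, or split across different tags. None is the
    "RADIUS server does not include VLAN ID" case from hostapd.conf: default
    interface with dynamic_vlan=1, rejection with dynamic_vlan=2."""
    groups: Dict[int, Dict[int, Any]] = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # EAP-Message, MS-MPPE keys etc. do not matter here
        tag, payload = _split_tag(attr_type, value)
        entry = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = payload
        else:
            if len(payload) != 3:
                return None
            entry[attr_type] = int.from_bytes(payload, "big")
    # Only attributes sharing one tag describe the same tunnel: a VLAN type
    # under tag 1 and a group ID under tag 0 must never be combined.
    for entry in groups.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            group = entry[TUNNEL_PRIVATE_GROUP_ID]
            if not group.isdigit():
                return None
            vid = int(group)
            return vid if 1 <= vid <= 4094 else None
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment(700)
    print(accept.hex(), "->", vlan_from_access_accept(accept))
```

The decoder deliberately returns None rather than guessing when the medium type is not IEEE 802 or the tags do not line up: a station silently put on a VLAN from a half-matched attribute set is exactly the kind of failure you do not want from an authenticator.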
 

SirDice

#9
Not sure if this is all you need to set, but looking through the config you posted I noticed this:
Code:
# Interface where 802.1q tagged packets should appear when a RADIUS server is
# used to determine which VLAN a station is on.  hostapd creates a bridge for
# each VLAN.  Then hostapd adds a VLAN interface (associated with the interface
# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
# to the bridge.
#vlan_tagged_interface=eth0
That should be set to your LAN interface, or whatever interface is trunked to your network.
 
Ofloo (OP)

#10
I'll look into it, but at first sight:
Code:
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'

Even when I manipulate it to be vr0 with /etc/hostapd.vlan:

Code:
VLAN: vlan_add_dynamic(vlan_id=700 ifname=vr0.700)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
Code:
VLAN: vlan_add_dynamic(vlan_id=700 ifname=vr0)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
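A check for the failure shown in the hostapd output above, as an added example that is not part of the thread and not hostapd code. It scans `hostapd -d` output for each station's "RADIUS: VLAN ID", the "vlan_add_dynamic" attempt, the "could not add dynamic VLAN interface" failure and the "EAP Success" from the server, and lists the stations the RADIUS server accepted with a VLAN that hostapd then failed to bind. The line patterns are taken from the output quoted in posts #7 and #10; the sample log is constructed from those lines (MAC addresses redacted as the poster did) plus a second, made-up station that binds without error. Function and field names are assumptions made for the example.

```python
"""Find stations whose RADIUS-assigned VLAN hostapd could not apply, from
hostapd debug output (hostapd -d).

Added example, not hostapd code. The line patterns follow the output quoted
in this thread; SAMPLE_LOG is constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Line shapes taken from the hostapd output quoted in the thread.
VLAN_RE = re.compile(r"^(?P<ifname>\S+): STA (?P<sta>\S+) RADIUS: VLAN ID (?P<vid>\d+)$")
ADD_RE = re.compile(r"^VLAN: vlan_add_dynamic\(vlan_id=(?P<vid>\d+) ifname=(?P<ifname>\S+)\)$")
FAIL_RE = re.compile(r"^(?P<ifname>\S+): STA (?P<sta>\S+) IEEE 802\.11: "
                     r"could not add dynamic VLAN interface for vlan_id=(?P<vid>\d+)$")
EAP_OK_RE = re.compile(r"^(?P<ifname>\S+): STA (?P<sta>\S+) IEEE 802\.1X: "
                       r".*from RADIUS server: EAP Success$")


@dataclass
class StationVlan:
    assigned_vlan: Optional[int] = None     # VLAN ID carried in Access-Accept
    attempted_ifname: Optional[str] = None  # interface hostapd tried to create
    bind_failed: bool = False               # "could not add dynamic VLAN interface"
    eap_success: bool = False               # server accepted the station


def analyze(lines: Iterable[str]) -> Dict[str, StationVlan]:
    """Correlate the per-station log lines into one record per MAC."""
    stations: Dict[str, StationVlan] = {}
    # vlan_add_dynamic lines carry no MAC, so remember the most recent one and
    # attach it to the failure line that follows it.
    last_add_ifname: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        m = ADD_RE.match(line)
        if m:
            last_add_ifname = m["ifname"]
            continue
        m = VLAN_RE.match(line)
        if m:
            stations.setdefault(m["sta"], StationVlan()).assigned_vlan = int(m["vid"])
            continue
        m = FAIL_RE.match(line)
        if m:
            st = stations.setdefault(m["sta"], StationVlan())
            st.bind_failed = True
            st.attempted_ifname = last_add_ifname
            continue
        m = EAP_OK_RE.match(line)
        if m:
            stations.setdefault(m["sta"], StationVlan()).eap_success = True
    return stations


def unbound_stations(stations: Dict[str, StationVlan]) -> List[str]:
    """MACs the RADIUS server accepted with a VLAN hostapd failed to create.
    These are the clients to go and look for, rather than assuming they
    ended up in the VLAN the server asked for."""
    return sorted(mac for mac, st in stations.items()
                  if st.eap_success and st.assigned_vlan is not None and st.bind_failed)


# Constructed sample: the thread's failing station plus a made-up healthy one.
SAMPLE_LOG = """\
wlan0: STA cc:fa:00:x:x:x RADIUS: VLAN ID 700
VLAN: vlan_add_dynamic(vlan_id=700 ifname=vr0.700)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
wlan0: STA 00:11:22:y:y:y RADIUS: VLAN ID 20
VLAN: vlan_add_dynamic(vlan_id=20 ifname=vr0.20)
wlan0: STA 00:11:22:y:y:y IEEE 802.1X: decapsulated EAP packet (code=3 id=12 len=4) from RADIUS server: EAP Success
"""


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for mac in unbound_stations(result):
        st = result[mac]
        print(f"{mac}: RADIUS assigned VLAN {st.assigned_vlan}, "
              f"hostapd could not bind {st.attempted_ifname}")
```

Run it against a real capture with `hostapd -d ... 2>&1 | tee hostapd.log` and feed the file to `analyze()`; the regexes are anchored to the exact phrasing quoted in the thread, so a different hostapd build may need them adjusted.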
 
Ofloo (OP)

#12
Not quite sure what you mean by that; both /usr/local/sbin/hostapd and /usr/sbin/hostapd have this error.

Code:
# /usr/local/sbin/hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'
Failed to set up interface with /etc/hostapd.conf
hostapd_init: free iface 0x2882c000
Failed to initialize interface
Code:
# /usr/sbin/hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'
Failed to set up interface with /etc/hostapd.conf
hostapd_init: free iface 0x28829000
Failed to initialize interface
 

phoenix

Administrator
Staff member
Moderator

Thanks: 1,164
Messages: 3,985

#14
I think what SirDice is trying to get at is that you need to use the port version of hostapd, configure it in /usr/local/etc, and disable the built-in version of hostapd.

Use the RC script installed under /usr/local/etc/rc.d to start/stop it.

Ignore everything hostapd-related from /etc.
 
Ofloo (OP)

#15
It seems that for the time being it is impossible, since it requires the wlan interface to be able to generate VLANs as well. I installed OpenWrt just to see how it is done there, and OpenWrt creates a tagged interface on eth0 as well as on wlan0.

I tried doing this on FreeBSD using ifconfig vlan create; however, then the MTU changes, and I'm not sure why, but that doesn't seem to work.
 