VLAN network segmentation

Dear FreeBSD Community,

we would like to do IPv6 network segmentation within several VLANs, but fail in the implementation.

The server is connected to all VLANs via a trunk port and can see them. All network segments should be reachable via it.

Code:
freebsd-version

13.2-RELEASE-p2


/etc/rc.conf


# internal VLAN10 via eth0
ifconfig_eth0="inet 192.168.14.254 netmask 255.255.224.0"
defaultrouter="192.168.1.254"

########## second IPv6 network interface #################
ifconfig_eth1="up"

########## implement VLANs #################
#if_vlan_load="YES"
cloned_interfaces="vlan1168 vlan1184 vlan1200 vlan1216"
vlans_eth1="vlan1168 vlan1184 vlan1200 vlan1216"

########## configure VLAN1168 #################
ifconfig_vlan1168="vlan 1168 vlandev eth1"
ifconfig_vlan1168="inet6 201:abc:def0:a1::fffe prefixlen 64 accept_rtadv no_radr vlan 1168 vlandev eth1"

########## configure VLAN1184 #################
ifconfig_vlan1184="vlan 1184 vlandev eth1"
ifconfig_vlan1184="inet6 201:abc:def0:b1::fffe prefixlen 64 vlan 1184 vlandev eth1"

########## configure VLAN1200 #################
ifconfig_vlan1200="vlan 1200 vlandev eth1"
ifconfig_vlan1200="inet6 201:abc:def0:c1::fffe prefixlen 64 vlan 1200 vlandev eth1"

########## configure VLAN1216 #################
ifconfig_vlan1216="vlan 1216 vlandev eth1"
ifconfig_vlan1216="inet6 201:abc:def0:d1::fffe prefixlen 64 vlan 1216 vlandev eth1"

########## Alias IPv6 addresses in separate network segments #################
ifconfig_vlan1168_alias0="inet6 add 201:abc:def0:a2::fffe/64 alias"
ifconfig_vlan1184_alias0="inet6 add 201:abc:def0:b2::fffe/64 alias"
ifconfig_vlan1200_alias0="inet6 add 201:abc:def0:c2::fffe/64 alias"
ifconfig_vlan1216_alias0="inet6 add 201:abc:def0:d2::fffe/64 alias"

########## activate alias communication #################

#static_routes="vlan1168 vlan1184 vlan1200 vlan1216"
#route_vlan1168="-net 201:abc:def0:a2::/64 201:abc:def0:a2::fffe"
#route_vlan1184="-net 201:abc:def0:b2::/64 201:abc:def0:b2::fffe"
#route_vlan1200="-net 201:abc:def0:c2::/64 201:abc:def0:c2::fffe"
#route_vlan1216="-net 201:abc:def0:d2::/64 201:abc:def0:d2::fffe"

ipv6_activate_all_interfaces="YES"
ipv6_gateway_enable="YES"
ipv6_ip4mapping="YES" # allow dual stack
ipv6_network_interfaces="eth1 vlan1168 vlan1184 vlan1200 vlan1216"

ifconfig_eth0_accept_rtadv="YES"
ifconfig_eth0_no_radr="YES"
ifconfig_eth1_accept_rtadv="YES"
ifconfig_eth1_no_radr="YES"
ifconfig_vlan1168_accept_rtadv="YES"
ifconfig_vlan1168_no_radr="YES"

rtsold_enable="YES"
rtsold_flags="-a -l eth1"


Can anyone give us a hint on this, what we are doing wrong? Can I use alias addresses to announce multiple prefixes in one VLAN?

We would be very happy about any suggestions. Otherwise we have to create a separate VLAN for each segment.
 
One way, assuming em0 is the physical interface:
Code:
vlans_em0="1184 1200"
ifconfig_em0="up"
ifconfig_em0_1184="inet 1.1.1.1 netmask 255.255.255.0"
ifconfig_em0_1184_ipv6="inet6 dead:beaf:f00d::1 prefixlen 64"

ifconfig_em0_1200="inet ...."
ifconfig_em0_1200_ipv6="inet6 ...."

Another way:
Code:
vlans_em0="vlan1184 vlan1200"
create_args_vlan1184="vlan 1184"
create_args_vlan1200="vlan 1200"

ifconfig_em0="up"

ifconfig_vlan1184="inet 1.1.1.1 netmask 255.255.255.0"
ifconfig_vlan1184_ipv6="inet6 dead:beaf:f00d::1 prefixlen 64"

ifconfig_vlan1200="inet ...."
ifconfig_vlan1200_ipv6="inet6 ...."

The first, 'dotted', notation is the preferred one, so em0.1184 refers to the vlan(4) interface with VLAN ID 1184.
 
I was probably too imprecise. The em0 interface is connected to the internal IPv4 network via VLAN10. It remains unaffected by the configuration.

The em1 interface is connected to a trunk port. Several network segments are now to be set up in the unused VLANs 1168, 1184, 1200 and 1216 contained therein. These should be able to communicate with each other via this router.

Diagram:

1693565869001.png


Thank you and best regards.
 
Okay, with the 'create_args' option it worked now.

Here is the solution for the eth1 interface:

Code:
ifconfig_em1="up"

if_vlan_load="YES"
vlans_em1="vlan1 vlan2 vlan3 vlan4"

create_args_vlan1="vlan 1"
create_args_vlan2="vlan 2"
create_args_vlan3="vlan 3"
create_args_vlan4="vlan 4"

ifconfig_vlan1_ipv6="inet6 2001:abc:def:a1::fffe prefixlen 64"
ifconfig_vlan2_ipv6="inet6 2001:abc:def:b1::fffe prefixlen 64"
ifconfig_vlan3_ipv6="inet6 2001:abc:def:c1::fffe prefixlen 64"
ifconfig_vlan4_ipv6="inet6 2001:abc:def:d1::fffe prefixlen 64"

ifconfig_vlan1_alias0="inet6 add 2001:abc:def:a3::fffe prefixlen 64 alias"
ifconfig_vlan2_alias0="inet6 add 2001:abc:def:b2::fffe prefixlen 64 alias"
ifconfig_vlan3_alias0="inet6 add 2001:abc:def:c2::fffe prefixlen 64 alias"
ifconfig_vlan4_alias0="inet6 add 2001:abc:def:d2::fffe prefixlen 64 alias"

ipv6_activate_all_interfaces="YES"
ipv6_gateway_enable="YES"
ipv6_ip4mapping="YES"

Many thanks for the help. We appreciate it!
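Added example (not code from any poster in this thread): a small sh/awk lint that reads rc.conf text and reports two of the differences between the question's configuration and the working one. It flags a variable assigned twice (rc.conf is sourced by sh, so the later line overrides the earlier one) and a named `vlans_<parent>` entry that has no `create_args_<name>` carrying a `vlan <tag>`. The function name `lint_vlans`, the finding labels and both sample excerpts are constructed for this illustration.

```shell
#!/bin/sh
# lint_vlans: read rc.conf text on stdin, print one finding per line (sorted).
lint_vlans() {
    awk '
    /^[ \t]*#/ { next }                        # skip commented-out settings
    match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
        name = substr($0, RSTART, RLENGTH - 1)
        gsub(/[ \t]/, "", name)
        val = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+#.*$/, "", val)             # drop a trailing comment
        gsub(/"/, "", val)
        # rc.conf is sourced by sh: a repeated name overrides the first value.
        if (name in value) print "DUPLICATE " name
        value[name] = val
    }
    END {
        for (n in value) {
            if (n !~ /^vlans_/) continue
            cnt = split(value[n], items, " ")
            for (i = 1; i <= cnt; i++) {
                if (items[i] ~ /^[0-9]+$/) continue   # dotted form: tag is the entry
                ca = "create_args_" items[i]
                if (!(ca in value) || value[ca] !~ /(^| )vlan [0-9]+/)
                    print "MISSING_CREATE_ARGS " items[i]
            }
        }
    }' | LC_ALL=C sort
}

# Constructed excerpt of the question's configuration (two of the four VLANs).
sample_question() { cat <<'EOF'
ifconfig_eth1="up"
cloned_interfaces="vlan1168 vlan1184"
vlans_eth1="vlan1168 vlan1184"
ifconfig_vlan1168="vlan 1168 vlandev eth1"
ifconfig_vlan1168="inet6 201:abc:def0:a1::fffe prefixlen 64 vlan 1168 vlandev eth1"
ifconfig_vlan1184="vlan 1184 vlandev eth1"
ifconfig_vlan1184="inet6 201:abc:def0:b1::fffe prefixlen 64 vlan 1184 vlandev eth1"
EOF
}

# Constructed excerpt of the working configuration (two of the four VLANs).
sample_fixed() { cat <<'EOF'
ifconfig_em1="up"
vlans_em1="vlan1 vlan2"
create_args_vlan1="vlan 1"
create_args_vlan2="vlan 2"
ifconfig_vlan1_ipv6="inet6 2001:abc:def:a1::fffe prefixlen 64"
EOF
}

echo "question:"; sample_question | lint_vlans
echo "fixed:"; sample_fixed | lint_vlans
```

Run it against a real file with `lint_vlans < /etc/rc.conf`; no output means neither issue was found.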
 