Differences in Revisions: vlan

Older Revision
August 30 at 3:58 pm
Remove deprecated VLAN documentation - this can now be done via the UI
# VLAN with IPFire
 
If the hardware has only two physical network ports (NICs), e.g. eth0 and eth1 for **Green** and **Red**, additional virtual LANs for **Blue** and **Orange** can be defined and made available. In addition to your IPFire system, you need a switch that supports VLANs. The switch has to be configured according to the settings in IPFire.
 
## Example Network Map
| Interface | IP Range | physical | virtual |
| --- | --- |:---:|:---:|
|**Red**| PPPOE|X|-|
|**Green**| 192.168.1.0/24|X|-|
|**Blue**| 192.168.2.0/24|-|X|
|**Orange**| 10.0.1.0/24|-|X|
|**OpenVPN**| 10.0.2.0/24|||
 
![](/optimization/vlan/vlan.png)
 
 
## Relevant Files
 
### VLAN HW allocation
```text
# /var/ipfire/ethernet/vlans
```
 
This configuration file allows the definition of VLANs for the IPFire networks **GREEN**, **RED**, **ORANGE** and **BLUE**. You can assign a VLAN ID (between 2 and 4094) and a MAC address to each VLAN. (IDs 0, 1 and 4095 are reserved.)
 
The parent device (XXX_PARENT_DEV) can be a physical NIC such as eth0 or another interface such as green0, as in the following example:
 
```text
BLUE_PARENT_DEV=green0
BLUE_VLAN_ID=300
BLUE_MAC_ADDRESS=00:22:B1:B1:B1:30
ORANGE_PARENT_DEV=green0
ORANGE_VLAN_ID=400
ORANGE_MAC_ADDRESS=00:22:B1:B1:B1:40
```
 
This example will create an untagged green network and tagged orange and blue networks on the physical NIC of the green network. If you need to have tagged packets *only* on the NIC port (some switches cannot handle tagged and untagged on the same port), you will need to use the *physical* NIC (e.g. eth0) as the PARENT_DEV.
 
### VLAN network configuration
 
```text
# /var/ipfire/ethernet/settings
```
 
In this file, we configure the appropriate network ranges for the respective interfaces. This will enable the 4 networks in the WUI, too.
 
```text
CONFIG_TYPE=4
GREEN_DEV=green0
GREEN_MACADDR=00:22:B1:B1:B1:B1
GREEN_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
GREEN_DRIVER=e1000e
RED_DEV=red0
RED_MACADDR=00:22:A1:A1:A1:A1
RED_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
RED_DRIVER=e1000e
GREEN_ADDRESS=192.168.1.1
GREEN_NETMASK=255.255.255.0
GREEN_NETADDRESS=192.168.1.0
GREEN_BROADCAST=192.168.1.255
BLUE_DEV=blue0
BLUE_ADDRESS=192.168.2.1
BLUE_NETMASK=255.255.255.0
BLUE_NETADDRESS=192.168.2.0
BLUE_BROADCAST=192.168.2.255
BLUE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
BLUE_DRIVER=e1000e
ORANGE_DEV=orange0
ORANGE_ADDRESS=10.0.1.1
ORANGE_NETMASK=255.255.255.0
ORANGE_NETADDRESS=10.0.1.0
ORANGE_BROADCAST=10.0.1.255
ORANGE_DESCRIPTION='"pci: Intel Corporation 82574L Gigabit Network Connection"'
ORANGE_DRIVER=e1000e
RED_DHCP_HOSTNAME=ipfw
RED_DHCP_FORCE_MTU=
RED_ADDRESS=0.0.0.0
RED_NETMASK=0.0.0.0
RED_TYPE=PPPOE
RED_NETADDRESS=0.0.0.0
RED_BROADCAST=255.255.255.255
DNS1=192.168.1.1
DNS2=
DEFAULT_GATEWAY=192.168.1.1
```
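
Because both files are edited by hand, a pre-reboot check helps catch mistakes that would blur the separation between zones. The following is an added example, not part of IPFire or of the original page: the function names and the sample input are constructed for illustration, and an address that cannot be parsed raises `ValueError`. It checks the VLAN ID range stated above, flags a VLAN ID reused on the same parent device, and verifies that each zone's NETADDRESS and BROADCAST follow from its ADDRESS and NETMASK and that zone networks do not overlap.

```python
import ipaddress
ZONES = ("GREEN", "BLUE", "ORANGE")
# Constructed sample input: ORANGE reuses BLUE's tag; BLUE's broadcast is mistyped.
SAMPLE_VLANS = ("BLUE_PARENT_DEV=green0\nBLUE_VLAN_ID=300\n"
                "ORANGE_PARENT_DEV=green0\nORANGE_VLAN_ID=300\n")
SAMPLE_SETTINGS = ("BLUE_ADDRESS=192.168.2.1\nBLUE_NETMASK=255.255.255.0\n"
                   "BLUE_NETADDRESS=192.168.2.0\nBLUE_BROADCAST=192.168.2.225\n")

def parse_kv(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    pairs = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def check_vlans(vlans):
    """VLAN IDs must be 2..4094 and unique per parent device."""
    problems, seen = [], {}
    for zone in ZONES:
        vid, parent = vlans.get(f"{zone}_VLAN_ID"), vlans.get(f"{zone}_PARENT_DEV")
        if vid is None:
            continue
        if not vid.isdecimal() or not 2 <= int(vid) <= 4094:
            problems.append(f"{zone}_VLAN_ID={vid} is outside 2-4094")
        if not parent:
            problems.append(f"{zone}_PARENT_DEV is missing")
        elif seen.setdefault((parent, vid), zone) != zone:
            problems.append(f"{zone} reuses VLAN {vid} on {parent}")
    return problems

def check_settings(settings):
    """NETADDRESS/BROADCAST must follow from ADDRESS/NETMASK; zones must not overlap."""
    problems, nets = [], {}
    for zone in ZONES:
        addr, mask = settings.get(f"{zone}_ADDRESS"), settings.get(f"{zone}_NETMASK")
        if not addr or not mask:
            continue
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        for key, want in ((f"{zone}_NETADDRESS", net.network_address),
                          (f"{zone}_BROADCAST", net.broadcast_address)):
            if settings.get(key) != str(want):
                problems.append(f"{key}={settings.get(key)} should be {want}")
        problems += [f"{zone} overlaps {o}" for o, n in nets.items() if net.overlaps(n)]
        nets[zone] = net
    return problems

if __name__ == "__main__":
    print(check_vlans(parse_kv(SAMPLE_VLANS)) + check_settings(parse_kv(SAMPLE_SETTINGS)))
```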
 
### VLAN system start
 
After rebooting the system, ifconfig should show you the resulting interfaces:
 
```text
green0 Link encap:Ethernet HWaddr 00:22:B1:B1:B1:B1
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33068 errors:0 dropped:0 overruns:0 frame:0
TX packets:50400 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4427532 (4.2 Mb) TX bytes:59602567 (56.8 Mb)
Interrupt:16 Memory:d0120000-d0140000
 
blue0 Link encap:Ethernet HWaddr 00:22:B1:B1:B1:30
inet addr:192.168.2.1 Bcast:192.168.2.225 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9047 errors:0 dropped:0 overruns:0 frame:0
TX packets:6817 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1523088 (1.4 Mb) TX bytes:6122127 (5.8 Mb)
 
orange0 Link encap:Ethernet HWaddr 00:22:B1:B1:B1:40
inet addr:10.0.1.1 Bcast:10.0.1.225 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
 
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:271586 errors:0 dropped:0 overruns:0 frame:0
TX packets:271586 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14982933 (14.2 Mb) TX bytes:14982933 (14.2 Mb)
 
ppp0 Link encap:Point-to-Point Protocol
inet addr:XXX.XXX.XXX.XXX P-t-P:XXX.XXX.XXX.XXX Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1492 Metric:1
RX packets:45197 errors:0 dropped:0 overruns:0 frame:0
TX packets:30590 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:56567643 (53.9 Mb) TX bytes:3016567 (2.8 Mb)
 
red0 Link encap:Ethernet HWaddr 00:22:A1:A1:A1:A1
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48860 errors:0 dropped:0 overruns:0 frame:0
TX packets:34252 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57977321 (55.2 Mb) TX bytes:4046398 (3.8 Mb)
Interrupt:17 Memory:d0020000-d0040000
 
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.2.1 P-t-P:10.0.2.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
```
 
 
## Enable Blue for the network
Finally, you may want to configure the "new" networks that you created with the VLANs. For example, the **blue** network (blue0) must be enabled for access to DNS, SMTPs, HTTPs etc., and the appropriate clients must be allowed to access the network.
 
Here is the description for [access to Blue](/configuration/firewall/accesstoblue).
 
## More information
* [VLAN entry on Wikipedia](http://en.wikipedia.org/wiki/Virtual_Local_Area_Network)