Shortcuts

From Our Users

As an IT outsourcing provider to small and mid sized companies Lemon Computing uses Firewall Builder to manage firewalls at customer sites and in our data centre.

Read More...

Martijn D.
Managing Director

Search Users Guide

9.5.2. VLAN Interface Management on BSD
Prev Next

9.5.2. VLAN Interface Management on BSD

Unlike on Linux, on OpenBSD, the name of the VLAN interfaces is restricted to the "vlanNNN" scheme. We start with a basic firewall object with two interfaces and will add VLAN interfaces to interface em0. Note that em0 is configured as "unnumbered", this is a requirement for the VLAN parent interface object.

Figure 9.16. OpenBSD Test Firewall Object

OpenBSD Test Firewall Object


To create VLAN subinterfaces, select the parent interface object in the tree and right-click to open the context menu:

Figure 9.17. Adding a VLAN Subinterface

Adding a VLAN Subinterface


The new interface is created with generic name "Interface" and needs to be renamed:

Figure 9.18. VLAN Subinterface vlan100

VLAN Subinterface vlan100


Firewall Builder is aware of the naming convention for VLAN interfaces on BSD and automatically recognized vlan100 as a VLAN interface with VLAN ID 100. To inspect or change the VLAN ID, click "Advanced Interface Settings" button:

Figure 9.19. Editing VLAN Interface Parameters

Editing VLAN Interface Parameters


Note

Firewall Builder verifies that the name of the subinterface is acceptable as the name of a VLAN interface on OpenBSD system. You can use name that looks like "vlan100" but it won't accept "em0.100" or any other.

I am going to add second VLAN interface eth1.101 and add IPv4 addresses to both VLAN interfaces. The final configuration is shown in Figure 9.20:

Figure 9.20. Two VLAN Interfaces with IP Addresses

Two VLAN Interfaces with IP Addresses


Compiling this firewall object produces script /etc/fw/openbsd-test-vlan-1.fw and PF configuration file /etc/fw/openbsd-test-vlan-1.conf. To activate the firewall and configure the interface, run script /etc/fw/openbsd-test-vlan-1.fw: 

# /etc/fw/openbsd-test-vlan-1.fw
Activating firewall script generated Fri Feb 26 14:57:54 2010 by vadim
net.inet.ip.forwarding: 0 -> 1
# Creating vlan interface vlan100
# Creating vlan interface vlan101
# Adding VLAN interface vlan100 (parent: em0)
# Adding VLAN interface vlan101 (parent: em0)
# Adding ip address: vlan100 10.1.1.1 netmask 0xffffff00
# Adding ip address: vlan101 10.1.2.1 netmask 0xffffff00

Here is how configuration of the VLAN interfaces looks like in the output of ifconfig: 

vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 100 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::20c:29ff:fe83:4d2f%vlan100 prefixlen 64 scopeid 0x6
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 101 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::20c:29ff:fe83:4d2f%vlan101 prefixlen 64 scopeid 0x7
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255

Let's try to run the same script again: 

#  /etc/fw/openbsd-test-vlan-1.fw  
Activating firewall script generated Fri Feb 26 14:57:54 2010 by vadim
net.inet.ip.forwarding: 0 -> 1

The script detected that both VLAN interfaces already exist and have correct IP addresses and made no changes to their configuration.

Let's change the VLAN ID of the interface vlan100. I cannot change the VLAN ID without changing its name. When I rename interface vlan100 to vlan102 in Firewall Builder, it changes its VLAN ID automatically.

Figure 9.21. Interface vlan100 Renamed to vlan102

Interface vlan100 Renamed to vlan102


Here is what happens when I run the generated script on the firewall: 

#  /etc/fw/openbsd-test-vlan-1.fw  
Activating firewall script generated Fri Feb 26 15:57:03 2010 by vadim
net.inet.ip.forwarding: 1 -> 1
# Deleting vlan interface vlan100
# Creating vlan interface vlan102
# Adding VLAN interface vlan102 (parent: em0)
# Adding ip address: vlan102 10.1.1.1 netmask 0xffffff00

Ifconfig shows that interface vlan100 was removed and vlan102 added: 

vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 101 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::20c:29ff:fe83:4d2f%vlan101 prefixlen 64 scopeid 0x14
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 102 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::20c:29ff:fe83:4d2f%vlan102 prefixlen 64 scopeid 0x17
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
Prev  Up  Next
9.5. VLAN Interfaces  Home  9.6. Bridge ports
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.