
@stif
Last active February 7, 2018 12:44

cnt-host Interfaces

/etc/network/interfaces.d/enp2s0

auto enp2s0
iface enp2s0 inet dhcp

auto enp2s0.10
iface enp2s0.10 inet dhcp
    vlan-raw-device enp2s0

auto enp2s0.20
iface enp2s0.20 inet dhcp
    vlan-raw-device enp2s0

cnt-host ip addr

maintain@cnt-host:~$ ip addr
...
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:b9:45:84:49 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.50/24 brd 10.0.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:b9ff:fe45:8449/64 scope link 
       valid_lft forever preferred_lft forever
5: enp2s0.10@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0d:b9:45:84:49 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.50/24 brd 10.0.10.255 scope global enp2s0.10
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:b9ff:fe45:8449/64 scope link 
       valid_lft forever preferred_lft forever
6: enp2s0.20@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0d:b9:45:84:49 brd ff:ff:ff:ff:ff:ff
    inet 10.0.20.50/24 brd 10.0.20.255 scope global enp2s0.20
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:b9ff:fe45:8449/64 scope link 
       valid_lft forever preferred_lft forever
...

Ping Tests

cnt-host->pfSense

maintain@cnt-host:~$ ping -c2 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=0.244 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=0.184 ms

--- 10.0.0.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.184/0.214/0.244/0.030 ms

maintain@cnt-host:~$ ping -c2 10.0.10.254
PING 10.0.10.254 (10.0.10.254) 56(84) bytes of data.
64 bytes from 10.0.10.254: icmp_seq=1 ttl=64 time=0.302 ms
64 bytes from 10.0.10.254: icmp_seq=2 ttl=64 time=0.242 ms

--- 10.0.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1020ms
rtt min/avg/max/mdev = 0.242/0.272/0.302/0.030 ms

maintain@cnt-host:~$ ping -c2 10.0.20.254
PING 10.0.20.254 (10.0.20.254) 56(84) bytes of data.
64 bytes from 10.0.20.254: icmp_seq=1 ttl=64 time=0.492 ms
64 bytes from 10.0.20.254: icmp_seq=2 ttl=64 time=0.239 ms

--- 10.0.20.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1032ms
rtt min/avg/max/mdev = 0.239/0.365/0.492/0.127 ms
maintain@cnt-host:~$ 

pfSense->cnt-host

[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: ping -c2 10.0.0.50
PING 10.0.0.50 (10.0.0.50): 56 data bytes
64 bytes from 10.0.0.50: icmp_seq=0 ttl=64 time=0.455 ms
64 bytes from 10.0.0.50: icmp_seq=1 ttl=64 time=0.271 ms

--- 10.0.0.50 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.271/0.363/0.455/0.092 ms
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: ping -c2 10.0.10.50
PING 10.0.10.50 (10.0.10.50): 56 data bytes
64 bytes from 10.0.10.50: icmp_seq=0 ttl=64 time=0.501 ms
64 bytes from 10.0.10.50: icmp_seq=1 ttl=64 time=0.302 ms

--- 10.0.10.50 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.302/0.401/0.501/0.100 ms
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: ping -c2 10.0.20.50
PING 10.0.20.50 (10.0.20.50): 56 data bytes
64 bytes from 10.0.20.50: icmp_seq=0 ttl=64 time=0.460 ms
64 bytes from 10.0.20.50: icmp_seq=1 ttl=64 time=0.274 ms

--- 10.0.20.50 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.274/0.367/0.460/0.093 ms
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: 

laptop->pfSense

[stif@stif-laptop ~]$ ping -c2 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=1.63 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=1.59 ms

--- 10.0.0.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.590/1.613/1.637/0.046 ms
[stif@stif-laptop ~]$ ping -c2 10.0.10.254
PING 10.0.10.254 (10.0.10.254) 56(84) bytes of data.
64 bytes from 10.0.10.254: icmp_seq=1 ttl=64 time=1.59 ms
64 bytes from 10.0.10.254: icmp_seq=2 ttl=64 time=1.55 ms

--- 10.0.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.555/1.573/1.591/0.018 ms
[stif@stif-laptop ~]$ ping -c2 10.0.20.254
PING 10.0.20.254 (10.0.20.254) 56(84) bytes of data.
64 bytes from 10.0.20.254: icmp_seq=1 ttl=64 time=1.58 ms
64 bytes from 10.0.20.254: icmp_seq=2 ttl=64 time=1.89 ms

--- 10.0.20.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.589/1.744/1.899/0.155 ms
[stif@stif-laptop ~]$ 

laptop->cnt-host

[stif@stif-laptop ~]$ ping -c2 10.0.0.50
PING 10.0.0.50 (10.0.0.50) 56(84) bytes of data.

--- 10.0.0.50 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1017ms

[stif@stif-laptop ~]$ ping -c2 10.0.10.50
PING 10.0.10.50 (10.0.10.50) 56(84) bytes of data.

--- 10.0.10.50 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1011ms

[stif@stif-laptop ~]$ ping -c2 10.0.20.50
PING 10.0.20.50 (10.0.20.50) 56(84) bytes of data.
64 bytes from 10.0.20.50: icmp_seq=1 ttl=64 time=0.962 ms
64 bytes from 10.0.20.50: icmp_seq=2 ttl=64 time=1.48 ms

--- 10.0.20.50 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.962/1.225/1.489/0.265 ms
[stif@stif-laptop ~]$ 
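The ping sessions above were collected by hand from three vantage points. The parser below is added here and is not part of the gist: it reads both statistics formats on this page (Linux iputils "2 received" and pfSense/FreeBSD "2 packets received"), keys each session by the host in the shell prompt, and condenses the results into a per-source reachability table, which makes the pattern visible at a glance: cnt-host answers pfSense on its LAN address but answers the laptop only on 10.0.20.50.

```python
import re

# Ping sessions constructed from the gist's output: prompt + statistics lines only.
SAMPLE = """\
[stif@stif-laptop ~]$ ping -c2 10.0.0.50
2 packets transmitted, 0 received, 100% packet loss, time 1017ms
[stif@stif-laptop ~]$ ping -c2 10.0.10.50
2 packets transmitted, 0 received, 100% packet loss, time 1011ms
[stif@stif-laptop ~]$ ping -c2 10.0.20.50
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: ping -c2 10.0.0.50
2 packets transmitted, 2 packets received, 0.0% packet loss
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: ping -c2 10.0.20.50
2 packets transmitted, 2 packets received, 0.0% packet loss
"""

PROMPT = re.compile(r"\w+@([\w.-]+).*?\bping\b.*\s(\d+\.\d+\.\d+\.\d+)\s*$")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

def parse_ping_sessions(text):
    """Return {(source_host, destination_ip): (sent, received)}."""
    results, current = {}, None
    for line in text.splitlines():
        if m := PROMPT.search(line):
            current = (m.group(1), m.group(2))       # host from the prompt, target from the command
        elif (m := STATS.search(line)) and current:
            results[current] = (int(m.group(1)), int(m.group(2)))
            current = None
    return results

def unreachable(results):
    """(source, destination) pairs where no probe was answered."""
    return sorted(k for k, (_, recv) in results.items() if recv == 0)

def reachability_matrix(results):
    """One row per source host, one column per destination address."""
    def cell(sent, recv):
        if sent == 0:
            return "-"                               # not probed from this source
        return "ok" if recv == sent else ("FAIL" if recv == 0 else "loss")
    dsts = sorted({d for _, d in results}, key=lambda ip: [int(o) for o in ip.split(".")])
    rows = ["source".ljust(24) + "".join(d.ljust(12) for d in dsts)]
    for src in sorted({s for s, _ in results}):
        cells = [cell(*results.get((src, d), (0, 0))).ljust(12) for d in dsts]
        rows.append(src.ljust(24) + "".join(cells))
    return "\n".join(rows)

if __name__ == "__main__":
    print(reachability_matrix(parse_ping_sessions(SAMPLE)))
```

cnt-host holds addresses on all three subnets with a single default route, so a request arriving on enp2s0 from 10.0.20.6 would be answered via enp2s0.20, a different interface from the one it came in on. The gist does not record it, but on Linux net.ipv4.conf.*.rp_filter=1 silently drops exactly that case, so checking that sysctl on cnt-host is the obvious next step.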

cnt-host ip route

maintain@cnt-host:~$ ip route
default via 10.0.0.254 dev enp2s0 
10.0.0.0/24 dev enp2s0  proto kernel  scope link  src 10.0.0.50 
10.0.10.0/24 dev enp2s0.10  proto kernel  scope link  src 10.0.10.50 
10.0.20.0/24 dev enp2s0.20  proto kernel  scope link  src 10.0.20.50 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-c84017971222  proto kernel  scope link  src 172.18.0.1 linkdown 
172.20.0.0/24 dev br-58425a7c4f51  proto kernel  scope link  src 172.20.0.1 

Laptop ip route

[stif@stif-laptop ~]$ ip route
default via 10.0.20.254 dev wlan0 proto dhcp metric 600 
10.0.20.0/24 dev wlan0 proto kernel scope link src 10.0.20.6 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 

pfSense route

[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: route -n get 10.0.10.0/24
   route to: 10.0.10.0
destination: 10.0.10.0
       mask: 255.255.255.0
        fib: 0
  interface: igb1.10
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0 
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: route -n get 10.0.20.0/24
   route to: 10.0.20.0
destination: 10.0.20.0
       mask: 255.255.255.0
        fib: 0
  interface: igb1.20
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0 
[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: route -n get 0.0.0.0
   route to: 0.0.0.0
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 84.XXX.XXX.XXX
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0 

traceroute pfSense -> cnt-host

[2.4.2-RELEASE][admin@pfsense.reichhard.lan]/root: traceroute 10.0.0.50
traceroute to 10.0.0.50 (10.0.0.50), 64 hops max, 40 byte packets
 1  cnt-host (10.0.0.50)  0.584 ms  0.256 ms  0.233 ms

tracepath Laptop -> cnt-host

[stif@stif-laptop ~]$ tracepath -n 10.0.0.50
 1?: [LOCALHOST]                      pmtu 1500
 1:  10.0.20.254                                           2.238ms 
 1:  10.0.20.254                                           1.188ms 
 2:  no reply
 3:  no reply
 4:  no reply
^C
[stif@stif-laptop ~]$ 

pfSense ARP Table

VLAN10	10.0.10.50	00:0d:b9:45:84:49	cnt-host-10.reichhard.lan	Expires in 359 seconds	vlan	
VLAN20	10.0.20.50	00:0d:b9:45:84:49	cnt-host-20.reichhard.lan	Expires in 1199 seconds	vlan	
LAN	10.0.0.50	00:0d:b9:45:84:49	cnt-host.reichhard.lan	Expires in 12 seconds	ethernet

pfSense Firewall->Rules->VLAN20->State

VLAN20	icmp	10.0.20.6:9371 -> 10.0.0.50:9371	0:0	2 / 0	168 B / 0 B

pfSense configuration snippets

Interfaces

		<lan>
			<if>igb1</if>
			<enable></enable>
			<descr><![CDATA[LAN]]></descr>
			<spoofmac></spoofmac>
			<ipaddr>10.0.0.254</ipaddr>
			<subnet>24</subnet>
		</lan>
		<opt1>
			<descr><![CDATA[VLAN10]]></descr>
			<if>igb1.10</if>
			<enable></enable>
			<spoofmac></spoofmac>
			<ipaddr>10.0.10.254</ipaddr>
			<subnet>24</subnet>
		</opt1>
		<opt2>
			<descr><![CDATA[VLAN20]]></descr>
			<if>igb1.20</if>
			<enable></enable>
			<spoofmac></spoofmac>
			<ipaddr>10.0.20.254</ipaddr>
			<subnet>24</subnet>
		</opt2>

vlans

	<vlans>
		<vlan>
			<if>igb1</if>
			<tag>10</tag>
			<pcp></pcp>
			<descr><![CDATA[VLAN 10]]></descr>
			<vlanif>igb1.10</vlanif>
		</vlan>
		<vlan>
			<if>igb1</if>
			<tag>20</tag>
			<pcp></pcp>
			<descr><![CDATA[VLAN 20]]></descr>
			<vlanif>igb1.20</vlanif>
		</vlan>
	</vlans>

rule

		<rule>
			<id></id>
			<tracker>1517951109</tracker>
			<type>pass</type>
			<interface>lan</interface>
			<ipprotocol>inet</ipprotocol>
			<tag></tag>
			<tagged></tagged>
			<max></max>
			<max-src-nodes></max-src-nodes>
			<max-src-conn></max-src-conn>
			<max-src-states></max-src-states>
			<statetimeout></statetimeout>
			<statetype><![CDATA[keep state]]></statetype>
			<os></os>
			<source>
				<any></any>
			</source>
			<destination>
				<any></any>
			</destination>
			<descr></descr>
			<updated>
				<time>1517951109</time>
				<username>admin@10.0.20.6</username>
			</updated>
			<created>
				<time>1517951109</time>
				<username>admin@10.0.20.6</username>
			</created>
		</rule>
		<rule>
			<id></id>
			<tracker>1517942447</tracker>
			<type>pass</type>
			<interface>opt1</interface>
			<ipprotocol>inet</ipprotocol>
			<tag></tag>
			<tagged></tagged>
			<max></max>
			<max-src-nodes></max-src-nodes>
			<max-src-conn></max-src-conn>
			<max-src-states></max-src-states>
			<statetimeout></statetimeout>
			<statetype><![CDATA[keep state]]></statetype>
			<os></os>
			<source>
				<any></any>
			</source>
			<destination>
				<any></any>
			</destination>
			<descr></descr>
			<updated>
				<time>1517942447</time>
				<username>admin@10.0.20.6</username>
			</updated>
			<created>
				<time>1517942447</time>
				<username>admin@10.0.20.6</username>
			</created>
		</rule>
		<rule>
			<id></id>
			<tracker>1517942483</tracker>
			<type>pass</type>
			<interface>opt2</interface>
			<ipprotocol>inet</ipprotocol>
			<tag></tag>
			<tagged></tagged>
			<max></max>
			<max-src-nodes></max-src-nodes>
			<max-src-conn></max-src-conn>
			<max-src-states></max-src-states>
			<statetimeout></statetimeout>
			<statetype><![CDATA[keep state]]></statetype>
			<os></os>
			<source>
				<any></any>
			</source>
			<destination>
				<any></any>
			</destination>
			<descr></descr>
			<created>
				<time>1517942483</time>
				<username>admin@10.0.20.6</username>
			</created>
			<updated>
				<time>1517962300</time>
				<username>admin@10.0.20.6</username>
			</updated>
		</rule>
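Each of the three rules above is "pass, inet, any -> any" on lan, opt1 and opt2, which is why every VLAN can reach every other interface's subnet in the ping tests. The audit below is added here and is neither pfSense code nor part of the gist: it parses the config.xml rule and interface fragments copied from this page and lists every pass rule whose source and destination are both any. The network/address/not endpoint forms it also renders are pfSense's other ways of writing an endpoint and do not occur in the snippets above.

```python
import xml.etree.ElementTree as ET

# Fragments from the gist's config.xml, trimmed and wrapped in a root element so they parse.
IFACES_XML = """\
<interfaces>
  <lan><if>igb1</if><descr><![CDATA[LAN]]></descr><ipaddr>10.0.0.254</ipaddr><subnet>24</subnet></lan>
  <opt1><if>igb1.10</if><descr><![CDATA[VLAN10]]></descr><ipaddr>10.0.10.254</ipaddr><subnet>24</subnet></opt1>
  <opt2><if>igb1.20</if><descr><![CDATA[VLAN20]]></descr><ipaddr>10.0.20.254</ipaddr><subnet>24</subnet></opt2>
</interfaces>
"""
RULES_XML = """\
<filter>
  <rule><tracker>1517951109</tracker><type>pass</type><interface>lan</interface>
    <source><any></any></source><destination><any></any></destination></rule>
  <rule><tracker>1517942447</tracker><type>pass</type><interface>opt1</interface>
    <source><any></any></source><destination><any></any></destination></rule>
  <rule><tracker>1517942483</tracker><type>pass</type><interface>opt2</interface>
    <source><any></any></source><destination><any></any></destination></rule>
</filter>
"""

def endpoint(node):
    """Render a rule <source>/<destination> as the pfSense GUI shows it."""
    if node is None or node.find("any") is not None:
        return "any"
    for tag in ("network", "address"):      # alias/subnet or literal address forms
        child = node.find(tag)
        if child is not None:
            return ("!" if node.find("not") is not None else "") + (child.text or "")
    return "?"

def interface_names(xml_text):
    """Map config key (lan, opt1, ...) -> (description, address/prefix)."""
    return {i.tag: (i.findtext("descr", ""), f"{i.findtext('ipaddr')}/{i.findtext('subnet')}")
            for i in ET.fromstring(xml_text)}

def audit_rules(rules_xml, ifaces_xml):
    """Findings for 'pass' rules that allow any source to reach any destination.
    pfSense filters where a packet enters, so such a rule on a VLAN interface
    lets every host on that VLAN reach every other interface's subnet."""
    names = interface_names(ifaces_xml)
    findings = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        src, dst = endpoint(rule.find("source")), endpoint(rule.find("destination"))
        if rule.findtext("type") == "pass" and src == "any" and dst == "any":
            key = rule.findtext("interface")
            descr, net = names.get(key, (key, "?"))
            findings.append((key, descr, net, rule.findtext("tracker")))
    return findings
```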