 From:  "Dennis Lloyd (ABC)" <dennis at abccomm dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  VLAN routing 2 x 4801 + 3 Interfaces each (over IPSEC)
 Date:  Thu, 26 May 2005 21:27:07 -0700
Hello everyone, I'm new to the list and have looked over the archives, but I 
can't find exactly what I'm looking for.

We have purchased 3 Soekris (4801) boxes, to be used as private IPSec VPN 
endpoint connections, routing traffic between branch offices using E10 
links.  The issue I'm having is this..

I need to use VLAN links on both endpoints; each Soekris 4801 box will 
be connecting to both a WAN link as well as two interfaces for LAN 
network connectivity.  Each network runs two VLANs that must be able to 
communicate with the office on the other end..

I'm having some difficulty getting these to work correctly.. i.e. I can 
create the VLAN on each interface and still regain connectivity to the 
other office via the IPSec link..  but it does not segment the VLANs 
from each other.  How is m0n0wall managing the interfaces on these boxes? 
I see by status.php that the VLAN interface is parented to sis0 (no 
patch cable in right now):

	inet netmask 0xffffffc0 broadcast
	ether 00:00:24:c4:16:e0
	media: Ethernet autoselect (none)
	status: no carrier
	inet xxx.xxx.xxx.180 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
	ether 00:00:24:c4:16:e1
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	ether 00:00:24:c4:16:e2
	media: Ethernet autoselect (none)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
	ether 00:00:24:c4:16:e0
	media: Ethernet autoselect (none)
	status: no carrier
	vlan: 100 parent interface: sis0

If I create vlan200 on the remote side.. there does not seem to be any 
segmentation of the VLANs across the IPSec VPN links.  VLAN header 
information *should* be left encapsulated within each ESP packet and 
'unwrapped' intact on the remote end, should it not?  Do the interfaces 
strip/add tags ingress/egress on the ports? Or do they assume that only 
802.1q tagged packets will hit the parent interfaces?

Is my design flawed or is there something that I'm just missing from my 
Thanks to all who can help with this.
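The question above turns on what an ESP tunnel actually carries. The model below is an added example (not code from the original post and not m0n0wall's own code) that traces an 802.1Q-tagged frame through a VLAN interface, a policy-based IPsec tunnel in tunnel mode, and the remote router. It shows two things a practitioner would want to verify: the VLAN tag is consumed on ingress and never appears inside the ESP payload (tunnel mode wraps an IP packet, not an Ethernet frame), so the tag on the far side is chosen by the remote router's routing table; and separation across the tunnel comes only from the IPsec policy selectors (one local/remote subnet pair per policy) and firewall rules. The subnets, SPIs, MAC addresses and the simplified ESP framing (no IV, padding or ICV) are constructed assumptions for the illustration, not values from the post.

```python
"""Model of an 802.1Q frame crossing a tunnel-mode IPsec link (added example)."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed addressing (assumption): VLAN 100 / 200 exist at both offices.
LOCAL_VLANS = {100: ipaddress.ip_network("10.1.100.0/24"), 200: ipaddress.ip_network("10.1.200.0/24")}
REMOTE_VLANS = {100: ipaddress.ip_network("10.2.100.0/24"), 200: ipaddress.ip_network("10.2.200.0/24")}

# Constructed SPD (assumption): one tunnel-mode policy per (local subnet, remote subnet, SPI).
# Only traffic matching a selector pair enters the tunnel; this is the real segmentation point.
SPD = [
    (LOCAL_VLANS[100], REMOTE_VLANS[100], 0x1001),
    (LOCAL_VLANS[200], REMOTE_VLANS[200], 0x1002),
]


def build_ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero; protocol 17) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def ipv4_addresses(packet: bytes):
    return ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])


def build_tagged_frame(vlan_id: int, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet frame with an 802.1Q tag (PCP 0). MACs are constructed placeholders."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return struct.pack("!6s6sHHH", dst, src, ETHERTYPE_VLAN, vlan_id & 0x0FFF, ethertype) + payload


def parse_tagged_frame(frame: bytes):
    """What a VLAN interface does on ingress: read the tag, hand the IP packet up.
    The tag stops here; the IP layer (and therefore IPsec) never sees it."""
    _dst, _src, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid != ETHERTYPE_VLAN:
        raise ValueError("frame is not 802.1Q tagged")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def select_policy(src, dst):
    """SPD lookup on inner addresses only; None means 'do not tunnel'."""
    for local, remote, spi in SPD:
        if src in local and dst in remote:
            return spi
    return None


def esp_tunnel_encapsulate(ip_packet: bytes, spi: int) -> bytes:
    """Tunnel-mode ESP: SPI + sequence number, then the whole inner IP packet.
    Simplified: no IV, padding or ICV. Note there is no Ethernet/802.1Q layer inside."""
    return struct.pack("!II", spi, 1) + ip_packet


def esp_tunnel_decapsulate(esp: bytes):
    spi, _seq = struct.unpack("!II", esp[:8])
    return spi, esp[8:]


def deliver_to_vlan(ip_packet: bytes):
    """Remote router: egress VLAN (and hence the new tag) comes from the route
    that matches the destination address, not from anything carried in ESP."""
    _src, dst = ipv4_addresses(ip_packet)
    for vlan_id, subnet in REMOTE_VLANS.items():
        if dst in subnet:
            return vlan_id, build_tagged_frame(vlan_id, ip_packet)
    raise ValueError("no route to destination")


def forward_across_tunnel(frame: bytes) -> dict:
    """Whole path: local VLAN ingress -> SPD -> ESP -> remote routing -> remote VLAN egress."""
    ingress_vlan, ethertype, ip_packet = parse_tagged_frame(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is modelled here")
    src, dst = ipv4_addresses(ip_packet)
    spi = select_policy(src, dst)
    if spi is None:
        return {"ingress_vlan": ingress_vlan, "tunneled": False}
    esp = esp_tunnel_encapsulate(ip_packet, spi)
    spi_seen, inner = esp_tunnel_decapsulate(esp)
    egress_vlan, _out_frame = deliver_to_vlan(inner)
    return {
        "ingress_vlan": ingress_vlan,
        "tunneled": True,
        "spi": spi_seen,
        "egress_vlan": egress_vlan,
        # First byte after the ESP header is the IPv4 version/IHL byte, not an Ethernet header.
        "esp_inner_is_ip": inner[0] >> 4 == 4,
    }


if __name__ == "__main__":
    ok = forward_across_tunnel(build_tagged_frame(100, build_ipv4_packet("10.1.100.5", "10.2.100.7")))
    cross = forward_across_tunnel(build_tagged_frame(100, build_ipv4_packet("10.1.100.5", "10.2.200.9")))
    print("same-VLAN traffic:", ok)          # tunneled on SPI 0x1001, egress VLAN 100
    print("cross-VLAN traffic:", cross)      # no matching selector, so not tunneled at all
```

The third case worth trying is a frame tagged VLAN 200 whose source address belongs to the VLAN 100 subnet: it still matches the 0x1001 policy, because by the time the SPD is consulted the tag is gone and only addresses remain. That is why, on a router that terminates the VLANs and an IPsec tunnel, the policy selectors and per-interface firewall rules have to carry the segmentation, not the tags.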