[ previous ] [ next ] [ threads ]
 
 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Howto reach the admin pages from a vlan with a procurve 2626 switch
 Date:  Wed, 05 Mar 2008 10:49:27 -0500
Guido Kostons wrote:
> 
>> On Mon, Mar 3, 2008 at 6:27 PM, Guido kostons <guidokostons at gmail dot com> 
>> wrote:
>>> I set up a small network to test my new procurve 2626 switch with 
>>> m0n0wall
>>>  and vlan's.
>>>  The 3 vlan subnets are working.
>>>  I receive an IP and can surf the net from al 3 vlan's.

Hi Guido!

Where are you getting an IP from?

In each "VLAN" are you getting an IP on the same subnet?

If you really do have differnt VLANS/subnets what pieces of hardware is
doing the 'routing' (or IP forwarding)??

  From your description below, it is clear that VLANS are not properly
configured on your m0n0wall and/or the Procurve and your network either
can not work as you describe it, OR it is working -  but not exactly as
you think it is.

> Wen i connect a client pc directly to the m0n0wall lan port, without the 
> switch, i can reach webgui.
> Only when i use the switch with the vlans in place i can't reach the 
> webgui no more.
> 
> I tried al kinds of rules but nothing worked.
> I probably overlook something small, but what?

If you can plug directly into the m0n0wall LAN port and access the web
GUI, or ping it's IP address from a "non 802.1q aware" PC, then you have
not yet properly configured VLANS on the m0n0wall's LAN interface.

With m0n0wall's giu, VLAN configuration and assignment can be a
confusing process, and if done incorrectly WILL force you to reset your
m0n0wall config and try again. :)


Let's start from the beginning:

On the Interfaces (assign) page, select the VLANS tab. Here you tell
m0n0wall about your VLANS. As you add each VLAN, make sure that you
assign it to the proper parent interface (eg: your LAN interface)

In my case, on the ALIX, all my VLANS are assigned to a parent interface
of vr2 because I always re-assign the first interface (vr0) to the WAN
port, vr1 to the DMZ (OPT1) and vr2 to what m0n0wall calls "LAN".

Once you have added the VLANS and have assigned them to the proper
parent interface on the VLANS page, save that page and select the
"Interface Assignments" tab.

On this page, you will need to create a new interface for each VLAN that
you have added on the VLAN page, and assign each new interface to one of
the VLANs.

You will make some changes here and will be told to reboot to activate
the changes. DO NOT reboot until this process is finished and you are
sure that everything looks correct. :)

First, for the LAN Interface, click the drop-down button and change it
from a real (physical eth0, xl0, etc) interface to the correct VLAN you
have configured on your Procurve switch to be your LAN subnet.

Next, click on the (+) plus sign at the bottom right of the WAN, LAN,
OPT1 list and you will now see a new interface (probably OPT2 - which
can be renamed later) and choose the correct VLAN from the drop-down
list for the VLAN it will represent. Do this step for each VLAN you have.

See image: http://www.revpol.com/images/waa-m0n0wall-vlans.png for 
example of the drop-down interface assignments, as well as the names of 
the interfaces in the left column.

Click SAVE, but do NOT reboot yet!

In the left column, click the LAN link under Interfaces and make sure to
give it an IP/mask that represents your LAN subnet/VLAN.  Do this for
each Interface. While on each interface configuration page, you might as
well rename the interface to something that make sense too.

In my case, since I subnetted a /24 to a /26,  I have named my
interfaces both for their use (ie: CAM, WIFI, GAMES) along with the IP
address range within the /24  (ie: 0-64, 65-127, 128-191) that they
represent.

The IP address that you enter in each of these interface configuration
pages will be the default gateway, dns server address and dhcp server
address for clients on that subnet/VLAN.


Now, on your Procurve switch, you will need to enable VLAN Tagging (or
trunking - whatever that vendor calls it) on the port where m0n0wall's
LAN interface will be connected. You will also need to assign all the
VLANS to that trunk.

So for example on my switch, port #1 is a tagged trunk consisting of
VLANS 10 (LAN), 11 (GAMES), 12 (CAM), and 13 (WIFI) and my m0n0wall
"LAN" ethernet port has been configured to be the parent interface for
all these VLANS.

Then, to start, you can configure a port on the Procurve as an UNTAGGED
member of VLAN 10.  Plug a PC into that port and (once m0n0wall has been
rebooted and plugged into the trunked port) you should be able to access
m0n0wall's gui from the PC in that port, but NOT from any other ports
(yet).

Next, on the Procurve you assign your other VLANS to some other ports
and test - Make sure that you have configured DHCP on the m0n0wall for
EACH VLAN, and make sure that ou have configured RULES on m0n0wall for
each VLAN interface too.

Chris has nice graphical write-up and explanation about VLANS here:
http://wiki.m0n0.ch/wikka.php?wakka=VLAN

I am want to clean up and rework/reword this explanation and finish the
"m0n0wall VLAN configuration TBD..." part of that page so there is a
one-stop-shopping place for a decent VLAN explanation (with graphics) as
well as a how-to for a m0n0wall-specific VLAN configuration... Stay
tuned. :)

I am sure that this is confusing, so ask questions. I am sure I can
clarify some of the more confusing parts.


--
Bill Arlofski
Reverse Polarity, LLC
* Stop the NSA from illegally eavesdropping on your personal email *
Learn about PGP and start encrypting your email today
http://gnupg.org or http://www.pgp.com