Networking between two VLANs

OK, I'm a technical support engineer looking to recreate an issue.

I have a client on 172.168.2.102 that needs to talk to a server at 172.168.3.100 on a separate VLAN, with the port (11002) only open on the server side.

Here is what I have, and it does not appear to work. Feel free to drop the WANs or the wireless to make it easy, as I am just networking two isolated networks without internet access. I think my main problem is that each VLAN cannot see the other VLAN's gateway. Bonus points if you can help me set this up on a Cisco Catalyst 3560 switch (outside the scope of this forum, I know). I will settle for a quick and dirty on a Linksys E3000. Let me know if you need any other config files.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9a:484b:34fb::/48'

config interface 'wan'
	option ifname 'eth0.1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.1'
	option proto 'dhcpv6'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '172.16.2.2'
	option gateway '172.16.2.2'
	option dns '172.16.2.1'
	option _orig_ifname 'eth0.2 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option netmask '255.255.255.0'
	option ifname 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 4 8t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 2 8t'

config interface 'LAN2'
	option proto 'static'
	option ifname 'eth0.3'
	option ipaddr '172.16.3.2'
	option dns '172.16.3.1'
	option gateway '172.16.3.2'
	option netmask '255.255.255.0'

config route
	option interface 'lan'
	option target '172.16.3.0'
	option netmask '255.255.0.0'
	option gateway '172.16.3.2'

My two cents:

  • Options "gateway" and "dns" are to inform the LEDE device of the gateway and DNS available on each network, not to inform DHCP clients of the gateway and DNS on the LEDE router (that information goes into the DHCP configuration file).
  • Likewise, the "route" section informs the LEDE device of a route it can use, not the DHCP clients; and the LEDE device already has that information, as it is configured in the LAN2 interface.
  • There are no gateways on the VLANs, all VLANs share a common gateway: the LEDE device.
  • You must allow forwarding from one VLAN to the other in the "firewall" config file.
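To make the points above concrete, here is an added example of what the changed sections would look like (this is not config posted by anyone in the thread, and it is not tested on the OP's hardware). It assumes the scenario as first stated, a client in 'lan' reaching 172.16.3.100 on TCP 11002 in 'LAN2', with the reverse direction blocked; for the reversed requirement in the later post, swap the src/dest zones and change the port to 11101.

```uci
# /etc/config/network: only the two interface sections change; loopback,
# switch and switch_vlan sections stay as posted. No 'gateway' on either
# interface and no 'config route': both /24s are directly connected, so
# the LEDE device already routes between eth0.2 and eth0.3 by itself.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '172.16.2.2'
	option netmask '255.255.255.0'

config interface 'LAN2'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '172.16.3.2'
	option netmask '255.255.255.0'

# /etc/config/firewall: 'defaults', the 'lan' and 'wan' zones and the
# stock Allow-* rules stay as posted. The global 'forward REJECT' plus
# a zone with 'forward REJECT' means nothing crosses the VLAN boundary
# unless a rule explicitly permits it.
config zone
	option name 'lan2'
	option network 'LAN2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Deliberately NO 'config forwarding' between lan and lan2: a forwarding
# section would open every port in that direction. Instead, a single
# rule with both src and dest zones set becomes a FORWARD rule that
# admits only the one service. Return traffic is matched by conntrack,
# so no rule is needed for the replies and nothing from lan2 may
# initiate a connection into lan. The DNAT redirect is unnecessary:
# the client can address 172.16.3.100 directly.
config rule
	option name 'Allow-lan-to-JCP'
	option src 'lan'
	option dest 'lan2'
	option dest_ip '172.16.3.100'
	option proto 'tcp'
	option dest_port '11002'
	option target 'ACCEPT'
```

Because DHCP is served by the external 172.16.2.1 and 172.16.3.1 hosts, the client must still be given 172.16.2.2 as its default gateway (or a static route for 172.16.3.0/24), and the server likewise needs a route back to 172.16.2.0/24 via 172.16.3.2; otherwise the firewall never sees the traffic.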

+1 to everything @eduperez said.

It seems you are trying to replicate the scenario with a LEDE router and that you want to deploy it on a Cisco Catalyst... I can't help you there, but you might need to adjust settings on the network controller/router, not just the switch (I've never tried to do these types of inter-VLAN routing things on a managed switch, it is plausible it can be done, but I would generally do it on the router).

Ok here is my firewall configuration. What rules do I need to set up?

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan2'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'LAN2'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option name 'Allow-ping lan2'
	list icmp_type 'echo-reply'
	option proto 'icmp'
	option family 'ipv4'
	option src '*'
	option dest '*'

config redirect
	option enabled '1'
	option target 'DNAT'
	option dest 'lan2'
	option proto 'tcp udp'
	option src_dport '11002'
	option dest_port '11002'
	option name 'JCP'
	option src 'lan'
	option dest_ip '172.16.3.100'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'DNS LAN1'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'DNS LAN2'
	option src 'lan2'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option name 'DHCP LAN'
	option proto 'udp'
	option src 'lan'
	option dest_port '67-68'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option name 'DHCP LAN2'
	option proto 'udp'
	option src 'lan2'
	option dest_port '67-68'

config forwarding
	option dest 'lan2'
	option src 'lan'

config zone
	option name 'bridge'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Bridge'

Please, read my post again, and fix your mistakes in the network configuration, one by one; then we can talk about the firewall configuration.

Eduperez, right now I have two domains, one with DNS and DHCP on '172.16.2.1' and the other with DNS and DHCP on '172.16.3.1', and I have DHCP switched off on LEDE. I am up for whatever settings connect clients in LAN2 to a server in LAN1, like a client would contact a web server, except over port 11101. I am also looking to block clients in LAN1 from doing the reverse. This is an internal network with no internet access. What would you suggest for a config? You can leave the gateways blank for all I care, as long as it works, but something has to tell the traffic to route to another network, and typically that is handled by a gateway.

I'm by no means an expert on this stuff.

My idea goes something like this, and is probably flawed:

client on lan2 -> 192.168.3.2 (gateway on router on client side) -> route on port 11101 -> 192.168.2.2 (gateway on router on server side) -> server on lan 1

Feel free to enlighten me.