Well, after much strife, we've figured out how to configure appropriate VLANs on a device running ClarkConnect. Since there are so few resources available for this online, we figured we'd do the IT world a little favor and post our findings here. We hope this helps others in their quest for network partitioning! (Please note, the instructions below are primarily for Linux n00bs.)
Configuration of VLANs with ClarkConnect
NOTES OF IMPORTANCE:
Read through this entire set of instructions carefully before beginning to make any changes to the ClarkConnect box. This is especially important if you're not familiar with text editors in Linux/UNIX. Research any terms in this document you're unfamiliar with before moving forward.
Follow these directions very carefully. Missing a single keystroke can add a lot of confusion and strife to your ClarkConnect experience.
These directions assume you already have a basic ClarkConnect v4.3 firewall set up. The ClarkConnect device also needs to be connected to the Internet at the time of performing the directions below.
You should not explicitly add VLAN 1 to the ClarkConnect device. This VLAN is already present, though you won't see it listed with your other VLANs.
Planning your VLAN IP settings and switch ports up front will save you hours of wasted effort and frustration. Have a firm plan for your entire LAN in hand prior to configuring switches or your ClarkConnect box. An hour or two up front could save you ten hours later. Make sure you know the IP addresses, subnet masks, and DHCP scopes you want to use for each VLAN before moving forward.
Your ClarkConnect device on the management VLAN will still be visible to all other VLANs. This is VLAN 1 by default. If adding other items to this VLAN, they will not be visible to devices on other VLANs, as long as you add the recommended entry to the rc.firewall.local file listed below.
On your switch or switches, the VLANed ports should have a status of "untagged" and the trunked ports should be "tagged" (AKA: 802.1q or dot1q) for all VLANs other than the management VLAN.
If you are creating a large number of VLANs for a network, it is advised to first create just a few VLANs using the steps listed below. Then, you should test the few you've created. Once you have a few up and running, then you can go back and move straight through creating the rest of your VLANs.
Did you read all the notes above? If not, DO IT NOW! If you did, then you may proceed.
First, you should configure VLANs on your switch or switches. Methods for doing this are different for each brand of switch - consult the user guide from your switch for instructions on setting up VLANs with that specific device. After you've configured your VLANs on your switch or switches, you'll need to configure your ClarkConnect box to communicate on these VLANs and keep data separate, while providing DHCP and DNS services for each VLAN.
Once you've verified your VLANs and trunks from the switches are set up and communicating properly on the switches themselves, it's time to configure your ClarkConnect box. To do this, you'll want to have a monitor and keyboard attached to the ClarkConnect box (though you can get there via other methods). The initial screen you'll see is the ClarkConnect Main Console. Press Alt-F2 to go to the BASH shell (the Linux/UNIX equivalent to a Command prompt in DOS or Windows). Press Alt-F1 to return to the Main Console.
To configure VLANs, you'll need to use the Linux BASH shell, so press Alt-F2 and then follow these steps as appropriate; (everything inside "quotes" is what you'll type in, but don't include the quotation marks when you type unless specifically mentioned):
1. Log in with the appropriate username (root) and password.
2. Type "apt-get update" and press enter.
3. Allow the update to finish - it takes a few minutes.
4. Type "apt-get install vconfig" and press enter.
5. Allow the vconfig installation to complete - it takes a few minutes.
6. Type "cd /etc/sysconfig/network-scripts" then press Enter. This moves you into the /etc/sysconfig/network-scripts directory.
7. Type "vi ifcfg-ethx.y" (x is the LAN port you want to add VLANs to, and y is the VLAN ID you wish to add; e.g. eth1.101), then press Enter and you will be presented with a blank file.
Press "i" to allow editing of the file and enter the following on each line, INCLUDING quotation marks, changing the variables as appropriate:
DEVICE="ethx.y"
VLAN="yes"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="z.z.z.z"
NETMASK="a.a.a.a"
8. Press Esc then type "ZZ" to save the file.
9. Type "ls" and hit Enter. You should now see a file named ifcfg-ethx.y listed in the /etc/sysconfig/network-scripts directory.
10. If you have more than one VLAN to create, you can save yourself a ton of time by typing "cp ifcfg-ethx.y ifcfg-ethx.y2" to copy the ifcfg-ethx.y file you just created to a new file named ifcfg-ethx.y2, with y2 standing for your next VLAN ID. E.g. cp ifcfg-eth1.101 ifcfg-eth1.102. Do this for every VLAN you want to create.
11. After creating all your VLAN configuration file placeholders, you'll need to alter each one using the vi command as described in steps 7 and 8 above. Be careful to match the changes in each VLAN configuration file to the filename you've created and to the IP settings you have planned for that VLAN. This is an area where having your plan in hand ahead of time will be very valuable!
After finishing all your VLAN configuration files, you need to add your VLANs to the firewall configuration file.
1. Type "cd /etc" and hit Enter.
2. Type "vi firewall" and hit Enter.
3. Arrow down to the line starting with "LANIF=" then arrow over to the space between eth1 and ethx, then press "i" to edit. Now type in all your VLAN IDs, separating each with a space. E.G. - LANIF="eth1 eth1.101 eth1.102 eth1.103 ethx".
4. After all VLAN IDs are entered, press Esc then type "ZZ" to save the firewall file.
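As an added example (not part of the original post), the sh script below generates the ifcfg-ethx.y files from step 7 and the matching LANIF= value from step 3 out of a small plan file, refusing VLAN 1 as the notes require. The plan-file format ("VID IPADDR NETMASK" per line) and the output directory are assumptions; it writes to a directory you choose rather than /etc/sysconfig/network-scripts so you can review the files before copying them into place.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the per-VLAN ifcfg files
# and the LANIF= line for /etc/firewall from a plan file (one "VID IP NETMASK"
# per line). Usage: sample_plan > vlans.plan; gen_vlans ./out eth1 vlans.plan

# vlan_check VID -> 0 if VID is a usable 802.1Q ID (2-4094). VLAN 1 is refused
# because the post says it must not be added explicitly.
vlan_check() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a number
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# ifcfg_body IFACE VID IPADDR NETMASK -> prints the file content from step 7
ifcfg_body() {
    printf 'DEVICE="%s.%s"\nVLAN="yes"\nONBOOT="yes"\nUSERCTL="no"\nBOOTPROTO="static"\nIPADDR="%s"\nNETMASK="%s"\n' \
        "$1" "$2" "$3" "$4"
}

# gen_vlans OUTDIR IFACE PLANFILE -> writes OUTDIR/ifcfg-IFACE.VID for each
# valid plan line and prints the LANIF= line (parent port first, then each
# sub-interface, as in step 3). Bad VLAN IDs are reported on stderr and skipped.
gen_vlans() {
    outdir=$1; iface=$2; plan=$3
    mkdir -p "$outdir" || return 1
    lanif="$iface"
    while read -r vid ip mask; do
        [ -z "$vid" ] && continue
        vlan_check "$vid" || { echo "skipping bad VLAN ID '$vid'" >&2; continue; }
        ifcfg_body "$iface" "$vid" "$ip" "$mask" > "$outdir/ifcfg-$iface.$vid"
        lanif="$lanif $iface.$vid"
    done < "$plan"
    printf 'LANIF="%s"\n' "$lanif"
}

# Constructed sample plan (assumed addressing, not from the post).
sample_plan() {
    printf '101 192.168.101.1 255.255.255.0\n102 192.168.102.1 255.255.255.0\n'
}
```

If your firewall file lists further LAN ports after the VLAN sub-interfaces, append them to the printed LANIF= value by hand.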
Now that we've enabled all our VLANs to be able to communicate on the network, we need to set up a firewall rule that stops traffic from being routed between our VLANs.
1. Type "cd /etc/rc.d" and hit Enter.
2. Type "vi rc.firewall.local" and hit Enter.
3. Press "i" to be able to edit the rc.firewall.local file.
4. Arrow down to a blank line and type "iptables -I FORWARD -i eth1.+ -o ! eth0 -j DROP". This line of code assumes eth0 is your WAN port and your VLANs are all attached to the eth1 LAN port. You will have to adjust this if your scenario is different.
5. Press Esc then type "ZZ" to save the local firewall rules file.
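Because the rule in step 4 is inserted with -I, it only isolates the VLANs while it stays ahead of any ACCEPT that already matches traffic arriving on the VLAN sub-interfaces. The sh function below, an added example that is not from the original post, audits a FORWARD chain listing as printed by "iptables -L FORWARD -v -n --line-numbers" and reports whether the DROP rule is missing, shadowed, or in place; the two listings it ships with are constructed samples, not output captured from a ClarkConnect box.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the FORWARD chain for the
# inter-VLAN DROP rule added in rc.firewall.local and for any earlier ACCEPT
# that would let VLAN traffic through before it.
# Usage: iptables -L FORWARD -v -n --line-numbers | forward_audit eth1 eth0

# forward_audit LANPORT WANPORT (listing on stdin). Prints "OK rule N",
# "MISSING" or "SHADOWED by rule N"; the exit status is 0 only for OK.
forward_audit() {
    awk -v lan="$1" -v wan="$2" '
        NR <= 2 { next }   # skip "Chain FORWARD ..." and the column header
        # columns with -v --line-numbers: num pkts bytes target prot opt in out src dst
        $4 == "DROP" && $7 == lan ".+" && $8 == "!" wan && !drop { drop = $1 }
        # an ACCEPT shadows the DROP if it matches the VLAN sub-interfaces on
        # input and is not limited to the WAN port on output
        $4 == "ACCEPT" && ($7 == "*" || $7 == lan ".+" || index($7, lan ".") == 1) \
            && $8 != wan && !acc { acc = $1 }
        END {
            if (!drop)             { print "MISSING"; exit 1 }
            if (acc && acc < drop) { print "SHADOWED by rule " acc; exit 1 }
            print "OK rule " drop
        }'
}

# Constructed listing: the DROP rule sits at the top, as -I leaves it.
sample_good() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  eth1.+ !eth0   0.0.0.0/0            0.0.0.0/0
2      120  9800 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  eth1.+ eth0    0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed listing: a broad ACCEPT for the VLAN sub-interfaces comes first,
# so the DROP appended after it never sees inter-VLAN packets.
sample_shadowed() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  9800 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
2       44  3100 ACCEPT     all  --  eth1.+ *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  eth1.+ !eth0   0.0.0.0/0            0.0.0.0/0
EOF
}
```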
Now we need to reboot our system and verify all our ports are visible on the system. To reboot the system, just press Ctrl-Alt-Del. Watch the process carefully. You should see all your VLANs drop and come back up with a status of OK.
Next, we need to set up DHCP for our VLANs. After the system completes booting up, you will be back at the main console screen.
1. Enter the root password and hit Enter.
2. Choose the text interface (first choice) and hit Enter.
3. Enter the root password again, then hit Enter twice.
4. Verify all your VLANs are displayed in the menu.
5. Arrow down to "Configure DHCP Server" and hit Enter.
6. Arrow down to "Add" on a line for one of your VLANs and hit Enter.
7. You will be offered a DHCP scope and other IP options you can either modify or leave alone. In most cases, you'll want to accept the default settings.
8. Arrow down to "Confirm" and press enter.
9. Repeat steps 6 through 8 for each VLAN until you've configured them all.
10. Press "q" then "y" to quit and save your settings from the main console.
11. Arrow down to the "Reboot" option and reboot the system.
12. Watch the system reboot and verify your VLANs and the Firewall list a status of OK.
Now we're ready to test our configuration.
1. Plug PCs or laptops into various ports on various VLANs.
2. Verify you are getting DHCP addresses that match up to the VLAN configurations you'd set up for the port your device is plugged into.
3. Verify you can hit the Internet on each device (assuming your WAN port is configured and plugged into an active Internet connection).
4. Try to ping active addresses on other VLANs. If you've done everything right, you should not be able to see anything on any VLAN except your own and VLAN 1.
Congratulations! You've now finished setting up a ClarkConnect firewall for use in a VLANed environment. Please leave comments if this helped you, or if you have any other bits of advice that may be helpful to others. If this all seems a bit intimidating and you'd rather have us take care of it for you, give us a call at (616) 301-1791, or contact us through our website at http://www.delios.com.
Thursday, April 23, 2009