How do I give VLANs internet access?
Matthew Harrington
The challenge that I am faced with is as follows.
I need to give internet access to several VLANs via a single Ubuntu 16.04 router.
The VLANs are 8021q tagged and arrive at the router on interface ens1f1. VLANs are named vlan10, vlan20, vlan30, and vlan40. The internet uplink is connected to enp0s25. Enp0s25 has a static public IP address assigned by the ISP. The upstream device connected to Enp0s25 is not VLAN capable.
I ask you sage and wizened engineers or packet manglers out there if you would please explain to me how I can route, bridge, NAT, or catapult packets between those VLANs and that great tangle of plumbing we call the internet. In the meantime, I shall retreat to my cupboard muttering error 418 (RFC 2324).
Regards,
Kevin
1 Answer
This answer assumes you use an iptables firewall on your 'router', and not something 'easier' like ufw, and that you have properly set up the router to handle VLANs on the given interface.
What you're looking for is called "NAT". This is done by default on many routers, however by default isn't done on Linux systems.
You'll need to enable IPv4 forwarding also in the system to make it work. Add this to the end of /etc/sysctl.conf:
net.ipv4.ip_forward = 1

You can get that to apply by doing sudo sysctl -p afterwards. This enables the ability to forward traffic through.
Since your default Internet route is out to the Public Internet, but you want to set up NAT so that the other VLAN machines can go out to the Internet via your system, you would need to set up something like this in iptables:
iptables -t nat -A POSTROUTING -s ip.add.re.ss/cidr ! -d ip.add.re.ss/cidr -m comment --comment "Allow vlanXX to go to the Internet, masquerade as the public IP." -j MASQUERADE

This is a rule in the NAT table for how to route traffic after it's arrived at the system. You'll need three of these rules, one for each subnet of each VLAN. Adjust ip.add.re.ss and vlanXX accordingly to match the information for your network specifically.
You also need to have an ACCEPT rule in the filter table of iptables for FORWARD, and you would typically do this by interface, like this, updating the XX items to be the vlan number:
iptables -t filter -A FORWARD -o ens1f1.XX -m comment --comment "NAT for vlanXX" -j ACCEPT
iptables -t filter -A FORWARD -i ens1f1.XX -m comment --comment "NAT for vlanXX" -j ACCEPT

Once you've done this, you need to make sure you save the iptables rules. Ideally you would do this by installing iptables-persistent if you didn't have it installed already, and tell it "Yes" when it asks to save your rules:

sudo apt-get install iptables-persistent

... and that would set up the iptables rules at boot properly as well as save the rules. If you already have iptables-persistent, then you need to update the rules it loads:

sudo su -c 'iptables-save > /etc/iptables/rules.v4'

... and now the NAT MASQUERADE rule will be in place every time you boot.
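The answer above accepts everything in FORWARD for each VLAN interface, in both directions, which also lets every VLAN reach every other VLAN and does nothing to stop a host on one VLAN from sending packets with another VLAN's source addresses. The script below is an added example, not code from the question or the answer: it generates a complete iptables-restore file (the format iptables-persistent loads from /etc/iptables/rules.v4) with a default-drop FORWARD chain, a single conntrack rule for return traffic, one anti-spoofing NEW rule per VLAN that only allows traffic out of the uplink, and one MASQUERADE rule per VLAN bound to the uplink so inter-VLAN traffic is never NATed. The uplink name enp0s25 and the ens1f1.XX VLAN interface names come from the thread; the 10.0.XX.0/24 subnets are constructed placeholders and must be replaced with your own.

```shell
#!/bin/sh
# Added example: build an iptables-restore file that NATs several 802.1q VLANs
# out of one uplink on a Linux router. Not from the original answer.
# Assumptions: uplink is enp0s25; VLAN sub-interfaces are ens1f1.10 .. ens1f1.40
# (rename to vlan10 .. vlan40 if that is what your /etc/network/interfaces uses);
# the 10.0.XX.0/24 subnets below are constructed placeholders.

WAN="${WAN:-enp0s25}"

# One "interface subnet" pair per VLAN.
VLANS="ens1f1.10 10.0.10.0/24
ens1f1.20 10.0.20.0/24
ens1f1.30 10.0.30.0/24
ens1f1.40 10.0.40.0/24"

# Print a complete iptables-restore file for the given uplink and VLAN list.
gen_rules() {
    wan="$1"; vlans="$2"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    # Default deny: nothing crosses the router unless a rule below allows it.
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Packets conntrack cannot classify are dropped before anything else.
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Replies to connections a VLAN host opened come back through the NAT.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$vlans" | while read -r iface subnet; do
        [ -n "$iface" ] || continue
        # New connections only from this VLAN's own subnet, on its own interface,
        # and only towards the uplink. Matching -i and -s together rejects a host
        # that spoofs another VLAN's addresses; omitting other -o targets keeps
        # VLANs isolated from each other.
        echo "-A FORWARD -i $iface -s $subnet -o $wan -m conntrack --ctstate NEW -m comment --comment \"$iface to Internet\" -j ACCEPT"
    done
    echo "COMMIT"
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":INPUT ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "$vlans" | while read -r iface subnet; do
        [ -n "$iface" ] || continue
        # Rewrite the source to the uplink's public address. Binding to -o $wan
        # means traffic between VLANs (if ever allowed) is routed, not NATed.
        echo "-A POSTROUTING -s $subnet -o $wan -m comment --comment \"masquerade $iface\" -j MASQUERADE"
    done
    echo "COMMIT"
}

# Count generated rules matching a pattern (sanity check before loading them).
count_rules() { gen_rules "$1" "$2" | grep -c -- "$3"; }

# Stand-alone use: print the rules to stdout, e.g.
#   sh gen_rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
gen_rules "$WAN" "$VLANS"
```

Load the output with iptables-restore rather than pasting the lines into iptables one by one, and keep net.ipv4.ip_forward = 1 in /etc/sysctl.conf as the answer describes; without forwarding enabled the FORWARD chain is never consulted and nothing is NATed.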