Unlike Linux, OpenBSD restricts the names of VLAN interfaces to the "vlanNNN" scheme. We start with a basic firewall object with two interfaces and add VLAN interfaces to interface em0. Note that em0 is configured as "unnumbered"; this is a requirement for the VLAN parent interface object.
To create VLAN subinterfaces, select the parent interface object in the tree and right-click to open the context menu:
The new interface is created with the generic name "Interface" and needs to be renamed:
Firewall Builder is aware of the naming convention for VLAN interfaces on BSD and automatically recognizes vlan100 as a VLAN interface with VLAN ID 100. To inspect or change the VLAN ID, click the "Advanced Interface Settings" button:
Firewall Builder verifies that the name of the subinterface is acceptable as the name of a VLAN interface on an OpenBSD system. You can use a name such as "vlan100", but it will not accept "em0.100" or any other scheme.
I am going to add a second VLAN interface, vlan101, and add IPv4 addresses to both VLAN interfaces. The final configuration is shown in Figure 9.20:
Compiling this firewall object produces the script /etc/fw/openbsd-test-vlan-1.fw and the PF configuration file /etc/fw/openbsd-test-vlan-1.conf. To activate the firewall and configure the interfaces, run the script /etc/fw/openbsd-test-vlan-1.fw:
    # /etc/fw/openbsd-test-vlan-1.fw
    Activating firewall script generated Fri Feb 26 14:57:54 2010 by vadim
    net.inet.ip.forwarding: 0 -> 1
    # Creating vlan interface vlan100
    # Creating vlan interface vlan101
    # Adding VLAN interface vlan100 (parent: em0)
    # Adding VLAN interface vlan101 (parent: em0)
    # Adding ip address: vlan100 10.1.1.1 netmask 0xffffff00
    # Adding ip address: vlan101 10.1.2.1 netmask 0xffffff00
Here is how the configuration of the VLAN interfaces looks in the output of ifconfig:
    vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:83:4d:2f
            vlan: 100 priority: 0 parent interface: em0
            groups: vlan
            inet6 fe80::20c:29ff:fe83:4d2f%vlan100 prefixlen 64 scopeid 0x6
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
    vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:83:4d:2f
            vlan: 101 priority: 0 parent interface: em0
            groups: vlan
            inet6 fe80::20c:29ff:fe83:4d2f%vlan101 prefixlen 64 scopeid 0x7
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
Let's try to run the same script again:
    # /etc/fw/openbsd-test-vlan-1.fw
    Activating firewall script generated Fri Feb 26 14:57:54 2010 by vadim
    net.inet.ip.forwarding: 0 -> 1
The script detected that both VLAN interfaces already exist with the correct IP addresses and made no changes to their configuration.
Let's change the VLAN ID of interface vlan100. Because the name encodes the ID, the VLAN ID cannot be changed without renaming the interface: when I rename vlan100 to vlan102 in Firewall Builder, it changes the VLAN ID automatically.
Here is what happens when I run the generated script on the firewall:
    # /etc/fw/openbsd-test-vlan-1.fw
    Activating firewall script generated Fri Feb 26 15:57:03 2010 by vadim
    net.inet.ip.forwarding: 1 -> 1
    # Deleting vlan interface vlan100
    # Creating vlan interface vlan102
    # Adding VLAN interface vlan102 (parent: em0)
    # Adding ip address: vlan102 10.1.1.1 netmask 0xffffff00
ifconfig shows that interface vlan100 was removed and vlan102 was added:
    vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:83:4d:2f
            vlan: 101 priority: 0 parent interface: em0
            groups: vlan
            inet6 fe80::20c:29ff:fe83:4d2f%vlan101 prefixlen 64 scopeid 0x14
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
    vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:0c:29:83:4d:2f
            vlan: 102 priority: 0 parent interface: em0
            groups: vlan
            inet6 fe80::20c:29ff:fe83:4d2f%vlan102 prefixlen 64 scopeid 0x17
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
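The reconciliation behaviour shown in the two runs above (no changes when the interfaces and addresses already match; delete plus create when an interface is renamed), as an added example that is not Firewall Builder's generated script: a small sh function parses constructed ifconfig output modelled on the first listing and prints only the ifconfig(8) commands still required. The space-separated desired-state format and the classic "vlan N vlandev PARENT" ifconfig syntax are assumptions of this example; netmasks are not compared.

```shell
#!/bin/sh
# Added example (not Firewall Builder's generated script): reconcile a desired
# set of OpenBSD VLAN interfaces against parsed ifconfig output and print only
# the ifconfig(8) commands needed, mirroring the idempotent behaviour above.
# Assumes the classic "vlan N vlandev PARENT" syntax; netmasks are not compared.

# Desired state, one interface per line: "name vlanid parent ipv4 netmask"
DESIRED='vlan101 101 em0 10.1.2.1 255.255.255.0
vlan102 102 em0 10.1.1.1 255.255.255.0'

# Constructed sample of ifconfig output, modelled on the page's first listing
# (vlan100 still present, i.e. before vlan100 was renamed to vlan102)
CURRENT='vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 100 priority: 0 parent interface: em0
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:83:4d:2f
        vlan: 101 priority: 0 parent interface: em0
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255'

# vlan_plan DESIRED IFCONFIG_OUTPUT -> prints one command per line, and
# nothing at all when the system already matches the desired state
vlan_plan() {
    { printf '%s\n' "$1"; echo '--END-DESIRED--'; printf '%s\n' "$2"; } | awk '
        !seen_end && $0 == "--END-DESIRED--" { seen_end = 1; next }
        !seen_end && NF == 5 {                 # desired-state records
            want_id[$1] = $2; want_parent[$1] = $3
            want_addr[$1] = $4; want_mask[$1] = $5; next
        }
        /^[^ \t]/ { cur = "" }                 # any interface header resets context
        /^vlan[0-9]+:/ { cur = substr($1, 1, length($1) - 1); have[cur] = 1; next }
        cur != "" && $1 == "inet" { addr[cur] = $2 }
        END {
            # vlan interfaces present on the system but absent from the desired state
            for (c in have) if (!(c in want_id)) print "ifconfig " c " destroy"
            for (w in want_id) {
                if (!(w in have))
                    print "ifconfig " w " create vlan " want_id[w] " vlandev " want_parent[w]
                if (addr[w] != want_addr[w])
                    print "ifconfig " w " inet " want_addr[w] " netmask " want_mask[w]
            }
        }'
}

# Plan for the sample: vlan100 is destroyed, vlan102 is created and addressed,
# vlan101 is left alone. A second run against matching output prints nothing.
vlan_plan "$DESIRED" "$CURRENT"
```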
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.