Subject: Transitioning to 802.11q VLANs on a network using a NetBSD box with multiple physical interfaces
To: None <tech-net@NetBSD.org>
From: Douglas Wade Needham <cinnion@ka8zrt.com>
List: tech-net
Date: 06/08/2007 14:02:38
Sender: tech-net-owner@NetBSD.org

Greetings,

I am in the process of doing some major reworking of my network to
include 802.11q VLANs, and have some questions for folks who are a bit
more familiar with VLANs and how they are implemented on NetBSD.  But
to provide an answer, you first will need to know what my network
looks like at present.

Presently, I have a box called "alpha", running NetBSD with 3 Pro/100
(fxp) interfaces, doing NAPT thanks to ipf.  The first interface on
alpha is configured with my 5 public IP addresses, the second has a
secure (internal) subnet attached to it, and the third has a DMZ
subnet on which resides my bastion hosts handling mail, web and other
gateway services.  The use of ipfilter/ipnat on this box handles the
NAPT which takes place to direct inbound connections to various boxes,
as well as isolating the three networks.  For the sake of the
discussion, we will say that these three subnets are:

	fxp0	68.164.221.208/29	Public
	fxp1	192.168.0.0/24		Private/Secure
	fxp2	192.168.1.0/24		DMZ

All these networks are connected via a DLink DES-3226 switch which can
do 802.11q VLANs, as well as port based VLANs (currently in use to put
all three subnets on the same switch, so that traffic usage can be
monitored).

Now, in recent months, I have started adding boxes for a wireless
network which for various reasons really should be on a fourth subnet,
and other development (working with CPCI SBCs) I am doing may warrant
a fifth.  But, given the available wiring in the house, while some of
these devices could easily be connected to a fourth subnet on my
switch, other devices would have to share a connection with my
workstations on my secure subnet.  Fortunately, these devices can
handle 802.11q VLANs, and after months of not having the time to look
at this problem due to real-life time drains, I am starting to
consider how I will transition my network.

Now, in playing around with NetBSD, I found that I could not do the
following:

    ifconfig vlan4 create
    ifconfig vlan4 vlan 4 vlanif fxp1
    ifconfig vlan4 inet 192.168.4.1 netmask 0xffffff00
    ifconfig vlan4 vlan 4 vlanif fxp2    # fails: vlan4 is already bound to fxp1

The attempt at doing a second vlanif for the vlan fails because unlike
every other switch/router I have dealt with, NetBSD apparently can
only bind a vlan to a single physical interface.  And so, I am now
looking at the proper direction to proceed.  My thoughts (which I
would like feedback on) are as follows:

1) I could possibly move to having just a single physical interface on
   alpha, and switch my ipf/ipnat rules to use vlan pseudo-interfaces
   instead.  This would seem to be in keeping with what seems to be
   the common practice of others on this and other NetBSD lists, but
   for me, presents the problem in that once I move to using a Sun QFE
   (hme) card, I will have the potential for two physical subnets to
   be talking at rates which would saturate a single physical
   interface, and starvation of another subnet's connectivity to the
   Internet would occur.

   BTW... in another site I manage which may soon have to go through
   a similar transition, this definitely occurs, as we broadcast data
   from a radio telescope receiver to computers on one physical vlan
   at the full 100Mbps data rate.  On occasion, telecommands will go
   through a firewall just like mine onto this network to the
   devices broadcasting the data.  Thankfully packets in both
   directions are one way broadcasts instead of the normal 2-way like
   in TCP.

2) I could configure additional vlan devices, so that say vlan10
   vlan11 and vlan12 could handle one vlan on fxp0, fxp1 and fxp2,
   vlan20, vlan21 and vlan22 would handle a second vlan on those
   interfaces, and so on.  It would then mean I would probably have to
   do some additional configuration in my ipnat/ipfilter rules.

3) There is some other way which takes care of the whole forest, but
   which I am not seeing because of my nose being in the bark of a
   single tree.

Anyone have any suggestions/comments?  Also, has anyone had experience
using dhcp to serve up the IP addresses on 802.11q VLAN subnets?  My
dhcp server is on the private subnet, and alpha is running dhrelay to
pass along requests from the DMZ.

Oh... and alpha will likely be upgraded from 1.6 to 3.1 or current
when I do the transition (since I do not believe that the QFE was
supported way back then).  Given it does not accept any connections
externally and only certain protocols from key hosts on the private
subnet, it was not broke, so I did not fix it. ;)

Thanks!

- Doug

-- 
Douglas Wade Needham - KA8ZRT        UN*X Consultant & UW/BSD kernel programmer
Email:  cinnion @ ka8zrt . com       http://www.ka8zrt.com
Disclaimer: My opinions are my own.  Since I don't want them, why
            should my employer, or anybody else for that matter!
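An added example, not from Doug's post or from NetBSD itself: a small sh script that writes out the per-parent /etc/ifconfig.vlanN fragments that option 2 implies (one vlan(4) pseudo-interface per tag-and-parent pair) and rejects a table that binds one pseudo-interface to two parents, which is the step that fails above. The vlan1X/vlan2X numbering, tags 4 and 5, and the 192.168.4.0/24 and 192.168.5.0/24 addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the post or NetBSD): emit NetBSD /etc/ifconfig.vlanN
# fragments for option 2, one vlan(4) pseudo-interface per (802.1Q tag, parent).
# Interface names, tags and addresses are constructed for illustration.

# Rows: "<pseudo-interface> <tag> <parent> [address/prefixlen]".
# Assumed scheme: vlan1X = tag 4 on fxpX, vlan2X = tag 5 on fxpX. Only the leg
# that alpha routes for gets an address; the other leg is still created so that
# tagged frames arriving on that parent land on their own interface for ipf.
VLAN_TABLE='vlan11 4 fxp1 192.168.4.1/24
vlan12 4 fxp2
vlan21 5 fxp1 192.168.5.1/24
vlan22 5 fxp2'

# Contents of /etc/ifconfig.<name>: /etc/rc.d/network feeds each line to
# ifconfig(8), so "create" must precede "vlan <tag> vlanif <parent>".
vlan_fragment() {
    tag=$2; parent=$3; addr=$4   # $1 (the name) only selects the file
    printf 'create\nvlan %s vlanif %s\n' "$tag" "$parent"
    if [ -n "$addr" ]; then
        printf 'inet %s\n' "$addr"
    fi
    printf 'up\n'
}

# Reject a table that binds one pseudo-interface to two parents: that is the
# second "vlanif" step that fails in the post, and NetBSD wants a separate
# vlan(4) interface per parent instead.
vlan_check() {
    dups=$(printf '%s\n' "$1" | awk 'NF { if (seen[$1]++) print $1 }')
    if [ -n "$dups" ]; then
        echo "vlan interface bound to more than one parent: $dups" >&2
        return 1
    fi
    return 0
}

# Print every fragment, each preceded by the file it belongs in.
emit_all() {
    vlan_check "$1" || return 1
    printf '%s\n' "$1" | while read -r name tag parent addr; do
        [ -n "$name" ] || continue
        printf '# /etc/ifconfig.%s\n' "$name"
        vlan_fragment "$name" "$tag" "$parent" "$addr"
    done
}

emit_all "$VLAN_TABLE"
```

Each emitted fragment goes into the file named in its header line; ipf and ipnat rules can then name vlan11, vlan12 and so on as interfaces, which is the extra rule work option 2 mentions.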