Score:1

Multiple VLANs on the same interface in the same subnet


In a device application we use the following VLAN network setup:

In the device we have an internal network for internal devices and an external network for the customer / customer network. All devices are connected via a managed switch to a Raspberry Pi compute module, where the application runs.

In the setup we use the following VLANs:

  • VLAN 1: external network
  • VLAN 2: internal network

The compute module has two VLAN interfaces on eth0: eth0.1 (external) and eth0.2 (internal). This is done so that a customer does not see the internal network devices. The managed switch has port-based VLANs configured.

(image: network setup)

For the internal network, the compute module uses eth0.2 with the static IP address 192.168.2.1; the internal network devices are also in the same subnet, 192.168.2.x.

For the external network, the compute module uses eth0.1 with the static IP address 192.168.1.100.

Our config on the compute module:

/etc/sysctl.conf

net.ipv4.ip_forward = 1

/etc/network/interfaces

# VLAN external interface
auto eth0.1
iface eth0.1 inet manual
    vlan-raw-device eth0


# VLAN internal interface
auto eth0.2
iface eth0.2 inet manual
    vlan-raw-device eth0

/etc/dhcpcd.conf

interface eth0
static ip_address=
static routers=
static domain_name_servers=
static domain_search=

interface eth0.1
static ip_address=192.168.1.100/24
static routers=
static domain_name_servers=
static domain_search=

interface eth0.2
static ip_address=192.168.2.1/24
static routers=
static domain_name_servers=
static domain_search=

For communication from the customer PC directly to the internal device 192.168.2.100 via the external IP, we made the following rules. With these, the customer reaches the internal 192.168.2.100:80 via the external IP address 192.168.1.100 on port 8080.

# Port 80 on the external address is redirected to local port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# Port 8080 on the external address is forwarded to the internal device
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.2.100:80
# Rewrite the source address of forwarded traffic to the compute module's own address
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

In general this setup works, but not in all cases: the customer can change the external IP address of eth0.1, either to another static IP address or to DHCP. If eth0.1 is given a static IP address in 192.168.2.x, the customer can reach 192.168.2.1 on eth0.2.

How can we prevent a customer from reaching the internal IP 192.168.2.1 when the external IP of eth0.1 is in the same subnet? How can eth0.1 and eth0.2 be separated if they are in the same subnet, or if both have 192.168.2.1?

For example: if eth0.2 has the same IP address as a device in the internal network, then a connection to the compute module is not possible because of the IP conflict.

mangohost
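The isolation the question asks for is easier to enforce on the ingress interface than on addresses, because the customer controls the address of eth0.1 but not which VLAN interface their frames arrive on. The script below is an added example, not code from the post; it reuses the post's interface names, the 192.168.2.0/24 subnet and the 8080 to 192.168.2.100:80 DNAT, while the sysctl choices and the helper names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It isolates the internal VLAN by
# matching on the ingress interface (which the customer cannot change) rather than
# on IP addresses (which the customer can). Interface names, subnet and the
# 8080 -> 80 DNAT come from the post; the sysctl settings are my assumptions.
EXT_IF="eth0.1"           # customer-facing VLAN interface
INT_IF="eth0.2"           # internal VLAN interface
INT_NET="192.168.2.0/24"  # internal subnet
INT_HOST="192.168.2.100"  # internal device published via DNAT on port 8080

# Emit the rule set instead of applying it, so it can be reviewed or tested first.
isolation_rules() {
    cat <<EOF
# Answer ARP only for addresses configured on the interface the request came in on,
# so 192.168.2.1 (eth0.2) is not resolvable from eth0.1 even if eth0.1 is in 192.168.2.x.
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_filter=1
# Nothing arriving on the customer VLAN may talk to the compute module's internal address.
iptables -A INPUT -i $EXT_IF -d $INT_NET -j DROP
# Customer -> internal forwarding: only the DNAT'ed connections to the published service.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_HOST --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -j DROP
EOF
}

# Apply the rule set (needs root; run on the compute module).
apply_isolation() { isolation_rules | sh; }

# Sanity check: every rule that mentions the internal network must also pin the
# ingress interface. Returns 0 if so, 1 if some rule relies on addresses alone.
rules_pin_interface() {
    isolation_rules | grep '^iptables' | grep -e "$INT_NET" -e "$INT_HOST" |
        grep -v -- "-i $EXT_IF" | { ! grep -q .; }
}
```

The INPUT rule also drops the post's port-80 REDIRECT whenever eth0.1 itself carries a 192.168.2.x address, since the redirected packet is then addressed into the internal subnet; that is the intended effect of pinning the subnet to eth0.2.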

