  1. #1
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Question VLAN traffic passing through Untangle

    Hi all.

    Experiencing something which (I think) shouldn't happen. I have 3 VLANs set up, Trusted, IOT and Guest, as well as the internal network. I have an Unraid box sitting on the untagged "management" network, on 10.1.1.x, and my PC on the Trusted VLAN with a 10.1.10.x IP. I have an HP 1920-24G switch doing the VLAN stuff, and my PC is untagged VLAN10, unraid on untagged 1, but for some reason the CIFS traffic is going through the Untangle interfaces (untagged 1, tagged 10, 172 & 192 for VLANs). Is this supposed to happen? I'm not a networking guy, so though I've managed to get VLANs working (mainly for isolating IOT devices), I'm not actually sure if it's set up right.

    Many thanks

  2. #2
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712

    Default

    Not 100% sure I understand your question (so sorry in advance if I am off here).

    Untangle will route between non-WAN interfaces by default. If you want to limit connectivity between the VLANs/subnets you should set up some access controls between them. Could do it in a few places (firewall, filter rule, etc).

    I have a similar setup and do it via filter rules between the interfaces.

    Quote Originally Posted by borkensnoot View Post
    I'm not a networking guy
    Not trying to be snarky, but why are you implementing such a complex home network if you're not a networking guy? Sounds like you are just adding a lot of complexity/admin overhead...
    Last edited by JasonJoel; 08-20-2020 at 08:35 AM.
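The default-allow behaviour described in this reply, modelled as an added Python example (this is not Untangle's own code or its rule syntax): every flow between two different subnets must cross the router, and between non-WAN interfaces it is allowed unless a filter rule says otherwise. The Internal and Trusted subnets are the ones from the thread; the IoT and Guest subnets, the interface names and the rule list are constructed placeholders.

```python
"""Model of a router that routes between all non-WAN interfaces by default
and only stops where a first-match filter rule says so. Interfaces, subnets
and rules are constructed for illustration; they are not Untangle's."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    wan: bool = False


WAN = Interface("WAN", ipaddress.ip_network("0.0.0.0/0"), wan=True)

# Internal and Trusted subnets come from the thread; IoT and Guest subnets
# are placeholders (the thread only gives their VLAN tags, 172 and 192).
INTERFACES = [
    Interface("Internal", ipaddress.ip_network("10.1.1.0/24")),
    Interface("Trusted", ipaddress.ip_network("10.1.10.0/24")),
    Interface("IoT", ipaddress.ip_network("10.1.172.0/24")),
    Interface("Guest", ipaddress.ip_network("10.1.192.0/24")),
]


@dataclass(frozen=True)
class Rule:
    src: str      # source interface name, or "*" for any
    dst: str      # destination interface name, or "*" for any
    action: str   # "allow" or "deny"


# Evaluated top to bottom, first match wins, like a filter-rule table.
RULES = [
    Rule("IoT", "Trusted", "deny"),
    Rule("IoT", "Internal", "deny"),
    Rule("Guest", "Trusted", "deny"),
    Rule("Guest", "Internal", "deny"),
    Rule("Guest", "IoT", "deny"),
]


def interface_for(ip: str) -> Interface:
    """Map an address to the interface whose subnet contains it, else WAN."""
    addr = ipaddress.ip_address(ip)
    for iface in INTERFACES:
        if addr in iface.network:
            return iface
    return WAN


def decide(src_ip: str, dst_ip: str, rules=RULES) -> str:
    """'switched' if the hosts share a subnet (the router never sees it),
    otherwise 'routed:allow' or 'routed:deny'."""
    src, dst = interface_for(src_ip), interface_for(dst_ip)
    if src == dst:
        return "switched"
    for rule in rules:
        if rule.src in ("*", src.name) and rule.dst in ("*", dst.name):
            return f"routed:{rule.action}"
    # Default: non-WAN to non-WAN is routed and allowed; unsolicited
    # traffic arriving from the WAN side is dropped.
    if src.wan:
        return "routed:deny"
    return "routed:allow"


def audit(rules=RULES) -> list:
    """List every pair of local interfaces that falls through to the default
    allow, so each open path can be confirmed as intentional."""
    open_pairs = []
    for s in INTERFACES:
        for d in INTERFACES:
            if s is d:
                continue
            if decide(str(s.network[1]), str(d.network[1]), rules) == "routed:allow":
                open_pairs.append(f"{s.name}->{d.name}")
    return open_pairs


if __name__ == "__main__":
    print(decide("10.1.10.5", "10.1.1.20"))   # the OP's PC-to-Unraid CIFS flow
    print(decide("10.1.172.7", "10.1.10.5"))  # IoT trying to reach Trusted
    print(audit())
```

The point the audit makes is the one in the reply: the OP's PC (10.1.10.x) and Unraid box (10.1.1.x) are on different subnets, so their CIFS traffic is routed by Untangle and allowed by default; isolation only exists where a rule was written for that direction.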

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Default

    Yeah, if you're not a networking guy, my question is do you want to become one?

    Because if we go down this rabbit hole... you will be before it's done!

    I'll start...

    IP Network and VLAN are not the same things... VLANs don't have IP addresses. Though you use IP addresses over them. And, Untangle as a router routes IP addresses, which is to say it connects IP Networks.

    And I don't want to scare you off here, but for not being a network guy... you've managed to actually get layer 2, and layer 3 working well enough to pass traffic! You've already DONE the hard part! And given that problems on layer 2 simply "don't work" in very obscure and hard to troubleshoot ways... if you honestly haven't a clue what you're doing that's actually pretty impressive.

    So I can't speak for others, but color me shocked! So I'm left with, where do you want to go from here?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie
    Join Date
    Jun 2020
    Posts
    5

    Default

    Thanks for the replies guys.

    So if it's intended behaviour for Untangle to do the inter-VLAN routing, that's fine, I guess I just thought that would be the job of the switch.
    As for my "not a network guy" comment, I'm a cloud solutions architect, so I'm not exactly entering from the lobby, but networking isn't my area of expertise. I'm implementing complexity because a) I enjoy a challenge, and b) I'm trying to implement some network security. I've already got rules for blocking between IOT/Guest and Trusted.

    I understand the difference between L2 and L3 networking, but like I said above, I just assumed the switch would be doing the heavy work. Fundamentally it doesn't really matter, I'm not maxing out any of my interfaces, I was just curious more than anything.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Default

    From what you're describing, you have an L2 managed switch, and the L3 is being handled by Untangle. Even if the switch can do L3, you've configured it not to.

    If you have an L3 switch, Untangle has ONE interface aimed at it, and static routes for the networks beyond the switch. The VLANs aren't terminated on Untangle at all. Ok well ONE is... but yeah. Again how far down the rabbit hole do you want to go?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default

    Quote Originally Posted by sky-knight View Post
    From what you're describing, you have an L2 managed switch, and the L3 is being handled by Untangle. Even if the switch can do L3, you've configured it not to.

    If you have an L3 switch, Untangle has ONE interface aimed at it, and static routes for the networks beyond the switch. The VLANs aren't terminated on Untangle at all. Ok well ONE is... but yeah. Again how far down the rabbit hole do you want to go?
    Agreed.

    Although when I read this, it sounds to me like the OP set up VLANs on BOTH the Untangle and the L3 switch.

    OP: there are a couple of things about VLANs you should know. Here is a spark notes version. @sky-knight please correct me if any of this is incorrect, or feel free to add on if something is unclear. This is my first attempt at a long post so if it makes absolutely no sense just let me know and I'll delete it lol. I'm an engenere... enginere... engineer? Not a righter...writer?

    There are two types of VLAN ports:
    Trunk ports, which accept traffic from multiple VLANs
    Access ports, which accept traffic from a single VLAN.

    So if you have a device connected to port 12 on the switch, say a computer, that will always be sending traffic from a single VLAN (ie trusted VLAN) then this port would be an access port.

    On the other hand, if the device connected to port 12 was a phone that shares a single wire for both data and voice (where data and voice are supposed to be separate VLANs), this would be a trunk port.

    Same goes for an access point link that broadcasts two SSIDs, one for a trusted network and one for a guest network: this would be a trunk port because it requires the ability to accept traffic from multiple VLANs.

    Some switches require you to specify whether it's an access port or a trunk port; others will allow you to specify which VLANs are associated with the switch port, and if there's more than one it handles it for you.

    So when connecting the untangle to the switch you have two options.

    Option 1.) you create the VLANs on the untangle and connect a single wire from the untangle to the switch where the switch port is a... you guessed it trunk port.

    Option 2.) which is my personal favorite is you create a NETWORK on the untangle and a matching VLAN on the switch. You then connect a wire for each network to the switch. On the switch side, each port will be a... you guessed it again!... access port because we're only accepting traffic for the corresponding VLAN.

    Next up... tagging!

    When using VLANs, traffic can be tagged or untagged and any device can do the tagging as the traffic flows through it.

    Imagine you're single and live by yourself. When Santa drops off your Christmas gifts, you know that every gift under the tree is meant for you. So even though the gifts are UNTAGGED, you still know who they are designated for.

    Now imagine you're back in your childhood living with your parents and four siblings. If Santa just dropped off untagged gifts it would be a free for all! Santa knows this so he TAGS the gifts with a nametag so on Christmas morning there isn't a brawl in the living room.

    Tagging with VLANs does the same thing. At some point through the travels of the packets, the traffic can be tagged with a particular VLAN ID. If a switch port is designated as an access port, the device attached to that port, for example the computer, doesn't need to tag its traffic, because the switch knows everything originating from that port is for one particular VLAN.

    On the other hand, if the switch port is a trunk port then the most untagged VLANs you can support is one, otherwise the switch wouldn't know what to do! The other(s) must be tagged.

    Some switches allow you to specify the untagged traffic on a trunk port to be a specific VLAN; others assume that any untagged traffic from a trunk port should be on the native VLAN.

    So in our VoIP phone line scenario, our phone has a computer tethered off of the phone's computer port. We configure the phone to put the computer port on the DATA VLAN's VLAN ID so that as the computer sends untagged traffic to the phone, the phone then TAGs the computer traffic with the DATA VLAN ID. When the traffic makes it to the switch, the switch knows that the traffic coming from the computer is Data traffic because it's been tagged by the phone. If the switch has the untagged VLAN membership feature it will know that the traffic coming from the phone is for the VOICE VLAN.

    Same goes for the WiFi access points: the internal SSID should leave its traffic untagged (in the case where the switch allows untagged vlan membership) and the guest network should be tagged with the GUEST VLAN ID.

    So what happens in between traffic entering the switch from the endpoint and leaving the switch to the untangle?

    If you did option 1 (one wire from untangle to switch with VLANs on the untangle) then all traffic needs to be tagged with the appropriate VLAN by either the endpoint or the switch.

    This means if a computer is sending untagged traffic into the switch through an access port the switch will tag that traffic with the VLAN on that port before forwarding the traffic to untangle. So when it arrives at the untangle, it's tagged with the trusted VLAN.

    If you did option 2, the computer will send untagged traffic to the switch. Since it's an access port the switch will tag the traffic coming from the computer with the trusted VLAN ID so the switch knows where to put it. The switch then untags the traffic as it goes out of the access port connected to the untangle for that network. This is why the untangle doesn't need any VLANs configured: because the traffic is tagged and untagged at the switch level. So by the time it gets to the untangle, the untangle says Psshh! I know what I'm doing with these packets!
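The access/trunk port rules and the two uplink options described in this post, worked through in an added Python model of 802.1Q tagging (this is example code, not the switch's or Untangle's own). The Ethernet frame, port names and port assignments are constructed; VLAN IDs 1, 10, 172 and 192 are the ones the OP listed. The model goes slightly beyond the post in that it also shows what an access port does with a frame that arrives already tagged for a VLAN the port is not a member of.

```python
"""Model of 802.1Q tagging on a managed switch: access ports tag untagged
frames on ingress and strip the tag on egress; trunk ports carry one
untagged VLAN plus any number of tagged ones. Frames and ports are
constructed for illustration."""
import struct
from dataclasses import dataclass

TPID = 0x8100  # EtherType value that announces an 802.1Q tag


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 16 and frame[12:14] == b"\x81\x00"


def vlan_id(frame: bytes):
    """VLAN ID from the tag (low 12 bits of the TCI), or None if untagged."""
    if not is_tagged(frame):
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag between the source MAC and the EtherType."""
    if is_tagged(frame):
        raise ValueError("frame already carries a tag")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


@dataclass(frozen=True)
class Port:
    name: str
    untagged: int                    # VLAN assigned to untagged frames (PVID)
    tagged: frozenset = frozenset()  # extra VLANs carried with their tag

    @property
    def kind(self) -> str:
        return "trunk" if self.tagged else "access"

    def ingress(self, frame: bytes):
        """Classify an arriving frame: (vid, tagged_frame), or None when the
        frame carries a tag for a VLAN this port is not a member of (dropped).
        Real switches vary in how they treat that case; this model drops it."""
        vid = vlan_id(frame)
        if vid is None:
            return self.untagged, add_tag(frame, self.untagged)
        if vid == self.untagged or vid in self.tagged:
            return vid, frame
        return None

    def egress(self, vid: int, frame: bytes):
        """Frame as it leaves this port: tag stripped for the untagged VLAN,
        kept for tagged members, None if this port is not a member."""
        if vid == self.untagged:
            return strip_tag(frame)
        if vid in self.tagged:
            return frame
        return None


class Switch:
    def __init__(self, *ports: Port):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port: str, frame: bytes) -> dict:
        """Flood within the VLAN (MAC learning omitted); returns {port: frame}."""
        classified = self.ports[in_port].ingress(frame)
        if classified is None:
            return {}
        vid, tagged = classified
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                egress_frame = port.egress(vid, tagged)
                if egress_frame is not None:
                    out[name] = egress_frame
        return out


# Constructed untagged frame from the PC: dst MAC, src MAC, EtherType IPv4, payload.
PC_FRAME = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00" + b"payload"

# Option 1: VLANs terminated on Untangle; one trunk (untagged 1, tagged 10/172/192).
OPTION1 = Switch(
    Port("pc", untagged=10),
    Port("unraid", untagged=1),
    Port("guest-ap", untagged=192),
    Port("untangle", untagged=1, tagged=frozenset({10, 172, 192})),
)

# Option 2: no VLANs on Untangle; one access port per network on the switch.
OPTION2 = Switch(
    Port("pc", untagged=10),
    Port("unraid", untagged=1),
    Port("untangle-internal", untagged=1),
    Port("untangle-trusted", untagged=10),
)


def option1_result() -> dict:
    return OPTION1.forward("pc", PC_FRAME)


def option2_result() -> dict:
    return OPTION2.forward("pc", PC_FRAME)
```

With option 1 the PC's untagged frame leaves the switch only on the trunk, tagged with VLAN 10, so Untangle must have a VLAN 10 interface to receive it; with option 2 it leaves only on the access port for the Trusted network, byte-for-byte as the PC sent it, so Untangle sees plain untagged traffic. In neither case does it reach the Unraid port, because that port is a member of VLAN 1 only.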
