LAN - VLAN routing

Question

Hi! I have an XG125 where the network of port 6 is 192.168.12.0/24 and the port 1 is 192.168.0.0/24, both in LAN zone. Port 6 has a DHCP server I've added a VLAN on port 1 (Port1.40) with IP in DHCP 
 I've created 2 rules: 1: Source zones: LAN Source network: #Port1.40 Destination zones LAN Destination networks: #Port6 Service: Any 
 2: 
 Source zones: LAN Source network: #Port6 Destination zones LAN Destination networks: #Port1.40 Service: Any But the VLAN interface doesn't get the any IP from the DHCP server on port6. 
 What am I doing wrong?

PhilippRusch · Answer

Hello Mario, 
 you are mixing / confusing Layer 2 and Layer 3 here. 
 While "Port 1" and "VLAN 40" sit on the same physical Interface, these are complete different Networks, which don't "see each other" in terms of IP-addresses. 
 The same with "Port 6", the network on Port 1 does not "see" the traffic on "Port 1" or "Port1.40" simply by putting them into the same Firewall-Zone. 
 You either have to build a bridge (connection on Layer 2), or you have to route between the IP-nets on top of those interfaces (connection on Layer 3). 
 Like now, the VLAN-Port 1.40 will never get a DHCP address from the server running on Port 6, nor will it get one, if you run that on Port 1. 
 Please tell us, what you want to achieve, so that we can help you to find a solution for your use case.

PhilippRusch · Answer

Ciao Mario, 
 no, let us clarify: If you have a network interface, either physical ("Port X") or virtual ("VLAN Y"), you CAN assign a static IP to it. 
 You did this with "Port 1" and "Port 6". So now you firewall knows about two networks, which are directly connected to it. 
 Normal mode of a linux kernel is IP-routing between all directly attached interfaces. 
 NOW comes your packet filter into play, this is what you configure with "firewall rules" and "zones" and so on. 
 If you have a so called "DENY all" philosophy with your firewall rules (this is the case with XG/XGS default settings), then you have to define which traffic is allowed from one network to the other. If you put two different interface into the same "Zone" definition, you implicitely allow traffic between them. 
 Why don't you reach your VLAN on "Port1.40" ? Because this his no IP-Address! And hence no network it belongs to, that's all.

PhilippRusch · Answer

When it comes to VLANs: 
 AFAIK, the Ports of an XG system are configured like a trunk-port, you have one untagged default VLAN (=VLAN ID 1) and all the other VLAN you define for this same port are tagged VLANs. 
 So you could solve your "dilemma" without a switch and solely using XG-Ports, but you will need to change the configuration of your virtualization host o Port 1, then.

PhilippRusch · Answer

Routing is Routing. 
 Firewall rules is packet filter. 
 These are two different things, you first have to have functional network, either routed or bridged, so that packets can flow from A to B. 
 Then you allow or deny certain IP-connections or ports with firewall rules.

LAN - VLAN routing

Top Replies