duplicating/forwarding wan port on vlans?

  1. lollekatt

    lollekatt Reformed Router Member

    Ok.. so I have another vlan question here.

    I can confirm btw to Victek that the WNR3500Lv2, when the tagging option is finally enabled, works as expected on this model, so I think it can be removed from the 'experimental' part.

    Ok.. so here is the question.

    I have a Xen box in DMZ, and a LAN segment.

    I use a trunk down to the Xen box, and although I could just pass wan connections through the trunk, I wanted to test passing the wan IP down the wire to the Xen firewall to act as primary router.. and then pass LAN traffic back up to the Tomato when need be, to the LAN and out the wan.

    Why? Just because the wan card meant to be used on the Xen is 100 mbit and doesn't deliver a good duplex payload (especially on Xen). So I need to use the GB port as the trunk instead.

    The point is I feel a bit safer, if I do it this way.. Anyway tests will show.

    Now, my ISP binds (any) mac, but only one can be active at any one time on the wan. So I put the trunk port on vlan2 (both with and without the wan port on vlan2, but I see on Tomato the wan bridge mac will automatically be read by the ISP).. meaning the only solution I had to pass the wan through onto an internal wan interface was to spoof the MAC address onto the Xen wan interface. Then it works...

    Aka dual wan, kinda. My question now is: is it "ok" to have two identical mac ports on the same vlan?

    I did some short testing and I had varying results.. it seems to work ok, but I am sure collisions occur, as it seemed to sometimes be slow to negotiate (or it is due to the double flooding, I can imagine).

    I know that two identical MACs should not be on the same segment, so.. if anyone has any input, I would appreciate it.

    I will do some more testing today to see and report back.

    And also, do we have some dual wan stuff on tomato{,shibby}?

    Although I want to 'split' the wan port, not bond two wans. :)

    YAA (yet another addendum):

    route on router:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    xxx.xxx.149.1 * UH 0 0 0 vlan2
    xxx.xxx.149.0 * U 0 0 0 vlan2
    * U 0 0 0 lo
    default 1.xxx-149.xx UG 0 0 0 vlan2

    On the spoofed wan mac (Xen router):
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default 1.xxx-149.xx UG 202 0 0 eth0
    xxx.xxx.149.0 * U 202 0 0 eth0
    116.xxx.xxx-149. localhost.local UGH 202 0 0 lo    (oops, scary!)
    192.168.x.x localhost.local UGH 203 0 0 lo

    Need to probably do something with these routes before being able to verify how viable this is. The point is it runs nice and smooth on both the LAN and the Xen, except on the Xen a CLI speed test hangs.. so something is up, which probably has to do with these routes.

    Yikes, localhost is bound to an external IP?? brb, locking down :p

    (all incoming traffic is blocked on that test Xen btw).

    Ok, the netmask is locked down to the single host.. ok.. but still... it is an external IP under the ISP's control.. imagine that. WTF... so all I need to do is sniff whilst pinging the machines I pinged on my customer network, yes.. get their MAC, spoof it, set it to their IP manually, and voila.. I'm on their LAN?
    Last edited: Jan 9, 2014
  2. lollekatt

    lollekatt Reformed Router Member

    I will add some explanation why I am doing all this:

    I have a DMZ Xen server with 2 interfaces, one GB and one 100 mbit.

    my wan down/up is 40/75 mbits/s.

    Originally I wanted this:

    wanin -> wan100 Xen GBlan (trunk) some vlans -> GB wanin tomato -> Gb (v)lans. all great.

    BUT the 100 mbit card struggles on full duplex.. and my upload under Xen and load drops to 20 mbit up. So it's a no go.

    But I want the Xen router domain to be the main front router, and Tomato the 2nd firewall for the LAN and vlans.

    So I need to pass the wan on a bridge, down to a Xen interface, to then pass traffic for the vlans back up the trunk wire again.

    Even doing this, I still hit 600-800 Mb/s on the GB wire, so this is miles better than the 100 mbit (which will become a mgmt interface, or even be removed to save the PCI bandwidth).

    So, in the end, I need to do something like this:

    wanin -> tomato wanport, trunk -> xen router (all dhcp, firewall, dmz, bla bla here and not on tomato) - Xen DMZ services + vlans (one private server which belongs to a lan vlan) -> up the wire again -> ?? (a lan port acting as a new wanin/entry point | just a vlan bridge) -> tomato firewall, and vlans.

    DHCP would be on the Xen.

    So, the Q is.. do I spoof the mac on the Xen and split up the wan traffic, or do I just pass it through and define one of the LAN ports as a new LAN-in for the LAN portion?

    Help appreciated.

    And like I said.. I am on vlan2 adding the trunk port.. this does *not* allow me to add a different mac and get the wan IP. Do I really need to add a LAN port onto vlan2 to make this work? (I was hoping to avoid losing a port as I kinda need 4.. BUT if that's the only way, and it would happen anyway if I had used one to define a new wanin from the Xen, then so be it).
  3. lollekatt

    lollekatt Reformed Router Member

    Ok.. I think I have the idea now:

    To further isolate the LAN segment (yes, it still crosses the single HW bridge/switch on the router), block all interaction with vlan2 from the bridges, except the trunk port. Then the LAN is reached via wan -> vlan2 bridged trunk -> Xen DMZ -> up again to the other vlans.

    Might be silly, I know... but I'm not sure if communicating with a spoofed port will create loops and/or other weirdness on the system. This way, only the one mac port will technically be on the other vlans, and it should be ok.
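    Two checks behind the questions in post 1 and post 3: whether the same MAC is being learned behind more than one switch port of a VLAN (the spoofed-MAC case), and which routing-table entries bind a non-loopback destination to lo (the "localhost bound to an external IP" finding). This is an added example and not code from the thread, from Tomato or from Xen; the forwarding-database snapshots and the route table are constructed in the style of `bridge fdb show` and `route -n` output, and every MAC, port name, VLAN number and address in them is made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `bridge fdb show` (MACs, ports and VLANs
# are made up). Two snapshots a few seconds apart: the entry for ...:aa moves
# from eth0 (the WAN port) to eth1 (the trunk port) inside VLAN 2. That is what
# the switch sees when the same MAC is active behind two ports of one VLAN.
FDB_SNAPSHOTS = [
    "02:00:00:00:00:aa dev eth0 vlan 2 master br0\n"
    "02:00:00:00:00:bb dev eth1 vlan 2 master br0\n"
    "02:00:00:00:00:cc dev eth2 vlan 1 master br0\n",
    "02:00:00:00:00:aa dev eth1 vlan 2 master br0\n"
    "02:00:00:00:00:bb dev eth1 vlan 2 master br0\n"
    "02:00:00:00:00:cc dev eth2 vlan 1 master br0\n",
]

FDB_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+dev\s+(?P<port>\S+)"
    r"(?:\s+vlan\s+(?P<vlan>\d+))?",
    re.IGNORECASE,
)


def parse_fdb(text):
    """Yield (mac, vlan, port) for every forwarding-database line that parses.
    Lines without a 'vlan N' field are treated as VLAN 0 (untagged)."""
    for line in text.splitlines():
        m = FDB_LINE.match(line.strip())
        if m:
            yield m["mac"].lower(), int(m["vlan"] or 0), m["port"]


def find_flapping_macs(snapshots):
    """Return {(mac, vlan): [ports...]} for MACs learned behind more than one
    port of the same VLAN across the snapshots, i.e. duplicate-MAC flapping."""
    seen = defaultdict(set)
    for snap in snapshots:
        for mac, vlan, port in parse_fdb(snap):
            seen[(mac, vlan)].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}


# Constructed sample in the style of `route -n` on the Xen router (addresses
# are from the documentation ranges, not the poster's real addresses).
ROUTE_SAMPLE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    202    0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
203.0.113.45    127.0.0.1       255.255.255.255 UGH   202    0        0 lo
192.168.10.5    127.0.0.1       255.255.255.255 UGH   203    0        0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_routes(text):
    """Parse `route` / `route -n` output into (network, gateway, flags, iface).
    Both the symbolic form ('default', '*') and the numeric form are accepted."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # title and header lines
        dest, gw, mask, flags, _metric, _ref, _use, iface = fields[:8]
        dest = "0.0.0.0" if dest in ("default", "*") else dest
        gw = "0.0.0.0" if gw == "*" else gw
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes


def find_lo_bound_routes(text):
    """Return [(network, gateway, flags)] for routes that send a non-loopback
    destination to the loopback interface: an external host and a 192.168.x.x
    host pinned to lo, as in the poster's table, are exactly what this flags."""
    return [
        (str(net), gw, flags)
        for net, gw, flags, iface in parse_routes(text)
        if iface == "lo" and not net.subnet_of(LOOPBACK_NET)
    ]


if __name__ == "__main__":
    for (mac, vlan), ports in find_flapping_macs(FDB_SNAPSHOTS).items():
        print(f"MAC {mac} learned behind {ports} in VLAN {vlan}")
    for net, gw, flags in find_lo_bound_routes(ROUTE_SAMPLE):
        print(f"route {net} via {gw} ({flags}) is bound to lo")
```

    In practice you would feed `find_flapping_macs` a series of `bridge fdb show` (or `brctl showmacs`) dumps taken while traffic flows; a MAC that keeps moving between two ports is the switch's view of two identical MACs on one segment, and every move sends frames to the wrong port until the entry is relearned, which fits the intermittent slowness described in post 1. The route check only looks at the interface and the destination, not at whether the address is public, so it flags the RFC 1918 entry as well as the external one.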
