Add a VLAN tag to specific UDP port traffic


Solution 1

iptables and ebtables can't set VLAN tags on packets. That's what VLAN sub-interfaces are for.

There's an article on the Ubuntu wiki that discusses VLANs that you should probably review. In summary, though, you want to:

  • Make sure the 802.1q module is loaded with a modprobe 8021q.

  • Create the VLAN sub-interface with vconfig add eth0 444.

  • Add an IP address and subnet mask from the subnet used in VLAN 444 to the eth0.444 sub-interface with ip addr add x.x.x.x/z dev eth0.444.

You'll also need to configure the switch port to which the server is attached to accept tagged frames for VLAN 444. You don't mention your brand of switch so I can't give much guidance there, but you're probably looking for either a "trunk" or "general" port configured as a tagged member of VLAN 444 and an untagged member of whatever VLAN is used by the subnet assigned to the eth0 interface.

Be aware that tcpdump can have problems displaying the VLAN tags so don't necessarily assume that frames aren't being tagged if you're just using tcpdump on the host itself to verify that frames are tagged.

Edit:

Typically there's a one-to-one relationship between VLANs and IP subnets. It would be exceedingly atypical if the switch had a management interface in VLAN 444 that was the same IP subnet as whatever VLAN your current eth0 port is located in.
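The three steps above as one script, added here as an example and not part of the answer itself. It uses the iproute2 form (`ip link add ... type vlan id ...`), which is the current equivalent of `vconfig add eth0 444`; the parent interface `eth0`, VLAN `444` and the address `10.0.1.1/24` are assumptions, and the address has to come from whatever subnet the switches actually use in VLAN 444. By default the script only prints the plan and the verification commands; `--apply` runs them as root.

```shell
#!/bin/sh
# Added example (not from the original answer): tag VLAN 444 on eth0 the way the
# answer describes, using iproute2 ("ip link ... type vlan") in place of vconfig.
# PARENT, VID and ADDR are assumptions; ADDR must lie inside VLAN 444's subnet.
set -eu

PARENT="${PARENT:-eth0}"
VID="${VID:-444}"
ADDR="${ADDR:-10.0.1.1/24}"

# vlan_commands prints the configuration steps instead of running them, so the plan
# can be reviewed without root or a real NIC. Pipe the output into sh as root to apply.
vlan_commands() {
  parent="$1"; vid="$2"; addr="$3"
  cat <<EOF
modprobe 8021q
ip link add link ${parent} name ${parent}.${vid} type vlan id ${vid}
ip addr add ${addr} dev ${parent}.${vid}
ip link set ${parent}.${vid} up
EOF
}

# vlan_verify_commands prints the checks: the kernel's view of the sub-interface and
# its VLAN table, plus a capture on the PARENT interface with -e so the 802.1Q header
# is printed. Capturing on the sub-interface itself shows frames with the tag already
# stripped, which is one way people wrongly conclude that nothing is being tagged.
vlan_verify_commands() {
  parent="$1"; vid="$2"
  cat <<EOF
ip -d link show ${parent}.${vid}
cat /proc/net/vlan/config
tcpdump -e -n -i ${parent} vlan ${vid}
EOF
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
  vlan_commands "$PARENT" "$VID" "$ADDR" | sh -e
  vlan_verify_commands "$PARENT" "$VID"
else
  echo "# plan (re-run with --apply as root):"
  vlan_commands "$PARENT" "$VID" "$ADDR"
  echo "# then verify with:"
  vlan_verify_commands "$PARENT" "$VID"
fi
```

The switch side still has to be a tagged member of VLAN 444 on that port; nothing on the host can substitute for that.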

Solution 2

The 802.1Q tag is inserted into the MAC header, and the kernel won't decode it if your interface isn't VLAN tagged. So, even if you could mangle outgoing packets, incoming traffic with a VLAN tag would still be ignored.

What you need to do is create a VLAN tagged interface, just as you did, and add an IP to it within the same range as the switch IP you're trying to access.
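To make the "inserted into the MAC header" point concrete, an added example (not part of this answer) that builds and inspects frames as hex strings. The frame is constructed here, not captured: the tag (TPID 0x8100 plus a 16-bit TCI) goes between the source MAC and the EtherType, so everything an L3 tool like iptables operates on starts four bytes later, and a receiver that does not expect the tag reads 0x8100 where it expects the EtherType.

```shell
#!/bin/sh
# Added example, not from the original answer: where the 802.1Q tag lives in a frame.
# Frames are hex strings constructed here (2 hex digits per byte), not captured traffic.
set -eu

# Constructed untagged frame: dst MAC 01:02:03:04:05:06, src MAC 0a:0b:0c:0d:0e:0f,
# EtherType 0x0800 (IPv4), then a 20-byte IPv4 header whose protocol field is 17 (UDP).
UNTAGGED='0102030405060a0b0c0d0e0f08004500001c0000000040110000c0a80001c0a80002'

# slice STRING FROM [TO]: 1-based, inclusive character range; TO omitted means "to the end".
slice() { printf '%s' "$1" | cut -c"$2-${3:-}"; }

# tci PCP DEI VID: the 16-bit Tag Control Information, PCP (3 bits) | DEI (1 bit) | VID (12 bits).
tci() { printf '%04x' $(( ($1 << 13) | ($2 << 12) | ($3 & 4095) )); }

# tag_frame FRAME VID: insert TPID 0x8100 and the TCI after the 12-byte dst+src MAC,
# pushing the EtherType and the whole IP packet 4 bytes deeper.
tag_frame() {
  printf '%s8100%s%s' "$(slice "$1" 1 24)" "$(tci 0 0 "$2")" "$(slice "$1" 25)"
}

# vlan_id FRAME: the VID of a tagged frame, or "untagged" when bytes 12-13 are not 0x8100.
vlan_id() {
  if [ "$(slice "$1" 25 28)" = 8100 ]; then
    echo $(( 0x$(slice "$1" 29 32) & 4095 ))
  else
    echo untagged
  fi
}

# ethertype FRAME: the EtherType of the carried protocol, skipping the tag when present.
ethertype() {
  if [ "$(slice "$1" 25 28)" = 8100 ]; then slice "$1" 33 36; else slice "$1" 25 28; fi
}

TAGGED=$(tag_frame "$UNTAGGED" 444)
printf 'untagged: %s -> vid %s, ethertype %s\n' "$UNTAGGED" "$(vlan_id "$UNTAGGED")" "$(ethertype "$UNTAGGED")"
printf 'tagged:   %s -> vid %s, ethertype %s\n' "$TAGGED" "$(vlan_id "$TAGGED")" "$(ethertype "$TAGGED")"
```

The VID 444 lands in the low 12 bits of the TCI (0x01bc); the IP header itself is byte-for-byte unchanged, which is why the receive path cannot be fixed at the IP layer either.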


Author: Noah Kreiger, Real-time/Embedded SW specialist with proven expertise in Networking and Storage

Updated on September 18, 2022

Comments

  • Noah Kreiger, almost 2 years

    I'm running an application in Ubuntu 12.04 that I've written that does some remote switch management. I have only a single NIC connected to the network of managed switches, eth0, which is set with IPv4 10.0.0.1/24. This IPv4 address is the only address that this Ubuntu machine can use, since this is the only "globally" routable address assigned to the Ubuntu machine (due to some network administration, not due to technical issues...).

    I need the switch management traffic (NetConf over SSH, using UDP port 830) to include an 802.1q VLAN tag (VLAN ID 444) when sending the NetConf frames, and the replies will be received with this tag as well. All other traffic (http, ftp, dhcp, snmp, etc.) will use eth0 without the VLAN tag.

    I've tried using a VLAN interface eth0.444 on eth0, but it seems the traffic sent doesn't include the VLAN tag.

    Can I (and if so, how) use ebtables/iptables to add a specific VLAN tag to specific UDP port traffic? Will the ebtables/iptables solution also work for the receive path?

    Thank you!

    David

    David

    • drookie, over 9 years
      You're mixing terms. Your question is composed in a way where the most exact answer will be "you should not do this". dot1q VLANs are not used to distinguish traffic types; they are used to distinguish virtual networks. To distinguish traffic types, ToS and DSCP are used, but I'm not sure what you are trying to achieve, and ToS/DSCP don't seem applicable to this.
    • drookie, over 9 years
      You can use as many IPv4 addresses as you want. Basically, one per VLAN.
  • Noah Kreiger, over 9 years
    Can't add another IPv4 address to the VLAN interface, since the IPv4 in use for eth0 is the single one assigned and permitted to be used by the net admin. This IPv4 is "globally" routable and for some security reasons I can't get another...
  • Noah Kreiger, over 9 years
    Updated original question: can't use another IPv4 address.
  • drookie, over 9 years
    I doubt there can be any "security" reason to violate basic network principles.
  • Noah Kreiger, over 9 years
    Eugene M. Zheganin: Why is it a "violation of basic network principles"? The IPv4 address "belongs" to the entire machine (having a single interface to the world), but still I need to use a separate VLAN just for management of other devices, while "regular" traffic is handled untagged. Is it a MUST to have another IPv4 just because I also use a VLAN interface?
  • Andy, over 5 years
    Should be modprobe 8021q. It's an 802.1q VLAN, not an 802.11 WLAN :-).