Vlan over Netplan in 18.04 LTS

Disclaimer: To this day I've been a lurker, still learning and for the the first time in 2 years, I didn't find any answer to my question, thank you very much for your read and I hope you'll take some time to help

I'm trying to setup two VLANS on my already existing LAN card, the purpose of this setup is to first make a first VLAN work before having everything going through different VLANS for different purposes

Here is my configuration:

Lan card:

cat /etc/netplan/10-enp1s0.yaml network:  version: 2  renderer: networkd  ethernets:
#LAN CARD config
   enp1s0:
     optional: true
     dhcp4: false
     dhcp6: false
     addresses: [192.168.1.91/24, ]
     gateway4: 192.168.1.254
     nameservers:
       addresses: [192.168.1.91, ] //I have a DNS on the server
       search: [domain.net]

Vlan:

cat /etc/netplan/11-vlan.11.yaml
 vlans:
   vlan.11:
     id: 11
     link: enp1s0
     optional: true
     dhcp4: false
     dhcp6: false
     addresses: [192.168.1.92/24, ]
     nameservers:
       addresses: [192.168.1.91, ]

With this configuration, here are the results:

• When I try to ping vlan.11 from enp1s0, or the other way around I have no reply.
• When I try to ping any internet from enp1s0, it works, but when I try with vlan.11, it doesn't work.

8.8.8.8 with enp1s0:

ping -I enp1s0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.91 enp1s0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.24 ms

8.8.8.8 with vlan.11:

ping -I vlan.11 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.92 vlan.11: 56(84) bytes of data.
3 packets transmitted, 0 received, 100% packet loss, time 2039ms

• The last part and the weirdest one is that I'm able to ping both adresses with my a different PC on the same network

Pinging 192.168.1.91 with 32 bytes of data: Reply from 192.168.1.91:
bytes=32 time<1ms TTL=64

Pinging 192.168.1.92 with 32 bytes of data: Reply from 192.168.1.92:
bytes=32 time<1ms TTL=64 Reply from 192.168.1.92: bytes=32 time<1ms
TTL=64

So, can you please explain me why my vlan is not working properly ? What am I missing to have vlan.11 to behave like a network card.

Thank you very much for your read and any help is greatly appreciated.

When I type sudo netplan --debug generate, I see this (don't worry about enp2s0, not configured neither connected for now):

sudo netplan --debug generate
DEBUG:command generate: running ['/lib/netplan/generate']
** (generate:9423): DEBUG: 11:30:08.752: Processing input file /etc/netplan/10-enp1s0.yaml..
** (generate:9423): DEBUG: 11:30:08.752: starting new processing pass
** (generate:9423): DEBUG: 11:30:08.752: Processing input file /etc/netplan/11-vlan.11.yaml..
** (generate:9423): DEBUG: 11:30:08.752: starting new processing pass
** (generate:9423): DEBUG: 11:30:08.752: Processing input file /etc/netplan/20-enp2s0.yaml..
** (generate:9423): DEBUG: 11:30:08.752: starting new processing pass
** (generate:9423): DEBUG: 11:30:08.752: vlan.11: setting default backend to 1
** (generate:9423): DEBUG: 11:30:08.752: Configuration is valid
** (generate:9423): DEBUG: 11:30:08.752: enp2s0: setting default backend to 1
** (generate:9423): DEBUG: 11:30:08.752: Configuration is valid
** (generate:9423): DEBUG: 11:30:08.752: enp1s0: setting default backend to 1
** (generate:9423): DEBUG: 11:30:08.752: Configuration is valid
** (generate:9423): DEBUG: 11:30:08.752: Generating output files..
** (generate:9423): DEBUG: 11:30:08.752: NetworkManager: definition enp1s0 is not for us (backend 1)
** (generate:9423): DEBUG: 11:30:08.752: NetworkManager: definition vlan.11 is not for us (backend 1)
** (generate:9423): DEBUG: 11:30:08.752: NetworkManager: definition enp2s0 is not for us (backend 1)

Hello, Thank you very much for your time. By "erasing" I just meant I'll remove IP configuration from the LAN card, not erasing the yaml file of course, I've corrected the question. Thank you for answering my question, I've tried this solution however I'm having the exact same result as with the configuration I posted above. Everything is behaving the exact same way. Do you have any other suggestion ?

@Samy Your sudo netplan --debug generate is for when you still had two separate .yaml files. Show me when using my .yaml please.

@Samy show me uname -r and dpkg -l *netplan*

@Samy What does "I'll remove IP configuration from the LAN card" mean?

Thank you very much for your time, I'll put it below

@Samy Please see my prior comment about sudo netplan --debug generate while using only my .yaml file. Then do sudo netplan apply then reboot, then retest the pings.

I've edited my answer using your config file only, I've retested the pings and it's behaving in the same exact manner.... If this can help, networkctl list is giving me "configuring" on each interface.

@Samy I'd try booting to a Ubuntu Live 19.10 DVD/USB, installing my .yaml, and see if it works there.

Good idea! I'll give it a try

Alright, after LONG minutes of testing, I've come up with a fresh new install on two different computers, and used exactly what you've sent me, and still have the same behavior. At this point, I think I'm stupid because I think I got the issue. All those computers are connected through a switch that came with the ISP. Do I need something special is term of hardware ?

@Samy You tried 19.10, yes? I don't think the problem is with you... I think the problem is with netplan. Is this a server or desktop installation?

@Samy Please see wiki.ubuntu.com/vlan and askubuntu.com/questions/660506/…. These are NetworkManager specific, but the vlan and 8021q software may be required for this to work with netplan. If you're using netplan, then you shouldn't modify /etc/network/interfaces. Report back.

Oh...I've tried 18.04 because that's the setup I have, however in both cases I have the latest version of netplan package. my main computer is the server 18.04 LTS version, the one I did use on the USB is 18.04 LTS desktop version.

I've seen those links, I already have 8021q module installed and firing up at boot, however I didn't want to use vlan package for the fact that netplan should be able to do it, it's just I'm uncomfortable with splitting up my network configuration between netplan & vlan. of course I won't modify network/interfaces because of the risk of conflict. I will check if netplan need vlan module setup tonight, I will keep you informed, and again, thank you very much for your help and time, you're really making me ask myself the right questions

Also, my renderer is networkd, not NetworkManager

Alright, reporting time. I've tried setting up everything, installing vlan and doing the steps required, with the method in the wiki and the netplan method I've been using till now, I have the same exact result. I can ping both vlan interfaces from a windows PC in the same network, but the vlans can't ping ANYTHING, not even each other or the windows machine that can ping them successfully. At this point, I believe my configuration is correct, but something is missing, or blocking to traffic out of the vlans. What do you think ?

@Samy I just spent the last few hours playing with this myself. I set up a 19.10 server in Virtualbox, and used a clone of my .yaml file. What I found was that ip a showed .91 and .92. I could ping/host in/out of .91, but not .92. I could ping both .91 and .92 from my host, AND I could ssh into either .91 or .92. What have we learned? That vlans don't work the way we think they do. There's a user here named slangseek, or something like that, who works for the netplan folks, and I wish we could track him down...

@Samy I found that user... name is "slangasek"... and I just sent them a message, asking them to take a look at your question. Hopefully...

Hope he will answer, thank you very much. If it wasn't you, no one for now have answered me and I would have lost faith on this. It's my first question ever on this website.

I don't understand this answer. 'ping -I' always takes an interface name, but you don't say what interface name you used in place of 'vlan.11'. And no, vlan.11 is not a "layer 2" name. Your previous ping output shows that ping /does/ recognize it as an interface name. My question would be, how is your switch configured for the handling of this vlans? You can't put a vlan on a bare, unmanaged network and expect it to interoperate; only other devices using the same vlan ID (ID 11) will see your interface, and you don't mention anything about that configuration.

Also you mention trying to ping the public internet using the VLAN interface, but you don't mention having set up any routing via that VLAN, either. Is a vlan actually what you're trying to set up? Or are you really after having multiple addresses assigned to an interface?

Hello @slangasek, I will to answer your questions the best I can. I myself don't understand why ping -I vlan.11 doesn't work, but actually ping -I 192.168.1.92 (which is the ip of vlan.11) work.

Vlan.11 is not interoperating with anything, I'm just using it to have a second ip adress on my network card, it directly communicate with the main switch/ISP router.

Yes I'm able to ping public addresses without setting any routing, I actually posted my netplan config, you can try it yourself and see that it works, why ? I'm not a network engi... however I think that's because it's linked to the main NIC and it route everything through it by default

If you are not using vlans for broadcast domain isolation on a physical network, then vlans are the wrong tool for what you're trying to accomplish. If all you want is a second IP address, then use netplan's support for multiple addresses on a single interface.

Thank you very much for your advice ! Can you please send me some good read about vlan and how to properly setup one for domain isolation in a network please ? I want to implement that in the future to isolate my computer and work tools from home network (I work from home from time to time)

Here is some information about what a vlan is and what they are used for: study-ccna.com/what-is-a-vlan In order to use vlans for isolation to prevent machines from being able to see each other (instead of someone just reconfiguring the system to talk on a vlan), you need vlan support on your switches.

Thank you very much for your help. Problems solved and questions answered, have a good day !