Scenario

We have a router/firewall with two NICs one used to connect to the Internet (WAN) and the other to connect to the local network (LAN). We would like to beef up the security aspect of our site and introduce a Demilitarized Zone (DMZ). If this should be implemented without the use of vlans we would have to buy a new switch and a third NIC for our router/firewall.

Luckily the switch used supports 802.1q. The switch configuration is done by adding a new vlan. How this is done should be documented in the switch documentation.

Networks

• WAN 172.16.0.0/24
• LAN 192.168.0.0/24
• DMZ 10.0.0.0/24

Installation

sudo apt-get install vlan

 

Configuration

Load the 8021q module into the kernel.

sudo modprobe 8021q

Create a new interface that is a member of a specific vlan, vlan id 10 is used.

sudo vconfig add eth1 10

Assigning an address to the new interface.

sudo ip addr add 10.0.0.1/24 dev eth1.10

 

To make this setup permanent, some lines has to be added to some configuration files.

Add the module to the kernel on boot.

sudo su -c 'echo "8021q" >> /etc/modules'

Create the interface and make it available during the boot. Add the following lines to /etc/network/interfaces

auto eth1.10
iface eth1.10 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    vlan-raw-device eth1