wiki:TipAndDoc/Linux/OpenWRT/vlan

Version 7 (modified by mitty, 11 years ago) (diff)

--

restrictions of vlan with OpenWRT on WZR-HP-AG300H

  • eth0側でH/W VLANを無効(config switch_vlanを削除)にすると、eth0からの有線でのWZR-HP-AG300Hへのアクセスが不能になる
  • H/Wに設定したVLAN ID以外のtagged VLAN packetをeth0に向けて送信しても、eth0まで届かない
    • 単なるSwitching HUBとは異なる
    • eth1側にはこのような制約はない
      • mitty@AG300H:~$ sudo vconfig add eth1 2408
      • mitty@AG300H:~$ sudo ifconfig eth1.2408 10.0.0.1
      • これで、別のマシンから eth0.2408 などを通してpingが正しく届く
        • mitty@AG300H:~$ sudo tcpdump -e -i eth1
          12:20:52.941468 00:1d:zy:xz:yx:dc (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2408, p 0, ethertype ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 46
          12:20:52.941555 00:24:xx:yy:zz:76 (oui Unknown) > 00:1d:zy:xz:yx:dc (oui Unknown), ethertype 802.1Q (0x8100), length 46: vlan 2408, p 0, ethertype ARP, Reply 10.0.0.1 is-at 00:24:xx:yy:zz:76 (oui Unknown), length 28
          12:20:52.941675 00:1d:zy:xz:yx:dc (oui Unknown) > 00:24:xx:yy:zz:76 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 2408, p 0, ethertype IPv4, 10.0.0.2 > 10.0.0.1: ICMP echo request, id 2890, seq 1, length 64
          12:20:52.941855 00:24:xx:yy:zz:76 (oui Unknown) > 00:1d:zy:xz:yx:dc (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 2408, p 0, ethertype IPv4, 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 2890, seq 1, length 64
          12:20:53.938338 00:1d:zy:xz:yx:dc (oui Unknown) > 00:24:xx:yy:zz:76 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 2408, p 0, ethertype IPv4, 10.0.0.2 > 10.0.0.1: ICMP echo request, id 2890, seq 2, length 64
          12:20:53.938458 00:24:xx:yy:zz:76 (oui Unknown) > 00:1d:zy:xz:yx:dc (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 2408, p 0, ethertype IPv4, 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 2890, seq 2, length 64
          
  • untagged/taggedを同じネットワーク上で使う(multi vlan/trunking)場合、LAN側からuntagged packetをNAPTするにはeth0ではなくeth0.0をGatewayにする必要がある
  • VLAN IDは0~127のみ使用可能
    • wrong setting
      config switch_vlan
      	option device 'eth0'
      	option vlan '0'
      	option ports '0 1 2 3 4'
      
      config switch_vlan
      	option device 'eth0'
      	option vlan '128'
      	option ports '0t 1t 2t 3t 4t'
      
      • mitty@AG300H:~$ swconfig dev eth0 show
        VLAN 0:
        	vid: 0
        	ports: 0 1 2 3 4
        
    • correct setting
      config switch_vlan
      	option device 'eth0'
      	option vlan '0'
      	option ports '0 1 2 3 4'
      
      config switch_vlan
      	option device 'eth0'
      	option vlan '127'
      	option ports '0t 1t 2t 3t 4t'
      
      • mitty@AG300H:~$ swconfig dev eth0 show
        VLAN 0:
        	vid: 0
        	ports: 0t 1t 2t 3t 4t
        VLAN 127:
        	vid: 127
        	ports: 0t 1t 2t 3t 4t
        

switch_vlan config with "option vlan '0'"

  • http://wiki.openwrt.org/doc/uci/network/switch#vlanswitch.config

    In the option ports line, a number indicates that the specified vlan includes the port with that number. If the number is followed by a "t" then packets transmitted out that port on this VLAN are tagged, and that packets received on that port may be received with this VLAN tag. So, '0 1 2 3 5t' would mean that packets on this VLAN are transmitted untagged when leaving ports 0, 1, 2 and 3, but tagged when leaving port 5 (generally the CPU internal port as described above).

  • となっているが、untaggedなはずのportからも実際にはtagged packetが送出される
  • この問題は、VLAN ID として0を指定すると解決する

sample setting with problem

  • /etc/config/network
    config interface 'lan'
    	option ifname 'eth0.1'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ipaddr '192.168.0.1'
    
    config interface 'vlan'
    	option ifname 'eth0.2'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ipaddr '192.168.2.1'
    
    config switch
    	option name 'eth0'
    	option reset '1'
    	option enable_vlan '1'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '1'
    	option ports '0t 1 2 3 4'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '2'
    	option ports '0t 1t 2t 3t 4t'
    
    • VLAN1のポート1はuntaggedになっているが、実際にはVLAN IDは除去されない
  • mitty@AG300H:~$ ifconfig |egrep 'Link|addr'
    eth0      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
    eth0.1    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
    eth0.2    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
    

with Linux node

  • root@Microknoppix:~# ifconfig |egrep 'Link|addr'
    eth1      Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
              inet addr:192.168.0.60  Bcast:192.168.0.255  Mask:255.255.255.0
    eth1.1    Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
    eth1.2    Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
              inet addr:192.168.2.60  Bcast:192.168.2.255  Mask:255.255.255.0
    
  • root@Microknoppix:~# ip route
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.60
    192.168.2.0/24 dev eth1.2  proto kernel  scope link  src 192.168.2.60
    

untagged

  • root@Microknoppix:~# ping 192.168.0.1 -c 2
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    From 192.168.0.60 icmp_seq=1 Destination Host Unreachable
    From 192.168.0.60 icmp_seq=2 Destination Host Unreachable
    
    --- 192.168.0.1 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1008ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:07:48.165448 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.0.1 tell 192.168.0.60, length 46
    00:07:48.165493 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 28
    00:07:49.168881 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.0.1 tell 192.168.0.60, length 46
    00:07:49.168925 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 28
    00:07:50.172211 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.0.1 tell 192.168.0.60, length 46
    00:07:50.172255 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 28
    
  • root@Microknoppix:~# sudo tcpdump -n -e -i eth1 icmp or arp
    00:07:49.739793 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.60, length 28
    00:07:49.739923 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 42
    00:07:50.743222 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.60, length 28
    00:07:50.743361 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 42
    00:07:51.746558 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.60, length 28
    00:07:51.746698 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype ARP, Reply 192.168.0.1 is-at 00:24:xx:yy:zz:74, length 42
    
  • Microknoppixからすると、送る時はuntaggedなのに返ってくる時にtaggedになっているため、疎通不能である

VLAN ID 2 (eth0.2)

  • root@Microknoppix:~# ping 192.168.2.1 -c 2
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_req=1 ttl=64 time=2.95 ms
    64 bytes from 192.168.2.1: icmp_req=2 ttl=64 time=0.268 ms
    
    --- 192.168.2.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.268/1.610/2.952/1.342 ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:09:52.211509 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.60, length 46
    00:09:52.211613 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Reply 192.168.2.1 is-at 00:24:xx:yy:zz:74, length 28
    00:09:52.211741 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3528, seq 1, length 64
    00:09:52.211927 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3528, seq 1, length 64
    00:09:53.210338 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3528, seq 2, length 64
    00:09:53.210453 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3528, seq 2, length 64
    
  • root@Microknoppix:~# sudo tcpdump -n -e -i eth1 icmp or arp
    00:09:53.786560 00:1d:zy:xz:yx:dc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.60, length 28
    00:09:53.786782 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 60: vlan 2, p 0, ethertype ARP, Reply 192.168.2.1 is-at 00:24:xx:yy:zz:74, length 42
    00:09:53.786816 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3528, seq 1, length 64
    00:09:53.787074 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3528, seq 1, length 64
    00:09:54.785397 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3528, seq 2, length 64
    00:09:54.785632 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3528, seq 2, length 64
    
  • eth1.2 (VLAN ID 2)については問題ない

VLAN ID 1 (eth1.1)

  • eth1.1で通信するように変更すると、疎通可能になる
  • root@Microknoppix:~# ifconfig eth1 0.0.0.0
  • root@Microknoppix:~# ifconfig eth1.1 192.168.0.60
  • root@Microknoppix:~# ping 192.168.0.1 -c 2
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    64 bytes from 192.168.0.1: icmp_req=1 ttl=64 time=0.490 ms
    64 bytes from 192.168.0.1: icmp_req=2 ttl=64 time=0.268 ms
    
    --- 192.168.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.268/0.379/0.490/0.111 ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:16:27.724498 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3579, seq 1, length 64
    00:16:27.724738 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Request who-has 192.168.0.60 tell 192.168.0.1, length 28
    00:16:27.724841 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Reply 192.168.0.60 is-at 00:1d:zy:xz:yx:dc, length 46
    00:16:27.724863 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3579, seq 1, length 64
    00:16:28.723493 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3579, seq 2, length 64
    00:16:28.723613 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3579, seq 2, length 64
    
  • root@Microknoppix:~# sudo tcpdump -n -e -i eth1 icmp or arp
    00:16:29.301169 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3579, seq 1, length 64
    00:16:29.301509 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype ARP, Request who-has 192.168.0.60 tell 192.168.0.1, length 42
    00:16:29.301538 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Reply 192.168.0.60 is-at 00:1d:zy:xz:yx:dc, length 28
    00:16:29.301628 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3579, seq 1, length 64
    00:16:30.300170 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3579, seq 2, length 64
    00:16:30.300407 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3579, seq 2, length 64
    

with Windows

  • Windowsは、NICのドライバが対応していないと、VLAN IDを解さないのでおかしなことになる

untagged

  • Windows:NICのアドレス>192.168.0.102
  • D:\tmp>ping 192.168.0.1 -n 2
    192.168.0.1 に ping を送信しています 32 バイトのデータ:
    192.168.0.1 からの応答: バイト数 =32 時間 <1ms TTL=64
    192.168.0.1 からの応答: バイト数 =32 時間 =1ms TTL=64
    
    192.168.0.1 の ping 統計:
        パケット数: 送信 = 2、受信 = 2、損失 = 0 (0% の損失)、
    ラウンド トリップの概算時間 (ミリ秒):
        最小 = 0ms、最大 = 1ms、平均 = 0ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    23:22:02.948026 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4079, length 40
    23:22:02.948193 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4079, length 40
    23:22:03.950631 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4080, length 40
    23:22:03.950753 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4080, length 40
    
  • D:\tmp>windump -i 3 -e -n icmp or arp
    23:22:02.869718 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 74: 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4079, length 40
    23:22:02.869962 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype IPv4 (0x0800), length 74: 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4079, length 40
    23:22:03.872305 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 74: 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4080, length 40
    23:22:03.872450 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype IPv4 (0x0800), length 74: 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4080, length 40
    
  • WZR-HP-AG300Hからすると、VLAN IDを付与して返信しているが、WindowsがVLAN IDを解さないので通信出来てしまう

VLAN ID 2

  • Windows:NICのアドレスを手動設定 -> 192.168.2.102
  • Windowns -> WZR-HP-AG300H
    • D:\tmp>ping 192.168.2.1 -n 2
      192.168.2.1 に ping を送信しています 32 バイトのデータ:
      192.168.2.102 からの応答: 宛先ホストに到達できません。
      192.168.2.102 からの応答: 宛先ホストに到達できません。
      
      192.168.2.1 の ping 統計:
          パケット数: 送信 = 2、受信 = 2、損失 = 0 (0% の損失)、
      
    • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
      23:32:20.640132 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      23:32:21.257157 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      23:32:22.257232 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      23:32:23.260331 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      23:32:24.257369 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      23:32:25.257364 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Request who-has 192.168.2.1 tell 192.168.2.102, length 46
      
    • D:\tmp>windump -i 3 -e -n icmp or arp
      23:32:20.592232 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      23:32:21.209364 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      23:32:22.209380 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      23:32:23.212432 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      23:32:24.209411 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      23:32:25.209295 1c:c1:zz:yy:xx:ww > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.2.1 tell 192.168.2.102
      
    • Windowsから送出されるパケットにはVLAN IDが付与されないため、自動的にVLAN ID 1が付与される
  • WZR-HP-AG300H -> Windows
    • mitty@AG300H:~$ sudo ping 192.168.2.102
      PING 192.168.2.102 (192.168.2.102): 56 data bytes
      ^C
      --- 192.168.2.102 ping statistics ---
      73 packets transmitted, 0 packets received, 100% packet loss
      
    • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
      23:59:17.651760 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 192.168.2.102 tell 192.168.2.1, length 28
      23:59:17.652365 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Reply 192.168.2.102 is-at 1c:c1:zz:yy:xx:ww, length 46
      23:59:18.651759 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 192.168.2.102 tell 192.168.2.1, length 28
      23:59:18.652148 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP, Reply 192.168.2.102 is-at 1c:c1:zz:yy:xx:ww, length 46
      
    • D:\tmp>windump -i 3 -e -n icmp or arp
      23:59:17.646191 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 56: arp who-has 192.168.2.102 tell 192.168.2.1
      23:59:17.646786 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype ARP (0x0806), length 42: arp reply 192.168.2.102 is-at 1c:c1:zz:yy:xx:ww
      23:59:18.645996 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 56: arp who-has 192.168.2.102 tell 192.168.2.1
      23:59:18.646292 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype ARP (0x0806), length 42: arp reply 192.168.2.102 is-at 1c:c1:zz:yy:xx:ww
      
    • VLAN IDが抜け落ちるため、arpを受信出来てしまいreplyしているが、WZR-HP-AG300H側としてはVLAN ID 1のパケットとして届くので疎通出来ない

how to solve

  • 先に述べたように、VLAN IDとして0を設定すればよい
    • このとき、忘れずにconfig interface 'lan'option ifname 'eth0.0'に変更する
    • lan->wanで正常にNAPTされなくなる
  • ただし、WebUIからはセット出来ないため、/etc/config/networkをvimなどで直接編集する必要がある
  • /etc/config/network
    config interface 'lan'
    	option ifname 'eth0.0'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ipaddr '192.168.0.1'
    
    config interface 'vlan'
    	option ifname 'eth0.2'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ipaddr '192.168.2.1'
    
    config switch
    	option name 'eth0'
    	option reset '1'
    	option enable_vlan '1'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '0'
    	option ports '0t 1 2 3 4'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '2'
    	option ports '0t 1t 2t 3t 4t'
    
    • 設定ファイルを直接編集することにより、VLAN IDを0にすることが可能(実際にはタグ無しパケットになる)
    • ただし、WebUIからはそれ以降設定変更がが不能になる
    • (追記)vlan 0はoption ports '0 1 2 3 4'でも良い
  • mitty@AG300H:~$ ifconfig |egrep 'Link|addr'
    eth0      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
    eth0.2    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
    

check connection with Linux node

  • root@Microknoppix:~# ifconfig |egrep 'Link|addr'
    eth1      Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
              inet addr:192.168.0.60  Bcast:192.168.0.255  Mask:255.255.255.0
    eth1.1    Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
    eth1.2    Link encap:Ethernet  HWaddr 00:1d:zy:xz:yx:dc
              inet addr:192.168.2.60  Bcast:192.168.2.255  Mask:255.255.255.0
    

untagged

  • root@Microknoppix:~# ping 192.168.0.1 -c 2
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    64 bytes from 192.168.0.1: icmp_req=1 ttl=64 time=0.460 ms
    64 bytes from 192.168.0.1: icmp_req=2 ttl=64 time=0.289 ms
    
    --- 192.168.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.289/0.374/0.460/0.087 ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:52:59.314253 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3644, seq 1, length 64
    00:52:59.314476 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.60 tell 192.168.0.1, length 28
    00:52:59.314579 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype ARP (0x0806), length 60: Reply 192.168.0.60 is-at 00:1d:zy:xz:yx:dc, length 46
    00:52:59.314600 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3644, seq 1, length 64
    00:53:00.313226 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.60 > 192.168.0.1: ICMP echo request, id 3644, seq 2, length 64
    00:53:00.313323 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.60: ICMP echo reply, id 3644, seq 2, length 64
    00:53:00.376869 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype IPv4 (0x0800), length 148: 192.168.0.1 > 192.168.0.102: ICMP net 192.168.83.228 unreachable,
    

VLAN ID 2

  • root@Microknoppix:~# ping 192.168.2.1 -c 2
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_req=1 ttl=64 time=0.461 ms
    64 bytes from 192.168.2.1: icmp_req=2 ttl=64 time=0.357 ms
    
    --- 192.168.2.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.357/0.409/0.461/0.052 ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:53:34.735856 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3645, seq 1, length 64
    00:53:34.736074 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 192.168.2.60 tell 192.168.2.1, length 28
    00:53:34.736175 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, Reply 192.168.2.60 is-at 00:1d:zy:xz:yx:dc, length 46
    00:53:34.736197 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3645, seq 1, length 64
    00:53:35.735528 00:1d:zy:xz:yx:dc > 00:24:xx:yy:zz:74, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.60 > 192.168.2.1: ICMP echo request, id 3645, seq 2, length 64
    00:53:35.735663 00:24:xx:yy:zz:74 > 00:1d:zy:xz:yx:dc, ethertype 802.1Q (0x8100), length 102: vlan 2, p 0, ethertype IPv4, 192.168.2.1 > 192.168.2.60: ICMP echo reply, id 3645, seq 2, length 64
    

check connection with Windows node

  • D:\tmp>ping 192.168.0.1 -n 2
    192.168.0.1 に ping を送信しています 32 バイトのデータ:
    192.168.0.1 からの応答: バイト数 =32 時間 <1ms TTL=64
    192.168.0.1 からの応答: バイト数 =32 時間 =1ms TTL=64
    
    192.168.0.1 の ping 統計:
        パケット数: 送信 = 2、受信 = 2、損失 = 0 (0% の損失)、
    ラウンド トリップの概算時間 (ミリ秒):
        最小 = 0ms、最大 = 1ms、平均 = 0ms
    
  • mitty@AG300H:~$ sudo tcpdump -n -e -i eth0 icmp or arp
    00:55:12.487241 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 74: 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4106, length 40
    00:55:12.487393 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype IPv4 (0x0800), length 74: 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4106, length 40
    00:55:13.490727 1c:c1:zz:yy:xx:ww > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 74: 192.168.0.102 > 192.168.0.1: ICMP echo request, id 1, seq 4107, length 40
    00:55:13.490841 00:24:xx:yy:zz:74 > 1c:c1:zz:yy:xx:ww, ethertype IPv4 (0x0800), length 74: 192.168.0.1 > 192.168.0.102: ICMP echo reply, id 1, seq 4107, length 40
    

Briding LAN to NTT-NGN with tagged VLAN

  • 目的
    • eth1側のONU(NGN網)へ、eth0側のLAN配下のノードからL2で繋ぎたい
    • 単純にeth0 <-> eth1でブリッジすると、LAN側のパケットがフィルタ無しでNGN網に飛ぶので推奨されない
  • 方法
    1. eth0 <-> eth1でブリッジして、br deviceをpppoeのifnameに書くのが一番楽
      • PPPoEはoption ifnameをbr deviceのものに書き換えることで正常に動作するようになる
    2. LAN <-> PPPoEとは別に、VLANデバイスを作成してそれをeth1とブリッジする
      • 設定が煩雑
  • firewall(iptables/ufw)の設定を失念していていると、疎通出来ずに混乱するので注意

Bridging eth0 <-> eth1 directly

  • LAN側のパケットがフィルタ無しでONU側(NGN網)に飛ぶことに注意
  • eth0 <- br -> eth1をブリッジした上で、pppdをbrデバイス上で動かす場合
  • webUIからはpppoeの対象としてbrデバイスを選択出来ないため、設定ファイルを直接編集する必要がある
  • AG300H:/etc/config/network
    config interface 'lan'
           option ifname 'eth0 eth1'
           option type 'bridge'
           option proto 'static'
           option netmask '255.255.255.0'
           option ipaddr '192.168.0.1'
    
    config interface 'wan'
           option ifname 'br-lan'
           option proto 'pppoe'
    
  • mitty@AG300H:~$ ifconfig
    br-lan    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
    
    eth0      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
    
    eth1      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:76
    
    pppoe-wan Link encap:Point-to-Point Protocol
              inet addr:114.159.70.188  P-t-P:118.23.8.36  Mask:255.255.255.255
    
  • mitty@AG300H:~$ brctl show
    bridge name     bridge id               STP enabled     interfaces
    br-lan          8000.0024xxyyzz74       no              eth0
                                                            eth1
    

Bridging eth1 to VLAN network

  • AG300H:/etc/config/network
    config interface 'lan'
    	option ifname 'eth0.0'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ipaddr '192.168.0.1'
    
    config interface 'onu'
    	option ifname 'eth0.2 eth1'
    	option type 'bridge'
    	option proto 'none'
    	option auto '1'
    
    config interface 'wan'
    	option ifname 'br-onu'
    	option proto 'pppoe'
    
    config switch
    	option name 'eth0'
    	option reset '1'
    	option enable_vlan '1'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '0'
    	option ports '0 1 2 3 4'
    
    config switch_vlan
    	option device 'eth0'
    	option vlan '2'
    	option ports '0t 1t 2t 3t 4t'
    
  • 以下の様なネットワークになる
    • 前述の通り、NAPTによってPPPoEに抜けるにはeth0ではなくeth0.0を指定する点に注意
    • mitty@AG300H:~$ ifconfig
      br-onu    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
      
      eth0      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
      
      eth0.0    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
                inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
      
      eth0.2    Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:74
      
      eth1      Link encap:Ethernet  HWaddr 00:24:XX:YY:ZZ:76
      
      pppoe-wan Link encap:Point-to-Point Protocol
                inet addr:114.159.64.161  P-t-P:118.23.8.36  Mask:255.255.255.255
      
    • mitty@AG300H:~$ brctl show
      bridge name     bridge id               STP enabled     interfaces
      br-onu          8000.0024xxyyzz74       no              eth0.2
                                                              eth1
      
    • mitty@vlan-node:~$ ifconfig
      eth0      Link encap:Ethernet  HWaddr 00:16:3e:c9:70:da
                inet addr:192.168.0.166  Bcast:192.168.0.255  Mask:255.255.255.0
      
      eth0.2    Link encap:Ethernet  HWaddr 00:16:3e:c9:70:da
                inet6 addr: 2408:211:c083:6a00:a9b0:b00:786e:d38/64 Scope:Global
                inet6 addr: 2408:211:c083:6a00:216:3eff:fec9:70da/64 Scope:Global
      

check connection with untagged packet

  • mitty@vlan-node:~$ ping 8.8.8.8 -c 2
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_req=1 ttl=55 time=9.06 ms
    64 bytes from 8.8.8.8: icmp_req=2 ttl=55 time=8.42 ms
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 8.424/8.742/9.060/0.318 ms
    
  • mitty@vlan-node:~$ sudo tcpdump -e -n -i eth0 icmp or icmp6
    00:08:01.470667 00:16:3e:c9:70:da > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.166 > 8.8.8.8: ICMP echo request, id 543, seq 1, length 64
    00:08:01.479684 00:24:xx:yy:zz:74 > 00:16:3e:c9:70:da, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 192.168.0.166: ICMP echo reply, id 543, seq 1, length 64
    00:08:02.471963 00:16:3e:c9:70:da > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.166 > 8.8.8.8: ICMP echo request, id 543, seq 2, length 64
    00:08:02.480355 00:24:xx:yy:zz:74 > 00:16:3e:c9:70:da, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 192.168.0.166: ICMP echo reply, id 543, seq 2, length 64
    
  • mitty@AG300H:~$ sudo tcpdump -e -n -i eth0 icmp or icmp6
    00:08:01.470621 00:16:3e:c9:70:da > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.166 > 8.8.8.8: ICMP echo request, id 543, seq 1, length 64
    00:08:01.479326 00:24:xx:yy:zz:74 > 00:16:3e:c9:70:da, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 192.168.0.166: ICMP echo reply, id 543, seq 1, length 64
    00:08:02.471803 00:16:3e:c9:70:da > 00:24:xx:yy:zz:74, ethertype IPv4 (0x0800), length 98: 192.168.0.166 > 8.8.8.8: ICMP echo request, id 543, seq 2, length 64
    00:08:02.479991 00:24:xx:yy:zz:74 > 00:16:3e:c9:70:da, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 192.168.0.166: ICMP echo reply, id 543, seq 2, length 64
    

check connection with tagged packet

  • mitty@vlan-node:~$ ping6 flets-east.jp -c 2
    PING flets-east.jp(2404:1a8:ff06::1) 56 data bytes
    64 bytes from 2404:1a8:ff06::1: icmp_seq=1 ttl=57 time=4.42 ms
    64 bytes from 2404:1a8:ff06::1: icmp_seq=2 ttl=57 time=4.79 ms
    
    --- flets-east.jp ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 4.425/4.611/4.798/0.198 ms
    
  • mitty@AG300H:~$ sudo tcpdump -e -n -i eth0 icmp or icmp6
    00:12:11.795479 00:16:3e:c9:70:da > 00:12:e2:70:52:04, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2408:211:c083:6a00:a9b0:b00:786e:d38 > 2404:1a8:ff06::1: ICMP6, echo request, seq 1, length 64
    00:12:11.799675 00:12:e2:70:52:04 > 00:16:3e:c9:70:da, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2404:1a8:ff06::1 > 2408:211:c083:6a00:a9b0:b00:786e:d38: ICMP6, echo reply, seq 1, length 64
    00:12:12.797123 00:16:3e:c9:70:da > 00:12:e2:70:52:04, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2408:211:c083:6a00:a9b0:b00:786e:d38 > 2404:1a8:ff06::1: ICMP6, echo request, seq 2, length 64
    00:12:12.801717 00:12:e2:70:52:04 > 00:16:3e:c9:70:da, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2404:1a8:ff06::1 > 2408:211:c083:6a00:a9b0:b00:786e:d38: ICMP6, echo reply, seq 2, length 64
    
  • mitty@vlan-node:~$ sudo tcpdump -e -n -i eth0 icmp or icmp6
    00:12:11.793550 00:16:3e:c9:70:da > 00:12:e2:70:52:04, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2408:211:c083:6a00:a9b0:b00:786e:d38 > 2404:1a8:ff06::1: ICMP6, echo request, seq 1, length 64
    00:12:11.797929 00:12:e2:70:52:04 > 00:16:3e:c9:70:da, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2404:1a8:ff06::1 > 2408:211:c083:6a00:a9b0:b00:786e:d38: ICMP6, echo reply, seq 1, length 64
    00:12:12.795197 00:16:3e:c9:70:da > 00:12:e2:70:52:04, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2408:211:c083:6a00:a9b0:b00:786e:d38 > 2404:1a8:ff06::1: ICMP6, echo request, seq 2, length 64
    00:12:12.799942 00:12:e2:70:52:04 > 00:16:3e:c9:70:da, ethertype 802.1Q (0x8100), length 122: vlan 2, p 0, ethertype IPv6, 2404:1a8:ff06::1 > 2408:211:c083:6a00:a9b0:b00:786e:d38: ICMP6, echo reply, seq 2, length 64
    
  • 期待通り、VLANを通してONU側のNTT NGN網へ抜けている

BUGS

  • いくつかうまく通信出来ないケースがある
  1. SuperMicro X7SPA-HFのLAN1はIPMI用の口としても使われているが、全く通信出来ない
    • IPMIのMACアドレスをsourceとしてARP requestは来るが、IPMIのIPへpingを送ってもreplyが無い
  2. Windowsはtaggedパケットをuntaggedであるかのように受け取ってしまう(#withWindows)ため、WindowsノードではNGN網のRAを受け取ってしまいScope:Globalなv6アドレスが付与される
    • v6で通信しようとすると、untaggedでWZR-HP-AG300Hに届くため、期待通りにブリッジされない
  3. UT-VPNのローカルブリッジと相性が悪い
    • see wiki:TipAndDoc/network/vpn/utvpn#localbridge

      物理NICを追加するのが難しい場合(ノートPCなど)、UT-VPN Server側でTAPデバイスとローカルブリッジを作成し、TAPとターゲットとなる物理NICをさらにブリッジする

    • これを行うと、UT-VPN Serverが動いているノードから、ブリッジされている外部のノードへ通信出来ない
    • -> 詳細

something wrong on UT-VPN Windows client with complex vlan network

  1. tap経由ローカルブリッジ
    • ut-vpn serverの設定
    • この場合、utvpnノードからL2レベルで外に出ることが出来ない
      • utvpn:br0に繋がっているNIC(tap_utvpn以外のtapも含む)とだけ疎通可能
    • WZR-HP-AG300Hとも当然疎通出来ないので、WANに抜けることも不可
    • 症状
      • DHCPでIPが割り振られない
        • 図中のtap_utvpnでtcpdumpによりパケットキャプチャすると、クライアント側の仮想NICからはDHCP requestが正しく送出されていて、DHCPdも正しくDHCP replyしている
          21:02:04.824228 00:ac:4d:xz:yx:zy > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:ac:4d:xz:yx:zy, length 300
          21:02:04.824421 00:ac:4d:xz:yx:zy > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:ac:4d:xz:yx:zy, length 300
          21:02:04.826382 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 308
          21:02:04.828059 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 308
          21:02:07.707834 00:ac:4d:xz:yx:zy > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:ac:4d:xz:yx:zy, length 300
          21:02:07.708966 00:24:xx:yy:zz:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 308
          
        • クライアント側の仮想NICでキャプチャすると、DHCPに限らずパケットを全く受信していない
      • 手動でIPアドレスを付与しても、疎通不可
      • Windows 7 SP1 x64 / Windows XP SP3 32bit いずれでも同じ
      • Ubuntu 12.04 x64 / Ubuntu 12.10 (3.7.0) i686 では問題ないため、クライアント側の問題ではないかと思われる
  2. eth0に直接ローカルブリッジ
    • ut-vpn serverの設定
    • utvpn:br0に繋がっているNICとは疎通不可
    • それ以外はWindows/Linuxとも問題なし

Attachments (10)

Download all attachments as: .zip