I moved the L3 routing duties from my Untangle VM to the ICX6450. It was a lot easier than expected, but I wanted to write up what I did in one post, since I ended up pulling info from different posts here and externally to make one complete guide. Now my internet gateway is just a firewall and not a does-everything box, at long last!
1. Move your DHCP outside of your firewall. I've been meaning to do this for such a long time but finally have.
It's convenient, it works, you know it all. But the more I can make my firewall just a dumb box that does the one function it's supposed to (you know.. connecting to the internet) the better. You also avoid issues with the crap firewall vendors stick you with, easing configuration when you get the itch to try the next greatest firewall.
For some different reasons you should avoid using the FastIron DHCP server as well.
My poison of choice is dnsmasq for zero effort DHCP+DNS integration, but you can do the exact same thing with ISC, Kea, Windows Server, whatever.
Your dnsmasq or equivalent configuration should look similar to this:
Code:
# Untagged VLAN DHCP
# The tag names (home, vlan11) are labels you choose: they tie a range to its options and have no relation to the VLAN ID.
# Which dhcp-range/options get used depends on whether the ICX switch relayed the DHCP request or not
# (if it did, the relay address it embeds is the source VLAN's VE address, and dnsmasq matches that to a range's subnet: that is where the magic happens)
dhcp-range=home,10.10.1.100,10.10.1.240,255.255.255.0,12h
dhcp-option=home,option:router,10.10.1.1
dhcp-option=home,option:dns-server,10.10.1.8
dhcp-option=home,option:domain-search,BLAH.ca
# A single VLAN (11)
# Note you do NOT 'configure' the VLAN, you just configure the DHCP range and it will sort itself out
dhcp-range=vlan11,10.11.1.100,10.11.1.240,255.255.255.0,12h
dhcp-option=vlan11,option:router,10.11.1.1
dhcp-option=vlan11,option:dns-server,10.10.1.8
dhcp-option=vlan11,option:domain-search,BLAH.ca
- router: the default route/next-hop. I changed addressing so that the ICX6450 is .1 and my internet gw is .4, just to keep things consistent. Do as you do. Either way, the router option must be the IP of the ICX device in the same subnet as the range.
- dns-server: your DNS server. For me this is my DHCP server as well. Yours may be different.
- domain-search: optional; you'll know if you need it.
Then spend the next 20 mins copying over DHCP reservations to your config file and you are good.
VLAN1 will work automatically and use the right range. (really, I think it just uses the range with the same subnet as your DHCP host.)
At this point everything should be working as it was before.
2. Setup VLAN11 on the switch first. This will be the validation test that your config is OK.
N.B. I already had the tagged interfaces set up. If you don't, and you are going to be using both VLAN 1 (untagged) and tagged VLANs on the same port, connect via serial and enable dual-mode on VLAN 1 for those ports. Otherwise you will stop receiving VLAN 1 traffic on them.
Using dual-mode is really the same as combining trunk+access (Cisco): you can trunk X VLANs with an untagged native VLAN.
In my situation, 1/2/1 to 1/2/4 are connected to my proxmox hosts. They speak vlan1 but have trunks for a few tagged VLANs. This requires dual-mode.
Code:
# If you have NOT configured any VLANs before and need to enable dual-mode
# (because you want to send untagged vlan1, or another vlan, as WELL as tagged traffic)
# you need to configure each interface with dual-mode, e.g.:
interface ethernet 1/2/4
dual-mode
# done
# Create VLAN 11, tag the trunk ports and give it a virtual routing interface
vlan 11 name vlantest
tagged ethernet 1/2/1 to 1/2/4
router-interface ve 11
# Address ve 11; this is the gateway (default route) for hosts in VLAN 11
interface ve 11
ip address 10.11.1.1/24
ip helper-address 1 10.10.1.8
- ip helper-address: this is the DHCP relay option. The destination is your DHCP server (in any VLAN, so long as the switch can reach it). The VE's address is what your DHCP server uses to pick the matching subnet.
- ip address: the IP address (and mask) the switch takes in the subnet. This is what devices in the VLAN use as their next-hop/default route.
At this point you should have a working VLAN 11 with DHCP. Try it. Everything else should be working as it is.
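As an added illustration (not from the original post), here is a small Python model of the range selection that the dnsmasq config and the ip helper-address above rely on, plus a lint that catches an option:router outside its own range's subnet. It is a reimplementation for teaching purposes, not dnsmasq's own code, and the config text is a constructed sample copied from the ranges above.

```python
"""Model of dnsmasq range selection for relayed vs. direct DHCP requests.

dnsmasq picks the dhcp-range whose subnet contains the relay address (giaddr)
that the ICX puts into the forwarded request, i.e. the VE's IP. A non-relayed
request (giaddr 0.0.0.0) is matched against the address of the interface the
request arrived on. This is an illustrative reimplementation, not dnsmasq code."""
import ipaddress

# Constructed sample config: the two tags from the post.
DNSMASQ_CONF = """
dhcp-range=home,10.10.1.100,10.10.1.240,255.255.255.0,12h
dhcp-option=home,option:router,10.10.1.1
dhcp-option=home,option:dns-server,10.10.1.8
dhcp-range=vlan11,10.11.1.100,10.11.1.240,255.255.255.0,12h
dhcp-option=vlan11,option:router,10.11.1.1
dhcp-option=vlan11,option:dns-server,10.10.1.8
"""


def parse(conf):
    """Return {tag: {"net": IPv4Network, "options": {name: value}}}."""
    tags = {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("dhcp-range="):
            tag, start, _end, mask, _lease = line[len("dhcp-range="):].split(",")
            entry = tags.setdefault(tag, {"options": {}})
            entry["net"] = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        elif line.startswith("dhcp-option="):
            # split at most twice so option values containing commas survive
            tag, name, value = line[len("dhcp-option="):].split(",", 2)
            tags.setdefault(tag, {"options": {}})["options"][name] = value
    return tags


def select_tag(tags, giaddr, ifaddr):
    """Tag whose subnet contains giaddr (relayed) or ifaddr (direct), else None."""
    probe = ipaddress.IPv4Address(ifaddr if giaddr == "0.0.0.0" else giaddr)
    for tag, entry in tags.items():
        if probe in entry["net"]:
            return tag
    return None  # dnsmasq would reply nothing and log "no address range available"


def lint(tags):
    """Flag tags whose option:router is missing or outside the range's subnet."""
    problems = []
    for tag, entry in tags.items():
        router = entry["options"].get("option:router")
        if router is None or ipaddress.IPv4Address(router) not in entry["net"]:
            problems.append(f"{tag}: option:router {router} not in {entry['net']}")
    return problems
```

Run lint() against your real config before cutting over: a router option in the wrong subnet hands every client in that VLAN an unreachable gateway, which looks exactly like "DHCP works but nothing routes".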
3. Change the internet gw to another IP. I changed mine from 10.10.1.1/24 to 10.10.1.4/24.
This is optional if you don't mind juggling different IPs, but I kept it consistent: .1 is the ICX6450, .4 is Untangle.
Switch to the serial console at this point, unless you live by the seat of your pants, because you will almost certainly lose connectivity while the IP address changes.
4. Patch up VLAN 1 on the switch and fix the default routes.
Your addresses will of course be different.
Code:
# Change ve1's IP and default route
interface ve 1
no ip address 10.10.1.19/24
ip address 10.10.1.1/24
# (You need this if your DHCP server is on a different VLAN)
# (If it's the same VLAN, don't sweat it and you can omit this.)
ip helper-address 1 10.10.1.8
# Change the default route to the new firewall
exit
no ip route 0.0.0.0/0 10.10.1.1
ip route 0.0.0.0/0 10.10.1.4
5. Lastly, add a static route on the firewall for vlan11 (and any new future VLANs) to point at your switch. This will allow vlan11 to access the internet.
For mine, I created the route 10.11.1.0/24 via 10.10.1.1.
Yes, I could just route the whole 10.0.0.0/8, but routing each VLAN individually means a new VLAN has no internet connectivity until I deliberately link it up, which is a nice side effect.
At this point everything should work and your old firewall should no longer be doing inter-VLAN routing. Test DHCP, routing (between subnets and to the internet), etc.
Code:
$ traceroute 10.11.1.223
traceroute to 10.11.1.223 (10.11.1.223), 64 hops max
1 10.10.1.1 1.764ms 1.757ms 0.762ms
2 10.11.1.223 1.025ms 0.222ms 0.119ms
(10.10.1.1 is now my switch, 10.10.1.4 (the firewall) is no longer involved!)
Code:
# ./iperf3 -c 10.10.1.12 --bidir
Connecting to host 10.10.1.12, port 5201
[ 6] local 10.11.1.223 port 51624 connected to 10.10.1.12 port 5201
[ 8] local 10.11.1.223 port 51626 connected to 10.10.1.12 port 5201
[ ID][Role] Interval Transfer Bitrate Retr Cwnd
[ 6][TX-C] 0.00-1.00 sec 1.01 GBytes 8.67 Gbits/sec 301 413 KBytes
[ 8][RX-C] 0.00-1.00 sec 1001 MBytes 8.39 Gbits/sec
[ 6][TX-C] 1.00-2.00 sec 954 MBytes 8.01 Gbits/sec 0 721 KBytes
[ 8][RX-C] 1.00-2.00 sec 962 MBytes 8.07 Gbits/sec
[ 6][TX-C] 2.00-3.00 sec 1.05 GBytes 9.02 Gbits/sec 26 758 KBytes
[ 8][RX-C] 2.00-3.00 sec 1.04 GBytes 8.93 Gbits/sec
[...]
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID][Role] Interval Transfer Bitrate Retr
[ 6][TX-C] 0.00-10.00 sec 10.1 GBytes 8.64 Gbits/sec 1026 sender
[ 6][TX-C] 0.00-10.00 sec 10.1 GBytes 8.63 Gbits/sec receiver
[ 8][RX-C] 0.00-10.00 sec 10.1 GBytes 8.67 Gbits/sec 0 sender
[ 8][RX-C] 0.00-10.00 sec 10.1 GBytes 8.67 Gbits/sec receiver
(full duplex working! this is inside random containers, so the speed is what it is)