From: Lonnie A. <li...@lo...> - 2007-03-17 03:57:30
Friends,

This note documents my recent experience using VLANs in an SMB environment. Probably many of you are like me, and know what VLANs are and how useful they are, but relegated their use to the big-time corporate infrastructures. Well, I recently had a VLAN epiphany, and I am a believer; even for a small network.

For this discussion, consider the following equipment:

1) net4801 running m0n0wall (LAN - WAN - DMZ)
2) net4801 running AstLinux (asterisk, LAN port only)
3) net4801 running AstLinux (OpenVPN and NTP, LAN port only)
4) HP Procurve 1800-8G switches
5) Netgear FS116P PoE switch, SPA-942 phones and SIP ATAs
6) 802.11g access points

I had a couple of issues: the m0n0wall's DMZ included my wireless and asterisk together, and the OpenVPN box connected to the LAN, resulting in OpenVPN's virtual subnet overlaying the LAN subnet and requiring a hack in m0n0wall to not apply rules to multiple subnets on the same interface. Neither is good network design.

VLANs to the rescue. Since the net4801 supports 802.1Q VLAN tagging, I configured the DMZ port of m0n0wall as a VLAN 'trunk' to a Procurve 1800-8G switch (under $160). The m0n0wall's LAN and WAN ports remain standard untagged ethernet.

I created 4 VLANs on the m0n0wall DMZ interface (each VLAN is on its own private subnet):

1) VOIP - asterisk, IP phones and ATAs on non-VLAN switch
2) WLAN - 802.11g wireless
3) OVPN - solitary AstLinux box with OpenVPN, NTP; asterisk disabled
4) VLAN1 - VLAN management for switches

A key point is that all the magic is done in the m0n0wall and in the VLAN switch. The one switch port that connects to the m0n0wall VLAN trunk interface needs to be set to "tagged", but all the other ports can accept "All" ethernet types, basically untagged ethernet. The VLAN switch needs to be carefully configured, port by port, to assign which VLANs are a member on each port. The 'tagged' port to the m0n0wall must be a member of all four VLANs. The other untagged ingress ports are assigned only one VLAN membership, to match what the port is connected to.

Be very careful when configuring a VLAN switch: one mistake can make your network inoperable, worst case requiring a factory reset of the switch and starting over. Planning is the key. The Procurve 1800 has a very intuitive web interface for the VLAN setup.

The benefits:

1) The publicly available asterisk is segregated with tight firewall rules.
2) The wireless is segregated with tight firewall rules.
3) The OpenVPN server, with its own subnet, reaches any other device by passing through two interfaces, allowing full firewall rules and no hacks to reach a different subnet on the same segment.
4) Elegant, simple network design.

AstLinux has built-in VLAN interface support, but many will find a standard untagged AstLinux setup to a VLAN switch the easiest way to go.

I hope my experiences will be useful to the readers here.

Lonnie
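The port roles Lonnie describes (one "tagged" trunk port that is a member of every VLAN, and access ports that are untagged members of exactly one VLAN) are what make the segregation hold. The following is an added example, not code from Lonnie's post or from m0n0wall, AstLinux or HP: a small Python model of an 802.1Q switch that builds and parses tagged frames, classifies ingress frames per port, and tags or strips on egress. The VLAN IDs (1, 10, 20, 30), port names and MAC addresses are assumptions chosen for illustration; the post gives no numeric IDs. It shows why a host on an untagged-only access port cannot hop into another VLAN simply by sending its own tagged frames.

```python
"""
Minimal model of an IEEE 802.1Q switch with the port roles from the post:
a 'tagged' trunk port facing the m0n0wall and single-VLAN untagged access
ports.  Constructed example; VLAN IDs, port names and MACs are assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None  # None means the frame is untagged on the wire


def encode(f: Frame) -> bytes:
    """Serialise a frame, inserting a 4-byte 802.1Q tag (TPID + TCI) when vid is set."""
    out = f.dst + f.src
    if f.vid is not None:
        tci = f.vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", f.ethertype) + f.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame, recognising an 802.1Q tag immediately after the source MAC."""
    dst, src = raw[0:6], raw[6:12]
    (et,) = struct.unpack("!H", raw[12:14])
    if et == TPID_8021Q:
        tci, et = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, et, raw[18:], vid=tci & 0x0FFF)
    return Frame(dst, src, et, raw[14:])


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN assigned to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs carried with a tag on this port
    untagged: set = field(default_factory=set)  # VLANs carried without a tag on this port


def classify_ingress(port: Port, raw: bytes) -> Optional[tuple]:
    """Return (frame, vlan) if the port accepts the frame, or None if it drops it.

    Untagged frames land in the port's PVID.  Tagged frames are accepted only for
    VLANs the port carries tagged, so an untagged-only access port drops every
    tagged frame: the host cannot choose its own VLAN.  (Simplified rule; real
    switches have per-model ingress-filtering options.)
    """
    f = decode(raw)
    if f.vid is None:
        return f, port.pvid
    if f.vid in port.tagged:
        return f, f.vid
    return None


def forward(ports: dict, in_port: str, raw: bytes) -> dict:
    """Flood an accepted frame to every other member port, tagging per port role.

    Returns {port_name: bytes_on_the_wire}.  No MAC learning: this models VLAN
    isolation only, not a full learning bridge.
    """
    hit = classify_ingress(ports[in_port], raw)
    if hit is None:
        return {}
    f, vlan = hit
    out = {}
    for name, p in ports.items():
        if name == in_port:
            continue
        if vlan in p.tagged:
            out[name] = encode(Frame(f.dst, f.src, f.ethertype, f.payload, vid=vlan))
        elif vlan in p.untagged:
            out[name] = encode(Frame(f.dst, f.src, f.ethertype, f.payload, vid=None))
    return out


# Assumed numbering for the four VLANs named in the post.
VLAN_MGMT, VLAN_VOIP, VLAN_WLAN, VLAN_OVPN = 1, 10, 20, 30
ALL_VLANS = {VLAN_MGMT, VLAN_VOIP, VLAN_WLAN, VLAN_OVPN}

SWITCH = {
    "trunk": Port("trunk", pvid=VLAN_MGMT, tagged=set(ALL_VLANS)),  # to m0n0wall DMZ port
    "voip":  Port("voip", pvid=VLAN_VOIP, untagged={VLAN_VOIP}),    # to PoE switch / phones
    "wlan":  Port("wlan", pvid=VLAN_WLAN, untagged={VLAN_WLAN}),    # to access point
    "ovpn":  Port("ovpn", pvid=VLAN_OVPN, untagged={VLAN_OVPN}),    # to AstLinux OpenVPN box
}

BCAST = b"\xff" * 6                      # constructed MACs
PHONE, LAPTOP, FW = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x14", b"\x02\x00\x00\x00\x00\x01"


def phone_to_trunk() -> dict:
    """Untagged ARP from a phone reaches only the m0n0wall, tagged as VOIP."""
    return forward(SWITCH, "voip", encode(Frame(BCAST, PHONE, 0x0806, b"arp-who-has")))


def wlan_host_tries_to_hop() -> dict:
    """A wireless host forges a VOIP tag; the untagged-only access port drops it."""
    raw = encode(Frame(BCAST, LAPTOP, 0x0806, b"arp-who-has", vid=VLAN_VOIP))
    return forward(SWITCH, "wlan", raw)


def firewall_to_wlan() -> dict:
    """m0n0wall sends a WLAN-tagged frame; only the AP port receives it, stripped."""
    raw = encode(Frame(BCAST, FW, 0x0806, b"arp-reply", vid=VLAN_WLAN))
    return forward(SWITCH, "trunk", raw)
```

The second scenario is the one to watch when auditing a switch like the Procurve 1800: if an access port is accidentally given a "tagged" membership in a VLAN it should not carry, the forged-tag frame is no longer dropped and the firewall rules on the m0n0wall never see the traffic.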