Routing LAN to VLAN-tagged WAN and lease options.


Recommended Posts

Hi!

 

I've set up a small server that runs FreeBSD and it has dual NICs and it's acting as my router and firewall, using ISC dhcpd and BSD pf.

I have a VoIP adapter (turns VoIP into analog PSTN standard) and a IPTV decoder which are both connected to my LAN. They quest for IP and they accept the offers they get. The problem is that they ask for more information that I can't give them right off the bat. The information that they need are obtained from VLAN 845 for IPTV and VLAN 855 for VoIP.

 

I've set up virtual interfaces with my WAN interface as the parent interface and dhclient can obtain the extra info required. I want to relay the extra DHCP options from the dhclient's VLAN lease information. I've looked into /sbin/dhclient-script and enter-hooks but that doesn't make me any wiser. I used tcpdump to see what it is that the two devices request over DHCP. I looked up dhcrelay but it doesn't seem to help me as I want to keep the two devices in my LAN and only relay certain fields. The information requested is successfully obtained by dhclient.

 

Is this even remotely possibly in BSD?

 

Please help! :/

 

Thanks in advance,

Radium, Sweden.

Link to comment
Share on other sites

"I want to keep the two devices in my LAN and only relay certain fields. "

Confused here - if your devices are suppose to be in vlan 845 and 855 respectively then you would put them in those vlans and could use dhcp relay so that they get the correct IP and info for those vlans.

You don't put a device in network X or some native vlan (untagged) and expect them to work as though they are in vlans 845 and 855.

Link to comment
Share on other sites

"I want to keep the two devices in my LAN and only relay certain fields. "

Confused here - if your devices are suppose to be in vlan 845 and 855 respectively then you would put them in those vlans and could use dhcp relay so that they get the correct IP and info for those vlans.

You don't put a device in network X or some native vlan (untagged) and expect them to work as though they are in vlans 845 and 855.

The devices are untagged. They are only tagged on the WAN for QoS and traffic shaping etc.

They don't work tagged. The devices are completely unaware of the VLAN tagging and they do not work if the network is tagged.

Link to comment
Share on other sites

that is fine - but the port they are connected to would need to be in that vlan. So lets say your lan is vlan 1 (untagged)

I would assume these networks are different ip space.

So lets say your native vlan 1 is 192.168.0/24, vlan 845 is 192.168.1/24 and 855 is 192.168.2/24

So what native vlan is on the ports the devices are connected to? Vlan 1? Then how would they work if they are in vlan1? How would you tag them over the wan to the other vlans?

So you put the port on the switch they are connected to in vlan 845 or 855 as native untagged. And then as it goes out the wan those vlans are tagged. you setup a dhcp relay so that those devices on those ports get dhcp server for those vlans.

You can not expect it to work if its on the switch vlan1 or whatever other native vlan your using for your lan.

edit: What switch are you using? It supports vlans or is it unmanaged?

Link to comment
Share on other sites

that is fine - but the port they are connected to would need to be in that vlan. So lets say your lan is vlan 1 (untagged)

I would assume these networks are different ip space.

So lets say your native vlan 1 is 192.168.0/24, vlan 845 is 192.168.1/24 and 855 is 192.168.2/24

So what native vlan is on the ports the devices are connected to? Vlan 1? Then how would they work if they are in vlan1? How would you tag them over the wan to the other vlans?

So you put the port on the switch they are connected to in vlan 845 or 855 as native untagged. And then as it goes out the wan those vlans are tagged. you setup a dhcp relay so that those devices on those ports get dhcp server for those vlans.

You can not expect it to work if its on the switch vlan1 or whatever other native vlan your using for your lan.

edit: What switch are you using? It supports vlans or is it unmanaged?

The LAN is untagged. The devices do not support tagging (VLAN is only used to prioritize by the ISP and special handling in their network). The LAN is 192.168.1.0/24.

The traffic is tagged when redirected to the vlan845 and vlan855 interfaces which have the WAN interface (igb0) as their parent interface.

I intend to tag and untag them as I send and recieve data over the VLAN interfaces (this is done automatically by PF as it translates back and forth). The VLAN interfaces are up and running, what I need to do now is take the DHCP options from the VLAN interfaces and give them to dhcpd so that it can hand those same options to the LAN devices that ask for them.

 

I do not understand how dhcrelay will only relay certain requests to vlan845 and vlan855 and let dhcpd handle the rest.

Link to comment
Share on other sites

Dude what ports are these devices connected too? What switch are you using?

dhcp relay sends the dhcp request info to the dhcp server with the info in it required to use the correct scope in the dhcp server. This is the GIADDR field, so when the dhcp relay sees a discover sent to gateway 0.0.0.0 on a segment it is suppose to relay. It adds the gateway address for that segment to the dhcp packet and sends it on to the dhcp server. The dhcp server looks in this field and says oh that is for scope X, and sends the info back to the dhcp relay, who then forwards it back to the client.

I can show you some sniffs on how exactly this works.

Your not going to be able to pull info from this and give it to the client - I have never heard of such a thing. And still don't see how you think this would work..

So your running vlans on your wan for 845 and 855 - but your clients are on your lan connected to what interface igb1 ? That is untagged -- how do you expect that to work??

How is your router going to know to tag what traffic from your lan side that is untagged interface with no vlans on it?? And send it out tagged your wan? How does the router know tag the traffic from your phone or iptv vs tagging your pc traffic?

So "all" the devices on your lan are 192.168.1.0/24 -- but you want your router to know that 192.168.1.x is not to be tagged but traffic from say 192.168.1.y is to be tagged 844 and traffic from 192.168.1.z is 855?

Link to comment
Share on other sites

PF does the NAT and routing. I NAT towards vlan845 and vlan855 as if I had tripple WAN. So that actual tag itself is not interesting except to the ISP.

Yes, igb0 is WAN and igb1 is LAN. The switch is a Linksys SE2800.

What I'm saying is that if 192.168.1.y wants to get igb0:network then NAT -> vlan845, which is the WAN designated for IPTV only.

It might as well be three physical WAN and I want to split the traffic depending on the device on the LAN asking to head to WAN. So if 192.168.1.y wants to go to igb0:network then -> vlan845.

The devices also have web interfaces accessible from the LAN and they work just fine on LAN as long as they get the DHCP options they request. I can copy and paste them from dhclient.leases.vlan845 and dhclient.leases.vlan855 to dhcpd.conf but that isn't optimal since all IPs are dynamic so I wish that it was done automatically.

So, wait for dhclient for all three interfaces to finish and then copy relevant DHCP options from dhclient.leases-files and put into relevant fields in dhcpd.conf.

 

It's similar to this:

Wait for dhclient on WAN interface.

Copy name servers from /etc/resolv.conf to /usr/local/etc/dhcpd.conf

Start dhcpd

Each time dhclient gets a new lease, renew name servers in dhcpd.conf, tell dhcpd to parse dhcpd.conf again if the options were changed.

 

The NAT and routing is done by PF and the DHCP options requested by the two LAN devices are obtained by dhclient which then starts a script which in turn look up the fields in dhcpd.conf and change them if needed.

This is not about adding VLAN tags in my LAN, just that I need to send them through different interfaces.

Who do I patch dhcpd.conf with new data for the name-server option field?

Link to comment
Share on other sites

So you get 3 different IPs on the wan?

Why do you need your lan side to be dhcp - why don't you just set them static with these options - what options do they need. You say you copy and paste them, what are they?

Since your natting does not matter what the public side is.

What is in front of the pf box? What id the device from your isp? Is this doing nat, or is it just a bridge?

Link to comment
Share on other sites

I use DHCP on the LAN but give the devices fixed addresses.

The WAN gets three IPs, yes, one for each service. They are three separate services with mandatory VLAN IDs on the WAN side and the ISP uses DHCP and I can not set the VoIP and IPTV to static IP, so I use DHCP on LAN.

The machine (with pf) is a router (NAT) and not a bridge. The LAN can not use VLAN, the devices do not support that.

The things that are needed are client identification and vendor class identification sent to the ISP using DHCP and return, the ISP hands over vendor encapsulated information.

Link to comment
Share on other sites

So you get 3 different IPs on the wan?

We used to get 3 IP's a few years back for free but now you have to pay like 5$ a month and you get 3 some give 5 if I am not mistaking. ;)

 

How many do you get? :p

Link to comment
Share on other sites

"vendor class identification sent to the ISP using DHCP and return"

How are you sending this from your wan interface? Can you post your configs for this.. What your attempting seems like a mess if you ask me. Why not just put these devices on the outside on the wan. They are TV and voice - why would you want that traffic flowing through lan interface in the first place? Why would you want to route that traffic?

And maybe you missed the question - what is the device in front of your router, what is the make and model number. Does it have more than ethernet interface. Why not just connect a switch to this device and connect your iptv and phone to this switch.

And connect your router to switch and then your lan behind your router. Problem solved. - what do you think having these devices on your lan gets you? And just so we are clear your router, the one running freebsd is getting 3 public IPs. One on its physical interface, and then 1 each on these vlans you setup connected to this interface.

Could do it with a switch that does vlans

post-14624-0-13269400-1406754241.png

Or with 2 dumb switches like this

post-14624-0-98170100-1406754325.png

Link to comment
Share on other sites

The reason I want to do it is because I know that it can be done and that I want to learn things. I'm doing this for educational purposes, to teach myself things. I would also be able to eliminate one switch and one of two wireless networks if I got this to work.

WAN is connected straight into one NIC and the other NIC is then connected to my SE2800.

My IPTV is connected over WLAN, big clumsy and out-dated 802.11g. I wish to replace that with slimmer 802.11ac equipment and I don't want to have one WLAN for HTPC and one for IPTV, which is what I currently have.

What am I'm looking for is advice on how to solve it in BSD. The physical network itself is simple enough.

I create two VLAN's with ifconfig and config dhclient for those.

The problem is how to feed dhcpd the info obtained by dhclient.

Is this the way to do it?

I scrapped all the configs and I'm starting over. I need to figure out how to pass data from dhclient to dhcpd before I try again.

I guess that I could use some text tools such as grep to find the things on the config that needs to be updated. But I'm not familiar with dhclient enter hook scripts or if there are features in dhcpd that can help me.

Link to comment
Share on other sites

"My IPTV is connected over WLAN"

Is this a shared wireless network, do you have other devices that will want to use this wireless network while you watch tv? Most live iptv systems are multicast and have issues with nat in general, and not be good choice to use wireless at all. Many wireless bridge setups block multicast even.

While I applaud your desire to learn, not sure where you got the idea that this could be done "The problem is how to feed dhcpd the info obtained by dhclient."

Your attempted setup does not fit best practice models, and to be honest shouldn't teach your self bad habits. While lots of things are possible, there are specific ways to do things for reasons that you might not be taking into account.

Wireless be N or AC, bandwidth is not the only thing to take into consideration for mobile devices, I find it unlikely your TV or your HPTC are mobile anything - why in the world would you want to connect these things with wireless? Run a wire!! Sure you can do it over wireless - should be the last possible last ditch choice.. Leave the wireless bandwidth to the mobile devices that have no way to connect with a wire. Your smartphone, tablet, laptop.

Now if you want to go over a GOOD setup for htpc, iptv and isolation of multicast or other types of traffic from the rest of your network - lets have a discussion. But to me your going down the wrong path.

If what you were trying to was a "good" way to do it - there would be guides all over the place on how to accomplish it ;)

If you want to learn something I would suggest you do a sniff of the IPTV traffic, now is that sort of bandwidth and packet numbers you want to send over wireless or flooding your normal lan traffic with.

Link to comment
Share on other sites

Neither use multicast. The WLAN is a separate WLAN because there are no cables nor room for cables, the walls are solid reinforced concrete and the floor needs to be fully replaced if I want cables under it. It's all glued together.

The ISP offers the same solution but for a monthly fee and a cheap router with barely any advanced options.

The separate WLAN for my IPTV is sold by the ISP and I wish to run my HTPC and IPTV down the same signals.

Link to comment
Share on other sites

How do you know your IPTV is not multicast? Have you sniffed the traffic? Live IPTV is always multicast from my understanding of the protocols, while video on demand normally unicast.

Do you think your IPTV provider is going to want to create specific streams to every single tv for a live stream, or does it make more sense to send out the stream via multicast and let the clients that want to watch join that multicast group.

When you change channels, your joining a a different multicast group. If your provider is doing something different, then I would love to read up on the protocols being used. Can you provide source to info on how you know its not multicast.

Again if you want to learn something - take a sniff of the traffic for your IPTV ;)

"the walls are solid reinforced concrete"

So you live in a bomb shelter? ;) If running wires is a problem, have you looked in to powerline adapters? IPTV is not really a good suited protocol for wireless, especially shared wifi. Normally IPTV is very crabby about lost packets or latency, or packets out of order, etc. I can not imagine that reinforced concrete is all that great for wifi signals across rooms. So so these devices are in the same room as the wifi AP?

What is this cheap router they are giving you. I would assume its customized in some way for use with iptv. Off the cuff, I would think they are putting the device plugged into specific port or on wifi connection directly on the outside internet connection and not natting that connection. IPTV is not real great protocol to nat, for one hard to join specific multicast groups when behind a nat. You could setup a igmp proxy to accomplish this or udpxy could be used to proxy the udp stream via tcp connection, etc. Lots of ways to skin the cat!! But generally speaking its much easier to just isolate the devices that need access to such services from your normal network.

Link to comment
Share on other sites

It appears that they use multicast but it works just fine over wifi and the 54 Mbps is enough for HDTV 1080i.

So why can't I make that work over my own wifi? The offer wifi solutions for IPTV themselves and it works fine, I just don't want multiple wifis and extra equipment.

It's just sent across the livingroom. If there was enough room then I would've had a cable instead of wifi a long time ago. I've bought cables and everything that I need but there's not enough room for it. I need to lift the whole floor.

 

Oh well, I'll drop this project for now and look into it in the future.

Link to comment
Share on other sites

Again is this a shared wifi? Do you want to use the wifi you run say your tablet/laptop/smarthphones over the the same wifi you will use for iptv?

Why do you have to lift the floor, you can not run the cable along the baseboards?

Can you draw out your network as it is current with what hardware is in place, etc. And we can look to ways to optimize and limit the hardware in use, etc. While sure it is possible to stream 1080 over wifi, and even multicast over wifi - your going to severely limit the usefulness of that wifi network for anything else wanting do anything over that network.

There was just a thread recently I don't recall if this forum or another I frequent where user was wondering why when he watches TV that are wired his wifi clients could only do like 1-2mbps max.. So he needed to filter the multicast traffic from going over the wifi network that was connected to his wired lan.

Again I am all for exploring the best way to get your network setup the best it can be with budget and hardware constraints, etc. So more than happy to help -- lets get a drawing and details of what your doing now and can explore ways to optimize it!

Link to comment
Share on other sites

This topic is now closed to further replies.