This post continues from my last post where I set up VLANs with a HP Switch.

A Virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context, virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed. OpenBSD has supported VLANs since 2001 (OpenBSD 2.9).

In this post I will set up OpenBSD as an 802.1Q compatible switch. This post will also include the configuration needed to route packets between the VLANs. Further, I will set up a DHCP server to allow devices to automatically obtain IP addresses.

Finally, I will touch on the OpenBSD Packet Filter. I will not implement it at this stage, as this will be better covered in its own post which you can find here.

VLAN Configuration

I will start with configuring 4 VLANs to connect to the HP Switch. One of the interfaces is the parent interface which is an actual physical interface, the other three interfaces are virtual.

At any time, you can restart the OpenBSD network service with the following command:

# sh /etc/netstart

Trunk Interface

hostname.re0 configures re0, the interface that we have chosen to connect directly to the switch. The matching port has been configured as a trunk port on the HP Switch to allow VLANs 1-4 to transmit packets. OpenBSD does not have directives to set an interface as a trunk; however, interface re0 will act as a trunk, as the VLAN interfaces will set this interface as their parent.

# file location and name: /etc/hostname.re0

inet 192.168.1.254 255.255.255.0
up

VLAN Interfaces

Below are VLANs 2-4. VLAN 1 does not need to be set as OpenBSD sets the hostname.re0 network as VLAN 1, as it is the physical interface. The directives in each VLAN interface file are, in order: the network gateway IP address with its subnet prefix, the broadcast address, the trunk (parent) interface and the ID of the VLAN.

hostname.vlan2

# file location and name: /etc/hostname.vlan2

192.168.2.254/24 192.168.2.255 parent re0 vnetid 2

hostname.vlan3

# file location and name: /etc/hostname.vlan3

192.168.3.254/24 192.168.3.255 parent re0 vnetid 3

hostname.vlan4

# file location and name: /etc/hostname.vlan4

192.168.4.254/24 192.168.4.255 parent re0 vnetid 4

Routing Configuration

We now have to configure routing. This involves configuring the ingress interface hostname.re0 (which we have already configured in the VLAN section above), and the egress interface. Along with this, we have to tell OpenBSD to act as a router by forwarding packets between interfaces, which is set in the sysctl.conf file. Finally, we set the gateway on the egress network as the default gateway. A reboot is required for these changes to take effect; however, we should wait until we have configured the following sections before we reboot. Alternatively, we can issue the sh /etc/netstart command.

hostname.re0

# file location and name: /etc/hostname.re0
 
inet 192.168.1.254 255.255.255.0
up

hostname.re1

# file location and name: /etc/hostname.re1
 
inet 196.7.13.30 255.255.255.0
up

sysctl.conf

# file location and name: /etc/sysctl.conf
    
net.inet.ip.forwarding=1

mygate

# file location and name: /etc/mygate

196.7.13.254

DHCP Configuration

It is very handy to have a DHCP server on the network to allocate IP addresses to devices, and fortunately OpenBSD provides one that is very easy to manage. By reading the file it is obvious how DHCP is configured. Finally, you will need to add the DHCP flags to /etc/rc.conf.local to enable the dhcpd daemon on startup.

dhcpd.conf

# file location and name: /etc/dhcpd.conf

subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.254;
        option domain-name-servers 1.1.1.1, 1.0.0.1;
        range 192.168.1.5 192.168.1.50;
        host mylaptop {
                fixed-address 192.168.1.100;
                hardware ethernet c3:de:ad:be:ef:4c;
        }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.254;
        option domain-name-servers 1.1.1.1, 1.0.0.1;
        range 192.168.2.5 192.168.2.50;
        host mylaptop {
                fixed-address 192.168.2.100;
                hardware ethernet c3:de:ad:be:ef:4c;
        }
}
subnet 192.168.3.0 netmask 255.255.255.0 {
        option routers 192.168.3.254;
        option domain-name-servers 1.1.1.1, 1.0.0.1;
        range 192.168.3.5 192.168.3.50;
        host mylaptop {
                fixed-address 192.168.3.100;
                hardware ethernet c3:de:ad:be:ef:4c;
        }
}
subnet 192.168.4.0 netmask 255.255.255.0 {
        option routers 192.168.4.254;
        option domain-name-servers 1.1.1.1, 1.0.0.1;
        range 192.168.4.5 192.168.4.50;
        host mylaptop {
                fixed-address 192.168.4.100;
                hardware ethernet c3:de:ad:be:ef:4c;
        }
}

rc.conf.local

# file location and name: /etc/rc.conf.local

dhcpd_flags=re0 vlan2 vlan3 vlan4
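
The VLAN, DHCP and rc.conf.local files above have to agree with each other: each vlanN needs a matching vnetid, a parent with its own hostname file, a dhcpd.conf subnet whose `option routers` is the interface address, and an entry in dhcpd_flags. The following lint script is an added example, not part of the original post; the function names are hypothetical and it assumes the post's convention that the interface number equals the VLAN ID.

```sh
#!/bin/sh
# Added example: lint a copy of /etc for the VLAN/DHCP layout used in this post.
# lint_vlan_dhcp DIR prints one line per problem and returns 1 if any exist.
lint_vlan_dhcp() {
    dir=$1; bad=0
    problem() { echo "$1"; bad=1; }
    # Interfaces dhcpd listens on, e.g. "re0 vlan2 vlan3 vlan4"
    flags=$(sed -n 's/^dhcpd_flags=//p' "$dir/rc.conf.local" | tr -d '"')
    for f in "$dir"/hostname.vlan*; do
        [ -f "$f" ] || continue
        ifc=${f##*/hostname.}      # e.g. vlan2
        want=${ifc#vlan}           # assumption: interface number == VLAN id
        # First non-comment, non-empty line carries address, parent and vnetid
        line=$(awk '!/^[[:space:]]*#/ && NF { print; exit }' "$f")
        addr=$(echo "$line" | awk '{ i = ($1 == "inet") ? 2 : 1; sub(/\/.*/, "", $i); print $i }')
        vid=$(echo "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "vnetid") print $(i + 1) }')
        par=$(echo "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "parent") print $(i + 1) }')
        [ "$vid" = "$want" ] || problem "$ifc: vnetid '$vid' does not match interface name"
        [ -n "$par" ] && [ -f "$dir/hostname.$par" ] || problem "$ifc: parent '$par' has no hostname file"
        # The gateway handed to DHCP clients must be this interface's address
        awk -v a="$addr;" '$1 == "option" && $2 == "routers" && $3 == a { ok = 1 } END { exit !ok }' \
            "$dir/dhcpd.conf" || problem "$ifc: no 'option routers $addr;' in dhcpd.conf"
        case " $flags " in
            *" $ifc "*) ;;
            *) problem "$ifc: not listed in dhcpd_flags" ;;
        esac
    done
    return $bad
}

# Constructed sample: the files from this post, written into DIR.
write_sample() {
    printf 'inet 192.168.1.254 255.255.255.0\nup\n' > "$1/hostname.re0"
    for n in 2 3 4; do
        printf '192.168.%s.254/24 192.168.%s.255 parent re0 vnetid %s\n' \
            "$n" "$n" "$n" > "$1/hostname.vlan$n"
    done
    for n in 1 2 3 4; do
        printf 'subnet 192.168.%s.0 netmask 255.255.255.0 {\n' "$n"
        printf '\toption routers 192.168.%s.254;\n}\n' "$n"
    done > "$1/dhcpd.conf"
    printf 'dhcpd_flags=re0 vlan2 vlan3 vlan4\n' > "$1/rc.conf.local"
}

demo=$(mktemp -d)
write_sample "$demo"
lint_vlan_dhcp "$demo" && echo "VLAN and DHCP files are consistent"
rm -rf "$demo"
```

On the router itself, run `lint_vlan_dhcp /etc` before issuing the reboot or netstart.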

Nameserver Configuration

We all want to look at pictures of cats on the internet and we will not be able to achieve this if we do not have a working resolv.conf file. This file lists the default DNS servers to use.

resolv.conf

# file location and name: /etc/resolv.conf

nameserver 1.1.1.1
nameserver 1.0.0.1

Packet Filter Configuration

With the above configurations set, we still have one very important step to take. At this stage we can reboot/netstart, and our VLANs will function but the OpenBSD Packet Filter will drop any packets as they traverse the networks. I will cover the workings of pf.conf in this post.

For now, we will disable OpenBSD’s Packet Filter and set it up in the next post. With pf disabled and IP forwarding enabled, OpenBSD routes between all four networks and the egress interface without any filtering.

rc.conf.local

# file location and name: /etc/rc.conf.local

dhcpd_flags=re0 vlan2 vlan3 vlan4

pf=NO

Wrapping Up

If you have not issued a reboot/netstart, now is the time to do that. When OpenBSD comes back up again, our VLANs will all be working. You can verify this by checking the IP address that the DHCP server issues and by pinging different hosts (try the alternative OpenBSD VLAN IP address for a start) on the different virtual networks.

Next post, as said above, I plunge into the workings of the pf.conf file. Hopefully you stick around for the ride!