Routing issue - clients unable to access internet

Vlystria,

what message do you receive when you try to traceroute from a PC running on VLAN 10 or 20 to another network?

For XG as you said, the ping and traceroute are fine, right?

Thanks.

Hi lferrara,

I should clarify that VLAN 10 and 20 is defined on the WAN interface as my ISP delivers access through them.

Running a ping and traceroute from a PC connected to port 2 or 3 of the XG to an internet address (for e.g 8.8.8.8) only gives a Request Timed Out error

Hi Will,

I have changed the destination networks to " Any" and yielded the same results.

Hi lferrara,

I have edited the main post to include the ping and traceroute results for reference.

By the way, I have also changed the IP address and DHCP scopes as well.

Vlystria,

who is 192.168.1.16? Are you able to draw a network map and share it with all IPs?

Thanks.

Vlystria,

is "Rewrite source address" enabled? What address are the 2 VLAN using?

Expand policy rule and share the screenshots.

Hi Ifterrara,

As per the interfaces screenshot, 192.168.1.16 is the configured IP for the LAG interface.

As for the policies, only policy ID 1 and 2 is defined and the screenshots are in the original post.

Also, for all policies, "Rewrite source address" has been enabled. Screenshots for all policies can be found in the original post.

For the VLANs, these are configured as DHCP and configured on the WAN interface as mentioned on the original post.

The reason which I mentioned before is that my ISP delivers the access via VLAN trunk, where VLAN 10 is for internet and VLAN 20 is for IPTV where IPTV requires packets to be marked with PCP value of 4.

Thank you

Note of caution, I am not a professional—just fascinated by routing (and a bit obsessive). I apologize if this extremely long post is completely off base.

My understanding of the ArchLinux setup is that you are essentially setting up a DMZ for VLAN 20 and routing/masquerading the other internet traffic. The TV receiver gets it IP via DHCP from the Fibre Network Terminal, and the other (non-TV/ VLAN 10) traffic is routed/masqueraded through the router.

That being said, I reviewed the ArchLinux setup, and have the following observations, relative to your configuration compared with the ArchLinux setup:

1. In the ArchLinux configuration, the physical WAN port “Singtel” seems to have no IP configuration. This would suggest that you should uncheck both IPv4 Configuration and IPv6 Configuration on the physical WAN Port 1. 

2. The ArchLinux VLAN 10 interface is configured DHCP and is assigned on the physical WAN Port 1 (as you have done).

# cat /etc/network.d/broadband

INTERFACE="singtel.10"

VLAN_PHYS_DEV="singtel"

VLAN_ID="10"

CONNECTION="vlan"

IP="dhcp"

3. The ArchLinux VLAN 20 interface has a static IP with no address assigned. Your WAN Port 1.20 address configuration is DHCP, with no address assigned. Maybe, you should uncheck both IPv4 Configuration and IPv6 Configuration on the VLAN Port 1.20. since no IP address is required.

# cat /etc/network.d/miotv

INTERFACE="singtel.20"

VLAN_PHYS_DEV="singtel"

VLAN_ID="20"

DESCRIPTION="mioTV vlan"

CONNECTION="vlan"

IP="static"

IPCFG=("link set dev singtel.20 type vlan egress-qos-map 0:4 1:4 2:4 3:4 5:4 6:4 7:4")

 4. Masquerading and NAT in the ArchLinux configuration is only configured for the LAN (data) port(s)—not for the Internal Singtel/IPTV port. 

# cat /etc/network.d/lan

CONNECTION='ethernet'

DESCRIPTION='My private intranet'

INTERFACE='lan'

IP='static'

ADDR='192.168.100.1'

NETMASK='255.255.255.0'

BROADCAST='192.168.100.255'

DNS=('127.0.0.1')

# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i lan -j ACCEPT

# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable

# iptables -P FORWARD DROP

# iptables -A POSTROUTING -s 192.168.100.0/24 -o singtel.10 -j MASQUERADE

# sysctl -w net.ipv4.ip_forward=1

# sysctl -w net.ipv6.conf.all.forwarding=1

5. The ArchLinux LAN port for IPTV is configured with static IP (no address assigned). 

# cat /etc/network.d/miolan

INTERFACE="miolan"

CONNECTION="ethernet"

IP="static"

DESCRIPTION='mioTV LAN'

6. The LAN port for IPTV (your Port 6) in the ArchLinux configuration is bridged to the Singtel/IPTV Port 1.20, and an internal address is assigned to the Bridge. The author of the Singtel ArchLinux configuration noted that he is not sure that assigning an IP address to the bridge is necessary. I do not believe it is necessary, because the TV receiver gets an IP address of 192.168.1.1, via DHCP from the Fibre Network terminal, not from the router. 

# cat /etc/network.d/miobridge

INTERFACE="miobridge"

CONNECTION="bridge"

DESCRIPTION="Bridge"

BRIDGE_INTERFACES="singtel.20 miolan"

IP="static"

ADDR="192.168.1.254"

7. You have assigned the 192.168.1.x subnet to NAS_LAG, which is a conflict if your Fibre Network terminal is using that subnet for IPTV traffic on VLAN 20. Also, Port 6 (internal IPTV port) has a static address assigned of 192.168.2.16, which is the wrong subnet if IPTV is using 192.168.1.x. Again, I do not believe that either the internal IPTV port, the 1.20 VLAN WAN port, or the bridge of the two require an IP address. However, the author of the ArchLinux setup used an address of 192.168.1.254 for the bridge 

8. I do not believe that the IPTV LAN port (your port 6) should be assigned to Zone “LAN”. It is really a sort of DMZ port. Perhaps, you can create a custom Zone “IPTV” and assign the IPTV LAN port to that zone. That way, you can set up a policy to handle the IPTV traffic, assign the appropriate PCP value, and process that traffic without Masquerading, etc.

Will

Hi Will,

Thank you for taking the time to review the document and sharing your thoughts on this.

That said, based on point 2 and 4, even if the IPTV is not working, other internet capable devices should be able to access the internet (via port 3 to 5) since masquerade / NAT have been defined in policy ID 1.

Yet from the ping / traceroute results, it appears it never got beyond the XG.

At this, it appears to me that either NAT / masquerade config is done incorrectly or some static route needs to be defined.

Then again, I'm practically just guessing at this point.

Best Regards

Vlystria,

Do you have static routes defined for each of your internal subnets?

Destination: 192.168.3.0 /255.255.255.192

Gateway:      192.168.3.16

Interface:      Port3

Destination: 192.168.1.0 /255.255.255.192

Gateway:      192.168.1.16

Interface:      NAS_LAG

Hi Will,

I finally figured out the needed configuration for clients to access the internet:

In System > Routing > Static Routing

Create new IPv4 Unicast Route with the following values:

Destination IP / Prefix: 0.0.0.0 /0 (0.0.0.0)

Gateway: <Blank>

Interface: Port 1.10

Distance: 0

For the IPTV, it will most likely not be possible to configure.

In the KB, VLANs cannot be part of a bridge.

Additionally, static interface cannot be defined without IP. Interfaces that are defined as part of a zone cannot configured without either IPv4 / IPv6 protocol.

Thank you

Hi Vlystria,

Happy to hear that you got the internet portion working. I completely overlooked there being no default route defined.

One more idea regarding IPTV traffic, if you were to create a bridge with Port6 and physical Port1 (with no IPv4 address defined on either ports or the bridge), would the bridge pass the IPTV traffic like a dumb switch, and without interfering with the VLAN10 traffic?

Hi Will,

When creating a bridge on port 1 and 6, this will remove all VLANs configured on port1.

Do note that VLANs cannot be created on a bridge. Thus, this will not work.

Thank you

Hi Will,

When creating a bridge on port 1 and 6, this will remove all VLANs configured on port1.

Do note that VLANs cannot be created on a bridge. Thus, this will not work.

Thank you