l2 gre tunnel to DMZ with users egress out Eth1

  • Question
  • Updated 3 months ago
  • Answered
Basically I want to tunnel all traffic from a particular ssid to a dedicated AP.  Pretty sure I've got the basics with how to set it up etc, but I believe the customer wants the following.

AP is connected on the normal corporate network on Eth 0, with Eth 1 being connected into their DMZ firewall.  Essentially, the traffic from the other APs will be tunneled to this AP and the user traffic will egress out of Eth 1.

Just wondering what sort of setup needed for the Eth1 port?  Is it just a case of making Eth 1 to be bridge-access with the allowed vlan to be the one that we are tunneling?

wombat

Posted 4 years ago

Deven Ducommun, Beta Program Manager

Multiple Default Routes: It is now possible to configure multiple Layer 2 routes based on the VLAN ID of a user so that the HiveAP can route Layer 2 traffic through different Ethernet interfaces as appropriate. This allows, for example, a guest user on a corporate network segment to access a more appropriate segment for routing to the Internet while the HiveAP forwards traffic from an employee on a different VLAN through a different Ethernet interface.

HiveAPs with two Ethernet ports can now support multiple default routes based on the VLAN of the traffic. With this feature configured, you can easily tunnel guest traffic from a HiveAP on a private network to a HiveAP in the DMZ. The HiveAP in the DMZ terminates the tunnel and forwards it out eth1—properly tagged with the correct VLAN—to the public network. For corporate traffic, the HiveAP applies a different VLAN tag and forwards it out eth0 to the corporate network. To do this, the HiveAP that bridges the two subnets must meet the following requirements: 

  • The HiveAP must have two Ethernet ports.

  • The HiveAP must have the eth1 port in backhaul mode.

  • The Ethernet ports must not be set as an aggregate or redundant pair.

If your guest (public) network is on a separate subnet from your corporate (private) network, guests who connect through HiveAPs on your corporate subnet can be easily redirected to the public network using a HiveAP as an intermediary to bridge the two disparate subnets. This intermediary HiveAP connects to your corporate subnet using its eth0 interface, and to your public subnet using its eth1 interface. You configure eth0 to use the corporate VLAN by default, and eth1 to use the public VLAN by default.

When a guest connects to a HiveAP on the corporate network, the HiveAP applies a guest user policy to the traffic, which assigns it to the public VLAN (20). The HiveAP tags the frame with the public VLAN, encapsulates it with a GRE wrapper, and forwards it to the eth0 port of the HiveAP in the DMZ. That HiveAP terminates the GRE tunnel, revealing the public VLAN ID, and routes the frame out the eth1 port to the public network with the public VLAN tag (see the illustration on the next page).

Note: You do not need to set a default Layer 2 route for VLAN 20 on the HiveAP in the trusted network. The user profile applied to guest traffic directs the HiveAP to forward all that traffic through an INXP tunnel, which uses eth0 as its egress interface and the HiveAP in the DMZ as its destination. On the other hand, the user profile for corporate users assigns their traffic to VLAN 1. The HiveAP forwards it out eth0, which is the egress interface in its default Layer 2 route. 


There are two places that require configuration to forward traffic in this way. Steps 1-3 below configure the Ethernet interfaces to accept tagged frames; steps 4-6 configure the HiveAP to forward the internal traffic between interfaces.

Furthermore, the following process assumes that you have already configured the SSIDs, user policies, and WLAN policies on your WLAN, and that you have configured your network infrastructure to handle 802.1Q or similar VLAN tagging where necessary. For more information on configuring the WLAN and other policies, see the HiveManager Help system. To configure multiple default routes based on VLAN ID, enter the following on HiveManager:

  1. Click Monitor > Access Points > HiveAPs, select the HiveAPs that you want to configure to mediate traffic between the trusted network and the public network/DMZ, and then click Modify.

  2. In the HiveAP settings dialog box that appears, expand the Interface and Network Settings section, and then choose Backhaul from the Eth1 Operation Mode drop-down list.

  3. Expand the Advanced Ethernet Settings section, enter the default VLAN ID for your public network in the Eth1 row in the Native VLAN column, and then enter the VLAN IDs you want to allow on the public network in the Allowed VLAN column.

Note: You do not have to enter a value in the Allowed VLAN column if the only VLAN ID allowed is entered in the Native VLAN column. This is because entering a value in the Native VLAN column implicitly allows that VLAN ID on that interface. If you have additional VLAN IDs you want to add, you can enter a single VLAN ID (e.g., 20), a range of VLAN IDs (e.g., 11-30), a non-contiguous list of VLAN IDs separated by commas (e.g., 15,20,25), or a combination of these formats (e.g., 11-15,20,25-30). Be careful to avoid permitting access to the VLAN of your corporate network on an interface permitting access to the VLAN of your public network as this might expose your corporate data to guests and other non-corporate users.

  4. Expand the Routing section, and then in the Multiple Network Default Routing subsection, click New.

  5. Enter the VLAN ID whose default route you want the HiveAP to forward out the eth1 interface, and then click Apply. By default, the egress interface for default Layer 2 routes is eth0. However, the VLAN IDs you enter here use eth1 as the egress interface in their default routes.

  6. If you want to forward multiple VLAN IDs, you can add more VLAN IDs, but you can only enter one VLAN ID per line.
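The following is an added illustration, not HiveOS or HiveManager code and not part of the post above, of the two mechanisms the post describes: the Allowed VLAN syntax (single IDs, ranges, comma lists and combinations, with the native VLAN implicitly allowed) and the per-VLAN Layer 2 default route (eth0 unless the VLAN is listed for eth1). It also implements the note's warning as a check: a port that permits the public VLAN must not also permit the corporate VLAN. The class and field names, and the example configuration (corporate VLAN 1, public VLAN 20, VLANs 20 and 25 routed out eth1), are assumptions made for the example.

```python
"""Model of HiveAP multiple default Layer 2 routes keyed on VLAN ID.

Added example (hypothetical model, not Aerohive code). It reproduces the
Allowed VLAN syntax, the eth0/eth1 egress choice, and the note's warning
about carrying the corporate VLAN on the public-facing port.
"""
from dataclasses import dataclass, field


def parse_vlan_list(spec: str) -> set[int]:
    """Expand the Allowed VLAN syntax from the post: "20", "11-30",
    "15,20,25" or "11-15,20,25-30" (whitespace ignored, "" means none)."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    bad = [v for v in vlans if not 1 <= v <= 4094]
    if bad:
        raise ValueError(f"VLAN IDs out of range: {bad}")
    return vlans


@dataclass
class EthPort:
    name: str
    native_vlan: int
    allowed: set[int] = field(default_factory=set)

    def permits(self, vlan: int) -> bool:
        # The native VLAN is implicitly allowed (the post's note), so the
        # Allowed VLAN column may be left empty when only it is needed.
        return vlan == self.native_vlan or vlan in self.allowed


@dataclass
class BridgingAP:
    """The DMZ-side HiveAP that terminates the tunnel (hypothetical model)."""
    eth0: EthPort
    eth1: EthPort
    # VLAN IDs entered under Multiple Network Default Routing (egress eth1)
    eth1_routed_vlans: set[int] = field(default_factory=set)

    def egress_for(self, vlan: int) -> str:
        """Default Layer 2 route is eth0; VLANs listed for eth1 leave there."""
        port = self.eth1 if vlan in self.eth1_routed_vlans else self.eth0
        if not port.permits(vlan):
            raise ValueError(f"VLAN {vlan} routed out {port.name}, which does not permit it")
        return port.name

    def vlan_leaks(self, corporate_vlan: int, public_vlan: int) -> list[str]:
        """The note's warning: a port carrying the public VLAN must not also
        carry the corporate VLAN, or guests could reach corporate data."""
        return [
            f"{p.name} permits both corporate VLAN {corporate_vlan} and public VLAN {public_vlan}"
            for p in (self.eth0, self.eth1)
            if p.permits(corporate_vlan) and p.permits(public_vlan)
        ]


def build_example_ap(eth1_allowed: str = "11-15,20,25-30") -> BridgingAP:
    """Constructed configuration matching the post: corporate VLAN 1 native
    on eth0, public VLAN 20 native on eth1, VLANs 20 and 25 routed out eth1."""
    return BridgingAP(
        eth0=EthPort("eth0", native_vlan=1),
        eth1=EthPort("eth1", native_vlan=20, allowed=parse_vlan_list(eth1_allowed)),
        eth1_routed_vlans={20, 25},
    )


if __name__ == "__main__":
    ap = build_example_ap()
    for vlan in (1, 20, 25):
        print(f"VLAN {vlan} -> {ap.egress_for(vlan)}")
    print("leaks (good config):", ap.vlan_leaks(1, 20))
    # Misconfiguration: an Allowed VLAN entry of "1-30" on eth1 drags the
    # corporate VLAN onto the public-facing port.
    print("leaks (bad config):", build_example_ap("1-30").vlan_leaks(1, 20))
```

Running the script prints eth0 for VLAN 1 and eth1 for VLANs 20 and 25, no leak for the configuration as described in the post, and one leak once eth1's Allowed VLAN column is widened to include VLAN 1.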
Sam
Philipp Breinlinger
the link above is no longer valid. any chance to provide a mirror for the document?
thanks in advance :-)
Slick Slick
Wlan
wombat
great explanation. Thanks
wombat
ok, so I've done all that, connected Eth1 to a firewall and it doesn't even come up.  Bit of a show stopper at the moment.

Besides that, the GRE tunnel isn't even coming up.
(Edited)
Deven Ducommun, Beta Program Manager
It sounds like there may be a number of configuration issues going on.  It's possible a call to support will be needed to resolve this.  So what type of AP are we talking about, running what code, and how is it powered? If the GRE tunnels are not coming up, can we ping the two GRE points from the CLI?  A number of issues I've seen with GRE tunnels not coming up is no route back from the DMZ as well as port 3000 not opened or IP protocol 47 not allowed through the firewall to either of the participants in the GRE tunnel.

Deven
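As an added example (not Aerohive code and not part of Deven's reply), the following script turns the three causes listed above into a pre-flight check: it scans firewall log lines for drops of IP protocol 47 or port 3000 between the two tunnel endpoints, and it does a longest-prefix lookup on the DMZ side's route table to confirm there is a route back to the corporate-side AP. The endpoint addresses, the route tables and the `fw:` log format are all constructed for the illustration; the post does not say which transport port 3000 uses, so the check matches port 3000 on any transport protocol.

```python
"""Pre-flight check for the GRE tunnel failure causes named in the reply:
no route back from the DMZ, and a firewall dropping IP protocol 47 (GRE)
or port 3000 between the tunnel endpoints.

Added example, not Aerohive code. Addresses, route tables and the log
format are constructed for the illustration.
"""
import ipaddress
import re
from typing import Optional

CORP_AP = "10.10.1.5"   # constructed: HiveAP on the trusted network
DMZ_AP = "192.0.2.10"   # constructed: HiveAP terminating the tunnel in the DMZ

# Constructed firewall log lines in a hypothetical "fw:" format. The second
# line is the classic symptom: GRE allowed outbound but dropped on the way back.
SAMPLE_LOG = """\
fw: ACCEPT proto=47 src=10.10.1.5 dst=192.0.2.10
fw: DROP proto=47 src=192.0.2.10 dst=10.10.1.5
fw: ACCEPT proto=6 src=10.10.1.5 dst=192.0.2.10 dport=3000
fw: DROP proto=6 src=10.10.1.5 dst=192.0.2.10 dport=443
fw: DROP proto=17 src=10.10.1.5 dst=198.51.100.7 dport=3000
"""

LOG_RE = re.compile(
    r"fw: (?P<action>ACCEPT|DROP) proto=(?P<proto>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["proto"] = int(e["proto"])
            e["dport"] = int(e["dport"]) if e["dport"] else None
            events.append(e)
    return events


def tunnel_drops(events: list[dict], a: str, b: str) -> list[dict]:
    """Drops between the two endpoints, in either direction, of GRE
    (IP protocol 47) or of port 3000 on any transport protocol."""
    endpoints = {a, b}
    return [
        e for e in events
        if e["action"] == "DROP"
        and {e["src"], e["dst"]} == endpoints
        and (e["proto"] == 47 or e["dport"] == 3000)
    ]


def return_route(routes: list[tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, next_hop) pairs; None means the
    DMZ side has no route back to dst."""
    target = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


if __name__ == "__main__":
    for e in tunnel_drops(parse_log(SAMPLE_LOG), CORP_AP, DMZ_AP):
        print("tunnel traffic dropped:", e)
    dmz_routes = [("192.0.2.0/24", "connected")]        # constructed: no way back
    print("route back to corp AP:", return_route(dmz_routes, CORP_AP))
    dmz_routes.append(("10.10.0.0/16", "192.0.2.1"))     # constructed fix
    print("route back to corp AP:", return_route(dmz_routes, CORP_AP))
```

On the sample data the only flagged event is the dropped GRE packet from the DMZ AP back to the corporate AP; the unrelated port 443 drop and the port 3000 drop to a third host are ignored. The route lookup returns None until a prefix covering the corporate AP is added to the DMZ side.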
wombat
The 'show gre tunnel' option in the diagnostics, shows nothing unless there is actually some traffic.  I just left a device trying to connect, and then it had some info in there at each end of the tunnel.

As for Eth1, our support partner seems to say that an AP in 'ap-mode' can't have Eth1 active as well.  Fair enough, but it would be helpful if the option was greyed out if that was the case.
Deven Ducommun, Beta Program Manager
GRE tunnels will only form when there are clients present and will tear down when there are no clients so that is expected behavior.  

What model AP are we talking about? There shouldn't be any restrictions on eth ports while in AP mode unless there is a power issue, such as the AP320 needing AT power to have eth1 turned on.

Deven
wombat
ok, that makes sense with the tunnel given that the tunnel policy is part of the user profile.

The AP was an AP330.  Does that need PoE+ for Eth1 to be active, or the AC supply?
Oliver Washbrook
I know this is a pretty old post, but if I was to plug the HiveAP which terminates the tunnels into an L3 switch, would I need to make eth1's operational mode "Bridge.802.1Q" as well as the L3 switch's interface?  From there my intention is to use policy based routing on the L3 switch to route to different types of guests.

Thank you
Ollie
(Edited)
Deven Ducommun, Beta Program Manager
Hi Ollie,

For the GRE tunnel termination on an AP you do not need to set the AP's eth port into Bridge mode.  Leaving the port in Backhaul mode will allow the VLANs and GRE traffic to pass correctly, as the GRE traffic will be encapsulated and passing on the AP's MGT VLAN.   The L3 switch interface will need to be able to pass any VLANs that are leaving the access point.

Thanks,

Deven
Oliver Washbrook
Thanks Deven, that answers my question perfectly.

Cheers Ollie
taj
Is there any step by step guide for this setup 
BJ, Champ