How to configure a VLAN with Internet access on a single Linux box?

Question

I am trying to setup a single-box network environment (on a fresh Linux VM running Debian 6.1) to test my application against a variety of network conditions.

The basic idea is:

1. Create a VLAN, that has internet access.
2. Apply tc qdisc on the vlan interface to simulate network packet loss/limited bandwidth etc.
3. Run my application and bind the connection against the VLAN interface.

However I am stuck in setting up the VLAN with internet access.

My steps are:

1. Set system flags

   sysctl -w net.ipv4.ip_forward=1  
   sysctl -w net.ipv4.conf.all.rp_filter=0
   sysctl -p
   

2. Create VLAN:

   # add link and IP address
   ip link add name "ens4.201" link ens4 type vlan id 201
   ip addr add 192.168.3.18/28 broadcast + dev "ens4.201"
   ip link set dev "ens4.201" up 
   
   # config route table
   ip -4 route add "192.168.3.16/28" dev "ens4.201" table "201"
   ip -4 route add default via "192.168.3.17" table "201"
   ip -4 rule add from "192.168.3.18/28" table "201"
   ip -4 rule add oif "ens4" table "201"
   
   # config NAT in iptables
   iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
   
   iptables -P FORWARD DROP
   iptables -A FORWARD -i ens4 -o ens4.201 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -i ens4.201 -o ens4 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
   

3. Test:

   # Has internet with interface ens4
   curl --interface 'if!ens4' http://www.example.com
    <success>
   
   # But does not have internet with interface ens4.201
   curl --interface 'if!ens4.201' http://www.example.com
     <timeout>
   

Could someone please shed some light on what I might have done wrong?

Answer 1

It sounds to me what you want is just to "split your network interface into two". While that may be one of the "results" of having a VLAN, it requires the gateway (e.g. the VM host) to be VLAN-aware.

For example, in the case of a VM connected to an "internal" / NAT bridge, you need to add a VLAN sub-interface onto the bridge on the host side as well. Otherwise the tagged VLAN traffics won't really get processed. (Unless it is e.g. an "external" bridge and the physical router the VM host connected to is VLAN-aware.)

Yet it hardly makes sense to have such set up, because you can have multiple bridges. In other words, you can have multiple virtualized (or maybe more like, emulated) LANs, instead of having VLANs in one.

More importantly, unless you e.g. need to have interface-based firewall rules on the host side, there's probably no reason to get the network "split" with any of the mentioned approaches (but just because you want a "doppelgänger" interface on the guest side).

Therefore, what you want / need is probably just a MACVLAN on the guest side:

ip link add name ens4_mv0 link ens4 type macvlan mode bridge

Note that you should use configure it with an IP address from the same subnet as its "link", and use the same default gateway.

---

The iptables rules do not seem to be relevant / useful as per my understanding on what you are trying to achieve. If you are not allowed to use one more IP address from the subnet (e.g. the setup is ultimately going be deployed directly on a workstation in your company or so), and hence need another layer of NAT, you would then need to leverage network namespace (with a veth pair) instead of VLAN or MACVLAN.

Answer 2

A VLAN trunk has to be configured in exactly the same way on both ends - same VLAN, same tagging, one of the VLANs may remain untagged ('native') on both sides.

You describe configuring a subinterface on your host but you seem to have missed creating the tagged VLAN on the uplink switch and router. You'd also configure NAT on the latter.

Adding a route to the locally connected network (once the trunk works) is redundant.