[CentOS] VLAN tagging problems

Fri Oct 28 16:35:48 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Robin Mordasiewicz <robin at bullseye.tv>:

> Is there any way to say that if traffic is received on VLAN#911 to be
> sure that the return traffic is tagged with the same vlan id.
> Currently traffic is tagged based on the routing table, and even if
> traffic comes in on VLAN#911, when it returns the traffic it uses the
> VLAN tag from the network that the default gateway is on (VLAN#902).

If you can use something to identify those outgoing packets inside Netfilter,
you can set a firewall mark on them, and then use that firewall mark to route
packets to the correct VLAN.  For example, if all port 80 traffic is from
VLAN#911, and there is no way for traffic from VLAN#902 (or anywhere else) to
get to your box, this might work.

Failing that, you might consider the CONNMARK target.  Then you could set a
connection mark on the incoming packet (hm, is there a way to set a mark based
on VLAN tag?), and then based on that set a firewall mark on the outgoing
packets (--save-mark and --restore-mark options of the CONNMARK target).  And
then, again, route outgoing packets based on the firewall mark.  I'm not sure
if the CONNMARK target is included with the CentOS kernel.

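The CONNMARK plus fwmark policy-routing approach sketched above, as an added example that is not part of the original thread: the VLAN sub-interface name, gateway address, mark value and routing table number are assumptions, and the script prints each command and only executes it when APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Keep replies on the VLAN they arrived on: mark connections by ingress
# interface, restore the mark on locally generated replies, and route
# marked packets through a table whose default route is the VLAN gateway.
set -eu

VLAN_IF="${VLAN_IF:-eth0.911}"    # assumed 802.1q sub-interface for VLAN 911
VLAN_GW="${VLAN_GW:-192.0.2.1}"   # assumed gateway on VLAN 911 (documentation address)
MARK="${MARK:-0x911}"             # assumed connection/firewall mark for VLAN 911
TABLE="${TABLE:-911}"             # assumed policy routing table number

# run() prints the command and executes it only when APPLY=1,
# so the rule set can be inspected or tested without iptables/root.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

vlan_reply_rules() {
  # 1. Each 802.1q tag is its own Linux interface, so "mark based on VLAN tag"
  #    becomes a match on the ingress interface. Mark the connection directly
  #    (--set-mark on CONNMARK) instead of MARK followed by --save-mark.
  run iptables -t mangle -A PREROUTING -i "$VLAN_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$MARK"
  # 2. Replies generated by this box copy the connection mark onto the packet.
  #    mangle OUTPUT runs before the fwmark re-routing check, so the mark is
  #    visible to the policy routing lookup below.
  run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
      -j CONNMARK --restore-mark
  # 3. Marked packets use a dedicated table whose default route is the
  #    VLAN 911 gateway, not the main table's default gateway on VLAN 902.
  run ip route replace default via "$VLAN_GW" dev "$VLAN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" lookup "$TABLE"
}

vlan_reply_rules
```

Forwarded (non-local) traffic would additionally need a --restore-mark rule in mangle PREROUTING, and strict rp_filter on the VLAN interface should be checked, since the kernel validates the source against the table the fwmark rule selects.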