Routing Multiple VLANs to Multiple Interfaces

heretech
Posts: 5
Joined: 2018/09/28 14:30:02
Location: Kyiv, UA

Routing Multiple VLANs to Multiple Interfaces

Post by heretech » 2018/09/28 14:50:28

I'm trying to set up a server which will be used as a router.
Trouble is, I have a number of VLANs, some of which must have a link to the Internet and a specific network (corporate resources).
In theory, there must be 3 VLANs: the 1st with access to the Internet, the 2nd to the Corporate Network, and the 3rd to both of them (Internet by default and some corporate resources). Internet is provided from NIC1, the Corporate Network from NIC2. NIC3 is used for the local network.

Here are some examples: the DHCP and VLAN interface configs.

Code:

# Internet
subnet 1.1.11.0 netmask 255.255.255.0 {
    allow client-updates;
    option domain-name-servers 1.1.11.11;
}
# Corporate
subnet 1.1.12.0 netmask 255.255.255.0 {
    allow client-updates;
    option domain-name-servers 1.1.12.12;
}
# Hybrid
subnet 1.1.13.0 netmask 255.255.255.0 {
    allow client-updates;
    option domain-name-servers 1.1.13.13;
}

Code:

VLAN_ID=11
GATEWAY=1.1.11.11
BROWSER_ONLY=no
PHYSDEV=eth0
BROADCAST=1.1.11.255
VLAN=yes
NAME=Internet
BOOTPROTO=none
TYPE=Vlan
IPV6_FAILURE_FATAL=no
DEVICE=eth0.11
NETMASK=255.255.255.0
DEFROUTE=no
IPADDR=1.1.11.10
NETWORK=1.1.11.0
ONBOOT=yes

How should I route it, especially the Hybrid connection?
Should I create NAT for the Hybrid network on both outbound interfaces?
Yeah, I know something about policy routing, but I think I'm missing something in it.

netstat -rn OUTPUT
0.0.0.0 <ISP GW ADDR> 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 <Corporate GW> 0.0.0.0 UG 0 0 0 eth1
<ISP GW Net> 0.0.0.0 255.255.255.192 U 0 0 0 eth0
<Corporate GW Net> 0.0.0.0 255.255.255.0 U 0 0 0 eth1
1.1.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.11
1.1.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.12
1.1.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2.13

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Routing Multiple VLANs to Multiple Interfaces

Post by jlehtone » 2018/10/02 11:21:15

On the logical level you have 5 subnets. (VLANs are an implementation detail.)
Three of them have private address range.
One (inet) has public address range.
(Not sure about the corp range.)

Traffic from private to public must SNAT (aka masquerade) on the outgoing interface.

You want device from subnet A to open new connection to subnet B.
The router must route / forward traffic from A to B.
The router must allow new connections from A to B. (Replies are allowed by default.)

firewalld manages NAT and filtering. The predefined zone "external" is probably a good starting point for the inet interface.

How to block routing from 1st to corp, from 2nd to inet, and from 3rd to some parts of corp ...
I bet that firewall-cmd is the tool to use, but the incantations are beyond me.

heretech
Posts: 5
Joined: 2018/09/28 14:30:02
Location: Kyiv, UA

Re: Routing Multiple VLANs to Multiple Interfaces

Post by heretech » 2018/10/02 14:01:18

Yeap.
0. Corp range is some kind of public network.

1. Private networks already have SNAT to public addresses.
2. Router already allows connections between interfaces.

(No, I have no experience with firewalld, so it's iptables for now; I'm not sure there is any difference for a router.)

Looks like I have some troubles with iproute, but I can't find where - it simply doesn't work, all traceroutes end at the router interface.

heretech
Posts: 5
Joined: 2018/09/28 14:30:02
Location: Kyiv, UA

Re: Routing Multiple VLANs to Multiple Interfaces

Post by heretech » 2018/10/04 13:05:13

Okay, here is the solution.
INTERNET WAN is configured as IP/PREFIX/GATEWAY.
CORPNET WAN is configured as IP/PREFIX - I didn't set a gateway, so our router won't get lost in its "default routes". We will use the CORPNET GATEWAY later.

And here is a script for it. Maybe it will help someone, sometime ;)

Code:

#!/bin/sh
# Policy routing: one routing table per VLAN (11 = corporate, 12 = Internet, 13 = hybrid).
# Values in angle brackets are placeholders to fill in for your own network.

# Start from empty tables so the routes below are not duplicated on a re-run
# (the ip rule entries are not flushed here, so re-running adds duplicate rules)
ip route flush cache
ip route flush table 11
ip route flush table 12
ip route flush table 13

# Table 11: corporate VLAN, default route via the corporate gateway
ip route add default via <CORPNET GATEWAY> dev <CORPNET INTERFACE> table 11
ip route add <CORPNET VLAN>/24 dev <CORPNET VLAN INTERFACE> src <CORPNET VLAN GATE> table 11
# Table 12: Internet VLAN, default route via the ISP gateway
ip route add default via <ISP GATEWAY> dev <INTERNET INTERFACE> table 12
ip route add <INTERNET VLAN>/24 dev <INTERNET VLAN INTERFACE> src <INTERNET VLAN GATE> table 12
# Table 13: hybrid VLAN, Internet by default ...
ip route add default via <ISP GATEWAY> dev <INTERNET INTERFACE> table 13
ip route add <HYBRID VLAN>/24 dev <HYBRID VLAN INTERFACE> src <HYBRID VLAN GATE> table 13

# ... plus host routes for the specific corporate resources it may reach
ip route add <CORPNET HOST 1>/32 via <CORPNET GATEWAY> dev <CORPNET INTERFACE> table 13
ip route add <CORPNET HOST 2>/32 via <CORPNET GATEWAY> dev <CORPNET INTERFACE> table 13
ip route add <CORPNET HOST 3>/32 via <CORPNET GATEWAY> dev <CORPNET INTERFACE> table 13
ip route add <CORPNET HOST 4>/32 via <CORPNET GATEWAY> dev <CORPNET INTERFACE> table 13
...

# Select the table by source subnet (outbound) and by destination subnet (return and inter-VLAN traffic)
ip rule add from <CORPNET VLAN>/24 table 11
ip rule add to <CORPNET VLAN>/24 table 11
ip rule add from <INTERNET VLAN>/24 table 12
ip rule add to <INTERNET VLAN>/24 table 12
ip rule add from <HYBRID VLAN>/24 table 13
ip rule add to <HYBRID VLAN>/24 table 13

Case is solved.
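A fuller version of the same setup, added here as an example (it is not the thread's script and was not run on the poster's network): it keeps the one-table-per-VLAN layout above but also adds the FORWARD and NAT rules jlehtone mentioned, so the filter enforces what the routing tables express (VLAN 11 Internet only, VLAN 12 corporate only, VLAN 13 Internet plus listed corporate hosts). All addresses, table numbers and the hybrid host list are constructed assumptions; interface names follow the netstat output in the thread.

```sh
#!/bin/sh
# Added example, not the thread's script. Constructed values: RFC 1918 VLAN subnets,
# documentation-range uplink addresses; eth0/eth1/eth2 as in the thread's netstat output.
ISP_IF=eth0;  ISP_GW=203.0.113.1          # NIC1: Internet uplink
CORP_IF=eth1; CORP_GW=198.51.100.1        # NIC2: corporate uplink (no default route set)
LAN_IF=eth2                               # NIC3: trunk carrying VLANs 11, 12, 13
CORP_HOSTS="198.51.100.10 198.51.100.20"  # corp resources the hybrid VLAN may reach

# DRY_RUN=1 (the default) prints each command instead of running it, for review.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# vlan_table <vlan-id> <subnet/24> <router-addr> <uplink-if> <uplink-gw>
# One routing table per VLAN, selected by ip rule on source and destination subnet.
vlan_table() {
    run ip route flush table "$1"
    run ip route add default via "$5" dev "$4" table "$1"
    run ip route add "$2" dev "$LAN_IF.$1" src "$3" table "$1"
    run ip rule add from "$2" table "$1"
    run ip rule add to "$2" table "$1"
}

setup_routes() {
    vlan_table 11 10.0.11.0/24 10.0.11.1 "$ISP_IF"  "$ISP_GW"    # Internet only
    vlan_table 12 10.0.12.0/24 10.0.12.1 "$CORP_IF" "$CORP_GW"   # corporate only
    vlan_table 13 10.0.13.0/24 10.0.13.1 "$ISP_IF"  "$ISP_GW"    # hybrid: Internet default
    for h in $CORP_HOSTS; do                                     # ... plus listed corp hosts
        run ip route add "$h/32" via "$CORP_GW" dev "$CORP_IF" table 13
    done
    run ip route flush cache
}

# The filter makes the policy enforceable: a VLAN-11 host cannot reach the corporate
# uplink even if a table is misconfigured, and the VLANs cannot talk to each other.
setup_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF.11" -o "$ISP_IF"  -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF.12" -o "$CORP_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF.13" -o "$ISP_IF"  -j ACCEPT
    for h in $CORP_HOSTS; do
        run iptables -A FORWARD -i "$LAN_IF.13" -o "$CORP_IF" -d "$h" -j ACCEPT
    done
    # SNAT (masquerade) the private VLAN sources on whichever uplink they leave through
    run iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o "$ISP_IF"  -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o "$CORP_IF" -j MASQUERADE
}

# Usage: sh vlan-router.sh (print commands) / DRY_RUN=0 sh vlan-router.sh (apply as root)
setup_routes; setup_filter
```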
