

140 posts

Master Geek
+1 received by user: 8


Topic # 160176 27-Dec-2014 09:33

I'm trying a variation of a slightly overcomplicated (but fun) network setup. I've got a Unifi AP offering two SSIDs, one on the default VLAN and the other on VLAN 2. VLAN 2 gets internet access via a VPN to the US.

If I set up a completely separate subnet etc. for VLAN 2 it's all fine - a separate DHCP server gives out a different DNS server to clients on that wifi network, so all the geolocation stuff works beautifully and everything I connect to via VLAN 2 thinks I'm in the USA.

The only pain with this is that various Apple devices won't talk to each other properly when they're not on the same subnet. So I'm trying to figure out a way to bridge the two VLANs while keeping the packets tagged in some way.

My first attempt didn't really work. I added VLAN 2 to the main bridge, and added a bridge NAT (dstnat chain) that marks packets originating from the VLAN as "mark-us". Then in the IP firewall I've got a mangle rule which picks up all the mark-us packets and adds a "strongvpn" routing mark. The IP firewall NAT has a rule to masquerade strongvpn to the VPN. Additionally, I've got two NAT rules which look for routing mark strongvpn and change the TCP & UDP to-address fields from the local router to the VPN service's DNS server.

One of the notable effects of all this was a very slow network, which I guess means I've made packets go flooding around the place.

Any thoughts on how to achieve this?

1231 posts

Uber Geek
+1 received by user: 152


  Reply # 1204414 27-Dec-2014 10:26

Sounds a bit over complicated - my MikroTik has 2 wifi SSIDs - 2 DHCP servers - one dishes out the DNS of the router, the other the DNS of the unblock service.

You shouldn't need to add a routing mark to get the 2 internal networks to see each other - just add a static route.



140 posts

Master Geek
+1 received by user: 8


  Reply # 1204418 27-Dec-2014 10:29

Routing works fine but e.g. iTunes home sharing won't function across subnets, which is one of the main things I want. I can put my media server on both VLANs but the iOS Remote app won't work unless I switch wifi networks… hence the attempt to do something a bit craftier.

1231 posts

Uber Geek
+1 received by user: 152


  Reply # 1204419 27-Dec-2014 10:31

Yep, a static route between subnets as mentioned above should sort it.

3589 posts

Uber Geek
+1 received by user: 1320

Subscriber

  Reply # 1204420 27-Dec-2014 10:32

Quote: "So I'm trying to figure out a way to bridge the two VLANs while keeping the packets tagged in some way."

That goes against what a VLAN actually is though. They are isolated broadcast domains, so trying to bridge them screws that up.

I'm not sure what devices you have that you want to go out via the VPN (whether they are phones, laptops etc., or stuff like Roku, Chromecast etc.). I have my Raspberry Pis and Chromecast (there are only 3 of them) all set on static DHCP leases, then just a simple mangle rule for each one to give it a routing mark. Then just the associated routes and masquerade rules and they all head out over the VPN.



140 posts

Master Geek
+1 received by user: 8


  Reply # 1204422 27-Dec-2014 10:35

The main things are Apple TVs, so the static DHCP would work for them. I wanted the separate VLAN & SSID so I could e.g. log in to Netflix on my laptop by just choosing the US wifi network. But I guess I should just keep the Apple TVs on the main VLAN and configure the routing & DNS for them, and keep the separate wifi network for Netflix admin etc.

6312 posts

Uber Geek
+1 received by user: 293

Trusted
Subscriber

  Reply # 1204423 27-Dec-2014 10:35
2 people support this post

Hi, I suspect your problem is a lack of Bonjour services; this is what Apple uses to advertise various services. Typically to get around this we use a Bonjour Gateway; our main wireless vendors (Aerohive and Ruckus) both support this. Bonjour is a multicast DNS type service that is not intended to route, i.e. it is intended to only survive in a single L2 network, hence a gateway to bridge networks is required.

Cyril

27065 posts

Uber Geek
+1 received by user: 6508

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1204529 27-Dec-2014 15:40

If you want to bridge two different VLANs you'll need to set a horizon - set this to (say) 1 for each member of the bridge.

That's not going to help with your problem though; Bonjour simply isn't supposed to work the way you want it to.



3234 posts

Uber Geek
+1 received by user: 632

Trusted

  Reply # 1205200 28-Dec-2014 23:39
One person supports this post

Although I am not an expert on MikroTik, I would do it this way:

Create a routing rule so that any clients from x.x.x.2-x.x.x.50 get routed out to the internet as per normal, and x.x.x.51-x.x.x.60 get routed out via the VPN.
Create two DHCP pools of the same IP address ranges - less a few in each.

Then just use DHCP reservations so that certain computers or devices can default to being assigned in a specific pool.

On your computer, use the DHCP client to let it fall into the correct pool, or manually set an IP address in the alternate routing range, but not in the alternate DHCP pool.

So for example, a computer can join the network and be issued 192.168.1.20, which is a normal routing source.
If you wanted to suddenly start running via the VPN, open the control panel and assign its network interface a manual IP of 192.168.1.59, which is a source for VPN routing.
If you always wanted it to route via the VPN, put it in the 50-56 pool of IP addresses by means of a DHCP reservation and the routing rules will always VPN it - then you could temporarily reverse it with a manual IP in the non-VPN routed range.

Meanwhile both a non-VPN computer of 192.168.1.25 and a VPN computer of 192.168.1.53 can still talk directly to each other at layer 2 and establish a Bonjour / iTunes streaming session.

Instead of using the control panel to manually set a temporary IP address on your computer, you can use a network profile switching application where you can create a static IP profile and a DHCP client profile and switch between them with just two clicks of a task tray icon.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here
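The source-address policy routing Ray describes above, written out as a RouterOS v6 configuration (added example, not configuration posted by anyone in this thread). It assumes the LAN bridge is named bridge-local, the VPN tunnel interface is named strongvpn (the routing mark the original poster already uses), and 203.0.113.53 is a placeholder for the VPN provider's DNS server; the MAC address of the Apple TV is constructed.

```routeros
# One subnet, one DHCP server: normal clients draw from .2-.49,
# devices that should always use the VPN get static leases in .51-.56
# (the .57-.60 gap is left for hand-assigned "temporary VPN" addresses).
/ip pool
add name=pool-normal ranges=192.168.1.2-192.168.1.49
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dhcp-server
add name=dhcp-lan interface=bridge-local address-pool=pool-normal disabled=no
/ip dhcp-server lease
# constructed MAC: the Apple TV is reserved an address in the VPN range
add address=192.168.1.53 mac-address=02:00:00:AA:BB:01 server=dhcp-lan \
    comment="Apple TV - always routed via VPN"

# Mark only traffic that leaves the LAN. Traffic between 192.168.1.25 and
# 192.168.1.53 never reaches this rule: it is switched at layer 2 on the
# bridge, which is why Bonjour/iTunes still works between the two groups.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.51-192.168.1.60 \
    dst-address=!192.168.1.0/24 action=mark-routing \
    new-routing-mark=strongvpn passthrough=no comment="VPN source range"

# Marked packets use their own default route via the tunnel; everything
# else keeps the main table and the normal ISP gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=strongvpn routing-mark=strongvpn \
    comment="default route for VPN-marked traffic"

/ip firewall nat
# Hide the VPN group behind the tunnel address.
add chain=srcnat out-interface=strongvpn action=masquerade
# Redirect the VPN group's DNS queries to the provider's resolver so the
# geolocation answers match the VPN exit (placeholder DNS address).
add chain=dstnat src-address=192.168.1.51-192.168.1.60 protocol=udp \
    dst-port=53 action=dst-nat to-addresses=203.0.113.53
add chain=dstnat src-address=192.168.1.51-192.168.1.60 protocol=tcp \
    dst-port=53 action=dst-nat to-addresses=203.0.113.53
```

If the tunnel goes down, traffic from the marked range falls back to the main table in RouterOS v6; add a blackhole route with routing-mark=strongvpn and a higher distance if you would rather it fail closed than leak via the ISP.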



