I spent several hours today figuring out/implementing this and I suspect that someone will find it handy (especially me a year from now).
Here is the situation: my employer provides us teleworkers these awesome little Aruba RAP3 remote access points (hardware VPN, essentially). But I wanted to use a VM rather than a physical machine, and that VM's host (a laptop) must not connect to the VPN itself, just the VM. I also wanted to be able to use this laptop from any of my LAN drops or via WiFi and still have the VM connect to the VPN.
So what I decided I would do is place the VM and the RAP's LAN port in a VLAN together, essentially creating a "dual WAN" situation. Devices in the new VLAN will get DHCP and VPN WAN from the RAP... while all other devices use the router's DHCP and WAN connection.
My N66u is wired like this:
WAN -> ISP
Port 1 -> External Switch (unmanaged)
Port 2 -> External Switch (managed)
Port 3 -> Aruba RAP WAN port
Port 4 -> Aruba RAP LAN port
As you can see, both of the RAP ports are connected to my N66u; however, Port 4 is on a separate VLAN, so there isn't some crazy loop created.
First I SSH'd into my router and ran the following command to view the existing VLANs and port assignments:
Code:
admin@router:/tmp/home/root# robocfg show
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: redacted
Port 1: 100FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u
Then I removed port 4 from VLAN 1 and created vlan101 with the following commands:
Code:
admin@router:/tmp/home/root# robocfg vlan 1 ports "1 2 3 8t"
admin@router:/tmp/home/root# robocfg vlan 101 ports "1t 2t 3t 4 8t"
admin@router:/tmp/home/root# robocfg show
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: redacted
Port 1: 100FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
Port 4: 100FD enabled stp: none vlan: 101 jumbo: off mac: redacted
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: redacted
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 8t
2: vlan2: 0 8u
101: vlan101: 1t 2t 3t 4 8t
Once I did that, I needed to add the VLAN to the ethernet interface and bring it up with:
Code:
admin@router:/tmp/home/root# vconfig add eth0 101
admin@router:/tmp/home/root# ifconfig vlan101 up
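The post ends the router side with three one-off commands that are lost on reboot. The following is an added example (my own script, not from the original post): an idempotent boot script that re-applies the same robocfg/vconfig commands and then verifies that port 4 is actually isolated from VLAN 1, which is the property that keeps the RAP's LAN side out of the home LAN. It assumes a firmware that runs /jffs/scripts/services-start at boot (e.g. Asuswrt-Merlin); the parsing and verification functions run on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent boot script that
# re-applies the VLAN 101 split from the post and then verifies that port 4
# (the RAP LAN port) really is isolated from VLAN 1. Assumes a firmware that
# runs /jffs/scripts/services-start at boot (e.g. Asuswrt-Merlin) and the same
# robocfg/vconfig commands shown in the post.

VPN_VLAN=101
VPN_PORT=4

# Print the port list of VLAN $1 from `robocfg show` text given on stdin,
# e.g. "1t 2t 3t 4 8t" for the line "101: vlan101: 1t 2t 3t 4 8t".
vlan_ports() {
    sed -n "s/^ *$1: vlan$1: *//p"
}

# Succeed (exit 0) only if port $2 is an UNTAGGED member of port list $1;
# a tagged member ("4t") deliberately does not count.
has_untagged_port() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Succeed when the switch matches the wanted state: port 4 untagged in
# VLAN 101 and not in VLAN 1 (so the RAP LAN is not bridged into the home LAN).
vlan_state_ok() {
    v1ports=$(printf '%s\n' "$1" | vlan_ports 1)
    vpnports=$(printf '%s\n' "$1" | vlan_ports "$VPN_VLAN")
    has_untagged_port "$vpnports" "$VPN_PORT" || return 1
    has_untagged_port "$v1ports" "$VPN_PORT" && return 1
    return 0
}

apply_vlans() {
    robocfg vlan 1 ports "1 2 3 8t"
    robocfg vlan "$VPN_VLAN" ports "1t 2t 3t 4 8t"
    vconfig add eth0 "$VPN_VLAN" 2>/dev/null || true   # already present on re-run
    ifconfig "vlan$VPN_VLAN" up
}

# Only touch the switch on the router itself; the parsing/verification
# functions above also run on any POSIX shell with constructed robocfg text.
if command -v robocfg >/dev/null 2>&1; then
    vlan_state_ok "$(robocfg show)" || apply_vlans
    vlan_state_ok "$(robocfg show)" \
        || logger -t vlan-setup "WARNING: port $VPN_PORT still not isolated from VLAN 1"
fi
```

Because the script checks before it changes anything, it is safe to run on every boot; the logger line gives a syslog entry you can watch for if the isolation check ever fails after a firmware update.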
At this point, the router configuration was complete for wired networking. All I had to do then was enable vlan101 tagging on all the ports of my managed switch and I was ready to test.
I set the VLAN ID on one of my corporate devices to 101 and it pulled an IP address and connected to the corporate VPN via the RAP beautifully. But then I hit the snag that cost most of my time... I couldn't get my VMs to work.
First of all, the default Windows Intel e1000e NIC driver in VMware Workstation 12 did not include an advanced option for VLAN tagging. This was resolved by switching to the (arguably better) vmxnet3 para-virtualized NIC. To do this, I shut down the VM and modified the .vmx file for my VM to change ethernet0.virtualDev to read:
Code:
ethernet0.virtualDev = "vmxnet3"
Once I booted the VM back up, I was able to set the VLAN ID to 101; however, it still wouldn't pull an IP.
After several hours of troubleshooting and finding page after page telling me that VMware Workstation does not support VLANs on bridged virtual adapters, I discovered the solution. All I had to do was disable support for VLANs on my host's adapter:
Apparently, having Priority & VLAN enabled caused the host's adapter to discard any return packets for VLAN101 (since the host wasn't on that VLAN). By disabling VLAN support, the host adapter no longer dropped the packets; it just ignored them, and the VM received the tagged packet.
I will finish this journal tomorrow, once I add support for the VLAN over wireless and have created a startup script to have the router settings persist through a reboot.