Debian VLAN

• Versão avaliada: Debian 11 Bullseye

• Versão avaliada: Debian 12 Bookworm

• Instale as dependências

# apt install vlan isc-dhcp-server net-tools dnsutils psmisc netcat logrotate binutils nftables

• Na versão Bookworm

# apt install vlan isc-dhcp-server net-tools dnsutils psmisc netcat-traditional logrotate binutils nftables

•  Suba o módulo 802.1q

# modprobe 8021q

• Criar rotas de rede

# echo "500     firsttable" | tee -a /etc/iproute2/rt_tables

# echo "501     secondtable" | tee -a /etc/iproute2/rt_tables

• Configurar sysctl

# echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.d/local.conf

# echo "net.ipv4.conf.all.arp_filter = 0" | tee -a /etc/sysctl.d/local.conf

# echo "net.ipv4.conf.all.rp_filter = 2" | tee -a /etc/sysctl.d/local.conf

# sysctl -p /etc/sysctl.d/local.conf

Rever:  OU aqui /etc/sysctl.conf    OU aqui /etc/sysctl.d/99-sysctl.conf

• Configurar as interfaces

# vi /etc/network/interfaces

allow-hotplug eth0

#iface eth0 inet dhcp

iface eth0 inet static

address 192.168.1.109/24

getaway 192.168.1.254

dns-nameservers 192.168.1.254 1.1.1.1 8.8.8.8 9.9.9.9

# VLAN_255

auto eth0.255

iface eth0.255 inet static

address 10.0.0.1/24

#vlan-raw-device eth0    <- Opcional se a interface vlan for eth0.255

# VLAN_300

auto eth0.300

iface eth0.300 inet static

address 172.17.0.1/29

# VLAN_301

auto eth0.301

iface eth0.301 inet static

address 172.18.0.1/29

• Subir as interfaces (Opcional)

# ifup eth0.255 && ifup eth0.300 && ifup eth0.301

• Libere as interfaces que tera o serviço DHCP Server

# vi /etc/default/isc-dhcp-server 

INTERFACESv4="eth0.255 eth0.300 eth0.301"

• Configurarção do DHCP Server

# vi /etc/dhcp/dhcpd.conf

# VLAN_255

subnet 10.0.0.0 netmask 255.255.255.0 {

authoritative;

range 10.0.0.70 10.0.0.99;

option subnet-mask 255.255.255.0;

option broadcast-address 10.0.0.255;

option routers 10.0.0.1;

option domain-name-servers 1.1.1.1,8.8.8.8,9.9.9.9;

#option domain-name "local.matrix";

default-lease-time 600;

max-lease-time 7200;

}

# VLAN_300

subnet 172.17.0.0 netmask 255.255.255.248{

   pool{

      range 172.17.0.3 172.17.0.6;

   }

   option subnet-mask 255.255.255.248;

   option broadcast-address 172.17.0.7;

   option routers 172.17.0.1;

   option domain-name-servers 1.1.1.3,9.9.9.11;

   default-lease-time 600;

   max-lease-time 7200;

}

# VLAN_301

subnet 172.18.0.0 netmask 255.255.255.248{

   pool{

      range 172.18.0.3 172.18.0.6;

   }

   option subnet-mask 255.255.255.248;

   option broadcast-address 172.18.0.7;

   option routers 172.18.0.1;

   option domain-name-servers 1.1.1.3,9.9.9.11;

   default-lease-time 600;

   max-lease-time 7200;

}

Nota: Conforme a configuração da subnet é configurado para a porta Ethernet

• Reiniciar

# reboot

• Configurar NAT

NFTABLES

# systemctl enable nftables.service && systemctl restart nftables.service

# nft add table nat

# nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'

# nft add rule nat postrouting oifname eth0 ip saddr 10.0.0.0/24 counter masquerade

# nft add rule nat postrouting oifname eth0 ip saddr 172.17.0.0/29 counter masquerade

# nft add rule nat postrouting oifname eth0 ip saddr 172.18.0.0/29 counter masquerade

• Ou edite o arquivo 

# vi /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

chain input {

#type filter hook input priority 0;

         type filter hook input priority 0; policy drop;

         ct state invalid counter drop

         icmp type timestamp-request counter drop

         ct state {related,established} counter accept         

         iifname "lo" counter accept

     # REGRAS ADICIONAIS

     iifname eth0 ip saddr 192.168.1.0/24 tcp dport 22 ct state new,established counter accept

        counter drop

}

chain output {

#type filter hook output priority 0;

         type filter hook output priority 0; policy drop;

         ct state invalid counter drop

         icmp type timestamp-request counter drop

         ct state {related,established} counter accept         

         oifname "lo" counter accept

     # REGRAS ADICIONAIS

     oifname {eth0} udp dport {domain,ntp} counter accept 

     oifname eth0 tcp dport {http,https} counter accept 

    oifname {eth0} ip protocol icmp ip daddr 0.0.0.0/0 counter accept

         counter drop

}

chain forward {

#type filter hook forward priority 0;

         type filter hook forward priority 0; policy drop;

         ct state invalid counter drop

         icmp type timestamp-request counter drop

         ct state {new,related,established} counter accept         

     # REGRAS ADICIONAIS

         counter drop

}

}

table ip nat {

chain postrouting {

type nat hook postrouting priority srcnat; policy accept;

oifname eth0 ip saddr 10.0.0.0/24 counter masquerade

oifname eth0 ip saddr 172.17.0.0/29 counter masquerade

oifname eth0 ip saddr 172.18.0.0/29 counter masquerade

}

}

• Testes

# ping -I eth0.255 8.8.8.8

# tail -f -n 40 /var/log/syslog

# dhcpd -t    <- testa

# cat /var/lib/dhcp/dhcpd.leases

# ip r