Multiple wpa_supplicants/dhclients for multiple vlan network

magnum

Member
Aug 31, 2021
42
0
11
35
tl;dr: How to get multiple wpa_supplicants and dhclient on different nics in different vlan running on debian_bulls/proxmox7?
Ive been browsing and wasn't able to find a proper answer. I have this issue with being in 8021x WPA Network in our research lab.
The network consists of 3 VLAN:
  • W0 - Worker with Authentication at Proxy for internet, usage of local
  • W1 - Worker with Authentication through realm (e.g. user@building-w1.work.com)
  • Wifi - not necessary in our case right now.
Each building has its own router and switch. Each user is bound to his building.
In the Laboratory there is a server which hosts proxmox and serves many vm. The server is sitting in Lab and usually i sit in Building B. This is important since i do something called realm authentication from LAB-W1 into B-W1 to have my server logically accessible from my workplace and home. The MAC Adresses are registered by the admins. If the auth fails the fallback is being registered at w0 proxy level, which is also ok for me
It has multiple network interfaces connected to 3 Ports:
  • One for B-W1,
  • One for Robotic-Network 172.31.1.x... (kuka, siemens, Universal Robot, etc..),
  • One for LAB-W1
  • (one for management network - only local)
The server has some dhcp issues right now and i want to have a backup ip through which i can reach it in case something is not right. The idea is to go and start another wpa_supplicant on B-W1 and same authentication for LAB-W1.
I'm not sure (other sysadmins do also not know or dont have time) how to do it and i cant have much downtime now so i need some advice

Bash:
auto lo
iface lo inet loopback

iface eno2 inet manual

auto eno1
iface eno1 inet static
        hwaddress ac:1f:6b:e9:6e:56
# assign virtual FAKE MAC to avoid duplicate dhcp request

auto vmbr1
iface vmbr1 inet dhcp
        hwaddress ac:1f:6b:e9:7e:56
        pre-up /etc/network/preup.sh
        post-down /etc/network/postdown.sh
        bridge-ports eno1
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p tcp -m multiport ! --dport 80,443,22,8006 -j DNAT --to 192.0.0.2
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p udp -j DNAT --to 192.0.0.2

# b-w1, assigning the original NIC ENO1 MAC.
# Open firewall for all ports except 22 and 8006. April2022: 80 and 443 for nginx baremetal.
# open all udp ports to pfsense

auto enx00e04c680542
iface enx00e04c680542 inet manual
        altname eno3
# USB NIC for vmbr3 LAB-W1

auto vmbr3
iface vmbr3 inet dhcp
        hwaddress ac:1f:6b:e9:7e:73
        bridge-ports enx00e04c680542
        bridge-stp off
        bridge-fd 0
    # LAB-W1 Bridge

auto vmbr2
iface vmbr2 inet static
        address 172.31.1.25/16
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
        hwaddress ac:1f:6b:e9:7f:60
# robonet, local access via eno2. NAT forwarding then comes via the Pfsense


auto vmbr100
iface vmbr100 inet static
        address 192.0.0.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        hwaddress ac:1f:6b:e9:7f:61
        post-up   iptables -t nat -A POSTROUTING -s '192.0.0.0/30' -o vmbr1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.0.0.0/30' -o vmbr1 -j MASQUERADE

# firenet bridge to firewall and only for communication from server to firewall with NAT and PAT

Here is my supplicant configuration:


Bash:
~# cat wpasupp.conf
ctrl_interface=/run/wpa_supplicant
#ctrl_interface_group=wheel
ctrl_interface_group=root

eapol_version=2
fast_reauth=0
ap_scan=0

network={
        disabled=1
        ssid="current lan"
        key_mgmt=NONE
}

network={

        disabled=0
        ssid="work-w1"
        key_mgmt=IEEE8021X
        eapol_flags=2
        phase2="auth=MSCHAPV2"
        eap=TTLS
        anonymous_identity="anonymous@work.com"
        identity="myuser@building-w1.work.com"
        password=hash:blabla
        ca_cert="mycert"
        subject_match="/CN=radius1.work.com"
}

Hardware: Supermicro Super Server/H11SSL-i, AMD EPYC 7302P 16-Core Processor, OnBoard NIC for B-W1, RoboNet and mgmt.., USB NIC (to Try-Out) afaik realtek chip



posted here as well:
https://superuser.com/questions/1719485/multiple-wpa-supplicants-dhclients-for-multiple-vlan-network
 
I dug in the documentation and found a good configuration...


zless /usr/share/doc/wpa_supplicant/README.gz

Now i have made my preup.sh like this but wpa_supplicant wont start.. I have to dig it more
Bash:
# cat /etc/network/preup.sh
#!/bin/sh
# Debugging
wpa_supplicant \
        -c /etc/wpa_supplicant/wpasupp_eit.conf -i vmbr1 -D wired -f /var/log/wpasupplicant_eit_vmbr1.log -N \
        -c /etc/wpa_supplicant/wpasupp_iras.conf –i vmbr3 –D wired -f /var/log/wpasupplicant_iras_vmbr3.log \

# Production
# wpa_supplicant -B -D wired -i eno0 -c /etc/wpa_supplicant_eno0.conf -f /var/log/wpa_supplicant.log
# sleep 5
dhclient -r vmbr1 vmbr3
dhclient vmbr1 vmbr3
 
Ok found the way to do it :


Bash:
auto vmbr1
iface vmbr1 inet dhcp
        hwaddress ac:1f:6b:e9:7e:56
        wpa-conf /etc/wpa_supplicant/wpasupp.conf
        wpa-driver wired
        wpa-logfile /var/log/eit-wpa.log
        wpa-debug-level 2
        #pre-up /etc/network/preup.sh
        #post-down /etc/network/postdown.sh
        bridge-ports eno1
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p tcp -m multiport ! --dport 80,443,22,8006 -j DNAT --to 1>
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p udp -j DNAT --to 192.0.0.2

auto vmbr3
iface vmbr3 inet dhcp
        hwaddress ac:1f:6b:e9:7e:73
        #hwaddress ac:1f:6b:e9:7e:58
        wpa-conf /etc/wpa_supplicant/wpa_iras.conf
        wpa-driver wired
        wpa-logfile /var/log/iras-wpa.log
        wpa-debug-level 2
        bridge-ports enx00e04c680542
        bridge-stp off
        bridge-fd 0


Only missing thing is dhclient seems not to work properly on both.. vmbr3 does not get, but i assume this is not my issue...
Nevertheless, vmbr1 keeps losing the lease or atleast the connection.. Every now and then the handshake is repeated, but dhcp server is blocking me until i ask for dhcp one more time..




Bash:
> interface vmbr3
Connected to interface 'vmbr3.
> status
bssid=01:80:c2:00:00:03
freq=0
ssid=iras
id=1
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
address=ac:1f:6b:e9:7e:73
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)

> interface vmbr1
Connected to interface 'vmbr1.
> status
bssid=01:80:c2:00:00:03
freq=0
ssid=eit
id=1
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
ip_address=10.152.32.76
address=ac:1f:6b:e9:7e:56
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
....

>
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!