
Enabling Raspberry Pi vLAN Tagging


Back in December 24, I put together an article on installing and configuring a Raspberry Pi and Pi-Hole. It’s over here if you’re curious: https://www.tenaka.net/post/pi-hole-ad-blocker-setup.


The initial deployment was a straightforward dual-Pi setup on a flat 192.168.0.0/24 network. It was simple to manage and, at the time, I was content relying on the existing Windows security and Firewall controls to protect the domain-joined systems.


However, as the network footprint expanded, with an increasing number of Internet-facing devices and other less-trustworthy endpoints, "stuff" made East of where I live, the risk profile changed significantly.


Relying on a flat topology became untenable, and the lack of segmentation started to feel like an open invitation for lateral movement. It was clear the convenience trade-off had reached its limit.


So I decided to implement a vLAN or 2. Let me provide a very basic explanation of vLANs.


VLAN (Virtual LAN)

  • A VLAN (Virtual LAN) is a logical segmentation of a network at Layer 2 that allows you to group devices as if they were on separate physical networks, even if they share the same switch or cable.


  • By isolating traffic between VLANs, the broadcast domains are reduced and lateral movement is limited, improving both performance and security.


  • Communication between VLANs requires routing, typically through a Layer 3 switch and, in my case, a new pfSense firewall, giving control over the ports and IPs that can communicate.


That covers the why, but not the how, specifically how I got VLAN tagging working on the Raspberry Pis. On Windows, it’s pretty much a checkbox and you're done. On Raspbian? Yeah... not quite that simple.


Before bashing the keyboard, PiHole is at version 6.0.6, installed on Raspberry Pi 4s with 4GB RAM, with Raspbian being at version 6.6 plus all the latest updates. IP addresses are DHCP assigned and then reserved.


Install the latest updates and then the vlan package.

sudo apt update
sudo apt install vlan

Load the 8021q kernel module, which is essential for enabling VLAN tagging on network interfaces.

sudo modprobe 8021q
echo "8021q" | sudo tee -a /etc/modules

Define how the VLAN interface is configured. VLAN_ID is a placeholder for the VLAN's numeric ID.

sudo nano /etc/systemd/network/25-vlan.network

[Match]
Name=eth0.VLAN_ID

[Network]
DHCP=yes

This file instructs systemd-networkd how to create and manage the VLAN interface.

sudo nano /etc/systemd/network/25-vlan.netdev

[NetDev]
Name=eth0.VLAN_ID
Kind=vlan

[VLAN]
Id=VLAN_ID

Update the VLAN tagging on the network switch that the Pis are plugged into.


Restart the network interface.

sudo systemctl restart networking
sudo systemctl status networking

Confirm the IP has updated from 192.168.0.70 to 192.168.10.70.

ip addr show

Finally, I updated the Domain Controller's DNS Forwarders to point to the new addresses.
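A pre-flight check for the two systemd-networkd files above, as an added example that is not part of the original post: it catches a VLAN_ID placeholder left unfilled, an Id outside 1-4094, and a .netdev/.network pair whose names do not match. The function names are hypothetical, and the last check assumes eth0's own .network file attaches the VLAN with a VLAN= line in its [Network] section, which the steps above do not show.

```shell
#!/bin/sh
# Added example (not from the original post): lint the systemd-networkd files
# for one VLAN interface. Usage: check_vlan DIR IFNAME
#   e.g. check_vlan /etc/systemd/network eth0.10

# Print the first "KEY=value" value in FILE (assumes no spaces around "=").
get_key() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Succeed if any .network file in DIR contains the exact line given.
has_line() { grep -qxF -- "$2" "$1"/*.network 2>/dev/null; }

check_vlan() {
    dir=$1; ifname=$2; netdev=""; rc=0
    # Locate the .netdev that declares this interface name.
    for f in "$dir"/*.netdev; do
        if [ -f "$f" ] && [ "$(get_key "$f" Name)" = "$ifname" ]; then netdev=$f; fi
    done
    if [ -z "$netdev" ]; then
        echo "FAIL: no .netdev declares Name=$ifname"; return 1
    fi
    if [ "$(get_key "$netdev" Kind)" != "vlan" ]; then
        echo "FAIL: $netdev is not Kind=vlan"; rc=1
    fi
    id=$(get_key "$netdev" Id)
    case $id in
        ''|*[!0-9]*) echo "FAIL: Id='$id' is not a number (placeholder left in?)"; rc=1 ;;
        *)  if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
                echo "FAIL: Id=$id is outside 1-4094"; rc=1
            fi
            # Convention used on this page: interface name ends in ".<Id>".
            if [ "${ifname##*.}" != "$id" ]; then
                echo "WARN: name $ifname does not end in .$id"
            fi ;;
    esac
    # The VLAN interface needs its own .network (addressing) ...
    has_line "$dir" "Name=$ifname" || { echo "FAIL: no .network matches Name=$ifname"; rc=1; }
    # ... and the parent's .network must attach it with VLAN=<name> (assumption, see lead-in).
    has_line "$dir" "VLAN=$ifname" || { echo "FAIL: no parent .network has VLAN=$ifname"; rc=1; }
    return $rc
}
```

Run it against /etc/systemd/network before restarting the network; a non-zero exit status means at least one FAIL line was printed.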

