Synology DS918+ on multiple subnets/VLANs – overloaded NIC / Open vSwitch

Preamble
My aim was to introduce some security into my home network by using subnets and VLANs. The issue is that I wanted to make my main fileserver accessible on each network, preferably without going via the router. Going via the router, rather than directly, puts load on the router for no reason.

Solution
Initially I used the excellent solution at http://www.mybenke.org/?p=2373. This works well for bonds or single connections.

However, as I began experimenting with virtual machines/Docker I realised I had to enable Open vSwitch in order to route to the internal virtual machine/Docker bridge. Turning on Open vSwitch means the physical NICs become ports of a software switch (the ovs_* bridges) and the IP configuration moves onto those bridges, so the overloading of the cards set up as before needs some tweaking to get it to work.
These links were useful but ultimately don't provide a solution.
https://forum.synology.com/enu/viewtopic.php?t=141679
https://forum.synology.com/enu/viewtopic.php?t=133189

The issues are:
1) They talk about bonding via the command line, but I only have 2 Ethernet connections, so once half the setup is done I would lose connection.
2) The overloading doesn't survive a reboot.

I found you CAN create the bond/Open vSwitch setup via the GUI, and doing the above still works.

However, having done this, it doesn't survive a reboot. To make it persist you need to modify /etc/rc.network, the script that brings the ovs_* bridges up at boot. Add the following helper, which reads an interface's ifcfg file and reports whether it is a VLAN child (OVS_PARENT set) rather than a bridge over a physical NIC or bond:

is_ovs_child_interface ()
{
    # Returns 0 if the ifcfg file for interface $1 names an OVS_PARENT,
    # i.e. $1 is a VLAN child riding on another ovs_* bridge rather than
    # a bridge over a physical NIC or bond. Sourcing the file also leaves
    # OVS_PARENT and OVS_VLAN_ID set for the caller.
    unset OVS_PARENT
    local ifconfigFile="/etc/sysconfig/network-scripts/ifcfg-$1"
    if ! source "$ifconfigFile" ; then
        return 1
    fi

    if [ -n "$OVS_PARENT" ]; then
        return 0
    fi

    return 1
}

And change activate_ovs as below. It does work, but note it's a little broken as it generates an ovs_ovs_ovs_ovs… file in the network directory. I didn't bother to fix it.

activate_ovs ()
{
    [ $# -ne 0 ] || return

    if ! is_ovs_enable; then
        return 0
    fi

    # If the external interface has been removed, drop the ovs bridge, its
    # ifcfg file and its line in ovs_interface.conf. A VLAN child has no
    # entry of its own in /proc/net/dev, so it is exempt from this clean-up.
    local tmpdev
    tmpdev=`/bin/grep -v ovs /proc/net/dev | /bin/grep "${1##ovs_}"`
    if [ -z "$tmpdev" ] && ! is_ovs_child_interface "$1" ; then
        ovs-vsctl del-br "$1"
        sed -i.bak "/${1##ovs_}/"d /usr/syno/etc/synoovs/ovs_interface.conf
        rm "/etc/sysconfig/network-scripts/ifcfg-$1"
        return 0
    fi

    ifconfigFile="/etc/sysconfig/network-scripts/ifcfg-$1"
    if ! source "$ifconfigFile" ; then
        return
    fi

    check_exist_ovs "$1"
    if is_ovs_child_interface "$1" ; then
        # VLAN child: a "fake bridge" on OVS_PARENT whose traffic is tagged
        # with OVS_VLAN_ID (ovs-vsctl add-br <child> <parent> <vlan>).
        /bin/ovs-vsctl add-br "$1" "$OVS_PARENT" "$OVS_VLAN_ID"
    else
        # Ordinary bridge that gets the physical NIC/bond as a port below.
        /bin/ovs-vsctl add-br "$1"
    fi
    set_ovs_mac_address "$1"

    # Enslave every interface whose ifcfg says BRIDGE=<this bridge>.
    for device in `grep -l "^BRIDGE=$1$" /etc/sysconfig/network-scripts/ifcfg-*` ; do
        DEVICE=`basename ${device} | cut -d '-' -f 2`
        # Config bridge of wlan in /etc/hostapd/hostapd.conf and controlled by hostapd (activate_ap)
        find=`echo "${DEVICE}" | grep -c wlan`
        if [ $find -eq 1 ]; then
            # only wired interface will be added to bridge as a slave
            # wlan interface should be handled by synowifid
            continue
        fi
        # The IP address lives on the bridge, not on the slave NIC.
        $SYNONET --set_ip -4 $DEVICE flush
        /sbin/ifconfig $DEVICE up
        echo 1 > /proc/sys/net/ipv6/conf/${DEVICE}/disable_ipv6
        /bin/ovs-vsctl add-port "$1" ${DEVICE}

        # Set MTU
        MTU_VALUE=`get_mtu_value ${DEVICE}`
        MTU="" ; [ -n "${MTU_VALUE}" ] && MTU="mtu ${MTU_VALUE}"
        ifconfig ${DEVICE} ${MTU}
    done

    start_ovs_vlan "$1" "$ifconfigFile"
    setup_ovs_default_flow "$1"

    /sbin/ip link set dev "$1" up

    return 0
}
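As an added example (not from the original post and not Synology's code), here is a small script that does by hand, for one VLAN, what the patched activate_ovs does at boot: it writes the ifcfg file carrying the OVS_PARENT and OVS_VLAN_ID keys that is_ovs_child_interface looks for, and prints (or, with APPLY=1, runs as root) the ovs-vsctl fake-bridge and ifconfig commands. OVS_PARENT, OVS_VLAN_ID and the network-scripts directory come from the rc.network code above; the ovs_<parent>.<vlan> naming, the other ifcfg keys and the script name are my assumptions about the DSM layout, so check them against an existing ifcfg-ovs_* file on your box before applying. It also checks that IPv4 forwarding is off, because a NAS with a leg in every VLAN would otherwise quietly undo the segmentation it was meant to respect.

```sh
#!/bin/sh
# Added example, not from the original post or from Synology. Stages a VLAN
# "fake bridge" on an existing DSM Open vSwitch bridge and writes the ifcfg
# file that the patched is_ovs_child_interface() in /etc/rc.network reads.
# Assumptions: ovs_<parent>.<vlan> naming, the ifcfg keys other than
# OVS_PARENT/OVS_VLAN_ID, and the default SCRIPTS_DIR.
#
# Usage (default is a dry run that only prints the commands):
#   sh mk_ovs_vlan.sh ovs_bond0 20 192.168.20.5 255.255.255.0
#   APPLY=1 sh mk_ovs_vlan.sh ovs_bond0 20 192.168.20.5 255.255.255.0

SCRIPTS_DIR="${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}"

# Name of the fake bridge for VLAN $2 on parent bridge $1 (assumed scheme).
child_name() {
    printf 'ovs_%s.%s\n' "${1#ovs_}" "$2"
}

# Print a command line, or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Write ifcfg-<child> into dir $1 for parent $2, VLAN $3, IP $4, netmask $5.
# Prints the path of the file written.
write_vlan_ifcfg() {
    local dir=$1 parent=$2 vlan=$3 ip=$4 mask=$5
    local child
    child=$(child_name "$parent" "$vlan")
    # OVS_PARENT and OVS_VLAN_ID are what the patched rc.network reads;
    # the remaining keys follow the usual ifcfg layout (assumed for DSM).
    cat > "$dir/ifcfg-$child" <<EOF
DEVICE=$child
BOOTPROTO=static
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
OVS_PARENT=$parent
OVS_VLAN_ID=$vlan
EOF
    printf '%s\n' "$dir/ifcfg-$child"
}

# The runtime steps activate_ovs performs for a VLAN child: create the fake
# bridge (frames leaving it are tagged with the VLAN) and put the IP on it.
vlan_bridge_cmds() {
    local parent=$1 vlan=$2 ip=$3 mask=$4
    local child
    child=$(child_name "$parent" "$vlan")
    run ovs-vsctl --may-exist add-br "$child" "$parent" "$vlan"
    run ifconfig "$child" "$ip" netmask "$mask" up
}

# A host with a leg in every VLAN must not route between them, or the NAS
# itself becomes the hole in the segmentation. $1 defaults to the sysctl.
forwarding_disabled() {
    local knob="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$knob" ] && [ "$(cat "$knob")" = "0" ]; then
        return 0
    fi
    return 1
}

# Demo: dry runs write the ifcfg into a scratch directory, not SCRIPTS_DIR.
if [ $# -eq 4 ]; then
    dir=$SCRIPTS_DIR
    [ "${APPLY:-0}" = "1" ] || dir=$(mktemp -d)
    write_vlan_ifcfg "$dir" "$1" "$2" "$3" "$4"
    vlan_bridge_cmds "$1" "$2" "$3" "$4"
    forwarding_disabled || printf 'WARNING: net.ipv4.ip_forward is not 0\n' >&2
fi
```

After a reboot the child can be checked with `ovs-vsctl br-to-parent ovs_bond0.20` and `ovs-vsctl br-to-vlan ovs_bond0.20`, which should print the parent bridge and the VLAN ID respectively; if the ifcfg file was not picked up, is_ovs_child_interface never returned 0 and the plain add-br path ran instead.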

I didn't go on to fix this as I decided this configuration is definitely not supported and would probably require reapplying on a system update. I don't want the overhead of maintaining this. This has led me to the purchase of a layer 2+ (layer 3) switch.

Apologies that this post isn't a perfect description of how to do the above; I am writing it a few months later. If you get stuck, please feel free to drop me a line.

Conclusion

You can do it, but it is definitely not Synology supported, and a new piece of hardware is a lot better.
