spanik
just joined
Topic Author
Posts: 8
Joined: Mon Jan 18, 2021 11:02 pm
Location: Luxembourg

Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 6:16 pm

Hello All,

I have been reading the Beginner's basics forum extensively, and while I understand most of what I am reading about VLANs and DMZs, I am not fully sure what path to take for my setup.

I have a CRS328-24P-4S+ serving the complete house; SFP01 is connected via fiber to my Internet provider's router.
Ethernet ports 1 to 24 are connected to various equipment within the house (Sonos speakers, TV, NAS, computers, ....).

All is working out of the box pretty much as default, and I am trying to isolate traffic between what I trust and what I don't trust. I would like some advice on which path to take, so I can read more in depth about this.

Devices that I trust should be able to reach each other and the internet, while the devices I do not trust should NOT be able to reach each other (or any other device on other VLANs), but reaching the internet should be possible.

I understand that I can take the VLAN route (with VLAN filtering), but going this way will fulfil all my requirements except that the untrusted devices will be able to communicate with each other, if I understand this correctly.

How could I address this? I think the way to achieve this would be to create a DMZ where I would put all my trusted devices, and to create a single DMZ per port that I want to fully isolate; then I would create appropriate firewall rules. Is this correct, or is there a 'simpler' way of implementing this?

Thanks very much all for your time
Cheers
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 7:25 pm

Not sure what the problem is.

VLANs separate all devices/users at layer 2 (they won't talk to each other, cannot discover each other).
Firewall rules ensure that the router CAN or CANNOT route between the L2 subnets (aka under your control).

For example, in the forward chain my last rule is always
add action=drop chain=forward

This means that I block all WAN to LAN, LAN to WAN and LAN to LAN traffic automatically.
To allow any traffic I have to explicitly state what is allowed above this rule.
Typically I will have
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN (aka allow outbound internet traffic).

Yes, a VLAN is for one or more users and/or devices.
If you have more than one device/user in a VLAN, those devices within the VLAN will be able to discover each other at L2.
Typically one puts untrusted devices on one VLAN and one wifi SSID, and the trusted devices in another wifi SSID and VLAN.

Whatever you want to do is possible for the most part.
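Added example (not anav's own configuration): a RouterOS filter set that applies the drop-everything-last pattern above to the layout discussed in this thread, one trusted VLAN and two untrusted ones that may only reach the internet. The interface names (sfp-sfpplus1, vlan10-trusted, vlan20-iot, vlan30-guest) and the srcnat rule are assumptions.

```routeros
# Added example, not from the thread: RouterOS firewall that only permits what
# is explicitly listed and drops everything else in the forward chain.
# Assumed interface names: sfp-sfpplus1 (uplink to the ISP router),
# vlan10-trusted, vlan20-iot, vlan30-guest (VLAN interfaces on the bridge).
/interface list
add name=WAN
add name=LAN
add name=UNTRUSTED
/interface list member
add list=WAN interface=sfp-sfpplus1
add list=LAN interface=vlan10-trusted
add list=LAN interface=vlan20-iot
add list=LAN interface=vlan30-guest
add list=UNTRUSTED interface=vlan20-iot
add list=UNTRUSTED interface=vlan30-guest

/ip firewall filter
# return traffic of connections that were already accepted
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# trusted VLAN: reach the internet (trusted-to-trusted never crosses the
# router; the switch forwards it inside the VLAN at layer 2)
add chain=forward action=accept in-interface=vlan10-trusted \
    out-interface-list=WAN comment="trusted -> internet"
# untrusted VLANs: internet only. There is deliberately no rule allowing
# UNTRUSTED -> LAN, so IoT/guest traffic toward any other VLAN falls
# through to the final drop below.
add chain=forward action=accept in-interface-list=UNTRUSTED \
    out-interface-list=WAN comment="untrusted -> internet only"
# the closing rule: anything not accepted above is dropped
add chain=forward action=drop comment="drop everything else"

# assumed: the CRS does the NAT toward the ISP router
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# check which rules are actually matching while testing from each VLAN
/ip firewall filter print stats
```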
 
spanik
just joined
Topic Author
Posts: 8
Joined: Mon Jan 18, 2021 11:02 pm
Location: Luxembourg

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 8:02 pm

Thanks anav for the reply,

My understanding of VLANs is that all members of the VLAN can communicate with each other; I am trying to prevent this.

Should I use different VLANs to group TRUSTED and UNTRUSTED devices, and then firewall rules to further dictate what is allowed within the UNTRUSTED VLAN?

Sorry if what I am asking makes little sense; this is quite a lot of information to take on board, and my knowledge is not that strong on the networking level.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 8:53 pm

There is no such thing, at least at our level of knowledge, as controlling traffic within a VLAN, at least by firewall rules within a VLAN (a layer 2 construct). Firewall rules are at layer 3 (finding routes between subnets).

There may be more finessed ways of doing things at a MAC level, but it gets complex and I'm not sure it's viable for what you are thinking.

The important point is that untrusted means untrusted, and thus if they are lumped together at least they are not touching anything trusted.
If you have a scale of untrustworthiness you could create further VLANs, or perhaps a service that is untrusted is more critical to the house or home operation than others and should be segregated.
For example smoke/fire alarms could be considered critical and thus have their own VLAN, while media/TV and thermostats not so much!!

Now for wifi, I have trusted (home) and untrusted (guests). Do I care that guests can ping each other's smart phones?
For the most part more untrusted subnets require MORE wifi SSIDs and virtual WLANs.............. so the limit is really the AP, as making many virtual WLANs, although possible, has its limits in useful functionality, and one doesn't want to compromise home trusted wifi performance just to separate out untrusted devices from each other.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 9:11 pm

There is a discussion to be had regarding wifi devices (access points or, if a wifi router, the wireless settings portion) and whether they can separate users.
Some devices have this capability built in to the access point or software.
I know MT has some settings that will accomplish this........
In this regard it would not be firewall rules but, I think, MAC address blocking internal to the access point or router radio settings.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 10:23 pm

My understanding of VLANs is that all members of the VLAN can communicate with each other; I am trying to prevent this.

Should I use different VLANs to group TRUSTED and UNTRUSTED devices, and then firewall rules to further dictate what is allowed within the UNTRUSTED VLAN?

Sorry if what I am asking makes little sense; this is quite a lot of information to take on board, and my knowledge is not that strong on the networking level.

There are a few things in the mix that are in theory separate but in practice often stick near to each other.

One is the L2 subnet or LAN. As @anav mentioned, devices that are members of the same LAN freely communicate with each other. In practice LANs are nowadays ethernet networks; the active equipment connecting devices are ethernet switches. Separate LANs don't share any equipment (neither wires nor switches).

Then there's VLAN ... which can provide virtual LANs while sharing equipment. Devices that are members of the same VLAN can communicate with each other. Devices that are members of different VLANs can not communicate; VLAN-aware switches do not (and can not) allow cross-communication (if they do, then something is misconfigured).

Then there are routers, which enable communication between devices that are members of different (V)LANs. To do that, the router has to be connected to all involved (V)LANs. A router's duty is to pass traffic between networks and not to filter traffic in any way. However, for devices from different networks to communicate, they have to use the router as their gateway (either a specific or a default route set). Which means devices have to be aware of the fact that they need the intermediate device (in the IP world, the subnet mask gives the needed information). A device without an appropriate gateway set can not communicate outside its own LAN.

And least (but not last) there are firewalls, which filter passing traffic. The strategic placement is "on the crossroads", i.e. the same device as the router. But remember: the functionality, even if implemented in the same device, is distinct and in some cases even contradictory.

So in your case: use VLANs to create different LANs. Your CRS is, as an ethernet switch, fully capable of creating several VLANs and keeping traffic in those VLANs separated from each other.
A CRS running ROS can also route ... between all networks where the CRS has its own IP address. And it will allow traffic between different LANs, because that's what routers do. The WAN interface connects another LAN: the ISP's access network. The special thing about it is simply the fact that you're pointing the default route at it, but conceptually it's the same as the other interfaces ... it connects to a certain network.
A CRS running ROS can also be a firewall, and by using this function it is possible to (selectively) block traffic passing through it (e.g. between different LANs).
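Added example (not mkx's or MikroTik's own configuration) giving the VLAN -> router -> firewall layering above a concrete shape on the CRS328: bridge VLAN filtering for one trusted and two untrusted VLANs, plus the per-VLAN router interfaces that act as each VLAN's gateway. The port plan, VLAN IDs and subnets are assumptions.

```routeros
# Added example, not from the thread: bridge VLAN filtering on a
# CRS328-24P-4S+ running RouterOS. Assumed port plan:
#   ether1-8   trusted (VLAN 10)   ether9-16 IoT  (VLAN 20)
#   ether17-24 guest   (VLAN 30)   sfp-sfpplus1 = routed uplink, not bridged
/interface bridge
add name=bridge1 vlan-filtering=no comment="turn filtering on as the last step"

# Access ports: pvid puts untagged frames into the port's VLAN, and admitting
# only untagged frames stops a device from adding its own 802.1Q tag to hop
# into another VLAN (the "only one VLAN per port" point bpwl makes later).
:for i from=1 to=8 do={ /interface bridge port add bridge=bridge1 \
    interface=("ether" . $i) pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged }
:for i from=9 to=16 do={ /interface bridge port add bridge=bridge1 \
    interface=("ether" . $i) pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged }
:for i from=17 to=24 do={ /interface bridge port add bridge=bridge1 \
    interface=("ether" . $i) pvid=30 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged }

# VLAN table: the bridge itself is a tagged member of each VLAN so the CPU
# (router + firewall) can see it; untagged port membership comes from pvid.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1
add bridge=bridge1 vlan-ids=20 tagged=bridge1
add bridge=bridge1 vlan-ids=30 tagged=bridge1

# Layer 3: one router-side interface and subnet per VLAN. These addresses
# are the gateways the clients must point at; whether the router actually
# passes traffic between them is decided in /ip firewall filter.
/interface vlan
add name=vlan10-trusted interface=bridge1 vlan-id=10
add name=vlan20-iot interface=bridge1 vlan-id=20
add name=vlan30-guest interface=bridge1 vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.20.1/24 interface=vlan20-iot
add address=192.168.30.1/24 interface=vlan30-guest

# Enable filtering only after the table is complete, from a session that
# stays reachable (or under Safe Mode), so a mistake cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes
```

Until a firewall like the one anav describes is added, the CRS will route freely between all three subnets, which is exactly the "routers pass, firewalls filter" distinction mkx draws.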
 
spanik
just joined
Topic Author
Posts: 8
Joined: Mon Jan 18, 2021 11:02 pm
Location: Luxembourg

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 11:08 pm

Thanks a lot anav & mkx,

Understood thanks.

I now realize that what I want to achieve would make for a very complex configuration to set up & manage; I will indeed settle for 3 VLANs (one for trusted and two different ones for untrusted). You have very valid points.

Thanks again, now that I know which way to go, I will do some more reading; thanks again
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sat Dec 11, 2021 11:15 pm

Heads up........
For any MT wifi device (like a wifi router or an access point), use the "Access List" tab under Wireless to stop devices on the same WLAN from seeing each other.
Only three entries required: 1. identify the WLAN; 2. ENSURE the check box is checked for Authentication; 3. ENSURE the check box is NOT selected for Forwarding.

In this way, if you have untrusted devices for different purposes sharing the same VLAN and on wifi, this is one way of preventing them from talking to one another. This works from the RADIO selections and is not a router/routing/firewall selection.
 
spanik
just joined
Topic Author
Posts: 8
Joined: Mon Jan 18, 2021 11:02 pm
Location: Luxembourg

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 1:58 am

Duly noted, thanks. Wifi is out of scope for now as I want to secure wired devices first, but I have marked your post and I will return once the wired devices are sorted out.
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 12:35 pm

For any MT wifi device ( like a wifi router or an access point) , use the "Access List" tab under wireless to stop devices on the same WLAN from seeing each other
"Access List" is for selected devices connecting to the wifi interface. It will overrule, for those devices, the default "VLAN", "authorize" and "forward" settings of the wireless interface.
"forward" acts only within the same wireless interface. If multiple (WLAN or ethernet) interfaces are bridged together, then using bridge port "horizon" is a way to separate traffic between interfaces.

If multiple tagged VLANs are used on the wired connection, then the end device can access the other VLANs. If separation is crucial then only the content of one VLAN may be transmitted on the port (this is mostly done as untagged traffic).

DMZ and VLAN are different concepts. An isolated VLAN or ethernet port (by the Firewall) is functionally a DMZ.

To be more specific: isolating (e.g. guest or IoT) devices all from each other while they are in the same L2 subnet .... yes we can.
I do it all the time to reduce the massive multicast/broadcast traffic in a large, mainly wifi, guest network that was overwhelmed by broadcast airtime.
Every ethernet interface and every wifi connection can be isolated enough for all practical means. (Never checked if this is watertight isolation, but traffic stops.)

- for wifi it is the "forward" setting
- for the bridge, it is putting all downstream interfaces on the same bridge port "horizon" value. (Upstream and eventual controller don't have that horizon set)
- for SwOS it is the interface filter

That way I create one big tree-shaped network. My tree has the following typical long branch, at each node splitting into 3 sub-branches.
Powerbox Pro - PtP CUBE links - Powerbox Pro - SXTSA5 PtoMP SXTsq- CSS106 - APs - SSIDs
Split up is by Horizon - - Horizon - Wifi forward - - - SwOS filter - Horizon - Wifi forward

This stopped Bonjour (iPad looking for a printer) and Windows (SMB, NBT) broadcasts from spreading, but also Dropbox, Skype and other software that searches for neighbours to collaborate.
ROS Neighbors only sees the MT on the branch itself and its sub-branches. Btest or PING to another branch is not possible.
Devices are connected to the AP ethernet or SSID; they only have upstream (internet) connectivity (unless I make exceptions).
Roaming wifi over the SSID in the same or a different AP is no problem, and the session is not broken.
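Added example covering both anav's Access List recipe (authentication on, forwarding off) and bpwl's bridge port "horizon" above; it is not either poster's configuration. It assumes a MikroTik AP running RouterOS with the legacy wireless package and the interface names wlan-iot, ether2 (a wired untrusted device), ether1 (uplink) and bridge1.

```routeros
# Added example, not from any poster in this thread: the two L2-isolation
# knobs discussed above on a MikroTik AP running RouterOS (legacy "wireless"
# package). Assumed names: wlan-iot (SSID for untrusted devices), ether2
# (a wired untrusted device), ether1 (uplink toward switch/router), bridge1.

# 1. Same SSID: an Access List entry that matches every client on wlan-iot.
#    A hit replaces the interface defaults for BOTH flags, so authentication
#    must be yes here or nobody can associate; forwarding=no stops
#    client-to-client traffic inside this wireless interface only.
/interface wireless access-list
add interface=wlan-iot authentication=yes forwarding=no \
    comment="isolate wifi clients on wlan-iot from each other"

# 2. Across bridge ports: ports sharing the same non-zero horizon never
#    forward frames to each other. The uplink keeps horizon=none, so every
#    isolated port still reaches the router (and the internet) but not its
#    neighbours, wired or wireless.
/interface bridge port
set [find interface=wlan-iot] horizon=1
set [find interface=ether2] horizon=1
# ether1 (uplink) deliberately left at horizon=none

# Sanity check: list the ports that are in the isolated group.
/interface bridge port print where horizon=1
# As bpwl notes later in the thread, he has not verified horizon together
# with bridge VLAN filtering; test ARP/ping between two isolated clients
# after enabling it rather than assuming.
```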
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 4:02 pm

Hi BPWL,

What is the difference between:

A. On a selected WLAN, Main tab - I uncheck the forwarding box. Result?
a. wifi clients on the wlan are isolated from each other Y N ?
b. wifi clients on the wlan are isolated from any other clients (wired) on the same subnet Y N
c. wifi clients on the wlan are isolated from any other private subnets (including wired or wireless clients) Y N
d. wifi clients on the wlan are isolated from ALL forwarding, including to the internet?? Y N

In other words WTF does unchecking forwarding mean..........

B. The same forwarding function on the ACCESS LIST tab.
I'm assuming the ACCESS LIST tab could do the same thing.
For example, let's say in the MAIN tab for WLANX I have the forward box and authentication box checked.

Then I go to the ACCESS LIST tab and do the following.
i. Enter in Interface WLANX
ii. check off the box for authentication
iii. leave the forwarding box unchecked.

What will happen ????
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 4:58 pm

As far as I understand and use/see it happen ....

A. On a selected WLAN, Main tab - I uncheck the forwarding box. Result? -> the wifi WLAN is by default not forwarding between connections on that WLAN interface
a. wifi clients on the wlan are isolated from each other Y ?
b. wifi clients on the wlan are isolated from any other clients (wired) on the same subnet N
c. wifi clients on the wlan are isolated from any other private subnets (including wired or wireless clients) N
d. wifi clients on the wlan are isolated from ALL forwarding, including to the internet?? N

-> that's why I need to stop the forwarding (same horizon) at the common bridge of the WLAN interfaces to separate the WLANs.
-> and at the switch (RB260) to separate the hAP and wAP in the house
-> and stop forwarding at the SXTSA5 to separate the houses linked with SXTsq
-> and at the Powerbox Pro to separate the SXTSA5's

B. THe same forwarding function on the ACCESS LIST TAB.
I'm assuming the ACCESS LIST tab could do the same thing. -> it will set VLAN/authorize/forwarding for all devices that match the selection criteria (WLAN interface, MAC, signal strength range with allowance to be out of range for a certain time), and as such overrules the default setting

For example lets say In the MAIN TAB for WLANX, I have forward box and authentication box checked.

Then I go the ACCESS LIST TAB and do the following.
i. Enter in Interface WLANX -> the only criterion here is WLAN#; this overrules the default setting for all connections to that WLAN#
ii. check off the box for authentication
iii. leave the forwarding box unchecked.

What will happen ???? : No one will be able to authenticate on that WLAN#, no forwarding as you are not authenticated

When did I learn this? I used "VLAN mode = tagged & VLAN ID" on the WLAN definition, with no bridge VLAN filtering. Works fine.
Then I started setting the signal strength range to kick sticky clients off 5 GHz. VLAN usage failed on 5 GHz .... (because VLAN mode was not set in the "accept" Access List entry.)
A test would be to make devices go to a different VLAN on the same WLAN based on client MAC address, by using the Access List.
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 5:06 pm

Separation with "horizon" works quite well, as even ARP doesn't get resolved.
Test from hAP04 (.34) to hAP05 (.35), sub-branch 4 to sub-branch 5, common at the SXTSA5.
(Attachment: Klembord-2.jpg, screenshot not available)
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 7:17 pm

Hi bpwl thanks for that.

One point though, in my example of the ACCESS LIST tab for WLANX:
I have WLANX identified as the interface
I have the forwarding box UNCHECKED
BUT I have the authentication box checked.

Now for the same WLAN on the main page I have both the Forwarding and Authentication boxes CHECKED.
My understanding is that the ACCESS LIST tab settings will override the MAIN tab settings, so my expected behaviour
should be:
a. wifi clients on WLANX are isolated from each other
b. all other forwarding continues as per normal.

Now my uses are different from yours.
What I want to do is block my untrusted IoT/smart devices from each other on the WLAN.
To do this my plan is to put them on their own VLAN, assign the VLAN to the WLAN,
then use the Main tab settings (authenticate Yes, forwarding No) to block wifi clients from each other but not prevent internet access.

Because all the clients are in a WLAN that is carried on a VLAN, I use firewall rules to block any other communication between the WLAN clients and any other subnets (which are all on their own vlans).

Therefore the only reason I could see to do anything different is if I also had wired untrusted IoT/smart devices on the same VLAN.
So, considering that I have wired and wifi clients on the same VLAN, how do I block the WLAN clients from the wired clients in this scenario???
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 8:51 pm

Oops. Misunderstood "check off". I think no default (main page) setting is used if there was an "Access List" hit.

For splitting wired and WLAN on the same AP, use "bridge port horizon". But I never tested this with VLANs.
Maybe the bridge should be specific for that VLAN and carry untagged traffic, if "horizon" is not working for VLANs.
I have it set up in 2 of the APs with a dumb bridge (no VLAN filtering) but did not check if this "horizon" still works for the VLANned clients.

(Nobody there now, no clients, covid-red-zone)
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolation of devices - path to take ? DMZ vs VLANs

Sun Dec 12, 2021 9:42 pm

That's what I thought, no biggie. So any access list entry nullifies both entries for forwarding and authentication on the MAIN tab, so it's important to ensure Authentication is checked and Forwarding is not checked if using the Access List.

Okay, so good, I have a way to isolate clients on the same wifi that way.
As an aside, on my TP-Links they used to have a specific isolate button, but the bozos removed it and added it as part of the GUEST WIFI functionality.
So I will have to move my IoT/smart devices to a guest wifi to access this functionality.
