Sorry for being such a noob. My networking is not very strong, thought I’d ask the fine folks here.

Let’s say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

What I’m asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

Thanks!

  • pHr34kY@lemmy.world · 1 upvote · edited · 2 hours ago

    I’ve got 3 subnets on an L2 switch. You will have clashes over DHCP if you have both broadcasting on the same L2 switch without VLANs.

    My guest wifi is on a vlan, but the switch is L2 and it’s fine. The router has separate physical ports for each subnet. The “guest” subnet is only accessible over Wifi, and the access points are configured so that the guest VLAN is mapped to a separate SSID.

    My third subnet has no VLAN. It’s IPv6-only and all devices have a static IP address. It’s only used for security cameras. I did this so they don’t transmit on the same physical cables as my primary subnet. It is otherwise insecure, as I can join the subnet by simply assigning myself a static address in the same range.

    Note: There is a bug in Windows where it will join an IPv6 subnet on a different VLAN. I had to tweak my DHCPv6 / radvd so that Windows would ignore it. Yes, Windows is this dumb.

  • Possibly linux@lemmy.zip · 3 upvotes · 8 hours ago

    Yes, you need VLANs.

    Technically there would be some isolation at layer 3 but they would all still be in the same layer 2 network.

  • neidu3@sh.itjust.works · 2 upvotes · edited · 9 hours ago

    As others have said: It will work as you’ve planned it. The subnetting will keep these two PCs separated (If they still need internet, just add a second IP in your router-PC to allow for communication with this subnet).

    VLANs aren’t required, but are more relevant when you want to force network segregation based on individual ports. If you really want to, you can add tagged virtual interfaces on these two separated hosts so that the other hosts aren’t able to simply change the address to reach these. The switch should ignore the VLAN tag and pass it through anyway. But again, it’s not really needed, just something you can do if you really want to play with tagged VLAN interfaces.

    • marauding_gibberish142@lemmy.dbzer0.com OP · 2 upvotes · 9 hours ago

      Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff

      • neidu3@sh.itjust.works · 2 upvotes · edited · 6 hours ago

        Yes, but that’s done on the switch. Basically VLAN tags are applied in one of two ways:

        Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to see traffic assigned to VLAN 32.

        Tagged (sometimes referred to as Trunk), on the other hand, is for traffic that is already assigned a VLAN tag. For example Tagged 32 means that it will allow traffic that already has a VLAN tag of 32. It is possible to assign multiple VLANs to a Tagged port. Whatever is connected to that port will need to be able to talk to the associated VLAN(s).

        In your particular case, the best practice would be to assign two ports (One for each host, obviously) to Untagged 32 (arbitrarily chosen number, any VLAN ID will do, as long as you’re consistent), and all the other ports as Untagged to a different VLAN ID. That way the switch will effectively contain two segments that cannot talk to each other.

        • marauding_gibberish142@lemmy.dbzer0.com OP · 2 upvotes · 6 hours ago

          Thank you so much for the explanation. I followed everything but:

          Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

          I couldn’t really understand what you meant here. Did you mean VLAN 32 in the last line?

          • neidu3@sh.itjust.works · 1 upvote · edited · 6 hours ago

            Derp, yes. Corrected. VLAN numbers are obviously not related to port numbers in any way.

  • nottelling@lemmy.world · 4 upvotes · 12 hours ago

    What you are asking will work. That’s the whole point of subnets. No you don’t need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

    However, you used the word “trust” which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

      • Possibly linux@lemmy.zip · 2 upvotes · 8 hours ago

        Subnets are on layer 3, not layer 2. You can easily access other devices on layer 3 by finding the right subnet on layer 2. ARP is used to resolve IP addresses into MAC addresses and vice versa.

      • nottelling@lemmy.world · 1 upvote · edited · 9 hours ago

        A VLAN is (theoretically) equivalent to a physically separated layer 2 domain. The only way for machines to communicate between vlans is via a gateway interface.

        If you don’t trust the operating system, then you don’t trust that it won’t change its IP/subnet to just hop onto the other network. Or even send packets with the other network’s header and spoof packets onto the other subnets.

        It’s trivially easy to malform broadcast traffic and hop subnets, or to use various ARP table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.

        Edit: Should probably note that simply VLAN tagging from the endpoints on a trunk port isn’t any better than subnetting, since an untrusted machine can just tag packets however it wants. You need to use an 802.1q aware switch and gateway to use VLANs effectively.
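The two explanations above (neidu3's Untagged/Tagged port rules and nottelling's point that endpoint tagging on a trunk port is no better than subnetting) as an added toy model in Python; this is illustration code, not from anyone in the thread. It assumes constructed MAC addresses, VLAN ID 32 from neidu3's example, an arbitrary second VLAN 10, and a switch that floods every frame (no MAC learning).

```python
"""Toy model of how a switch places Ethernet frames into VLANs (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC1, PC2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed sample MACs

@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # 802.1Q tag chosen by the sender; None = untagged

@dataclass
class Port:
    untagged_vid: Optional[int] = None                   # "Untagged"/Access VLAN
    tagged_vids: Set[int] = field(default_factory=set)   # "Tagged"/Trunk VLANs

class Switch:
    def __init__(self, ports: Dict[int, Port], vlan_aware: bool) -> None:
        self.ports, self.vlan_aware = ports, vlan_aware

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN a frame arriving on `port` belongs to, or None if the switch drops it."""
        if not self.vlan_aware:
            return 1                  # unmanaged switch: a single broadcast domain
        if frame.vid is None:
            return port.untagged_vid  # untagged frame takes the port's access VLAN
        return frame.vid if frame.vid in port.tagged_vids else None  # tag only honoured on a trunk

    def flood(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Flood a frame (no MAC learning); return {egress port: frame as it leaves}."""
        vid, out = self.classify(self.ports[in_port], frame), {}
        for n, p in self.ports.items():
            if vid is None or n == in_port:
                continue
            if not self.vlan_aware:
                out[n] = frame
            elif p.untagged_vid == vid:
                out[n] = Frame(frame.src, frame.dst, None)  # tag stripped on access port
            elif vid in p.tagged_vids:
                out[n] = Frame(frame.src, frame.dst, vid)   # tag kept on trunk port
        return out

def managed_switch() -> Switch:
    """Port 1 = PC1 on Untagged 32, port 2 = PC2 on Untagged 10, port 3 = trunk to the router."""
    return Switch({1: Port(32), 2: Port(10), 3: Port(tagged_vids={10, 32})}, vlan_aware=True)

def unmanaged_leak() -> bool:
    """PC1 and PC2 on different IP subnets but one dumb switch: PC1's broadcast still reaches PC2."""
    sw = Switch({1: Port(), 2: Port(), 3: Port()}, vlan_aware=False)
    return 2 in sw.flood(1, Frame(PC1, BROADCAST))

def access_ports_isolate() -> bool:
    """Same broadcast with access ports: PC2's port never sees it; only the trunk does, tagged 32."""
    out = managed_switch().flood(1, Frame(PC1, BROADCAST))
    return 2 not in out and out[3].vid == 32

def self_tagged_frame(port: int) -> Dict[int, Frame]:
    """Frame PC2 tagged with VID 32 itself: dropped on its access port, honoured on a trunk port."""
    return managed_switch().flood(port, Frame(PC2, BROADCAST, vid=32))
```

The last function is the defensive takeaway: the switch's port configuration, not the host's choice of subnet or tag, decides which VLAN a frame lands in, so only access-port assignment on an 802.1Q-aware switch keeps an untrusted host out.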

        • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote · 9 hours ago

          Thank you for the great comment.

          This line cleared it up for me:

          802.1q aware switch and gateway to use VLANs effectively.

          It is indeed as you say. VLANs on a trunk port wouldn’t really work for security either. This is making me reconsider my entire networking infrastructure since when I started I wasn’t very invested in such things. Thanks for giving me material to think about.

  • non_burglar@lemmy.world · 2 upvotes, 1 downvote · 11 hours ago

    For simple cases you might be able to use 802.1X authentication if “trust” is the issue. This doesn’t scale well as a solution on a larger network though.

      • non_burglar@lemmy.world · 1 upvote · 11 hours ago

        https://en.m.wikipedia.org/wiki/IEEE_802.1X

        802.1X is a set of protocols that allow port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.

        Your use case is exactly why vlans were invented.

        However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.

        There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.

        • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote · 11 hours ago

          Ah, is that something like sticky ports?

          Indeed, I would like to run a switch with a FOSS OS, and I don’t see any viable way of doing that. Unfortunate, but whitebox router + switch it is then.

          • non_burglar@lemmy.world · 1 upvote · 10 hours ago

            The effect is similar to sticky ports, but sticky ports is just filtering based on MAC address, which can be spoofed.

            802.1X allows traffic from a device only if they also have the correct EAP certificate.

    • marauding_gibberish142@lemmy.dbzer0.com OP · 4 upvotes, 1 downvote · 19 hours ago

      I’d either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can’t control and don’t know what it’s doing underneath.

      • kylian0087@lemmy.dbzer0.com · 4 upvotes, 1 downvote · edited · 17 hours ago

        Can you elaborate why you think you need many more PCIe network cards? Technically you can do with 1 single LAN port with all your VLANs.

        You configure the VLANs on the router, then make a single trunk port to a switch. Then have that switch divide the VLANs on the ports you desire. This can be an L2 switch.

        • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote · edited · 12 hours ago

          Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust. If there was a switch running a FOSS OS then I would use that.

          • nottelling@lemmy.world · 1 upvote · 9 hours ago

            What in the world is “a proprietary OS I cannot trust”? What’s your actual threat model? Have you actually run any risk analyses or code audits against these OSes vs. (I assume) Linux to know for sure that you can trust any given FOSS OS? You do realize there’s still an OS on your dumb switch, right?

            This is a silly reason to not learn to manage your networking hardware.

            • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote · edited · 9 hours ago

              Thank you for the comment.

              My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of “if they’re in your network you have other problems to worry about” is valid, and I’m working on it.

              I’m educating myself about Lynis, AuditD and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I’ve recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.

              Yes, I do realise that the dumb switch has an OS. And you raise a good point. I’m starting to feel uneasy with my existing Netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.

              I’d like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.

              Thanks again for the comment and I’d like to hear any suggestions you have.

      • Clearwater@lemmy.world · 1 upvote · 16 hours ago

        As a heads up, almost all OpenWRT routers function as managed switches with vlan capabilities. Not truly all, but a very good number.

  • catloaf@lemm.ee · 9 upvotes · 22 hours ago

    One of the PCs can spoof the MAC of the other and receive its Ethernet frames.

      • catloaf@lemm.ee · 6 upvotes · 22 hours ago

        That would be worse, because then it would send and receive traffic for multiple vlans.

        Unless your switch uses that to refer to link aggregation instead of vlan trunking. Network terminology like that can mean different things to different vendors.

    • marauding_gibberish142@lemmy.dbzer0.com OP · 2 upvotes, 1 downvote · 22 hours ago

      The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn’t mention it because I didn’t think it was important.

      I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?

        • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote, 1 downvote · 22 hours ago

          asking for people to solve a solved problem

          Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don’t control at all. Heck, even Mikrotik who has a good rapport with this community uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I’m surprised I do not see more dialogue on improving the situation.

          Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I’m sure you’ve heard of the clustering features in PFSENSE/OPNSENSE/DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I’m going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.

          This is why I’m trying to find a simpler solution. The solution that you mention doesn’t seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.

          • bane_killgrind@slrpnk.net · 2 upvotes · 22 hours ago

            Not liking the solution you have doesn’t mean you don’t have a solution.

            Anyway, watch the playlist I sent, it’s a great overview of the OSI model with some other stuff. You mentioned not understanding some layers, once you do you will understand the limitations of the hardware you have.

  • Goingdown@sopuli.xyz · 4 upvotes, 1 downvote · edited · 21 hours ago

    If computers are in the same network, even with different IP addresses, they can still see all broadcast and multicast traffic. This means, for example, DHCP.

    If you fully trust your computers, and are sure that no external party can access any of them, you should be fine. But if anyone can gain access to any of your computers, it is trivial to gain access and sniff traffic in all networks.

    If you need the best security, multiple switches and multiple NICs are unfortunately the only really secure solution.

    • nottelling@lemmy.world · 1 upvote · 9 hours ago

      Broadcast traffic (such as DHCP) doesn’t cross subnets without a router configured to forward it. It’s one of the reasons subnets exist.

  • cmnybo@discuss.tchncs.de · 5 upvotes, 1 downvote · 23 hours ago

    I would just get a basic layer 2 managed switch and use VLANs. The 5 port and 8 port switches are super cheap these days.

    • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote, 1 downvote · 23 hours ago

      It’s not that they are expensive, it’s that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn’t make sense.

      • cmnybo@discuss.tchncs.de · 3 upvotes, 1 downvote · 23 hours ago

        Put a multi port NIC in your router PC and use a separate unmanaged switch for each network then.

        • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote, 1 downvote · 23 hours ago

          Thanks but as I mentioned that will not scale. I’m interested in if separating computers by subnets will work. Have you tried something like this?

          • Pogogunner@sopuli.xyz · 2 upvotes · edited · 23 hours ago

            It’s been a long time since I actually used subnets, but IIRC you will need a physical interface for each network on the router regardless.

            So let’s say you set up your /24 network as two /25s: you will need an interface for the .0 network, and another for the .128 network.

            If you just have an interface for the switch, and another for the WAN connection, I don’t think subnetting will work for what you’re trying to do.

            • marauding_gibberish142@lemmy.dbzer0.com OP · 1 upvote, 1 downvote · 22 hours ago

              Hmm, so virtual interfaces on the router won’t work? I admit I’m a bit stumped, would you be able to give me an ELI5 on why this is the case? I will try and read up more, of course

  • Lettuce eat lettuce@lemmy.ml · 1 upvote, 1 downvote · edited · 21 hours ago

    Have you looked into Tailscale or an equivalent solution like Netbird?

    You could set up a tailnet, create unique tags for each machine, add both machines to the tailnet, and then set up each machine’s network interface to only go through the tailnet.

    Then you just use Tailscale’s ACLs with the tags to isolate those machines, making sure they can only talk to whatever central device(s) or services you want them to, but also stopping them from talking to or even seeing each other.

    • marauding_gibberish142@lemmy.dbzer0.com OP · 2 upvotes, 1 downvote · 21 hours ago

      I never considered Tailscale for my LAN, but it’s certainly an intriguing idea. I suppose running Headscale as a VM on my router isn’t that difficult. Thank you, I will think about it a bit more.