
Router with vlan

offweek

I'm currently using a generic (ISP provided) wifi and router in one.  It has performance issues intermittently, and doesn't support VLAN.  I particularly want VLAN so I can isolate devices that only need internet access from those that need whole network access - although any switching method that isolates specified physical ports would be fine.  I have time to learn a new thing, but intermittently have periods where I have no time for maintenance or troubleshooting so would rather avoid anything CLI heavy.

 

I don't think I need VPN functions.  Built in wifi6 with WPA3 support would be nice, but wifi is not strictly required.  I'd like to avoid anything supporting WPS or remote management or anything with subscription services or anything with a fan.

 

I've now read so much that I've hit a point of decision fatigue and am stuck.  MikroTik is apparently CLI heavy.  TP-Link ER605 Omada is apparently slow.  Netgear RAX20 looks OK but apparently needs an account to use and it's unclear if it supports managed switching functions.  Ubiquiti Edge is apparently defunct.

 

Is there a router with this feature set?


There are probably plenty, but the question is how much you're willing to pay. 

The FortiWiFi 40F has all those things but it will be really expensive, and since it's a full blown enterprise firewall it will probably be very confusing to you despite having a good GUI. 

 

What about the Ubiquiti Dream Machine? 

https://store.ui.com/collections/unifi-network-unifi-os-consoles/products/unifi-dream-machine

 


Nothing you described requires a VLAN. Just a Firewall with flexible policies and multiple internal ports. You throw the IPs of the specific devices in a group and then block that group from the WAN interface. You then split devices internally according to the internal interface. You can then create rules to allow certain internal devices to see each other across the interfaces  etc. 

 

VLANs accomplish vertical network segmentation by default, but I just find this cumbersome in this scenario and prefer the flexibility of a firewall with multiple internal interfaces. 

 

Take another look at Ubiquiti gear. Used Edge Router Lites are fantastic little boxes. I like Fortigate for enterprise. 


I run UniFi Wifi 6 lite’s. Great little Wifi devices. Support vlans. And for the firewall I use pfsense. Can’t use a switch (or AP) with vlans without a firewall that creates them…

 

Main use case for Wifi subnet segmentation is IoT devices, get them off your main LAN 🙂

Rig: i7 10700k @ 5.1Ghz, 4.8 Ring - - Z490 Vision G - - EVGA RTX 2080 XC Ultra @ 2025Mhz - - 4x8GB Vengeance Pro 3000Mhz 15-17-17-34 @ 3500MHz 16-19-19-38 - - Samsung 950 Pro 512 NVMe Boot + Main Programs - - Samsung 830 Pro 256 RAID 0 Lightroom + Photo work - - WD Blue 1 TB SSD for Games - - Corsair RM850x - - Sound BlasterX EA-5 - - EK Supremacy Evo - - XT45 X-Flow 420 + UT60 280 rads - - EK Full Cover GPU Block - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 64 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - 10TB WD Red for expendable data - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone Xs - 2018 MacBook Air


4 hours ago, LAwLz said:

There are probably plenty, but the question is how much you're willing to pay. 

The FortiWiFi 40F has all those things but it will be really expensive, and since it's a full blown enterprise firewall it will probably be very confusing to you despite having a good GUI. 

 

What about the Ubiquiti Dream Machine? 

https://store.ui.com/collections/unifi-network-unifi-os-consoles/products/unifi-dream-machine

 

Doesn't the dream machine (and most enterprise gear) have a fan?  No fans allowed.

 

3 hours ago, LIGISTX said:

I run UniFi Wifi 6 lite’s. Great little Wifi devices. Support vlans. And for the firewall I use pfsense. Can’t use a switch (or AP) with vlans without a firewall that creates them…

 

Main use case for Wifi subnet segmentation is IoT devices, get them off your main LAN 🙂

Thanks, that actually clears up some confusion I had about the distinction between products advertised as routers and firewalls.  The intent is to isolate 3 segments, wired IoT, wireless IoT (a single AP), and everything else.

 

3 hours ago, wseaton said:

Nothing you described requires a VLAN. Just a Firewall with flexible policies and multiple internal ports. You throw the IPs of the specific devices in a group and then block that group from the WAN interface. You then split devices internally according to the internal interface. You can then create rules to allow certain internal devices to see each other across the interfaces  etc. 

 

VLANs accomplish vertical network segmentation by default, but I just find this cumbersome in this scenario and prefer the flexibility of a firewall with multiple internal interfaces. 

 

Take another look at Ubiquiti gear. Used Edge Router Lites are fantastic little boxes. I like Fortigate for enterprise. 

Thank you!  I clearly need to learn more about the other capabilities of firewalls.  I'd rather not use IP or MAC based rules though as I don't have much control over some of my IoT devices, and a badly compromised device could spoof a friendly MAC or similar, at least in theory.  Also mapping network segments to physical plugs seems like something I'm less likely to stuff up if I'm troubleshooting in a rush.


4 hours ago, wseaton said:

Nothing you described requires a VLAN. Just a Firewall with flexible policies and multiple internal ports. You throw the IPs of the specific devices in a group and then block that group from the WAN interface. You then split devices internally according to the internal interface. You can then create rules to allow certain internal devices to see each other across the interfaces  etc. 

You're right that he could solve this with just a firewall, but if he ever wants to add a switch where he plugs in both let's say his computer as well as a device he wants to be isolated he will need VLANs or do hacky solutions like run multiple cables. It's best to just design things properly from the start, and "properly" in this context means using VLANs.

 

4 hours ago, wseaton said:

VLANs accomplish vertical network segmentation by default, but I just find this cumbersome in this scenario and prefer the flexibility of a firewall with multiple internal interfaces.

Not really sure what you mean by VLANs creating "vertical network segmentation by default", but network segmentation is exactly what he wants. Using VLANs and a "router on a stick" will give him MORE flexibility than what you describe, not less. What you are describing will be cumbersome and non-flexible.

 

4 hours ago, LIGISTX said:

Can’t use a switch (or AP) with vlans without a firewall that creates them…

Yes you can. Firewalls don't "create VLANs". 

 

 

 

1 hour ago, offweek said:

Doesn't the dream machine (and most enterprise gear) have a fan?  No fans allowed.

Sorry I missed that part. Yes, the UDM has a fan according to Google. It probably doesn't make a whole lot of noise though.

 

1 hour ago, offweek said:

Thanks, that actually clears up some confusion I had about the distinction between products advertised as routers and firewalls.

The difference between a router and a firewall is not that "firewalls create VLANs", if that's what you gathered from the previous post.

The difference between a firewall and a router is kind of blurred and depends on which specific device you are looking at. Most routers have some level of firewall functionality, and most firewalls have some routing capabilities. 


6 hours ago, offweek said:

I'm currently using a generic (ISP provided) wifi and router in one.  It has performance issues intermittently, and doesn't support VLAN.  I particularly want VLAN so I can isolate devices that only need internet access from those that need whole network access - although any switching method that isolates specified physical ports would be fine.  I have time to learn a new thing, but intermittently have periods where I have no time for maintenance or troubleshooting so would rather avoid anything CLI heavy.

...

Is there a router with this feature set?

Your wants make a lot of sense, and it's something I've done with one of my VLANs (I'll go a bit into what I did at the end).  You will probably also need some smart switches to keep things VLAN'd right to the edge.

 

The ideal situation is to have a stand-alone router, and then manage your WiFi independently; it's a bit more money up front and a bit of overhead, but it keeps things flexible and long term costs less money since each individual piece of equipment lasts longer.  Now, for your setup, there used to be a slam-dunk recommendation: the Cisco RV series, as it includes a decent built-in firewall, but that's been discontinued and its replacement SBR is MIA so far.  Ditto almost all of the good edge devices, most of them have been discontinued or gone out of support as the most common CPUs for them have been unavailable for over a year, being redirected to enterprise equipment.

 

The two left that I'd recommend as easy, capable and reliable, are the Netgear Orbi Pro: https://www.netgear.com/business/wifi/mesh/ and Linksys: https://www.linksys.com/us/c/business-virtual-private-network-vpn-routers/

 

For any switches to pass the VLANs along, I highly recommend either the Netgear Prosafe "Smart" lineup of switches as having way more bang for the buck and ease of setup, and just very, very long support; I have some 10 year old switches that still get firmware updates and security fixes.  Other good ones are Cisco SBS and Linksys, both are also very easy to configure.

 

A note on VPNs and firewalls: Most good network edge devices at reasonable cost for a home have both VPN capability and a firewall, which vary in quality.  For your situation, all of the current implementations are more than acceptable, just make sure your router is still getting firmware updates, and if it goes out of support, replace it ASAP.

 

 

Now the promised what my setup is:

 

Cisco RV edge router, but VLANs are all handled on a L3/L4 switch, which includes a firewall and ACLs that let me provide the absolute minimum access required.  The VLANs I use:

 

0) Router VLAN - used for router-to-router communication only, the only VLAN for RIP.

1) Main VLAN - for broadcast devices (anything where it and my stuff needs to be on the same VLAN, such as Sonos/HEOS).

2) Secondary VLAN - for devices that only need routable access to things, helps keep the number of devices in the main /24 from getting too high and provides a tiny bit of extra security

3) Management VLAN - for my switches, WAPs, wireless controllers, out of band management, and so on.  To get into it, you first RDP to a jump system with access to this VLAN, which conveniently has all of the tools you'd need to use for access.

4) HA VLAN - used for devices that need internet but nothing else, things like my washer/dryer, energy monitor, and so on.  This is your use case.

5) Camera VLAN - Cameras can reach from here to my NVR and that's it.

6) Guest VLAN - Self explanatory, everybody is 100% isolated from each other.

 

Of these, only 1, 4, 5, and 6 are available on the WiFi.
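Added example (editor's addition, not code from any post in this thread): the VLAN plan above boils down to an inter-segment allow-list with an implicit default deny, which is what the ACLs on the L3 switch or a pfSense box end up expressing. The model below evaluates that kind of policy over constructed flows. Segment names follow the list above, but the VLAN IDs, the 10.0.x.0/24 subnets, the NVR address 10.0.1.20 and the rule set are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment plan modelled on the VLAN list above; the subnets are
# assumptions for this example, not anyone's real addressing.
SEGMENTS = {
    "main":   ipaddress.ip_network("10.0.1.0/24"),   # VLAN 1: trusted LAN
    "ha":     ipaddress.ip_network("10.0.4.0/24"),   # VLAN 4: internet-only IoT
    "camera": ipaddress.ip_network("10.0.5.0/24"),   # VLAN 5: cameras
    "guest":  ipaddress.ip_network("10.0.6.0/24"),   # VLAN 6: guests
}
NVR = "10.0.1.20"  # assumed address of the NVR on the main segment


@dataclass
class Rule:
    src: str        # zone name or "any"
    dst: str        # zone name, "any", or one host IP
    action: str     # "allow" or "deny"
    note: str = ""


# First match wins; a flow that matches nothing is denied.
RULES = [
    Rule("main",   "any",      "allow", "trusted LAN may initiate to anything"),
    Rule("ha",     "internet", "allow", "internet-only devices (washer, energy monitor)"),
    Rule("camera", NVR,        "allow", "cameras reach the NVR and nothing else"),
    Rule("guest",  "internet", "allow", "guests get internet only"),
]


def zone_of(ip):
    """Map an address to its segment; anything not local is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def _dst_matches(rule_dst, dst_ip):
    if rule_dst == "any":
        return True
    try:
        return ipaddress.ip_address(rule_dst) == dst_ip   # single-host rule
    except ValueError:
        return rule_dst == zone_of(dst_ip)                 # zone-name rule


def evaluate(src_ip, dst_ip):
    """Decide what the inter-VLAN firewall does with a new flow.

    Returns "switched" when both hosts sit in the same segment: that traffic
    is forwarded by the switch at layer 2 and never reaches the firewall.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "internet":
        return "switched"
    for rule in RULES:
        if rule.src in ("any", src_zone) and _dst_matches(rule.dst, dst):
            return rule.action
    return "deny"   # implicit default deny


def audit(flows):
    """Evaluate a list of (src, dst) pairs; handy when checking a policy change."""
    return [(s, d, evaluate(s, d)) for s, d in flows]


if __name__ == "__main__":
    # Constructed sample flows, one per question raised in the thread.
    for s, d, verdict in audit([
        ("10.0.4.7", "203.0.113.10"),   # IoT device to the internet
        ("10.0.4.7", "10.0.1.50"),      # IoT device probing the main LAN
        ("10.0.1.50", "10.0.4.7"),      # laptop on main LAN talking to IoT
        ("10.0.5.3", NVR),              # camera to NVR
        ("10.0.5.3", "203.0.113.10"),   # camera phoning home
        ("10.0.4.7", "10.0.4.8"),       # two IoT devices on the same VLAN
    ]):
        print(f"{s:>12} -> {d:<14} {verdict}")
```

Two things the model makes visible that the list alone does not: the policy is about which side may open a connection (a real firewall is stateful, so "main may reach anything" also lets replies come back, while IoT still cannot start a session toward the LAN), and the "switched" verdict is the same-subnet case where the firewall is never consulted, which is why the segments have to be real VLANs on the switch rather than just different address ranges.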


16 hours ago, offweek said:

Thanks, that actually clears up some confusion I had about the distinction between products advertised as routers and firewalls.  The intent is to isolate 3 segments, wired IoT, wireless IoT (a single AP), and everything else.

That's more or less what I do. I am a little more complicated.... I have a homelab subnet, and some others, but more or less, same idea. I have 2 SSIDs on my wifi AP, and one of them is the same vlan as my wired IoT vlan (which unifi makes a 30 dollar 5 port managed switch... so you can vlan pretty cheaply assuming you have a firewall or way to actually define the vlans and segment their traffic).

 

15 hours ago, LAwLz said:

Yes you can. Firewalls don't "create VLANs". 

No, they don't, but something has to define the vlan tags and actually route the traffic on the subnets (or... send it into a wall of fire in the case of IoT trying to traverse to LAN). You can do segmentation on some managed switches, but I would argue it would be more noob friendly to just do it all on the firewall, set up the rules on the firewall, have it do all management, and then use a smart switch or 2 and an AP that supports vlans and that's more or less it.

 

There are definitely a lot of ways to do this, and no, firewalls are not routers and routers are not firewalls, and firewalls are not what create vlans. But something like a pfsense box (which is what I run) is a firewall appliance that does routing, will create the vlans, will allow for policy creation to segment vlans via the firewall, and will do all the things, AND it's actually pretty simple to get started with if you watch some youtube videos and take your time. And at that point, the sky is the limit.

 

That said, you can 100% do it "in a more simple" way than going all out and diving into pfsense or one of the other widely used homelab (and enterprise) grade solutions.



3 hours ago, LIGISTX said:

but something has to define the vlan tags

That's done locally on the switch. Each switch contains its own, local, VLAN database. That's simply how VLANs work.

 

3 hours ago, LIGISTX said:

and actually route the traffic on the subnets

Doesn't have to be a firewall, and you don't actually have to route traffic. You can have a VLAN without a default gateway if you want. Completely valid configuration. I don't think many people in their home networks would want that, but it's not like it's invalid configuration.

 

3 hours ago, LIGISTX said:

(or... send it into a wall of fire in the case of IoT trying to traverse to LAN).

I don't understand what you mean by this. How is your IoT traffic "trying to traverse to LAN" different from "route traffic on the subnet"? They are the same thing, but the way you divided them up makes it sound like there is a difference. Both of the things you described are just routing traffic (and since you run PFSense, also doing traffic filtering).

 

3 hours ago, LIGISTX said:

You can do segmentation on some managed switches

Are you talking about routing when you say "segmentation"? Because VLANs are a type of segmentation, so you can do it on all switches that support VLANs.

 

 

I have a feeling you don't really understand how things like VLANs, switching and routing works in general, so when you describe how to set it up and how it works you are just describing how you set it up and how you think it works. You end up using incorrect terminology and say things that aren't true but that might appear to be true.

 

I would actually recommend the same thing you recommend, some VLANs on the switch and a router-on-a-stick for routing, but the way you describe that is simply inaccurate and as a result you are giving OP the wrong impression of how it works.

I just want to correct your inaccuracies so that OP actually understands how things work.


13 hours ago, LAwLz said:

That's done locally on the switch

I can’t define a vlan on my UniFi flex mini… it can only respect segmentation set up by in my case pfsense, at least as far as I am aware. Some switches can do it internally, most enterprise appliance would be able to…

 

13 hours ago, LAwLz said:

They are the same thing, but the way you divided them up makes it sound like there is a difference.

Correct. Same thing. Not sure where your confusion is. 
 

13 hours ago, LAwLz said:

you talking about routing when you say "segmentation"?

Yes, I mean routing. 


 

13 hours ago, LAwLz said:

I have a feeling you don't really understand how things like VLANs, switching and routing works in general, so when you describe how to set it up and how it works you are just describing how you set it up and how you think it works. You end up using incorrect terminology and say things that aren't true but that might appear to be true.

Thanks? In my experience there are polite ways to help self taught folks in which they can improve their understanding….. and then there is the other angle of reminding people they are self taught and should just go home. 
 

I would recommend adopting the former vs the latter, but, ¯\_(ツ)_/¯. 
 

Like this….

13 hours ago, LAwLz said:

I just want to correct your inaccuracies so that OP actually understands how things work

Anyways, fun talk. But in my setup, this is how it works. I do not believe my switches have the ability to define vlans internally. All routing between subnets is done at the pfsense appliance, and as far as I have ever seen all I can do with my managed switches is set which ports pass which vlan tags. I would like to think I have a decent working knowledge of the subject, but compared to network admins that wouldn’t be the case. 



2 hours ago, LIGISTX said:

I can’t define a vlan on my UniFi flex mini

Either the UniFi Flex Mini is a bad switch, or you are misunderstanding what a VLAN is and are getting it confused with a gateway.

If the UniFi Flex Mini is a half-decent switch, then it supports creating VLANs. If it can't, then it's because of limitations in that particular device and not representative of how the technology actually works.

It's like saying "you need a helicopter to transport groceries from the store. You can't do it in a car because my bobby car can't do it".

 

I don't have much experience with Ubiquiti so I don't know how the Flex Mini works, but from reading around it seems like it is just very limited in its feature set, like a Bobby Car.

Don't get me wrong, it might work really well for your use case, but it seems like it has arbitrary limitations in its software that have given you the wrong impression of how the technology works.

 

 

2 hours ago, LIGISTX said:

Thanks? In my experience there are polite ways to help self taught folks in which they can improve their understanding….. and then there is the other angle of reminding people they are self taught and should just go home. 
 

I would recommend adopting the former vs the latter, but, ¯\_(ツ)_/¯. 

I'm sorry. I was in a bad mood. I am more than willing to explain it if you want, but I understand if you don't want to talk/listen after I have insulted you.

 

 

My guess is that you have gotten VLANs confused with gateway.

Again, I am guessing here, but I assume that when you refer to "creating VLANs" you are talking about creating an interface on your PFSense box and then assigning an IP to it. That's not the same as creating a VLAN. That's simply configuring your PFSense box to be part of a VLAN. 

 

 

 

2 hours ago, LIGISTX said:

and as far as I have ever seen all I can do with my managed switches is set which ports pass which vlan tags.

But that's what "creating a VLAN" is. You assign it a tag.

What you are (probably) describing is creating a default gateway. Your switches most likely don't have much layer 3 functionality and as a result they can't act as default gateways. Configuring a default gateway is not the same as creating a VLAN though.

A VLAN is just an isolated layer 2 domain. Traffic gets tagged with an ID and then the switch makes sure that traffic with for example tag 10 doesn't get sent out on a port that doesn't allow VLAN 10.

A gateway is a device that allows traffic to go from one network to another, for example VLAN 10 to VLAN 20. It accomplishes this by having two network interfaces, one assigned to VLAN 10 and one assigned to VLAN 20.


3 hours ago, LAwLz said:

it has arbitrary limitations in its software

I mean, it's a 30 dollar 5 port managed switch.... I would assume so. But it is just respecting what vlan tags it is presented. Thankfully it's not actually a horrible switch, TP Link has some managed switches that will allow you to hit its management interface from a vlan that is explicitly not allowed to talk to any other subnet via your pfsense rules. Based on this, either your interpretation of vlans is incorrect, or there are different implementations. For instance, I can not (and wouldn't expect to be able to) set up a firewall rule in pfsense and restrict 10.0.0.5 from accessing 10.0.0.6 - they are all on the same subnet and that traffic never even hits the firewall for a routing decision. Being a noob at this, I believe this is because the traffic is being routed at layer 2 not 3. I can add a rule in pfsense to block traffic from .5 to .6, but it would just be passed by the switch to .6 regardless since it's all within the same subnet; a firewall and segmentation decision is never made.

 

Yes, there are switches that allow for you to have rules within it, and on such switches you would be able to stop the traffic in this example - but that requires a switch with that capability.

 

3 hours ago, LAwLz said:

I'm sorry

No problem, life happens... Thanks for the apology.

 

3 hours ago, LAwLz said:

My guess is that you have gotten VLANs confused with gateway.

I don't think so? All of my vlans use the default gateway of my WAN, except one that uses a VPN gateway. I create a vlan on an interface:

[screenshot: pfSense VLAN interfaces page]

These vlans both ride over the physical em1 interface.

 

3 hours ago, LAwLz said:

A gateway is a device that allows traffic to go from one network to another, for example VLAN 10 to VLAN 20

Is this not "the firewall"? Terms can get confused pretty easily certainly, but to allow traffic to flow from vlan to vlan, you allow that at the firewall. If I do not add an allow rule in pfsense, no traffic will flow from vlan to vlan (subnet to subnet). If I want to allow 10.0.1.5 to be able to talk to 10.0.2.10 and only that device to traverse the subnets, I would add an allow rule specifically for that... I don't do anything at the switch level.  Again, I know some switches allow for this, but I believe that is above and beyond standard vlan tagging, that would be adding routing to the switch. 

 

But, again, I am only really self taught and still trying to learn networking...



Thanks all, purchased a new 5 port Ubiquiti EdgeRouter.  It seems to fulfil my needs.  I just hope it really is in stock as advertised.  Will either report back or edit this post with progress.

 

Almost splurged for a UDM, but I found a couple of articles complaining that it exposes some internal functions to the internet without easy options to change that ("UDM GUI firewall rules do not apply to communication between router's internal interface and WAN").  It's probably an irrational fear, but as I don't strictly need an all in one solution it's a minor point.

 

I think a lot of old terminology is becoming increasingly fuzzy when discussing SDN and similar solutions.  Would make a good LTT video *hint* *hint*


5 hours ago, LIGISTX said:

But it is just respecting what vlans tags it is presented.

But your switch is also tagging traffic by itself. Your switch keeps an internal database of which VLANs exist and are associated with each port, as well as which packets it should tag depending on which port it comes from. It is doing that independently of what your PFSense router says. All of that is done locally on the switch. 

 

 

5 hours ago, LIGISTX said:

Based on this, either your interpretation of vlans is incorrect, or there are different implementations.

I think the problem here is a misunderstanding between us and our explanations. We might be talking about the same thing, we might have different ideas about how your network is set up, and we might be talking about different details. I can't tell because I find your posts confusing. It might just be that we don't use the same terminology to refer to the same things.

 

5 hours ago, LIGISTX said:

For instance, I can not (and wouldn't expect to be able to) set up a firewall rule in pfsense and restrict 10.0.0.5 from accessing 10.0.0.6 - they are all on the same subnet and that traffic never even hits the firewall for a routing decision. Being a noob at this, I believe this is because the traffic is being routed at layer 2 not 3. I can add a rule in pfsense to block traffic from .5 to .6, but it would just be passed by the switch to .6 regardless since it's all within the same subnet; a firewall and segmentation decision is never made.

That is absolutely correct. But that doesn't really have anything to do with VLANs. With VLANs, you could potentially block the computer with IP 10.0.0.5 from accessing the computer with IP 10.0.0.6, and that would be done locally on the switch, with no involvement from the firewall. It wouldn't be done using the IP addresses though. It would be done using VLAN tags at layer 2. VLANs are strictly a layer 2 standard and do not rely on anything layer 3 related to work. VLANs segment networks at layer 2. IP addresses are not involved.

 

 

5 hours ago, LIGISTX said:

Yes, there are switches that allow for you to have rules within it, and on such switches you would be able to stop the traffic in this example - but that requires a switch with that capability.

Again, I think you're thinking of layer 3 (IP addresses) here. I am not talking about something where you write "IP 10.0.0.5 is not allowed to talk to IP 10.0.0.6". With VLAN tags you don't use IP Addresses. You just say "this port belongs to the same network segment as this port".

 

5 hours ago, LIGISTX said:

I don't think so? All of my vlans use the default gateway of my WAN, except one that uses a VPN gateway. I create a vlan on an interface:

[screenshot: pfSense VLAN interfaces page]

These vlans both ride over the physical em1 interface.

Yes, but my guess is that your em1 interface has multiple IPs assigned to it based on VLAN tags, and that each VLAN segment has its own unique default gateway.

When I say default gateway I am not talking about your outside interface's IP address. I am talking about the inside address. The one you see listed as "default gateway" when you run ipconfig on Windows.

That's the default gateway for your internal networks, and those IP addresses most likely belong to your PFSense box.

 

If you run ipconfig on a device that belongs to VLAN 69 it will say "default gateway: 192.168.69.1" (for example).

If you run ipconfig on a device that belongs to VLAN 10 it will say "default gateway: 10.0.0.1" (for example).

 

Default gateway just means "the router I send packets to when I want to send data to a computer on another network".

 

 

6 hours ago, LIGISTX said:

Is this not "the firewall"? Terms can get confused pretty easily certainly, but to allow traffic to flow from vlan to vlan, you allow that at the firewall. If I do not add an allow rule in pfsense, no traffic will flow from vlan to vlan (subnet to subnet). If I want to allow 10.0.1.5 to be able to talk to 10.0.2.10 and only that device to traverse the subnets, I would add an allow rule specifically for that...

Yes, in your case your default gateway is most likely your firewall.

Everything you just said is correct.

 

6 hours ago, LIGISTX said:

I don't do anything at the switch level.

This is where you get a bit confused, I think. It is the switch which binds the traffic to a certain VLAN. It's not the firewall that does it.

Again, I think you are getting layer 2 and layer 3 protocols confused, or maybe your network is not correctly configured and you don't use VLANs properly.

 

It is 100% the switch where your computers are connected that determines which VLAN they belong to. The firewall doesn't determine that. It is the switch that applies the tags to the traffic from your hosts and that enforces the VLAN boundaries (for example VLAN 10 isn't allowed to talk to VLAN 20).

This is done at layer 2. 

 

Without VLANs, if you plug in two computers to the same out-of-the-box switch, these two computers will be able to talk to each other even if they have different IPs such as 10.0.0.5 and 192.168.0.11. They might not be able to talk to each other using IP, but they can talk to each other over layer 2. A broadcast packet from 10.0.0.5 will reach and be readable by the computer with IP 192.168.0.11 if they are on the same VLAN. The firewall never gets involved with that.

The computer with IP 10.0.0.5 could also just change IP to 192.168.0.5 and suddenly be able to talk to 192.168.0.11, bypassing the firewall if it wants to talk over layer 3.

This is why VLANs exist and what they prevent from happening.

 

I recommend watching the first ~13 minutes of this video (or the entire thing if you find it interesting):
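Added example (editor's addition, not code from any post in this thread, and not the video referred to above): the point made in this reply and in the earlier ones about the switch keeping its own VLAN database is easiest to see in a small 802.1Q switch model. Each port has an untagged VLAN (PVID) and a set of tagged VLANs; the switch assigns the VLAN on ingress, learns MAC addresses per VLAN, and only ever forwards a frame to ports that are members of that VLAN. The trunk port carrying both VLANs with tags is the "router on a stick" link. The payload stands in for an IP packet; the switch never looks inside it, which is exactly why changing an IP address does not move a host to another segment. The port layout, VLAN IDs 10 and 20, and the MAC addresses are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
# Constructed locally-administered MACs for the demo hosts and the router.
MAC_A = bytes.fromhex("020000000001")   # PC on the main LAN (port 1)
MAC_C = bytes.fromhex("020000000003")   # IoT device (port 3)
MAC_R = bytes.fromhex("02000000000f")   # router-on-a-stick (port 4, trunk)


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame, with an 802.1Q tag inserted when vlan_id is given."""
    frame = dst + src
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


class Switch:
    """Minimal 802.1Q switch: per-port VLAN membership plus a per-VLAN MAC table."""

    def __init__(self):
        self.ports = {}       # port -> {"pvid": int, "tagged": set}
        self.mac_table = {}   # (vlan_id, mac) -> port, learned locally

    def configure_port(self, port, pvid, tagged=()):
        # pvid: VLAN assigned to untagged frames (an access port has only this).
        # tagged: VLANs this port carries with tags (a trunk to the router).
        self.ports[port] = {"pvid": pvid, "tagged": set(tagged)}

    def ingress(self, port, frame):
        """Classify a frame arriving on `port`; return {out_port: frame_as_sent}."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        cfg = self.ports[port]
        if vid is None:
            vid = cfg["pvid"]              # untagged: the switch decides the VLAN
        elif vid not in cfg["tagged"]:
            return {}                      # tag not permitted on this port: dropped
        self.mac_table[(vid, src)] = port  # learn the source within its VLAN

        known = self.mac_table.get((vid, dst))
        if known is None:
            targets = [p for p in self.ports if p != port]   # unknown or broadcast: flood the VLAN
        elif known == port:
            targets = []                                      # destination sits behind the ingress port
        else:
            targets = [known]

        out = {}
        for p in targets:
            pcfg = self.ports[p]
            if vid == pcfg["pvid"]:
                out[p] = build_frame(dst, src, payload, None, ethertype)   # egress untagged
            elif vid in pcfg["tagged"]:
                out[p] = build_frame(dst, src, payload, vid, ethertype)    # egress tagged
            # a port in neither set is not a member of this VLAN: nothing is sent
        return out


def build_demo_switch():
    """Constructed layout: ports 1-2 main LAN (VLAN 10), port 3 IoT (VLAN 20), port 4 trunk."""
    sw = Switch()
    sw.configure_port(1, pvid=10)
    sw.configure_port(2, pvid=10)
    sw.configure_port(3, pvid=20)
    sw.configure_port(4, pvid=1, tagged=(10, 20))   # router-on-a-stick uplink
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    # An IoT broadcast (ARP-style) reaches the router trunk, tagged 20, and nothing else.
    out = sw.ingress(3, build_frame(BROADCAST, MAC_C, b"who-has 10.0.0.1", None))
    print({p: parse_frame(f)[2] for p, f in out.items()})
    # The same device tagging its own frames for VLAN 10 gets nowhere.
    print(sw.ingress(3, build_frame(BROADCAST, MAC_C, b"x", vlan_id=10)))
```

Run the module and the first line shows `{4: 20}`: the IoT frame left only on the trunk, carrying tag 20, while ports 1 and 2 never saw it, even though the switch was not told anything about IP addresses. The second line is `{}`, because an access port discards tagged frames, so a host cannot pick its own VLAN; that is the boundary the pfSense rules sit on top of, and it is enforced in the switch's own table rather than by the firewall.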

 


2 weeks later...

The EdgeRouter stock was in error, and after reading further Ubiquiti's software seems to have issues.  Went with a cheap MikroTik hEX product instead; if it's good, and learnable in the time I have, I'll upgrade to something higher in their product stack later on.

 

I noticed a lot of 'out of stock' gear has restock ETA of May in many stores.  If that's real hopefully it means a looming end to the chip shortage.

 

Edit:

By way of addition, the internet service I'm on runs PPPoE with VLAN tagging.  Despite configuring this multiple times, and having a seemingly correctly configured DHCP client, the WAN port does not want to give me internet.  No idea if there's another security layer from my ISP or what, but I have been defeated, at least for now.

Edited by offweek