Tuesday, June 09, 2015

VLAN adventures with Netgear GS108T and TrendNet TEW-814DAP

As part of setting up my new home network, I'm experimenting with VLANs.  The pfSense firewall has the following user-defined VLANs on the interior port.  Each of these VLANs has a separate address range (all are IPv4 with a 24-bit netmask, i.e. The pfSense firewall is always the ".1" address on each network segment and routes traffic between the segments.

em0 / 12 - Unsecured Guest WiFi
- This will (probably) be the VLAN used for an access point that is not password protected or that encrypts traffic.  I plan on limiting it to 1Mbps, plus put a SMS-authentication captive portal on it, plus point it at OpenDNS with heavy filtering.

em0 / 24 - Secured Guest WiFi
- This will be protected with an easy-to-enter WPA2/PSK password.  Suitable for handing out to people that I marginally trust or know.  No access to the internal LAN, and only selected ports allowed out.

em0 / 36 - Internal Guest WiFi
- Protected with a moderate strength WPA2/PKS password.  Suitable for friends.  Wide open access to the internet, limited access to the internal LAN.

em0 / 48 - Internal WiFi
- Protected via WPA2/PSK with a strong password.  Has full access to the internal LAN.

em0 / 87 - LAN
- This is the internal LAN network.

em0 / 100 - Infrastructure.  In a normal shop, all switches / APs would be members of this VLAN and management would only be allowed via this VLAN.

em0 / 999 - Blackhole VLAN ID (nothing should ever listen here).

That's the easy part, defining the various VLANs.  Those same VLAN IDs have to be configured in the GS108T switch as well.  This is done under Switching / VLAN / VLAN Configuration.

Note that the first three defined VLANs (1/2/3) are hard-coded into the GS108T firmware and cannot be removed.  As I indicated in a previous post on the subject of VLAN security, you should avoid using VLAN #1 for anything.  And now I would amend that to say that you should avoid VLAN IDs 1-9.

There are a few key pieces to think about when setting up VLANs:

Inbound #1 - Are the packets already tagged when they reach the switch (inbound) from another device (i.e. switch or WiFi Access Point)?

Inbound #2 - Should untagged (no VLAN header) packets inbound to the switch be blocked/dropped?

Inbound #3 - What VLAN should untagged packets be assigned to on inbound?

In the GS108T, the inbound concerns are handled under Switching / VLAN / Port PVID Configuration.  This screen will allow you to apply a VLAN tag as packets enter the switch.

In the case of the WiFi Access Point which is attached to "g2", it does not support VLAN tagging of the various SSID networks, so we have to treat it as a "dumb" device.  So when the WiFi sends packets to the switch they get assigned to VLAN #48.

Outbound #1 - Should the VLAN header be stripped as the packets leave the switch via a particular port?

Outbound #2 - Does the device attached to this port understand VLAN tags?

Outbound #3 - Should untagged packets be blocked from exiting via this port?

Egress handling is configured through Switching / VLAN / VLAN Membership and is somewhat unintuitive in the GS108T user interface.  You need to read this screen as:

"If a packet that belongs to VLAN ## is traversing the switch and about to egress (exit/outbound), what ports is it allowed to leave by and what should happen to the VLAN header?"

In the case of VLAN #48 (Internal WiFi), the answers to that are:
  • VLAN #48 is only allowed to egress via port "g2" and port "g3". 
  • "g2" is our "dumb" WiFi Access Point
  • "g3" is the "smart" pfSense firewall that understands VLAN tags
  • Packets going to the WiFi Access Point need to have VLAN headers stripped
  • Packets going to the pfSense firewall should have VLAN headers left intact

The above shows that any packets on VLAN 48 are only allowed to leave untagged (U) via "g2" (WiFi AP) or tagged (T) via "g3" (pfSense firewall).

No comments: