VLAN Configuration for Home Network

Tags: networking, security, switch, vlan

I would like to provide some separation of devices in my home network using a managed switch. I've read other related questions/answers, but they have different requirements that get into VLAN routers or other equipment because they want different VLANs to talk to each other. I just want separation, and I want to know if I can do everything with a single managed switch.

  • My goals:
    1. Isolate Internet-accessible server from rest of network to prevent compromised server from attacking internal nodes.
    2. Isolate computer used for sensitive data from rest of network.
    3. Allow all devices access to Internet.
    4. Restrict switch management to a single port.
  • My planned switch configuration:
    • VLAN:
      • 10: ports 1 – 47 (Internet access)
      • 20: ports 1 and 2 (server)
      • 30: ports 1 and 3 – 46 (home devices)
      • 40: ports 1 and 47 (sensitive data machine)
      • 50: port 48 (switch management)
    • Port:
      • 1: untagged, pvid=10 (connected to Internet router)
      • 2: untagged, pvid=20 (connected to server)
      • 3 – 46: untagged, pvid=30 (connected to home machines)
      • 47: untagged, pvid=40 (connected to sensitive data machine)
      • 48: untagged, pvid=50 (connected to switch management machine)

In addition, the router is configured to forward port 80 to the server machine, which has a static IP address. The router uses DHCP to assign IP addresses to the rest of the machines.

When I set the switch up this way things seem to work, in the sense that I can access the Internet from machines on ports 2-47, I can access the server (through the external facing IP address of the router) from other VLANs, and I can't seem to access any other machines across VLANs. However, I've read some best practices such as the following:

  1. Each VLAN is a different IP subnet
  2. Access ports (e.g., 2-47) should be members of a single VLAN
  3. Use tagging-aware router to filter traffic across VLANs

In my setup, I use a single IP subnet. I only have ~20 devices, so there is no issue with size, but I'm curious if there are other issues. For example, could different devices on different VLANs get the same IP address, and if so, would this be a problem? My understanding is that this is OK because they can't access each other, but if they both send Internet requests could the responses get mixed up?

In my setup, I also use VLAN 10 across nearly all ports as a way to allow Internet access. Is this a problem? It seems like maybe someone could use this VLAN to hop VLANs (e.g., compromised server to access home machines, or home machines to access sensitive data machine). Does the combination of untagged and pvid=X prevent this sort of behavior? Would a VLAN tag of 10 get rejected from a port other than Port 1 with this setup?

My router is the standard Verizon router, and I don't know how it handles VLAN tagging (probably not at all?). Is there any problem if it actually does handle tags (e.g., insecure defaults) or if it doesn't (e.g., allows routing between VLANs due to lack of knowledge about them)?

Is this an appropriate configuration for my goals, or do I need to change things or introduce more equipment to properly isolate and secure the network?

Best Answer

You can't do this without a VLAN capable router/firewall. There are multiple reasons for this, one of which is that your server needs Internet access while not being directly accessible to other devices which also need Internet access, meaning a router/firewall is needed to interface the 2 types of devices.

If you think of each VLAN as a virtual unmanaged switch you will be well on your way to understanding the problem - either the ports are connected and can freely transmit to each other, or they are not connected and can't see each other - there are no half measures.

You really need subnets and routing - if you put machines on different VLANs in the same subnet they will not be able to find or talk to each other. Thus even if you have a router, the machines won't know to speak to it when trying to reach other machines, and indeed won't be able to see it in most cases.

An untagged port can be viewed as a port with a "default" tag - when you have a port with multiple tags, it carries the data inside tagged packets, so the router needs to know how to remove the tags for data to be interpreted. This is generally done by having a separate IP address per VLAN on the router, with each address in the associated subnet used by the VLAN.

(I note I've simplified things a bit, and an expert may be able to break some rules above in some cases - but you really need to understand all the above and how it fits together before you can do this - and breaking the rules is not generally good design either.)

(Similarly, while in practice VLANs do provide security, using VLANs as a security measure is a bit controversial to some experts.)
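The following is an added model, written for this page and not code from either the question or the answer, that encodes the planned VLAN/PVID table from the question and applies the answer's "each VLAN is a virtual unmanaged switch" rule: an untagged frame is classified into the ingress port's PVID and flooded only to that VLAN's member ports. It then checks which pairs of ports can exchange frames at all (an ARP request has to reach the peer and the reply has to come back), which is what decides whether two hosts on the shared subnet can find each other. It also models the two possible per-port policies for a frame that arrives already carrying an 802.1Q tag, since the question asks whether a VID 10 tag would be rejected on a port other than port 1: the `ADMIT_*` constants and the assumption that an "admit all" port accepts a tagged frame whenever it is a member of that VID are assumptions about generic switch behaviour, not facts about the asker's switch. Which policy a real switch applies is a per-port setting (often labelled along the lines of "acceptable frame types" or "ingress filtering", naming varies by vendor), and that setting is the thing to verify on the actual hardware.

```python
"""Model of 802.1Q ingress classification and flooding for the planned
home-switch configuration (added example; not the asker's switch firmware).
Assumptions: untagged frames are classified into the port's PVID; a frame is
flooded only to member ports of its VLAN (minus the ingress port); tagged
frames are dropped or admitted according to a per-port policy constant."""
from typing import Dict, Optional, Set, Tuple

# Port membership per VLAN, constructed from the question's VLAN table.
VLAN_MEMBERS: Dict[int, Set[int]] = {
    10: set(range(1, 48)),          # Internet access: ports 1-47
    20: {1, 2},                     # server
    30: {1} | set(range(3, 47)),    # home devices
    40: {1, 47},                    # sensitive data machine
    50: {48},                       # switch management
}

# PVID (native VLAN) per port, from the question's port table.
PVID: Dict[int, int] = {1: 10, 2: 20, 47: 40, 48: 50}
PVID.update({p: 30 for p in range(3, 47)})

# Assumed per-port policies for frames that arrive already tagged.
ADMIT_UNTAGGED_ONLY = "untagged-only"   # tagged frames dropped at ingress
ADMIT_ALL = "admit-all"                 # tagged frame kept if port is a member of that VID


def flood_targets(ingress: int, tag: Optional[int] = None,
                  policy: str = ADMIT_UNTAGGED_ONLY) -> Set[int]:
    """Ports that receive a broadcast / unknown-unicast frame entering `ingress`.

    tag=None models an ordinary untagged frame (classified into the PVID);
    an int models a frame carrying that 802.1Q VID on the wire.
    """
    if tag is None:
        vid = PVID[ingress]
    else:
        # Assumed behaviour: an untagged-only port discards any tagged frame;
        # an admit-all port keeps it only if the port is a member of that VID.
        if policy == ADMIT_UNTAGGED_ONLY or ingress not in VLAN_MEMBERS.get(tag, set()):
            return set()
        vid = tag
    return VLAN_MEMBERS[vid] - {ingress}


def can_talk(a: int, b: int) -> bool:
    """True only if a's ARP request reaches b AND b's reply reaches a, i.e.
    the two hosts can find each other on the shared subnet at layer 2."""
    return b in flood_targets(a) and a in flood_targets(b)


def isolation_report(ports: Tuple[int, ...] = (1, 2, 3, 4, 47, 48)) -> Dict[str, bool]:
    """Reachability for representative ports: router(1), server(2),
    two home machines(3,4), sensitive machine(47), management(48)."""
    return {f"{a}<->{b}": can_talk(a, b) for a in ports for b in ports if a < b}


if __name__ == "__main__":
    for pair, ok in isolation_report().items():
        print(f"{pair}: {'reachable' if ok else 'isolated'}")
    # The question's hop scenario: a frame tagged VID 10 arriving on the server port.
    print("VID 10 tagged on port 2, untagged-only policy:", flood_targets(2, 10))
    print("VID 10 tagged on port 2, admit-all policy:",
          sorted(flood_targets(2, 10, ADMIT_ALL)))
```

Under these assumptions the untagged path behaves the way the question reports: every port can exchange frames with the router on port 1, home ports can see each other, and server, home and sensitive ports cannot see one another (no ARP reply ever comes back), while port 48 is cut off from everything. The tagged path shows why the per-port setting matters: with the untagged-only policy a VID 10 frame from port 2 is discarded, whereas under the admit-all policy the same frame is flooded to every VLAN 10 member, including port 47. The model deliberately ignores MAC learning, the router's own behaviour and any vendor-specific handling of a port that is an untagged member of several VLANs, so it is a reasoning aid for the two questions above, not a substitute for checking the real switch.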
