Monday, 9 September 2019

networking - VLAN Configuration for Home Network

I would like to provide some separation of devices in my home network using a managed switch. I've read other related questions/answers, but they have different requirements that get into VLAN routers or other equipment because they want different VLANs to talk to each other. I just want separation, and I want to know if I can do everything with a single managed switch.



  • My goals:

    1. Isolate Internet-accessible server from rest of network to prevent compromised server from attacking internal nodes.

    2. Isolate computer used for sensitive data from rest of network.

    3. Allow all devices access to Internet.

    4. Restrict switch management to a single port.



  • My planned switch configuration:

    • VLAN:

      • 10: ports 1 - 47 (Internet access)

      • 20: ports 1 and 2 (server)

      • 30: ports 1 and 3 - 46 (home devices)

      • 40: ports 1 and 47 (sensitive data machine)

      • 50: port 48 (switch management)



    • Port:

      • 1: untagged, pvid=10 (connected to Internet router)

      • 2: untagged, pvid=20 (connected to server)

      • 3 - 46: untagged, pvid=30 (connected to home machines)

      • 47: untagged, pvid=40 (connected to sensitive data machine)

      • 48: untagged, pvid=50 (connected to switch management machine)






In addition, the router is configured to forward port 80 to the server machine, which has a static IP address. The router uses DHCP to assign IP addresses to the rest of the machines.


When I set the switch up this way things seem to work, in the sense that I can access the Internet from machines on ports 2-47, I can access the server (through the external facing IP address of the router) from other VLANs, and I can't seem to access any other machines across VLANs. However, I've read some best practices such as the following:



  1. Each VLAN is a different IP subnet

  2. Access ports (e.g., 2-47) should be members of a single VLAN

  3. Use tagging-aware router to filter traffic across VLANs


In my setup, I use a single IP subnet. I only have ~20 devices, so there is no issue with size, but I'm curious if there are other issues. For example, could different devices on different VLANs get the same IP address, and if so, would this be a problem? My understanding is that this is OK because they can't access each other, but if they both send Internet requests could the responses get mixed up?


In my setup, I also use VLAN 10 across nearly all ports as a way to allow Internet access. Is this a problem? It seems like maybe someone could use this VLAN to hop VLANs (e.g., compromised server to access home machines, or home machines to access sensitive data machine). Does the combination of untagged and pvid=X prevent this sort of behavior? Would a VLAN tag of 10 get rejected from a port other than Port 1 with this setup?


My router is the standard Verizon router, and I don't know how it handles VLAN tagging (probably not at all?). Is there any problem if it actually does handle tags (e.g., insecure defaults) or if it doesn't (e.g., allows routing between VLANs due to lack of knowledge about them)?


Is this an appropriate configuration for my goals, or do I need to change things or introduce more equipment to properly isolate and secure the network?
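The following is an added worked example, not part of the question above and not a statement about any particular switch model: a small Python model of 802.1Q forwarding built from the port plan in the question, used to try the "tag 10 from a non-router port" hop the poster is worried about. It assumes (labelled in the code) a switch that applies ingress filtering (a tagged frame is accepted only if the ingress port is a member of that VID), that still accepts tagged frames on ports configured as untagged, and that floods unknown unicast to every member port of the VLAN; whether the MAC table is per-VLAN (independent learning) or shared is a flag, since the overlapping VLAN 10 behaves differently under each. Port numbers, VLAN IDs and PVIDs are the ones in the question; the MAC strings are constructed.

```python
"""Model of the asymmetric-VLAN layout from the question (added example).

Assumptions, not facts about any real switch:
- ingress filtering: tagged frames are accepted only on member ports of that VID
- tagged frames are NOT rejected merely because a port is configured untagged
- unknown destinations are flooded to every other member port of the VLAN
- svl=False: one MAC table per VLAN; svl=True: one shared MAC table
"""
from dataclasses import dataclass, field

# Constructed from the port plan in the question (48-port switch).
VLAN_MEMBERS = {
    10: set(range(1, 48)),        # ports 1-47, "Internet access"
    20: {1, 2},                   # router + server
    30: {1} | set(range(3, 47)),  # router + home devices
    40: {1, 47},                  # router + sensitive-data machine
    50: {48},                     # switch management only
}

PVID = {1: 10, 2: 20, 47: 40, 48: 50}
PVID.update({p: 30 for p in range(3, 47)})


@dataclass
class Switch:
    """Minimal 802.1Q bridge: membership table, PVIDs and a learned MAC table."""
    members: dict
    pvid: dict
    svl: bool = False                      # shared VLAN learning on/off
    fdb: dict = field(default_factory=dict)

    def _key(self, vid, mac):
        # Independent learning keys the table by (vid, mac); shared by mac only.
        return (None if self.svl else vid, mac)

    def classify(self, port, tag):
        """VID assigned on ingress, or None if the frame is dropped."""
        if tag is None:
            return self.pvid[port]           # untagged frame -> port's PVID
        return tag if port in self.members[tag] else None  # ingress filtering

    def forward(self, port, src, dst, tag=None):
        """Return the set of egress ports for one frame (empty = dropped)."""
        vid = self.classify(port, tag)
        if vid is None:
            return set()
        self.fdb[self._key(vid, src)] = port          # learn source
        out = self.fdb.get(self._key(vid, dst))
        if out is not None and out != port and out in self.members[vid]:
            return {out}
        # Unknown destination: flood to every other member port of the VLAN.
        return {p for p in self.members[vid] if p != port}


def untagged_server_traffic():
    """Server (port 2) sends untagged: classified into VLAN 20, reaches only port 1."""
    sw = Switch(VLAN_MEMBERS, PVID)
    return sw.forward(2, "aa:srv", "aa:rtr")


def tagged_hop_from_server():
    """A compromised server forges a frame tagged VID 10. Port 2 is a VLAN 10
    member, so ingress filtering accepts it and it floods to ports 1 and 3-47,
    i.e. the home machines and the sensitive host."""
    sw = Switch(VLAN_MEMBERS, PVID)
    return sw.forward(2, "aa:srv", "ff:ff:ff:ff:ff:ff", tag=10)


def tagged_hop_rejected():
    """A home machine (port 3) tags VID 40; port 3 is not a VLAN 40 member, so dropped."""
    sw = Switch(VLAN_MEMBERS, PVID)
    return sw.forward(3, "aa:home", "aa:sens", tag=40)


def router_reply_to_server(svl):
    """Router answers the server. The server's MAC was learned in VLAN 20; with
    independent learning it is unknown in VLAN 10, so the reply floods ports
    2-47. With a shared table it goes to port 2 only."""
    sw = Switch(VLAN_MEMBERS, PVID, svl=svl)
    sw.forward(2, "aa:srv", "aa:rtr")          # server -> router, learned on port 2
    return sw.forward(1, "aa:rtr", "aa:srv")   # router's untagged reply, VLAN 10


if __name__ == "__main__":
    print("server untagged        ->", sorted(untagged_server_traffic()))
    print("server tagged VID 10   ->", sorted(tagged_hop_from_server()))
    print("home tagged VID 40     ->", sorted(tagged_hop_rejected()))
    print("router reply, IVL      ->", sorted(router_reply_to_server(False)))
    print("router reply, SVL      ->", sorted(router_reply_to_server(True)))
```

The two things worth checking on a real switch are the ones the model parametrises: whether an "untagged" port can be told to drop all tagged ingress frames (some firmware calls this "acceptable frame types: untagged only"), which closes the forged-tag hop, and whether MAC learning is per-VLAN, because under independent learning the router's traffic to the server is flooded across VLAN 10 to every port in 2-47 rather than switched to port 2.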
