Author Topic: Off Topic: Networking and VLANs  (Read 4441 times)


Offline paulca (Topic starter)

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: gb
Off Topic: Networking and VLANs
« on: December 01, 2021, 11:19:55 am »
I know this is off topic, but to be honest I expect I will get better discussion and answers here than on most IT forums.

My network currently is 100% the same subnet, same Ethernet broadcast domain with the only exception being Guest WIFI provided by 2 out of 3 access points.

I have a new requirement to provide at least 1 wired Ethernet port on the Guest network.  Thus, as I'm not going to run separate cables and switches for this wired guest network, I need to VLAN it.

I understand what VLANs are and the basics of how to use them.  I'm just struggling to fit this into my current setup with minimal impact / reconfiguring.

I "believe" I have everything I need: the access switch is managed and supports VLANs, and the "Main" router is OpenWRT v21 and supports VLANs.  They are connected by a single CAT5e gigabit Ethernet link.

I chose VLAN 1 = LAN,   VLAN 3 = Guest.  (2 was already there for WAN which I am not yet using).

So I set the access switch port 8 to be Untagged on VLAN 3 and removed VLAN 1 from port 8.  This had the expected effect of isolating the machine on port 8 entirely.

This is where it goes wrong.  I then added VLAN 3 as "Tagged" on the trunk link (port 4) to the Main 'switch/router' downstairs.  I added a virtual interface on VLAN 3 and gave it a static IP.  I statically assigned the Guest machine a fixed IP and tried to ping the remote VLAN 3 interface.  Nothing happened.

The issue may be that Port 4 (the trunk link) has to also carry VLAN 1 which it currently does as Untagged.  I feel that while the NetGear switch will allow me to have an Untagged VLAN 1 and a Tagged VLAN 3 down the same port, it's not a correct config.   Basically VLAN 1 continues to work, but VLAN 3 doesn't.... or it appears not to, as I'm not sure about either end's setup.

I tried a few times to Tag both VLAN1 and VLAN3 on port 4, but as I am on the remote end of that trunk link, any mistake removes access to the admin page on the main router.  I have to swap the VLANs around to get access to it again.

Part of the problem is that OpenWRT just went through a major shift in underlying tech, from Linux swconfig to Linux DSA.  This renders a lot of terminology and YouTube guides/howtos out of date and confusing.

I don't want to break my network too much as I need it.  So I am hoping to maybe get another OpenWRT router (cheap) and set up this guest network on the "unused" side of the switch, not the Main switch in the hallway!  If that makes sense.

I expect I need to make that trunk link Tagged on both VLAN1 and VLAN3 and put associated VLAN devices with interfaces on router and bridge these appropriately with the gateway network.   There are a lot of pieces to get into place and working currently without locking myself out of parts of my network.

Any thoughts, guidance?   Anyone familiar with OpenWRT v21 or DSA switching and VLANs?
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline Miyuki

  • Frequent Contributor
  • **
  • Posts: 903
  • Country: cz
    • Me on youtube
Re: Off Topic: Networking and VLANs
« Reply #1 on: December 01, 2021, 12:15:12 pm »
In my experience, if you combine tagged and untagged traffic you end up with a mess.
Plus this is the main reason why it is good practice to have a separate management interface/VLAN or whatever.

 

Online NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9003
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Off Topic: Networking and VLANs
« Reply #2 on: December 01, 2021, 12:59:26 pm »
https://goughlui.com/2018/08/17/tested-vlans-in-the-home-through-dumb-switches/
Quick summary is that mixing tagged and untagged VLANs works just fine, just not the most secure. In your case, the devices on the untagged network are "trusted" so it shouldn't be much of an issue.

Also, have you considered using a Torbox to provide the guest network? Could be a good idea for particularly untrustworthy guests.
https://www.torbox.ch/
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6743
  • Country: pl
Re: Off Topic: Networking and VLANs
« Reply #3 on: December 01, 2021, 01:30:08 pm »
Part of the problem is that OpenWRT just went through a major shift in underlying tech, from Linux swconfig to Linux DSA.  This renders a lot of terminology and YouTube guides/howtos out of date and confusing.
:wtf: |O
Typical Loonix, just as something starts to work alright they go and fuck it up.
I really don't get the point of this change at all, the old system was very simple and easy to understand and to configure. The new system apparently just obscures the internal structure of the router behind some useless abstraction of an "external port" (and of course changes all the config tools) :palm:

Anyway, it seems you could follow example 4 from here:
https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
Switch the LAN interface from br-lan to br-lan.1 (be sure not to leave WiFi out, what a fucking trainwreck) and create a new interface ("GUEST") on br-lan.3.
 :-//

Or downgrade to OpenWRT 20 :-DD

Quick summary is that mixing tagged and untagged VLANs works just fine, just not the most secure. In your case, the devices on the untagged network are "trusted" so it shouldn't be much of an issue.
In OP's case the devices on the mixed link are both managed switches so there is no trust issue as long as the two ends are configured correctly.
 

Offline newbrain

  • Super Contributor
  • ***
  • Posts: 1716
  • Country: se
Re: Off Topic: Networking and VLANs
« Reply #4 on: December 01, 2021, 01:36:09 pm »
I cannot be of much help as I have different equipment (EdgeRouter-X and a D-Link managed switch), but the setup on my LAN is very similar:
A trunk from the router with untagged frames + VLAN10 tagged ones, and the same on the switch where 6 ports get only the untagged frames, and 2 ports only the VLAN 10 tagged ones.
Different networks (10.x.x.x and 192.168.x.x), DHCP on both from the router, no other services on VLAN 10 (e.g. DNS, WAN access etc).

No problems in what is now ~5 years - apart from the initial learning curve to set it up.
Nandemo wa shiranai wa yo, shitteru koto dake.
 

Offline Ranayna

  • Frequent Contributor
  • **
  • Posts: 861
  • Country: de
Re: Off Topic: Networking and VLANs
« Reply #5 on: December 01, 2021, 01:45:00 pm »
Keep everything tagged, except on the edge ports where the end device is connected. There you should use an untagged VLAN. Though some network cards (most Intel cards) can actually understand VLAN tags if properly configured.

What switch and what access points are you using? Some companies use different vocabulary. A Cisco Trunk is not the same as an HPE Trunk for example. That can be iffy to set up.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6743
  • Country: pl
Re: Off Topic: Networking and VLANs
« Reply #6 on: December 01, 2021, 01:51:53 pm »
Is there a NIC that cannot process tagged frames?
It works even on integrated Realtek NICs.
 

Offline paulca (Topic starter)

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: gb
Re: Off Topic: Networking and VLANs
« Reply #7 on: December 01, 2021, 02:30:21 pm »
Plus this is the main reason why it is good practice to have a separate management interface/VLAN or whatever

Yes, although technically I can always plug a laptop into the router, it just means getting up.  Obviously setting up a separate management VLAN would be a bit of chicken and the egg :)

What switch and what access points are you using? Some companies use different vocabulary. A Cisco Trunk is not the same as an HPE Trunk for example. That can be iffy to set up.

The access switch is a Netgear GS308T (Netgear UI).
The main router is a Linksys WRT3200 (OpenWRT).

The "gateway" is currently via a TPLink ArcherV900 but I am replacing this with a bridge modem (Draytech Vigor 100) on Saturday.

Anyway, it seems you could follow example 4 from here:
https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

I looked through that one.  I think I stopped as carrying out that config would definitely disconnect me from the router.

To that end, I have decided to try and spin up a virtual lab.  I found I can run OpenWRT on VirtualBox.  Obviously I can run Linux and Windows desktops there too and can clone and reconfigure things to set up a replica of my network to gain some experience with what exactly works and doesn't.  Hopefully the vbnet networks will hold up to VLANs.

I mean I "can" accept downtime and make the changes to my actual network, I would just rather be sure of a configuration sticking before I throw it at it.  I don't really want to have to use a laptop to break back in at the router or worse... brick or have to reflash everything / anything.
« Last Edit: December 01, 2021, 02:32:34 pm by paulca »
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6743
  • Country: pl
Re: Off Topic: Networking and VLANs
« Reply #8 on: December 01, 2021, 03:15:10 pm »
Yes, the enabling of VLAN on the switch and changing LAN from br-lan to br-lan.1 looks like it needs to happen atomically. Do only one and you won't be able to do the other anymore.

That should actually be the default out-of-the-box configuration on OpenWRT so that you don't need to do it yourself in order to use VLANs. On older OpenWRT releases enabling VLANs was an absolute no-brainer.

You could add a virtual AP, create a separate network for it (i.e. don't bridge it to LAN) with separate IP range and use that to access router configuration. Then it doesn't matter if LAN becomes nonfunctional for a moment while you are changing things.

edit
Would it be possible to create a lan4.3 device (VLAN 3 on port 4) and hook it up to the new network while leaving everything involving other ports and br-lan on defaults?
« Last Edit: December 01, 2021, 03:20:38 pm by magic »
 

Offline paulca (Topic starter)

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: gb
Re: Off Topic: Networking and VLANs
« Reply #9 on: December 01, 2021, 06:32:40 pm »
You could add a virtual AP, create a separate network for it (i.e. don't bridge it to LAN) with separate IP range and use that to access router configuration. Then it doesn't matter if LAN becomes nonfunctional for a moment while you are changing things.

I like this idea.  I forgot I can talk to it over Wifi still.  I can add an admin SSID temporarily and, as you say, put it in a zone with "INPUT" accepted and set it with a DHCP range.

Quote
edit
Would it be possible to create a lan4.3 device (VLAN 3 on port 4) and hook it up to the new network while leaving everything involving other ports and br-lan on defaults?

Not sure about this.  I tried various things like creating a lan4.3 device, which did nothing.  Assigning it an IP did nothing either.  Including it in the bridge and setting the VLAN filtering on port 4 kicked me off the network LOL.  I think it dropped all LAN untagged traffic on that port.  That might have been the right next step and if I had the admin wifi setup I might have been able to see that.

The virtual lab is coming along slowly.  Major time killer was working out VirtualBox networks are picky feckers, so "Promiscuous mode" set to "Allow all" seemed to help it be a "switch".

Next is to see if I can separate two clients by VLAN and set up the trunk for both to the "Edge router".  If it works LAN box and Guest box can see the internet, but not each other.  It occurred to me I might be able to do it without layer 3 routing and with the same IP subnet.  It also occurred to me there are easier ways to go insane debugging an already complex problem without adding that insanity.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6743
  • Country: pl
Re: Off Topic: Networking and VLANs
« Reply #10 on: December 01, 2021, 07:43:42 pm »
Interesting. I thought the idea behind DSA is that all those "ports" are supposed to look like ordinary Ethernet NICs so one would be excused for thinking that "vconfig add" should work on them. ::) So it was like, no errors, no packets, no nothing?

BTW, I hope you know that tcpdump is a thing and aren't working completely in the dark, right? ;)
 

Offline paulca (Topic starter)

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: gb
Re: Off Topic: Networking and VLANs
« Reply #11 on: December 01, 2021, 08:18:28 pm »
Interesting. I thought the idea behind DSA is that all those "ports" are supposed to look like ordinary Ethernet NICs so one would be excused for thinking that "vconfig add" should work on them. ::) So it was like, no errors, no packets, no nothing?

BTW, I hope you know that tcpdump is a thing and aren't working completely in the dark, right? ;)

I know tcpdump is a thing, but I've been mostly flying blind as I haven't installed tcpdump on the router.

However...

I did get the lab successfully set up to replicate the solution.

Still not quite done yet.  In the lab I had the advantage of using the "Host only network" as the management LAN.  And creating separate "Admin" interfaces on both routers.  On the real network I don't have that luxury, so need a way to VLAN them all up somehow so they are accessible from LAN, but not GUEST.

There weren't any surprises, except a bug with submitting VLAN changes which has a work around.

"UpstairsSwitch" was configured with 4 eth adapters.  3 on br-lan all on individual "Internal networks" called SwitchPort1,2,3 and the final Ethernet as "Admin" with only the router itself on the "Host only network".
"MainRouter" was configured with 3 eth adapters.  1 for Admin on host only.  1 for WAN DHCP on the VMWare NAT network.  1 for "LAN" which was a single trunk on the SwitchPort1 internal network.

With that in place, everyone could talk to everyone else and the internet.

So I then configured the VLANs on the bridges with 1 being LAN and 3 being Guest.  This caused devices br-lan.1 and br-lan.2 to magically appear.

I terminated these at the main router by assigning both interfaces and DHCP servers.  "UpstairsSwitch" does not need these as it is meant to be a switch not a router. ;)  It just needed the tagging setup for the ports and the trunk.

Surprisingly this worked and the Guest got their own IP range from the Main Router VLAN 3 DHCP and the LAN got its from the VLAN 1 DHCP server.

... they could still access each other though.  So firewall zones needed to be set up. 

Finally the guest could not access the lan.... but it couldn't get an IP address either.

So a little "Traffic rule" to allow DHCP and DNS through the router itself on the Guest VLAN and all is good.

Just need to figure out how to VLAN up those admin interfaces and give LAN access.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6743
  • Country: pl
Re: Off Topic: Networking and VLANs
« Reply #12 on: December 01, 2021, 08:31:26 pm »
I believe there is an option to set which firewall zones can access management.
Either somewhere in system administration or in the configuration of each zone.
 

Offline paulca (Topic starter)

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: gb
Re: Off Topic: Networking and VLANs
« Reply #13 on: December 03, 2021, 04:44:27 pm »
I never did state why I needed a guest VLAN.  It's not like I have guests often. :P

It's actually for "guest" devices.  Things that can have internet but are otherwise blind to everything else.

The pressing requirement is to extend the guest Wifi setup I have to wired for a work laptop I've now been told I have to use for customer access.  Not allowed to use my own PC, they say.  I know for a fact the customer doesn't give a sh1t about my company's security!

However, I have learnt the hard way about the data leakage that can happen between your personal life and your company device when they share a network.  So many laptops come stock with discovery protocols turned up to 10.  They will broadcast, poke, probe, query, list and cache any device they can find with no password or a default password and present it to you as being helpful.  When you are sitting on a call in work and the laptop pops up a notification that it found a new shared folder //server/dodgy-videos/ ...  My internal network is pretty much fully trusted, so a lot of it is unsecured.  Bringing third-party devices into that open scope is dubious anyway.

So.  GET OFF MY LAWN!.. sorry LAN!  Guest network it has to be. 
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 
