Off Topic: Networking and VLANs

magic:
Interesting. I thought the idea behind DSA is that all those "ports" are supposed to look like ordinary Ethernet NICs so one would be excused for thinking that "vconfig add" should work on them. ::) So it was like, no errors, no packets, no nothing?

BTW, I hope you know that tcpdump is a thing and aren't working completely in the dark, right? ;)

paulca:

--- Quote from: magic on December 01, 2021, 07:43:42 pm ---Interesting. I thought the idea behind DSA is that all those "ports" are supposed to look like ordinary Ethernet NICs so one would be excused for thinking that "vconfig add" should work on them. ::) So it was like, no errors, no packets, no nothing?

BTW, I hope you know that tcpdump is a thing and aren't working completely in the dark, right? ;)

--- End quote ---

I know tcpdump is a thing, but I've been mostly flying blind as I haven't installed tcpdump on the router.

However...

I did get the lab set up to replicate the solution successfully.

Still not quite done yet.  In the lab I had the advantage of using the "Host only network" as the management LAN, and creating separate "Admin" interfaces on both routers.  On the real network I don't have that luxury, so I need a way to VLAN them all up somehow so they are accessible from LAN, but not GUEST.

There weren't any surprises, except a bug with submitting VLAN changes which has a work around.

"UpstairsSwitch" was configured with 4 eth adapters: 3 on br-lan, each on its own "Internal network" called SwitchPort1, 2 and 3, and the final ethernet as "Admin", with only the router itself on the "Host only network".
"MainRouter" was configured with 3 eth adapters: 1 for Admin on host only, 1 for WAN DHCP on the VMware NAT network, and 1 for "LAN", which was a single trunk on the SwitchPort1 internal network.

With that in place, everyone could talk to everyone else and the internet.

So I then configured the VLANs on the bridges with 1 being LAN and 3 being Guest.  This caused devices br-lan.1 and br-lan.2 to magically appear.

I terminated these at the main router by assigning both interfaces and DHCP servers.  "UpstairsSwitch" does not need these as it is meant to be a switch not a router. ;)  It just needed the tagging setup for the ports and the trunk.

Surprisingly this worked, and the Guest got their own IP range from the Main Router VLAN 3 DHCP and the LAN got its from the VLAN 1 DHCP server.

... they could still access each other though.  So firewall zones needed to be set up. 

Finally the guest could not access the lan.... but it couldn't get an IP address either.

So a little "Traffic rule" to allow DHCP and DNS through the router itself on the Guest VLAN and all is good.

Just need to figure out how to VLAN up those admin interfaces and give LAN access.

magic:
I believe there is an option to set which firewall zones can access management.
Either somewhere in system administration or in the configuration of each zone.
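
The sequence paulca walks through above (bridge VLANs on the DSA bridge, br-lan.N interfaces each with their own DHCP pool, a guest zone that cannot forward into lan, and the traffic rule that re-admits DHCP and DNS to the router itself), together with magic's point that zone policy is what decides who can reach management, written out as an added example of the OpenWrt UCI configuration on the MainRouter side. This is not either poster's configuration. The DSA port names lan1-lan3, which port carries the trunk, and the 192.168.1.0/24 and 192.168.3.0/24 ranges are assumptions; real port names depend on the device.

```uci
# /etc/config/network  (MainRouter)  -- added example, not the poster's config
# Assumed DSA port names: lan1 = trunk to UpstairsSwitch, lan2 = the wired
# work laptop (guest only), lan3 = an ordinary LAN device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 1 = LAN: untagged + PVID ('u*') on lan3, tagged ('t') on the trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan3:u*'

# VLAN 3 = Guest: untagged on the work laptop's port, tagged on the trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:u*'

# Terminate each VLAN on its own br-lan.N device (assumed address ranges).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  -- one pool per VLAN interface
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

# /etc/config/firewall
# input=ACCEPT on lan is what lets LAN hosts reach LuCI/SSH on the router.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# The weak setting would be input 'ACCEPT' here: it exposes LuCI/SSH to every
# guest device.  Keep REJECT and open only the two services guests need.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

# The only forwarding guest gets: to wan, never to lan.
config forwarding
	option src 'guest'
	option dest 'wan'

# input=REJECT also drops DHCP and DNS aimed at the router, which is why the
# guest stopped getting an address; re-admit exactly those two services.
config rule
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

On the UpstairsSwitch side only the `config device` and the two `config bridge-vlan` sections are needed, with the uplink to MainRouter as a tagged member of both VLANs, plus one `config interface` on br-lan.1 for management; no guest interface, no DHCP pool and no zone for VLAN 3, since it is meant to switch, not route. Because that management interface sits in VLAN 1, it is reachable from the lan zone on MainRouter and not from guest, which is the effect magic describes. To confirm the tagging rather than guess, `opkg install tcpdump` on the router and run `tcpdump -e -n -i lan1 vlan 3` on the trunk port: the `-e` flag prints the 802.1Q tag on each frame, so guest traffic should show up tagged 3 and nothing from VLAN 3 should appear on lan3.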

paulca:
I never did state why I needed a guest VLAN.  It's not like I have guests often. :P

It's actually for "guest" devices.  Things that can have internet but are otherwise blind to everything else.

The pressing requirement is to extend the guest Wifi setup I have to wired for a work laptop I've now been told I have to use for customer access.  Not allowed to use my own PC, they say.  I know for a fact the customer doesn't give a sh1t about my company's security!

However, I have learnt the hard way about the data leakage that can happen between your personal life and your company device when they share a network.  So many laptops come stock with discovery protocols turned up to 10.  They will broadcast, poke, probe, query, list and cache any device they can find with no password or a default password and present it to you as being helpful.  When you are sitting on a call in work and the laptop pops up a notification that it found a new shared folder //server/dodgy-videos/ ...  My internal network is pretty much fully trusted, so a lot of it is unsecured.  Bringing third-party devices into that open scope is dubious anyway.

So.  GET OFF MY LAWN!.. sorry LAN!  Guest network it has to be. 
