Sorry for being such a noob. My networking is not very strong, thought I’d ask the fine folks here.
Let’s say I have a Linux box working as a router and a dumb switch (I.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I’m asking is; do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
You must log in or register to comment.
As others have said: It will work as you’ve planned it. The subnetting will keep these two PCs separated (If they still need internet, just add a second IP in your router-PC to allow for communication with this subnet).
VLANs aren’t required, but are more relevant when you want to force network segregation based on individual ports. If you really want to, you can add tagged virtual interfaces on these two separated hosts so that the others hosts aren’t able to simply change the address to reach these. The switch should ignore the VLAN tag and pass it through anyway. But again, it’s not really needed, just something you can do if you really want to play with tagged VLAN interfaces
Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff
Yes, but that’s done on the switch. Basically VLAN tags are applied in one of two ways:
Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to see traffic assigned to VLAN 32.
Tagged (sometimesreferred to as Trunk), on the other hand, is for traffic that is already assigned a VLAN tag. For example Tagged 32 means that it will allow traffic that already has a VLAN tag of 32. It is possible to assign multiple VLANs to a Tagged port. Whatever is connected to that port will need to be able to talk to the associated VLAN(s).
In your particular case, the best practice would be to assign two ports (One for each host, obviously) to Untagged 32 (arbitrarily chosen number, any VLAN ID will do, as long as you’re consistent), and all the other ports as Untagged to a different VLAN ID. That way the switch will effectively contain two segments that cannot talk to each other.
Yes you need vlans
Technically there would be some isolation at layer 3 but they would all still be in the same layer 2 network.
What is holding you back in regards to VLANs?
I’d either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can’t control and don’t know what it’s doing underneath.
Can you elaborate why you think you need much more PCIe network cards? Technically you can do with 1 single LAN port with all your VLANs.
You configure the VLANs on the router then make a single trunk port to a switch. then have that switch divide the VLANs on the ports you desire. this can be a L2 switch.
Thanks, but to make that work I would need a managed switch running a proprietary OS can I cannot trust. If there was a switch running a FOSS OS then I would use that
What in the world is “a proprietary OS I cannot trust”. What’s your actual threat model? Have you actually run any risk analyses or code audits against these OSes vs. (i assume) Linux to know for sure that you can trust any give FOSS OS? You do realize there’s still an OS on your dumb switch, right?
This is a silly reason to not learn to manage your networking hardware.
Thank you for the comment.
My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of “if they’re in your network you have other problems to worry about” is valid, and I’m working on it.
I’m educating myself about Lynis, AuditD and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I’ve recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.
Yes, I do realise that the dumb switch has an OS. And you raise a good point. I’m starting to feel uneasy with my existing netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.
I’d like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.
Thanks again for the comment and I’d like to hear any suggestions you have.
