Difficulty access the internet using my VLAN as an Guest Access Point
- 
 Hi, and thanks to everyone who has contributed to what must be a simple problem. I am going to go through the steps listed in "../Switch-Overview" and give this a whirl. @stephenw10 the only thing that is confusing me a little is the LAN ports. 
 I am only using the one port to connect to my Switch, LAN1. I assume in the example in the documentation I am basically just substituting 'LAN4' for my 'LAN1'. Chris 
- 
 Yes, you can use any port as the trunk to the external switch. Steve 
- 
 @stephenw10 Relying on VLANs for security is foolhardy. VLAN hopping through a switch is easily accomplished with a few simple commands on a linux box. VLANs were not designed for security, they were designed for segmenting networks. 
- 
 @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point: VLAN hopping through a switch is easily accomplished with a few simple commands on a linux box. Can you demonstrate that? I'd like to test it if you have the commands. Steve 
- 
 @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point: @stephenw10 Relying on VLAN's for security is foolhardy. VLAN hopping through a switch is easily accomplished with a few simple commands on a linux box. VLAN's were not designed for security, they were designed for segmenting networks. I think that depends on how you're using VLANs. If you depend upon hosts to tag their packets correctly [1], then yes, it's trivial to hop VLANs. If you require each host to use a specific switch port as an untagged access port that is a member of a particular VLAN, then the host should not be able to hop VLANs without a bug or misconfiguration in the switch. (Because the switch adds the VLAN tag on packets entering the access port, and removes them from packets exiting the access port). Of course "misconfiguration" could include errors involving nested VLANs and multiple switches. [1] Don't do that! 
- 
 Mmm indeed, I would hope nobody is having hosts tag their own traffic in anything other than a test environment. Obviously that is no sort of security. 
- 
 This is very interesting stuff. Being the novice, do I need to have a rethink about what I am trying to create here if security is a risk? Not having this knowledge, I could be doing more harm than good. Just to recap, I am just trying to set up a WiFi access point or hotspot for visiting friends and family; they do not need to see my main LAN, if you wish.
 I tried the suggested link/documentation, https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/switch-overview.html, and I hit a bit of a snag with part of the setup process, the step that said to delete the Member(s) from the VLAN group. I need to look at it again, possibly reset everything back to a fresh starting point and go over these instructions a few times. When I deleted the member, in my example LAN1, I was having to physically swap the LAN1 to the LAN2 port on my Netgate to get internet access again, and when I was on LAN1 I was also getting the IP address and subnet mask range I set up as the WiFi access point (172.16.0.1/28).
 The reference to "..Ethernet ports as discrete ports": since I am using VLAN 20 along with my native VLAN, all traffic passes via that single cable from the Netgate to a switch. Is this to help LAN1 on my Netgate understand what information is coming through LAN1 and where it is to be redirected, i.e. back to the switch port(s) assigned to VLAN 20 (which again is routed through the same LAN1 on the Netgate)? Just a thought, you said 'Trunk' in an earlier reply, so I am trying to set up some form of a junction between VLANs: a native VLAN which is the default and, in my case, VLAN 20, is that right? Apologies for the extra questions, it's just so I can better understand how this all fits together. I will be the first to say I need to do a bit more background research. I do enjoy the Netgate device, it's a good learning curve. Many thanks 
 Chris
- 
 Are you adding the guest wifi network as a second SSID to an existing AP? Or are you adding a new AP that will only carry the guest wifi? In the first case the AP will present the guest wifi traffic on a VLAN directly. So you would be looking to trunk the VLAN through both the switch in the 2100 and the HP switch so it's tagged to the AP. In the second case you only need to trunk it through the 2100 switch and then it will be an access port in the HP switch to the AP. Steve 
- 
 @stephenw10 said in Difficulty access the internet using my VLAN as an Guest Access Point: An unmanaged switch will usually pass all tagged traffic but you cannot be sure of that until you try it. Would someone please explain why that might happen. The only significant difference between a VLAN frame and any other is the contents of the Ethertype/Length field. That's it. Given that Ethernet switches are supposed to pass all Ethertypes, why would a switch not pass a VLAN frame? For an unmanaged switch to not pass a VLAN frame, it would have to check the Ethertype and then specifically drop VLAN frames. It seems to me that's a lot to ask of a dumb switch. And to what end? 
- 
At the cable level VLAN hopping is straightforward. There is nothing to mitigate this. 
- 
At the switch level there are various ways to hop a VLAN. Most switches fresh out of their packing box will allow you to hop the VLAN. You must take the effort to harden the switch. Even though you have spent days, maybe weeks, hardening your switch, any security bugs in the software make your hardening completely useless. For example, some Cisco switches have a security bug in the HTTP server that is susceptible to an OB attack, giving the attacker executive privileges. This attack is easy to execute using simple telnet and a python script. 
- 
Finally there is the human error aspect. You can spend forever hardening your switch but at some point you are going to need to take that little paperclip bend it straight and do a full blown reset on the switch. At which point you forget you have just unhardened your switch. 
- 
 @jknott Oh...and I forgot... If an attacker fails to break into your super hardened switch all they need to do is literally cut the physical cable that is the trunk cable, crimp it with a new RJ45 plug, and plug it into their own switch and feed it back. Unless you have the proper monitoring software on your trunk line you wouldn't know. 
- 
 If all you're doing is setting up a VLAN for friends and family I don't see where your concerns are. VLANs are fine for your purpose. VLANs are adequate for creating private networks. 
 VLANs should not be relied upon for security if that's what you're looking for.
- 
 @cxcmax To me, your setup seems awkward... why not put in a guest AP device that does its own DHCP and let your pfSense do DNS? Seems simpler than having a static IP for your AP and then trying to use the VLAN as the DHCP server. 
- 
 @stephenw10 alternatively why don't you point me to a reliable source that states VLANs are a viable security solution. 
- 
 @nollipfsense all APs should use static IP. This will allow you to configure the firewall to block access to the management interface. It will also allow you to manage APs with management software. 
- 
 @jknott said in Difficulty access the internet using my VLAN as an Guest Access Point: For an unmanaged switch to not pass a VLAN frame, it would have to check the Ethertype and then specifically drop VLAN frames. It seems to me that's a lot to ask of a dumb switch. And to what end? Indeed it would have to do exactly that. When I have seen this it's because what appears to be a 'dumb' switch is in fact a managed switch IC that is simply configured as a single VLAN. As I understand it (and I won't pretend to have done an exhaustive study here!) most small unmanaged switches are built like that because those are the available switch ICs. But when configured as port based VLAN they will pass all tagged traffic. 
 I have most commonly hit this as a problem when people try to re-use some combo device as a switch. So a router/AP/switch style device. Typically those are configured in 802.1q mode to segregate ports but there's no way to know until you test it since that is not exposed to the user interface.
 Anyway, having wasted hours of my life trying to solve a problem only to discover there was an additional 'dumb' switch in the connection I hadn't been told about, I can only advise: do not assume tagged traffic will pass. Steve 
- 
 @papdee said in Difficulty access the internet using my VLAN as an Guest Access Point: @stephenw10 alternatively why don't you point me to a reliable source that states VLANs are a viable security solution. I think you will need to define 'security solution' in that context. Typically VLANs are used to segregate traffic that is using the same physical connection. If that's for security reasons then it could be considered a security solution IMO. 
 You have suggested it's possible, trivial even, to 'hop' VLANs, which I understand to mean a host on one VLAN is able to access a resource on a different VLAN. Maybe I've misunderstood what you're saying. I'm not aware of any way to do that without re-configuring a switch in between, but I'd love to learn if it is. Steve 
- 
 ???? What do your posts have to do with mine? 
 I'm well aware of how VLANs work. I use one here for my guest WiFi, have set some up for business customers and am a Cisco CCNA.
- 
 @jknott Sorry, fat fingers. Should have been the one above you. 