TP-Link Easy Smart Switch security question
-
You mean specifically the VLAN1 restriction?
You should not ever use VLAN 1 for exactly these sorts of reasons. Switches often use VLAN 1 internally for untagged traffic and the results of trying to use it externally can be unpredictable.
I haven't found it a restriction myself. Of course I'm not using VLAN1 though… ;)
Steve
So it should be fine as long as I stay away from the default VLAN1?
No.
Crappy fly-by-nite chinese company networking hardware is almost always full of security problems, you would be better off purchasing a used switch off ebay from a more reputable OEM.
-
I've never really tested VLAN isolation to any depth, I have a hard time believing it's not isolated if configured correctly. I've never seen any stray traffic on the wrong VLAN/Port. I could probably run a test if you need me to.
I'd appreciate if you can run a simple test to check if it's isolated correctly.
-
Are we talking installation in a DOD facility or your house?? ;)
Pretty sure it does vlan isolation, kind of useless of them to state its a smart switch with vlan support if it doesn't actually isolate the vlans.. It might be very limited in what "vlan" its managment IP is on - most likely its going to be default vlan 1 with no way to change it.. And will have to be untagged.
I really don't see how that is an issue in a "home" setup.. Are you worried about someone coming into your house plugging into one of your switch ports and doing a vlan hop attack on you? Really??? ;)
While I agree in enterprise setup you always remove vlan 1, do not use vlan 1 etc.. Your management vlan is not vlan 1, etc etc etc.. But pretty sure your setting this up in you house right?? Your looking at very LOW END smart switches.. To expect the bells and whistles of a fully managed switch?? If you want the ability to change your management vlan away from an untagged vlan 1 setup then your going to have to spend a few more $'s
But for quick and dirty hey I need to have vlan support on my home budget that is really low or the wife will kill me.. Then sure the tplink or negear low end less than $40 smart switches are fine.. I have a netgear 108ev3 in my av cabinet. It does what it needs to do.. Not worried about someone plugging into my av cab switch and doing a vlan hop attack on me ;) And yeah I run vlan 1 on my "home" network - its just easier!!
I wish it did more, has not snmp support, etc. again its a LOW END smart switch - you get what you pay for.. Now if you bump your budget to say closer to 200 then sure you can get some really feature rich switches..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
If someone wants to suggest a test I can probably run it.
I've never had any issues with it. I have different DHCP servers on different VLANs and clients always pull from the expected subnet.
Yes the management interface is always on the default vlan, effectively untagged. I'm using it at home, that's not a problem.
Steve
-
Well per the link he gave says
"attacker on VLAN1 can spoof the ARP table for other VLANs."
So on vlan 1 can you arp for other devices on other vlans? If you are connected to a vlan 1 port, can you spoof a mac that is on different vlan and then gain access to that vlan device? I find it highly unlikely to be honest.. But then again this is a HOME setup.. Who exactly is going to have access to your vlan 1 in the first place? And they are going to be doing a vlan hop attack?
As you mentioned already if there was no actual layer 2 isolation then you would have issues with your multiple dhcp servers. There are many switches that are open to vlan hoping attacks.. not just the cheap ones.. Especially if they are not configured secure..
Either way I don't see how any of that really matters for a "home" setup.. It does what you need it to do right - which is isolate your traffic at layer 2. It clearly does that ;) Or Stephenw10 for example would have all kinds of issues with his dhcp servers and other vlans getting the wrong IP..
You could use any of the vlan hopping pentesting tools, frogger comes to mind.
-
… my sister laptop won't be able to access my NAS or PC...
Unless your sister is a hardcore hacker this is totally over the top!
Even if she was then there are different ways to solve this "problem" in the family - get her involved in testing the network security for example. But if she was she'd taken care of it already and not you…
So you worry about problems you don't have. -
I don't want to sound offensive, but my question is simple if this have proper isolation before I drop $150 on it. I don't see any relevance on "this is home switch, you better not to expect anything", well yeah if it doesn't do anything that I want it, I'd rather invest in a better switch because $150 is not cheap for me.
And I don't see any relevance in "your sister is probably not a hacker" or "this is highly unlikely someone's going to come to your house and plug something into the port". Well it's also very highly unlikely that someone will get your modem or router password especially if you turn your wifi off so why not just leave the default admin/admin or it's also very highly unlikely someone will get into your email account especially if you have 2 way auth so don't bother with password manager.
I mean what's the point of the discussion then? That being said, I'm new here so I don't know how things work around here and I don't mean disrespect, but these responses are definitely not what I expected.
-
I'm new here so I don't know how things work around here and I don't mean disrespect, but these responses are definitely not what I expected.
We get a fair amount of people (usually with little networking knowledge) who think they're trying to secure their family photos from nefarious Russian super-hackzors. This usually leads to overly-complex configurations that nobody can decipher. Gauging your users & their abilities will help you to determine how tightly to wind the tinfoil around your head. I run networks at the office and at home. At the office, everything is locked down. At home, things are much looser since my family wouldn't know a network if they tripped over the Ethernet cable.
For what it's worth, I just bought the 105E over the holidays for $40, but I haven't had much time to play with it or its VLAN support.
-
No offense taken.
before I drop $150 on it.
What do you want to buy for $150?
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DEPersonally, I don't like Esay Smart Switches and prefer one step up. Have a look at the TL-SG3210 of which I use multiple myself at home.
Don't use VLAN1 for anything and you should be fine and have proper isolation.
-
I've got 2 of the TL-SG108E and while they're basic in function, they are inexpensive and do work as intended. They will indeed provide the level of security you're looking for, as long as you have the networking knowledge to do so.
-
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DE
Where do you find 1016DE for $60? Here 1016DE is about $125 but it's currently on sale on Amazon for $100, 108E is about $25-30.
-
Where do you find 1016DE for $60?
I just looked here
but it seems that those are only TL-SG1016D, which is the unmanaged version.
The version in question isn't that much more expensive though:
That is including 19% VAT.This isn't, that's dealer cost…
 -
Hi,
I just bought one TL-SG108E ( it is v2 with web management interface HTTP ) and price is ~30Euro.PVID 1 it is default and can't be changed.
I defined 3 VLANS
101 for WIFI private
103 for WIFI guests
105 for LAN privateI wanted to use port 8 as Trunk & port 6 & 7 for AP:
port 8 from pfSense interface Tagged ( for VLAN 101 & 103 & 105 )
port 7 Tagged to AP1 CISCO 2602 ( for VLAN 101 & 103 ).
port 6 Tagged to AP2 CISCO 2602 ( for VLAN 101 & 103 ).
port 3-2-1 Untagged to LAN devices ( for VLAN 105 ).It's working, but in this configuration watching with NTOPNG on each VLAN interface it reveal that all traffic, from other/all VLANs it is broadcasted / visible in every VLAN interface, not exactly what I wanted … any ideas ?
-
PVID 1 it is default and can't be changed.
Yes, it can. I have a simple setup with two of the TL-SG108E (one of which is V1, the other V2) and I changed the PVID of all ports to my primary VLAN ID (not 1). My primary VLAN is for my home LAN; the only other VLAN I have defined is for my guest network and that is provided entirely via wireless. So I set the port for my Ubiquiti AP to tag that one, and the port for my ESXi box (which hosts pfSense) to tag both. The tagged traffic is passed to the pfSense VM still tagged via a port group in ESXi with VLAN ID 4095 (which is ESXi's version of a trunk. In other words, pass all traffic with tags intact). I also have an uplink between the two switches, which tags both VLANS. No problems here; everything works as expected and traffic is isolated. It's not super intuitive if you've come from managing switches that have a Cisco-like CLI, but once you get it, it works.
I'm showing the web interface of the V2 switch here because I'm on my Mac and can only access the V1 switch with a Windows app (at least easily).
-
For me it look like you can change PVID for any port, only if that port is member in that VLAN… if you can show the VLAN Configuration page we can see exactly what you set.
-
For me it look like you can change PVID for any port, only if that port is member in that VLAN…
Then change the PVID to whatever VLAN you want that port to be a member of.
Here's my tagging config for my V2 switch. Port 1 is the trunk between the two switches. Port 4 is connected to my Ubiquiti AP. Bear in mind I have another V1 switch connected to this one, so you're not seeing the whole picture:
-
Exactly how I anticipated I already tested this model of config and for my config will not solve that all traffic is mirrored on all VLANs.
Now when you have time have a look with NTOPNG in every VLAN interface you defined and let us know if you see all tagged traffic from all VLAN.
For example in your VLAN 11 you will see all traffic from 44, for me this is not normal to be seen there.
In my test all traffic from all clients on LAN, WIFI can be seen also on GUESTS… etc.
-
The only thing I can see wrong with your config is that some of your ports are still set to PVID 1.
I'm coming from a world where I manage Dell Powerconnect switches. In Dell CLI parlance (and I think Cisco is similar), there are two main switchport modes, access, and trunk. Setting a switchport to access with the command "switchport access vlan 44" tells the switch to tag any incoming traffic on that port with VLAN 44, and to send any traffic on VLAN 44 out of that port, removing the tag in the process. In reality it's a bit more than that, since it is, after all, a switch, and learns MAC addresses, thereby avoiding sending all VLAN 44 traffic over all VLAN 44 ports. But let's ignore that for now.
So, to mirror that behavior on the TP-LINK switch, you need to set the port as an untagged member in VLAN 44, but you also need to set the PVID to 44. The reason for this, as I understand it, is that the untagged setting tells the switch to send VLAN44 out of the port, but it doesn't tell it what to do with incoming untagged traffic. That's what the PVID setting does. For a port with PVID 44, any incoming traffic that's not already tagged with a VLAN ID will get tagged with 44. (someone correct me if I'm wrong on this, please).
The other mode on the Dell switch is trunk. This is used in a situation where we want to send traffic with VLAN tags intact, so that the device on the other end can handle the VLANs. That device could be anything: a pfsense router with multiple VLAN interfaces, another switch, whatever. In that case, we set the port with "switchport trunk allowed vlan add 44" and "switchport trunk allowed vlan add 11". (I'm using my own VLAN IDs here, obviously). So, that works in the case where all the traffic on the port is tagged. But what if we want to handle untagged traffic on a trunk port as well? In that case, we also set "switchport trunk native vlan 15" and then any untagged ingress traffic will get VLAN ID 15. [EDIT: and egress traffic for VLAN 15 would be sent over the port as well, untagged.] That's roughly equivalent to the PVID setting on the TP-LINK switch. That comes in handy in the case of a device like the Ubiquiti AP, where the management network is untagged, but the SSIDs handle tagged traffic in different VLANs than the management network.
To mirror the trunk allowed setting on the TP-LINK switch, you just need to set the port as a tagged member of whichever VLANs you want to trunk. The PVID will still be in place, and will handle any untagged traffic coming into the port, if there is any. The PVID setting comes in handy again for devices like the Ubiquiti AP. My own has its management interface in VLAN44 and also serves an SSID in that VLAN. So the port it's connected to is untagged 44 and PVID 44. But it also serves an SSID in VLAN 11, so the port is also set to tag VLAN 11. That's port 4 in the screenshots I've posted.
I've checked with ntopng and also with tcpdump and I don't see any untoward traffic on any of my interfaces.
-
@n3by Are you sure ntopng is not listening on the parent interface in pfSense?
Even if the switch were leaking traffic from VLANs you don't have 103 or 101 untagged or set as PVID anywhere so it's hard to believe that traffic could end up on those?
Steve
-
I was really surprised and I double checked, also on history traffic log:
As you can see all VLAN 101-103-105 had the same high traffic spike ( one week ago ) but on VL103 = Guest I don't had / have any client.At the moment I am using SG-108E only as L3 switch for LAN.
Next day I disabled VL105 and moved back to separate network interface ( this is why in history log now is showed as opt2 instead of VL105 ).
I moved back on another separate network interface VL101 & VL103 managed only by pfSense ( and a no-managed switch as trunk to connect the APs to pfSense ) so no more problems with unwanted traffic on VLANs.
