TP-Link Easy Smart Switch security question
-
I've never really tested VLAN isolation to any depth, I have a hard time believing it's not isolated if configured correctly. I've never seen any stray traffic on the wrong VLAN/Port. I could probably run a test if you need me to.
I'd appreciate if you can run a simple test to check if it's isolated correctly.
-
Are we talking installation in a DOD facility or your house?? ;)
Pretty sure it does vlan isolation, kind of useless of them to state its a smart switch with vlan support if it doesn't actually isolate the vlans.. It might be very limited in what "vlan" its managment IP is on - most likely its going to be default vlan 1 with no way to change it.. And will have to be untagged.
I really don't see how that is an issue in a "home" setup.. Are you worried about someone coming into your house plugging into one of your switch ports and doing a vlan hop attack on you? Really??? ;)
While I agree in enterprise setup you always remove vlan 1, do not use vlan 1 etc.. Your management vlan is not vlan 1, etc etc etc.. But pretty sure your setting this up in you house right?? Your looking at very LOW END smart switches.. To expect the bells and whistles of a fully managed switch?? If you want the ability to change your management vlan away from an untagged vlan 1 setup then your going to have to spend a few more $'s
But for quick and dirty hey I need to have vlan support on my home budget that is really low or the wife will kill me.. Then sure the tplink or negear low end less than $40 smart switches are fine.. I have a netgear 108ev3 in my av cabinet. It does what it needs to do.. Not worried about someone plugging into my av cab switch and doing a vlan hop attack on me ;) And yeah I run vlan 1 on my "home" network - its just easier!!
I wish it did more, has not snmp support, etc. again its a LOW END smart switch - you get what you pay for.. Now if you bump your budget to say closer to 200 then sure you can get some really feature rich switches..
-
If someone wants to suggest a test I can probably run it.
I've never had any issues with it. I have different DHCP servers on different VLANs and clients always pull from the expected subnet.
Yes the management interface is always on the default vlan, effectively untagged. I'm using it at home, that's not a problem.
Steve
-
Well per the link he gave says
"attacker on VLAN1 can spoof the ARP table for other VLANs."
So on vlan 1 can you arp for other devices on other vlans? If you are connected to a vlan 1 port, can you spoof a mac that is on different vlan and then gain access to that vlan device? I find it highly unlikely to be honest.. But then again this is a HOME setup.. Who exactly is going to have access to your vlan 1 in the first place? And they are going to be doing a vlan hop attack?
As you mentioned already if there was no actual layer 2 isolation then you would have issues with your multiple dhcp servers. There are many switches that are open to vlan hoping attacks.. not just the cheap ones.. Especially if they are not configured secure..
Either way I don't see how any of that really matters for a "home" setup.. It does what you need it to do right - which is isolate your traffic at layer 2. It clearly does that ;) Or Stephenw10 for example would have all kinds of issues with his dhcp servers and other vlans getting the wrong IP..
You could use any of the vlan hopping pentesting tools, frogger comes to mind.
-
… my sister laptop won't be able to access my NAS or PC...
Unless your sister is a hardcore hacker this is totally over the top!
Even if she was then there are different ways to solve this "problem" in the family - get her involved in testing the network security for example. But if she was she'd taken care of it already and not you…
So you worry about problems you don't have. -
I don't want to sound offensive, but my question is simple if this have proper isolation before I drop $150 on it. I don't see any relevance on "this is home switch, you better not to expect anything", well yeah if it doesn't do anything that I want it, I'd rather invest in a better switch because $150 is not cheap for me.
And I don't see any relevance in "your sister is probably not a hacker" or "this is highly unlikely someone's going to come to your house and plug something into the port". Well it's also very highly unlikely that someone will get your modem or router password especially if you turn your wifi off so why not just leave the default admin/admin or it's also very highly unlikely someone will get into your email account especially if you have 2 way auth so don't bother with password manager.
I mean what's the point of the discussion then? That being said, I'm new here so I don't know how things work around here and I don't mean disrespect, but these responses are definitely not what I expected.
-
I'm new here so I don't know how things work around here and I don't mean disrespect, but these responses are definitely not what I expected.
We get a fair amount of people (usually with little networking knowledge) who think they're trying to secure their family photos from nefarious Russian super-hackzors. This usually leads to overly-complex configurations that nobody can decipher. Gauging your users & their abilities will help you to determine how tightly to wind the tinfoil around your head. I run networks at the office and at home. At the office, everything is locked down. At home, things are much looser since my family wouldn't know a network if they tripped over the Ethernet cable.
For what it's worth, I just bought the 105E over the holidays for $40, but I haven't had much time to play with it or its VLAN support.
-
No offense taken.
before I drop $150 on it.
What do you want to buy for $150?
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DEPersonally, I don't like Esay Smart Switches and prefer one step up. Have a look at the TL-SG3210 of which I use multiple myself at home.
Don't use VLAN1 for anything and you should be fine and have proper isolation.
-
I've got 2 of the TL-SG108E and while they're basic in function, they are inexpensive and do work as intended. They will indeed provide the level of security you're looking for, as long as you have the networking knowledge to do so.
-
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DE
Where do you find 1016DE for $60? Here 1016DE is about $125 but it's currently on sale on Amazon for $100, 108E is about $25-30.
-
Where do you find 1016DE for $60?
I just looked here
but it seems that those are only TL-SG1016D, which is the unmanaged version.
The version in question isn't that much more expensive though:
That is including 19% VAT.This isn't, that's dealer cost…
![Bildschirmfoto 2017-01-04 um 09.52.16.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 09.52.16.png_thumb)
![Bildschirmfoto 2017-01-04 um 09.52.16.png](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 09.52.16.png)
![Bildschirmfoto 2017-01-04 um 09.51.08.png](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 09.51.08.png)
![Bildschirmfoto 2017-01-04 um 09.51.08.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 09.51.08.png_thumb)
![Bildschirmfoto 2017-01-04 um 10.03.26.png](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 10.03.26.png)
![Bildschirmfoto 2017-01-04 um 10.03.26.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2017-01-04 um 10.03.26.png_thumb) -
Hi,
I just bought one TL-SG108E ( it is v2 with web management interface HTTP ) and price is ~30Euro.PVID 1 it is default and can't be changed.
I defined 3 VLANS
101 for WIFI private
103 for WIFI guests
105 for LAN privateI wanted to use port 8 as Trunk & port 6 & 7 for AP:
port 8 from pfSense interface Tagged ( for VLAN 101 & 103 & 105 )
port 7 Tagged to AP1 CISCO 2602 ( for VLAN 101 & 103 ).
port 6 Tagged to AP2 CISCO 2602 ( for VLAN 101 & 103 ).
port 3-2-1 Untagged to LAN devices ( for VLAN 105 ).It's working, but in this configuration watching with NTOPNG on each VLAN interface it reveal that all traffic, from other/all VLANs it is broadcasted / visible in every VLAN interface, not exactly what I wanted … any ideas ?
-
PVID 1 it is default and can't be changed.
Yes, it can. I have a simple setup with two of the TL-SG108E (one of which is V1, the other V2) and I changed the PVID of all ports to my primary VLAN ID (not 1). My primary VLAN is for my home LAN; the only other VLAN I have defined is for my guest network and that is provided entirely via wireless. So I set the port for my Ubiquiti AP to tag that one, and the port for my ESXi box (which hosts pfSense) to tag both. The tagged traffic is passed to the pfSense VM still tagged via a port group in ESXi with VLAN ID 4095 (which is ESXi's version of a trunk. In other words, pass all traffic with tags intact). I also have an uplink between the two switches, which tags both VLANS. No problems here; everything works as expected and traffic is isolated. It's not super intuitive if you've come from managing switches that have a Cisco-like CLI, but once you get it, it works.
I'm showing the web interface of the V2 switch here because I'm on my Mac and can only access the V1 switch with a Windows app (at least easily).
-
For me it look like you can change PVID for any port, only if that port is member in that VLAN… if you can show the VLAN Configuration page we can see exactly what you set.
-
For me it look like you can change PVID for any port, only if that port is member in that VLAN…
Then change the PVID to whatever VLAN you want that port to be a member of.
Here's my tagging config for my V2 switch. Port 1 is the trunk between the two switches. Port 4 is connected to my Ubiquiti AP. Bear in mind I have another V1 switch connected to this one, so you're not seeing the whole picture:
-
Exactly how I anticipated I already tested this model of config and for my config will not solve that all traffic is mirrored on all VLANs.
Now when you have time have a look with NTOPNG in every VLAN interface you defined and let us know if you see all tagged traffic from all VLAN.
For example in your VLAN 11 you will see all traffic from 44, for me this is not normal to be seen there.
In my test all traffic from all clients on LAN, WIFI can be seen also on GUESTS… etc.
-
The only thing I can see wrong with your config is that some of your ports are still set to PVID 1.
I'm coming from a world where I manage Dell Powerconnect switches. In Dell CLI parlance (and I think Cisco is similar), there are two main switchport modes, access, and trunk. Setting a switchport to access with the command "switchport access vlan 44" tells the switch to tag any incoming traffic on that port with VLAN 44, and to send any traffic on VLAN 44 out of that port, removing the tag in the process. In reality it's a bit more than that, since it is, after all, a switch, and learns MAC addresses, thereby avoiding sending all VLAN 44 traffic over all VLAN 44 ports. But let's ignore that for now.
So, to mirror that behavior on the TP-LINK switch, you need to set the port as an untagged member in VLAN 44, but you also need to set the PVID to 44. The reason for this, as I understand it, is that the untagged setting tells the switch to send VLAN44 out of the port, but it doesn't tell it what to do with incoming untagged traffic. That's what the PVID setting does. For a port with PVID 44, any incoming traffic that's not already tagged with a VLAN ID will get tagged with 44. (someone correct me if I'm wrong on this, please).
The other mode on the Dell switch is trunk. This is used in a situation where we want to send traffic with VLAN tags intact, so that the device on the other end can handle the VLANs. That device could be anything: a pfsense router with multiple VLAN interfaces, another switch, whatever. In that case, we set the port with "switchport trunk allowed vlan add 44" and "switchport trunk allowed vlan add 11". (I'm using my own VLAN IDs here, obviously). So, that works in the case where all the traffic on the port is tagged. But what if we want to handle untagged traffic on a trunk port as well? In that case, we also set "switchport trunk native vlan 15" and then any untagged ingress traffic will get VLAN ID 15. [EDIT: and egress traffic for VLAN 15 would be sent over the port as well, untagged.] That's roughly equivalent to the PVID setting on the TP-LINK switch. That comes in handy in the case of a device like the Ubiquiti AP, where the management network is untagged, but the SSIDs handle tagged traffic in different VLANs than the management network.
To mirror the trunk allowed setting on the TP-LINK switch, you just need to set the port as a tagged member of whichever VLANs you want to trunk. The PVID will still be in place, and will handle any untagged traffic coming into the port, if there is any. The PVID setting comes in handy again for devices like the Ubiquiti AP. My own has its management interface in VLAN44 and also serves an SSID in that VLAN. So the port it's connected to is untagged 44 and PVID 44. But it also serves an SSID in VLAN 11, so the port is also set to tag VLAN 11. That's port 4 in the screenshots I've posted.
I've checked with ntopng and also with tcpdump and I don't see any untoward traffic on any of my interfaces.
-
@n3by Are you sure ntopng is not listening on the parent interface in pfSense?
Even if the switch were leaking traffic from VLANs you don't have 103 or 101 untagged or set as PVID anywhere so it's hard to believe that traffic could end up on those?
Steve
-
I was really surprised and I double checked, also on history traffic log:
As you can see all VLAN 101-103-105 had the same high traffic spike ( one week ago ) but on VL103 = Guest I don't had / have any client.At the moment I am using SG-108E only as L3 switch for LAN.
Next day I disabled VL105 and moved back to separate network interface ( this is why in history log now is showed as opt2 instead of VL105 ).
I moved back on another separate network interface VL101 & VL103 managed only by pfSense ( and a no-managed switch as trunk to connect the APs to pfSense ) so no more problems with unwanted traffic on VLANs.
-
I want to restate what's being said here because I believe that these TP-Link "Easy Smart Switches" do indeed have a fundamental flaw with their VLAN implementation. I hope this can serve as a warning for future prospective buyers.
I am a networking professional and I have been using pfSense appliances in my personal network for years. Power consumption is something that I'm trying to minimize as of late, so I wanted to purchase a low power switch that supported VLANs so that I could implement a "pfSense on a stick" style network with a slightly older low power Intel NUC that only has one 1gbps port. It was to be a fairly simple deployment with one "access port" on a VLAN designated for the "WAN" (external network, VLAN99), several "access ports" designated for the "LAN" (internal network, VLAN10) and one "trunk" port which would trunk these two networks into the pfSense appliance.
Flaw #1: The first flaw with this switch is that you have no control over the management interface with regard to VLANs. On a Cisco switch, there is the concept of an "Interface VLAN" where you can select what VLAN you wish to attach a layer-three interface. Not only do these TP-Link switches switch lack that functionality, they instead allow access to their management IP interface from all ports on the switch regardless of the VLAN or PVID configured.
Here is how to test this: For anyone who has this switch configured with multiple VLANs, plug a computer into any port on the switch and hard-code your IP to be in the same subnet as the switches management IP and ping the switch. I am able to access the management IP of the switch from any port regardless of changes made to the "802.1Q VLAN Configuration" tab or the "802.1Q PVID Setting" tab. This is a huge security issue in router on a stick deployment such as the one outlined above
When I noticed this behavior, I quickly pulled out my old WireShark PC and the results were simply baffling:
Flaw #2: Any broadcast received on a port whose PVID is set to VLAN1 will be flooded out of all ports regardless of the VLAN or PVID settings. Easy enough, just don't use VLAN1 right? This was verified by injecting ARP requests into port 8 and monitoring every other port with WireShark (see photos which contain my configuration settings).
Flaw #3: Traffic sourced from the switch's management IP address is flooded out of all ports regardless of the destination MAC address or the VLAN or PVID settings. This was verified by opening a browser and pointing it to the switches web based management while connected to a port set to PVID of VLAN 10. This resulted in WireShark showing a flood of HTTP traffic sourced from the MAC address of the switch egressing a port whose PVID and untagged VLAN setting was set to VLAN99 or VLAN1.
I purchased two of these TP-Link switches over the past few weeks. The first was the 8 port model: TL-SG108E 2.0, which I promptly returned upon the discovery of this "flaw". The second was model: TL-SG1024DE 2.0 which was on sale for the ridiculously low price of 35$ after mail-in rebate at Amazon. Both exhibited the same behavior.
I guess that why they always say: caveat emptor!
![TL-SG108E PVID SETTINGS.PNG](/public/imported_attachments/1/TL-SG108E PVID SETTINGS.PNG)
![TL-SG108E PVID SETTINGS.PNG_thumb](/public/imported_attachments/1/TL-SG108E PVID SETTINGS.PNG_thumb)
![TL-SG108E VLAN SETTINGS.PNG](/public/imported_attachments/1/TL-SG108E VLAN SETTINGS.PNG)
![TL-SG108E VLAN SETTINGS.PNG_thumb](/public/imported_attachments/1/TL-SG108E VLAN SETTINGS.PNG_thumb)