
    Monitor Network Separation with VLANs

      rvjr

      Ouch, indeed, you're right. I just tested the notifications with another rule, and wanted to try the entire setup today. But you have saved me some work on finding this on my own. Indeed any host configured to another subnet couldn't even send any ip packet if it's on the wrong interface because the initial ARP would already fail… ok, I'll try some of the other options... Thanks!

        rvjr

        I just tried the arpwatch package. It would help to solve my task, but unfortunately it lacks a few configurations: it must send alerts by email (why!), and the syslog messages which I could filter on the rsyslog server do not contain the interface information for the discovered arp assignments :-( Otherwise I could simply use regexes to check if IP assignments match the interface…

        But maybe I do stick with my previous solution, because I do get traffic for the rules with traffic "not originating from the interface subnet"! We do have some windows machines in almost every network and they are usually chatty and always send some broadcasts (e.g. 10.0.0.123/24 -> 10.0.0.255/24), which actually doesn't rely on ARP, and so these packets really hit the pfSense rule filtering on "source !LAN1_NET" when I connect the different VLANs together.

        I think that's good enough for now, because I only want to detect accidental VLAN 'short circuits'; I don't want/need to protect against internal attackers.

        Thank you all for the quick help!

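The check rvjr describes above (compare the interface a host is seen on against the subnet that host's address belongs to) as an added example; this is not code from the thread, pfSense or arpwatch. The `<iface> <ip> <mac>` line format, the interface-to-subnet map and the sample observations are constructed for illustration, standing in for what a collector would emit if the interface were logged alongside each ARP entry.

```python
"""Added example (not code from the thread): check whether hosts seen on an
interface have an IP inside that interface's subnet, the mismatch rvjr
wanted to catch. The line format and the subnet map are constructed for
illustration and are not pfSense's or arpwatch's real log format."""
import ipaddress
import re

# Hypothetical interface -> subnet assignments (constructed).
IFACE_SUBNETS = {
    "LAN1": ipaddress.ip_network("10.0.0.0/24"),
    "LAN2": ipaddress.ip_network("10.0.1.0/24"),
}

# Constructed observations in a simple "<iface> <ip> <mac>" format, as a
# collector might emit them if the interface were logged alongside the
# ARP entry. The third line is a LAN1 address showing up on LAN2.
SAMPLE_LINES = """\
LAN1 10.0.0.123 00:11:22:33:44:55
LAN2 10.0.1.7 00:11:22:33:44:66
LAN2 10.0.0.99 00:11:22:33:44:77
LAN1 10.0.0.255 ff:ff:ff:ff:ff:ff
LAN1 not-an-ip 00:00:00:00:00:00
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (iface, ip_address, mac) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # malformed address: skip rather than crash the monitor
    return m["iface"], ip, m["mac"].lower()


def home_interface(ip, subnets):
    """Name of the interface whose subnet contains ip, or None."""
    for name, net in subnets.items():
        if ip in net:
            return name
    return None


def find_leaks(lines, subnets=IFACE_SUBNETS):
    """Return one dict per observation whose IP is outside its interface's subnet."""
    leaks = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        iface, ip, mac = parsed
        net = subnets.get(iface)
        if net is None or ip in net:
            continue  # unknown interface, or the address is where it belongs
        leaks.append({
            "iface": iface,
            "ip": str(ip),
            "mac": mac,
            "belongs_to": home_interface(ip, subnets),
        })
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LINES):
        print(f"{leak['ip']} ({leak['mac']}) seen on {leak['iface']}, "
              f"belongs to {leak['belongs_to']}")
```

On the constructed input only the LAN1 address seen on LAN2 is reported; the directed broadcast to 10.0.0.255 on LAN1 is inside its own subnet and is ignored, and unparseable lines are skipped instead of aborting the run, which matters for a monitor fed from syslog.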
          johnpoz LAYER 8 Global Moderator

          "because I only want to detect accidental VLAN 'short circuits'"

          What??  How exactly are you connecting your vlans together.. Someone takes a cable from port A on a switch and puts it in B??  So now you have a loop?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            rvjr

            Well, yes. That could happen on some locations where different VLANs exit on untagged ports. Is that uncommon?

              JKnott

              @rvjr:

              Well, yes. That could happen on some locations where different VLANs exit on untagged ports. Is that uncommon?

              Connecting 2 ports on the same switch has always been bad practice.  Why would you ever do it?  As for "short circuits", decent switches run something called spanning tree or similar, to prevent that from happening.  Even my cheap TP-Link managed switch has its own proprietary method to block loops.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                johnpoz LAYER 8 Global Moderator

                Yeah it would be uncommon.

                Why would anyone connect port A to B?  Are these users just complete idiots?

                Do you not have STP (spanning tree) running on your switches?  Spanning tree's whole point is to prevent such problems.

                I can see a user connecting a device to the wrong port and being on the wrong vlan.. But why would they interconnect switch ports?  If they connect a device to vlan A port, then the device would be on vlan A - it would get an IP from the dhcp server on vlan A..  If they connect to B then it would be on vlan B and get an IP from that dhcp server, etc.  If you have dhcp running.

                If they setup an IP for A, and connect it to B then it wouldn't work, etc.

                I assume you have had such issues in the past?  Reason they have to put such nonsense like don't drink on the bottle of bleach ;)  Is because some idiot, or multiple idiots have actually done it… hehehe

                If they are interconnecting switches.. You would see all broadcast traffic on all other devices from both vlans.. How are you going to track that down?  You would need to look in the mac address tables on the switches to see which ports show all the macs on them, etc.

                I thought you were wanting to prevent a user from connecting their device to the wrong port and getting access to stuff they are not supposed to have access to.  This would be done with disabling unused ports or putting them in a dummy vlan or both options, and/or port security on your ports.  Static Arp setup, etc. etc..  Run a full blown NAC, etc. etc.

                You're wanting to stop a user from unplugging a cable from port A (vlan A) and B (vlan B) and connecting them together?

                I would suggest you keep these idiot monkeys away from the switches ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  rvjr

                  Indeed you are right. The thing I wanted to protect myself from is actually already done by STP :-)

                  I didn't know STP is on cable level, I rather assumed it was on Ethernet/VLAN level, so it couldn't really detect the 'VLAN loops'. But in fact, the switch blocks one of the looping ports if I configure the cables badly.

                  I guess this obsoletes the whole discussion :-P Sorry for bugging you with this! But still the idea of making unused ports part of a specific VLAN is nice. I think I'll do that.

                    johnpoz LAYER 8 Global Moderator

                    Even on my home switches I put unused ports into dummy vlan (10) in my case and shut them down..

                    The dummy vlan goes nowhere - it's not connected to pfsense at all. It's just a place holder of sorts.  One thing this does do is make it easy to see which ports are open for use..

                    sg300-28#sho vlan tag 10
                    Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

                    Vlan       Name           Tagged Ports      UnTagged Ports      Created by
                    ---- ----------------- ------------------ ------------------ ----------------
                     10      disabled                          gi2,gi15,gi20-23         S

                    I have 6 ports not doing anything on this switch currently ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      JKnott

                      @rvjr:

                      I didn't know STP is on cable level, I rather assumed it was on Ethernet/VLAN level

                      Actually, it is on a LAN/VLAN level. Depending on the version, it's possible to have different Spanning Tree root switches on a VLAN basis.  There's nothing on the cable level, other than carrying bits from one port to another.

                      Spanning tree works by sending out Ethernet frames containing the "cost" to the root switch, with the cost increasing with each hop.  Higher bandwidth links have a lower cost than lower bandwidth links.  The root switch is determined by the lowest MAC address, unless priority is assigned to a switch.

                      https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

                      Incidentally, Spanning Tree is one of the few protocols that uses the IEEE 802.3 Ethernet frames these days.  Everything to do with IP, including ARP, uses Ethernet II (DIX) frames.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

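A toy model of the election JKnott describes above, as an added example that is not code from the thread or from any switch vendor: the root is the bridge with the lowest (priority, MAC) pair, every other bridge keeps the lowest-cost path to the root, and links off that tree are blocked, which is how the looped patch cable in rvjr's test ended up with one port blocked. Real STP converges by exchanging BPDUs; a shortest-path search stands in for that exchange here. The switch names, MACs and topology are constructed; the per-speed costs are the IEEE 802.1D-1998 short path cost values.

```python
"""Added example (not code from the thread): a toy model of the spanning
tree behaviour JKnott describes. The root is the bridge with the lowest
(priority, MAC) pair, every other bridge keeps the path with the lowest
cumulative cost to the root, and any link not on that tree is blocked,
which is why a second cable between two switches does not create a loop.
Real STP reaches this state by exchanging BPDUs; here a shortest-path
search stands in for that exchange. Switch names, MACs and the topology
are constructed."""
import heapq

# IEEE 802.1D-1998 "short" path costs by link speed in Mbit/s:
# faster links cost less, as the post says.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID compares priority first, then MAC; lower wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def spanning_tree(bridges, links):
    """links: list of (bridge_a, bridge_b, speed_mbps, link_name).

    Returns (root, root path cost per bridge, sorted blocked link names)."""
    root = elect_root(bridges)
    adjacency = {name: [] for name in bridges}
    for a, b, speed, link in links:
        cost = PORT_COST[speed]
        adjacency[a].append((b, cost, link))
        adjacency[b].append((a, cost, link))

    # Dijkstra from the root: the first link to reach a bridge at the
    # lowest cost becomes its root port; equal-or-worse links lose.
    root_path_cost = {root: 0}
    root_port_link = {}
    queue = [(0, root)]
    while queue:
        cost_here, node = heapq.heappop(queue)
        if cost_here > root_path_cost.get(node, float("inf")):
            continue  # stale queue entry
        for neighbour, cost, link in adjacency[node]:
            candidate = cost_here + cost
            if candidate < root_path_cost.get(neighbour, float("inf")):
                root_path_cost[neighbour] = candidate
                root_port_link[neighbour] = link
                heapq.heappush(queue, (candidate, neighbour))

    forwarding = set(root_port_link.values())
    blocked = sorted(link for _, _, _, link in links if link not in forwarding)
    return root, root_path_cost, blocked


# Constructed topology: SW3 has a lower priority than the others, so it
# becomes root even though its MAC is the highest. SW1 and SW2 are joined
# twice (an extra patch cable, "loop-b"), and SW2 also has a slow uplink.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (4096, "00:00:00:00:00:03"),
}
LINKS = [
    ("SW3", "SW1", 1000, "uplink-sw1"),
    ("SW3", "SW2", 100, "uplink-sw2"),
    ("SW1", "SW2", 1000, "loop-a"),
    ("SW1", "SW2", 1000, "loop-b"),
]


def demo():
    """Run the model on the constructed topology."""
    return spanning_tree(BRIDGES, LINKS)


if __name__ == "__main__":
    root, costs, blocked = demo()
    print("root:", root)
    print("root path cost:", costs)
    print("blocked links:", blocked)
```

With this topology SW3 wins the election on priority alone, SW2 reaches the root more cheaply over two gigabit hops (cost 8) than over its own 100 Mbit/s uplink (cost 19), so both the duplicate patch cable and the slow uplink end up blocked while the network stays loop-free and fully connected.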
                        Derelict LAYER 8 Netgate

                        Per-VLAN Spanning Tree is a thing.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)
