Guest wireless VLAN without managed switches
-
I have an SG-1100 router, several unmanaged Netgear switches, and two Unifi wireless access points. I created a guest VLAN and added the LAN and OPT ports as tagged members. I added firewall rules to allow the new VLAN to access the internet but not the original network. I configured the access points to have a new guest wireless network associated with the new VLAN. Somewhat to my surprise, everything seems to work: presumably the unmanaged switches are happily passing the tagged packets through.
My question is, is this really working and doing anything useful?
-
@ebcdic said in Guest wireless VLAN without managed switches:
presumably the unmanaged switches are happily passing the tagged packets through.
My question is, is this really working and doing anything useful?

Yes, absolutely. There is no reason for an unmanaged switch to not pass VLAN frames. Some people seem to think they can't. However, a switch is supposed to pass all valid Ethernet frames, and the only significant difference with a VLAN frame is the contents of the Ethertype/length field. There is no other difference. So, if an unmanaged switch were to block a VLAN frame, it would have to read the contents of that field, determine it was VLAN and then block it. That seems to be a bit much to ask of an unmanaged switch. The only issue you might come across is if you have an ancient switch that can't handle more than a 1500 byte payload, with the 4 extra bytes for the VLAN tag. If you have such a thing, just reduce the MTU on your LAN by 4 bytes.
Here is a list of Ethertype numbers. Any switch that can't pass every one of them is defective.
-
Thanks, that explains why it works. But I'm also wondering if it is providing the security expected. If an honest client on the guest VLAN attempts to communicate with a host on the main VLAN, it will see that it's on a different subnet and send the packet to the router, which will block it because of the firewall rules. But what if a malicious client on the guest VLAN constructs a packet with the MAC address of a host on the main VLAN? Will the unmanaged switches pass it through? And would this be different with managed switches? Or is it unimportant because the target will reject a tagged packet?
-
It is possible for someone directly connected to the LAN to configure the interface to also receive VLAN packets. That means they could appear on both the LAN and VLAN, just as pfSense does. However, someone connected to the guest WiFi wouldn't be able to do that, as they have no direct access to the LAN. The AP will remove the VLAN tag for traffic to WiFi and add it to traffic from it.
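The points made in the replies above (an unmanaged switch forwards on destination MAC and never inspects the 802.1Q tag, a managed switch additionally checks VLAN membership of the egress port, the tag adds 4 bytes to the frame, and the AP strips the tag toward wireless clients and inserts it toward the wire) can be shown in a small simulation. This is an added example written for this thread, not code from the forum posters, Netgate, Netgear or Ubiquiti; the MAC addresses, port numbers and VLAN 20 are made up, and the two forwarding functions are simplified models of switch behaviour rather than any product's implementation.

```python
"""Model of 802.1Q tagging as seen by an unmanaged switch, a managed switch
and a wireless AP. Constructed illustration: the frames, MAC addresses,
port numbers and VLAN id below are made up for the example."""
import struct

ETHERTYPE_8021Q = 0x8100      # TPID that marks a VLAN-tagged frame
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518     # 14-byte header + 1500 payload + 4-byte FCS
MAX_TAGGED_FRAME = 1522       # same plus the 4-byte 802.1Q tag


def mac(s):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame (without FCS); insert an 802.1Q tag if vlan_id is given."""
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF                       # PCP=0, DEI=0, 12-bit VID
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan_id (None when untagged), ethertype and payload."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_8021Q:                     # tag present: read TCI, real Ethertype follows
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": etype, "payload": frame[offset:]}


def strip_tag(frame):
    """What the AP does toward a wireless client: remove the 4 tag bytes."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame, vlan_id):
    """What the AP does toward the wire: insert the tag for the SSID's VLAN."""
    if parse_frame(frame)["vlan_id"] is not None:
        raise ValueError("frame already tagged")
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) + frame[12:]


def unmanaged_forward(frame, mac_table, ingress_port, ports):
    """Unmanaged switch model: decide by destination MAC only, the tag is never looked at.
    Unknown destinations are flooded to every other port."""
    dst = parse_frame(frame)["dst"]
    if dst in mac_table:
        return [] if mac_table[dst] == ingress_port else [mac_table[dst]]
    return [p for p in ports if p != ingress_port]


def managed_forward(frame, mac_table, ingress_port, port_vlans):
    """Managed switch model: same MAC lookup, but the frame's VLAN must be allowed on
    the ingress port and on the egress port. Untagged frames take the port's PVID."""
    f = parse_frame(frame)
    vid = f["vlan_id"] if f["vlan_id"] is not None else port_vlans[ingress_port]["pvid"]
    if vid not in port_vlans[ingress_port]["allowed"]:
        return []                                    # ingress filtering drops it
    candidates = unmanaged_forward(frame, mac_table, ingress_port, list(port_vlans))
    return [p for p in candidates if vid in port_vlans[p]["allowed"]]


def fits_legacy_switch(frame):
    """True if a switch limited to 1518-byte frames (FCS included) can carry this frame."""
    return len(frame) + 4 <= MAX_UNTAGGED_FRAME


# Constructed sample data: host on port 3 of the main LAN, guest traffic arriving on port 1
GUEST_VLAN = 20
LAN_HOST, GUEST_CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
UNTAGGED = build_frame(LAN_HOST, GUEST_CLIENT, b"hello")
TAGGED = build_frame(LAN_HOST, GUEST_CLIENT, b"hello", vlan_id=GUEST_VLAN)
MAC_TABLE = {mac(LAN_HOST): 3}
PORT_VLANS = {1: {"pvid": 1, "allowed": {1, GUEST_VLAN}},   # trunk from the AP
              2: {"pvid": 1, "allowed": {1}},
              3: {"pvid": 1, "allowed": {1}}}                # main-LAN host only

if __name__ == "__main__":
    print("unmanaged forwards guest-tagged frame to port", unmanaged_forward(TAGGED, MAC_TABLE, 1, [1, 2, 3]))
    print("managed forwards guest-tagged frame to port", managed_forward(TAGGED, MAC_TABLE, 1, PORT_VLANS))
    print("1500-byte payload, tagged, fits legacy switch:",
          fits_legacy_switch(build_frame(LAN_HOST, GUEST_CLIENT, b"x" * 1500, vlan_id=GUEST_VLAN)))
```

Running it shows the two models disagree on the guest-tagged frame: the unmanaged model hands it to port 3 because only the destination MAC is consulted, while the managed model drops it because port 3 is not a member of VLAN 20. The size check reproduces the MTU remark: a full 1500-byte payload fits in 1518 bytes untagged but needs 1522 once tagged, and trimming the payload by 4 bytes brings it back under the limit.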