TP-Link Easy Smart Switch security question
-
Why do you not remove the ports from vlan 1.. Clearly from your shot showing that you have multiple untagged ports on a port then yeah if you send broadcast traffic on vlan 1, and the port is a member of vlan 1 it should see that traffic..
If your saying there is no way to remove a port from untagged 1 then sure that would be an issue, but looks like you can do it on the screen you posted above - you just didn't do it.. Not talking about delete vlan 1, talking about taking port out of the vlan vs it being a member of 2 in an untagged state.
"which was on sale for the ridiculously low price of 35$ after mail-in rebate at Amazon"
Really.. That is not what I show, I show that the rebate is $30.. So puts the price at 80$ If there was a mistake and you got the switch for $30 sweet for you!! But I am guessing more same sort of info that didn't get right either ;) Just Sayin…
I don't have one of the tplink to test with, but I have a netgear that is same sort of price point.. Dirt Cheap - and "smart" to the point it does vlans but not much else. Same thing you can not delete vlan 1 on the device. But you can for sure remove a port from being untagged in more than one vlan and can change its pvid..
It doesn't protect you from stupid configurations.. See last pic where I put port 2 in vlan 1 and vlan 20 as untagged.
-
On first top row, Delete box with VLAN 1 and ports 1-8 it is disabled.
It looks like always all switch ports are part of VLAN 1, even you assign them to other VLAN.
From my test in ALL configuration even you assign to the switch an management IP in another class; out of all your LAN / VLAN sub-net,
all port and clients connected to switch are allowed to access that management switch IP, without restriction.All you have to do is to change client IP in the same sub-net as switch IP, TPLink sw management utility will always display switch IP so is no need to scan for all IP range.
Because it is HTTP and management traffic is broadcasted on all ports it is easy to access/sniff the configuration account.This Chinese switch looks like a perfect Trojan horse.
p.s
in V2 ASIC is RTL8367c… maybe later a custom firmware will be ported. -
Yeah, as n3by says, you can't check that box or edit VLAN1 in any way. I even tried to edit the the HTML code surrounding that checkbox with Chrome's Development console to no avail.
Really.. That is not what I show, I show that the rebate is $30.. So puts the price at 80$ If there was a mistake and you got the switch for $30 sweet for you!! But I am guessing more same sort of info that didn't get right either ;) Just Sayin…
It must have been some sort of price mistake and it popped up on a deal site (https://slickdeals.net/f/9686276) for $35. I figured even with this "VLAN flaw" it would still work well as a "dumb" switch for a network contained to a single broadcast domain at that price.
in V2 ASIC is RTL8367c… maybe later a custom firmware will be ported.
I was going to look into this somewhat. Not necessary "custom" firmware, but I had hopes that there may be a way to port the Netgear firmware over (assuming they use the same or similar hardware).
Does anybody think we have any recourse with TP-Link support to get a new firmware released? In this day and age where some of the largest ever DDoS attacks are sourced from IP camera DVRs and other embedded devices, one would think that a company would make it a priority to resolve security issues of this nature.
-
I e-mailed a TP-Link engineer I met at a trade show last year. I'll report back what he responds.
Be gentle, I linked this thread to him. -
Not talking about editing the vlan 1, I am talking about removing the port from the vlan.. If you can not remove a port from being in vlan 1 as untagged then you have a problem sure.. The switch is doing what it says its going to do.. Port 1-8 are set to be untagged vlan 1.. So yeah any traffic on vlan 1 that is broadcast traffic should flood out those ports as untagged.
Does not matter that you set PVID to.. All this says that hey untagged traffic I see INBOUND to this port, this is the vlan that traffic is in..
So your using the webgui - can you try their utility software? Maybe their is bug in their code in the web gui for removal of ports from vlan 1? I have half a mind to just order one of these to play with.. But from what you posted the switch is doing what its configured to do.. All ports are in vlan 1 untagged. Any broadcast traffic that it see inbound to a port that has pvid of 1, will be flooded out every other port that as being in vlan 1..
Generate your broadcast traffic inbound to a port that has its pvid set to something other than vlan 1. That untagged traffic would be in that vlan and not broadcast out vlan 1 ports. But in the current config state any traffic ingress to ports 1 or 8 that have pvid of 1 would be flooded out all the ports since they are listed as being untagged in vlan 1.
If you set all the pvid to something else other than 1 - can you still get to the IP of the switch? Does the config software utility still work?
-
Johnpoz, I think you have the right idea. I have a TL-SG2008 and a couple of TL-SG3424's and removed all the ports from the default VLAN 1 when I set them up. I don't think you can delete VLAN 1, but on my models at least you can remove all the ports from it. All the PVID's are set to something other than 1 and I can still reach the IP of the switch. I've never seen any traffic bleeding from one vlan to another.
-
Not talking about editing the vlan 1, I am talking about removing the port from the vlan.. If you can not remove a port from being in vlan 1 as untagged then you have a problem sure.. The switch is doing what it says its going to do.. Port 1-8 are set to be untagged vlan 1.. So yeah any traffic on vlan 1 that is broadcast traffic should flood out those ports as untagged.
Does not matter that you set PVID to.. All this says that hey untagged traffic I see INBOUND to this port, this is the vlan that traffic is in..
So your using the webgui - can you try their utility software? Maybe their is bug in their code in the web gui for removal of ports from vlan 1? I have half a mind to just order one of these to play with.. But from what you posted the switch is doing what its configured to do.. All ports are in vlan 1 untagged. Any broadcast traffic that it see inbound to a port that has pvid of 1, will be flooded out every other port that as being in vlan 1..
Generate your broadcast traffic inbound to a port that has its pvid set to something other than vlan 1. That untagged traffic would be in that vlan and not broadcast out vlan 1 ports. But in the current config state any traffic ingress to ports 1 or 8 that have pvid of 1 would be flooded out all the ports since they are listed as being untagged in vlan 1.
If you set all the pvid to something else other than 1 - can you still get to the IP of the switch? Does the config software utility still work?
I'll have to double check, but I think all ports remain untagged in VLAN 1 no matter what we do. That could explain some of the behavior reported, but I've had no problem keeping traffic isolated. I have my PVID set to something other than VLAN1 on all ports and can still hit the management interface. There is no way to define a VLAN for the management interface that I can see.
-
Is there any update on this?
@jahonix, did the TP-Link engineer ever answer your questions? I'm especially interested in the option to be able to set a management VLAN on the Easy Smart switches.
-
-
Any updates on this thread? Seems like this is a serious problem.
-
Any updates on this thread? Seems like this is a serious problem.
I haven't seen any firmware updates that allow removing VLAN1 untagged from the switch ports. I'm guessing TP-Link sees this as a feature, so that the end user can avoid having to set up the management interface on a VLAN and perhaps locking themselves out of managing the switch, since there's no console or anything like that.
Of course I understand the implications, and obviously these switches are meant for home use. I'd be curious to hear what TP-Link says about it, but that's my guess.
-
I got one of these and immediately returned it.
I ended up with a zyxel gs1900-8hp, it's 70W of PoE over all 8 ports for $100. It didn't have the forced VLAN 1, and it even has a telnet CLI you can activate and a header for serial access. MUCH better GUI and many more features!
The non-PoE version is I think $60. So almost double the price of a tplink might not be interesting but I thought I'd throw it out there.
I actually kept my LAN on VLAN1. It's for home use and you can force HTTP/S only acces, that combined with a strong password keeps me from worrying about needing a management only interface.
-
Any updates on this thread?
Sorry, I didn't make it to CeBIT. Workload prohibited going there.
And the engineer I talked to last year never responded to my mails. -
For just a couple dollars more you can get a D-Link DGS-1100-08 that has a management VLAN setting and doesn't do all this VLAN 1 nonsense.
Not sure what the fascination with these TP-Link things is. They are garbage.
-
At least for me the fascination was the price. Also, before asking around in a forum like this they appear to be a great buy based on amazon reviews.
But I agree, better off getting something a little better.
-
I got one of these to play with since see a lot of threads about them.. You can not remove vlan 1 that is for damn sure, and there also seems to be a cosmetic issue with it reporting rxbadpkts on interface that tagged vlan traffic hits… But seems to just be cosmetic.
I have not had a chance to test the security if vlan 1 traffic is broadcasted out a port if you change the pvid to some other vlan. But pretty sure you can get to the management IP from any switch port.. When I get some play time do some testing. But for a home switch, that does vlans the price is attractive.
-
But pretty sure you can get to the management IP from any switch port.
How big of a security concern is this really? If the webgui is HTTP/S and you have a strong password on it then what is the security risk?
My setup is home use only so for me I'm not at all concerned about anyone on my network even caring to look for a switch or router on the network, I was just curious how much of an actual security vulnerability this would be on a larger network?
-
I have very little patience (read zero) for any flakiness in my layer 2 gear.
-
But pretty sure you can get to the management IP from any switch port.
If the webgui is HTTP/S
It's not, and I don't see any way to change it. I get it, these switches are basically the same price as a typical unmanaged switch. They're cheap and offer VLANs. That's about all I can say.
Right now all my ports are either trunk ports (two between switches, one to my AP, one to my ESXi box) or access ports on a single VLAN (not VLAN1) which uses a subnet that also happens to contain the management IP address. My other two VLANs / subnets are either wireless only or contained entirely in ESXi / pfSense. In other words, I don't have any wired devices on an access port in a VLAN / subnet that doesn't also contain the management IP.
As expected, my guest wireless network cannot access the management IP of the switch. It can access certain services on that subnet, but only because I explicitly allow that access in pfSense. In that regard, the switches behave exactly as I'd expect.
I suppose I should put a port into the VLAN for the guest network and test that way with a wired connection, but for my setup that test would be academic.
Next time I buy a switch for home use, I'll choose something different. If anyone can show me a 16 port fanless 1Gbps fully managed switch (with a proper CLI) I'd be ecstatic. For now, I'm not freaking out about it.
-
But pretty sure you can get to the management IP from any switch port.
How big of a security concern is this really? If the webgui is HTTP/S and you have a strong password on it then what is the security risk?
My setup is home use only so for me I'm not at all concerned about anyone on my network even caring to look for a switch or router on the network, I was just curious how much of an actual security vulnerability this would be on a larger network?
It's not, and I don't see any way to change it. I get it, these switches are basically the same price as a typical unmanaged switch. They're cheap and offer VLANs. That's about all I can say.
I just meant in general is it a security concern if you can force HTTP/S and put a good password on it.
I replaced my TP-Link with a Zyxel GS1900 and it allows you to force HTTP/S WebGUI.