VLAN + Firewall-Rules vs Firewall-Rules only



  • Hi,

    I am working on my network infrastructure with the aim of segmenting it.

    This is why I first thought about creating different VLANs and later setting up some firewall rules to get the desired segmentation.
    But since I just have a small network with 13 + x devices (the guest network is easy to identify by using separate IP addresses [DHCP]), I thought about just creating firewall rules, so that they can only communicate with those devices I want them to communicate with.

    Perhaps you can help me understand why creating VLANs in this situation would be favourable.
    Why should I use VLANs and firewall rules instead of using firewall rules only?

    Best regards,
    Diego


  • LAYER 8 Netgate

    You need to study what OSI layers 2 and 3 are.

    A firewall, in most cases, regulates traffic at layer 3.

    If all your hosts are on the same layer 2 network they can communicate directly without any regulation or interference by the firewall.


  • LAYER 8 Global Moderator

    And before it comes up, just giving them different IP networks doesn't stop them from talking to each other if on the same L2..

    If you want to segment your devices from each other and control what protocols/ports they are allowed to talk to each other on, if any, you need different L2 (vlans via switch or completely different physical networks) and then firewall allowing/blocking traffic between the L3 networks.

    pfSense can route and firewall between your L3 networks - but you're going to need multiple physical interfaces and switches on pfSense to create the different L2 networks - OR a switch that can do vlans… Smart switches are very reasonably priced these days.  Entry level "smart" switches are a couple of dollars more than the same sort of dumb switch.. You can get an 8 port gig switch that does vlans for like $30 these days.  Where the same dumb switch might be 25 for example.

    There really is little reason to not have a switch that can do basic vlans ever.  Even if you're just using it as 1 L2 network.. Having the smart switch allows you to isolate networks if the need/want presents itself.

    Biggest issue these days is getting an access point that can do different vlans on its different SSIDs, etc. Pretty much all SOHO wifi routers lack this feature - while they might be able to create normal and guest wifi networks - they only allow this if being used as the internet router; none of them allow for tagging the vlans for use with a different router or switches.

    This can sometimes be accomplished with 3rd party firmware for the wifi router - but if you're wanting to segment wifi devices it's best to get an AP that does vlans.



  • Hi Derelict, Hi johnpoz,

    Thank you for your answers.

    I understand that devices can still communicate with each other on L2, even if there are firewall rules set on L3.
    So I have to do the segmentation on L2 by using VLANs and afterwards define adequate firewall rules.

    Perhaps you could help me a little bit with my current configuration.

    Currently I am using the following network infrastructure:
    Modem <=> Router/Firewall (pfSense) <=> Managed Switch (Netgear GS108Ev3) <=> Devices
    Modem <=> Router/Firewall (pfSense) <=> Managed Switch (Netgear GS108Ev3) <=> Unifi AP AC Pro <=> 4 SSIDs

    Now I wanted to segment the Network. So I thought about the following configuration:
    Unifi AP AC Pro <=> 4 SSIDs:
    Each SSID gets its own VLAN-ID (71, 72, 73 and 74)

    Managed Switch (Netgear GS108Ev3):

    | Port        | 1       | 2       | 3       | 4       | 5       | 6       | 7                  | 7                  | 7                  | 7                  | 8       |
    | Device/SSID | Device1 | Device2 | Device3 | Device4 | Device5 | Device6 | SSID1 (VLAN-ID 71) | SSID2 (VLAN-ID 72) | SSID3 (VLAN-ID 73) | SSID4 (VLAN-ID 74) | pfSense |
    | VLAN 1      | U       |         |         |         |         |         |                    |                    |                    |                    | T       |
    | VLAN 2      |         | U       |         |         |         |         |                    |                    |                    |                    | T       |
    | VLAN 3      |         |         | U       |         |         |         |                    |                    |                    |                    | T       |
    | VLAN 4      |         |         |         | U       | U       |         | U                  |                    | U                  |                    | T       |
    | VLAN 5      |         |         |         |         | U       | U       |                    |                    |                    |                    | T       |
    | VLAN 6      |         |         |         |         | U       | U       | U                  | U                  |                    |                    | T       |
    | VLAN 71     |         |         |         | U       |         | U       | U                  |                    |                    |                    | T       |
    | VLAN 72     |         |         |         |         |         | U       |                    | U                  |                    |                    | T       |
    | VLAN 73     |         |         |         | U       |         |         |                    |                    | U                  |                    | T       |
    | VLAN 74     |         |         |         |         |         |         |                    |                    |                    | U                  | T       |
    | VLAN 8      | T       | T       | T       | T       | T       | T       | T                  | T                  | T                  | T                  | U       |

    On VLANs 1 - 6 there is 1 device connected each
    On VLAN 71 there are 1 + x devices connected
    On VLAN 72 there are 3 devices connected
    On VLAN 73 there are 2 devices connected
    On VLAN 74 there are 0 to max. 10 devices connected

    Router/Firewall (pfSense):
    Each VLAN gets its own DHCP server and a static IPv4 mapping (except VLAN-ID 74, which is without static mapping)

    What do you think? Would this work?
    Or do you have any suggestions for improving?


  • LAYER 8 Global Moderator

    Keep in mind that the IP you manage the AP with is not tagged..

    You do not run more than 1 untagged vlan on a port.

    So to me it looks like, for example, on port 6 you have vlans 5,6,71 and 72 as untagged??  Doesn't work that way..

    Here I put together the same sort of spreadsheet for my Netgear GS108Ev3 I have in my AV cabinet

    So port 4 is the uplink to another switch.  vlan 1 is the untagged native vlan.  No reason to tag vlan 1

    Port 6 has a Unifi AP AC-LR hanging off it that is in my kitchen.  The management vlan I use for the AP is vlan 20; this is untagged to the AP on port 6, the other vlans this AP uses SSIDs for are tagged.

    The other ports are in different vlans: some are in 1 which is my 192.168.9/24 segment, others in 20 which is 192.168.2/24 in my network, and 100 has my DirecTV DVR connected to it.




  • Hi johnpoz,

    Thank you for your response. I made some modifications (see screenshot below).
    The AP management (VLAN 70) would be from VLAN 5, so I put the device on port 5 together with my AP in VLAN 70.
    So it should work, or am I wrong?

    If I only use 1 device on 1 port, I have to mark the port as untagged, and if I use more than 1 device on 1 port (i.e. AP), then I have to mark the port as tagged, right?




    If I only use 1 device on 1 port, I have to mark the port as untagged, and if I use more than 1 device on 1 port (i.e. AP), then I have to mark the port as tagged, right?

    If the device supports (multiple) VLANs (e.g. pfSense, or an AP that does multiple SSIDs over VLANs on a single physical port, or some hypervisor running a bunch of VMs) then you tag the VLAN traffic going to such a device, and that device knows how to see the VLAN tags on the packets and deal with them appropriately.

    If a device does not support VLANs, then the port has to be untagged - in that case for example the smart switch might receive a packet from pfSense tagged for VLAN 42, and it has an untagged port in VLAN 42. So it will take the VLAN tag off the front of the packet and deliver an ordinary ethernet packet/frame to the untagged port. Similar in the reverse direction - it receives an untagged packet on the untagged port in VLAN 42 that needs to go to pfSense, so it puts a tag on the front of the packet and sends it to pfSense. That way pfSense can receive lots of traffic on its physical port and understand which packet is for which VLAN.

    If you understand what is going on "underneath" in principle, then it will be much easier to know when to mark a port as tagged or untagged.
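An added example (not code from anyone in the thread): a small Python model of the switch behaviour phil.davis describes above, plus the check johnpoz keeps raising that a port may carry only one untagged VLAN. The port names, PVIDs, the VLAN 42/100 sample and the "port6" misconfiguration are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Frame:
    vlan: Optional[int]   # None means the frame carries no 802.1Q tag
    payload: str

@dataclass
class Port:
    name: str
    pvid: int                                          # VLAN given to untagged frames arriving here
    untagged: Set[int] = field(default_factory=set)    # VLANs sent out of this port without a tag
    tagged: Set[int] = field(default_factory=set)      # VLANs sent out with the tag kept

def validate(ports: List[Port]) -> List[str]:
    """Configuration errors to fix first: the 'many untagged VLANs on one port' problem."""
    errors = []
    for p in ports:
        if len(p.untagged) > 1:
            errors.append(f"{p.name}: {len(p.untagged)} untagged VLANs, only one is allowed")
        if p.untagged and p.pvid not in p.untagged:
            errors.append(f"{p.name}: PVID {p.pvid} differs from its untagged VLAN")
    return errors

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Decide which VLAN an arriving frame belongs to; None means the switch drops it."""
    if frame.vlan is None:
        return port.pvid                                   # untagged frame: the PVID classifies it
    return frame.vlan if frame.vlan in port.tagged else None   # tagged: accepted only if a member

def egress(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Send a frame out of a port: strip the tag for untagged members, keep it for tagged ones."""
    if vlan in port.untagged:
        return Frame(None, frame.payload)      # a VLAN-unaware PC just sees an ordinary frame
    if vlan in port.tagged:
        return Frame(vlan, frame.payload)      # pfSense or the AP reads the tag to pick the VLAN
    return None                                # not a member: the frame never leaves this port

def forward(switch: List[Port], in_port: Port, frame: Frame) -> Dict[str, Frame]:
    """Flood a frame to every other member port of its VLAN (no MAC learning, kept simple)."""
    vlan = ingress(in_port, frame)
    if vlan is None:
        return {}
    out = {}
    for p in switch:
        if p is not in_port:
            f = egress(p, vlan, frame)
            if f is not None:
                out[p.name] = f
    return out

# Constructed sample switch: port 1 is a plain PC in VLAN 42, port 2 a PC in VLAN 100,
# port 8 is the uplink to pfSense with VLAN 1 untagged (native) and 42/100 tagged.
PC42 = Port("port1", pvid=42, untagged={42})
PC100 = Port("port2", pvid=100, untagged={100})
TRUNK = Port("port8-pfSense", pvid=1, untagged={1}, tagged={42, 100})
SWITCH = [PC42, PC100, TRUNK]

# A port like "port 6" in the spreadsheet above: untagged in 5, 6, 71 and 72 at once.
BAD_PORT = Port("port6", pvid=5, untagged={5, 6, 71, 72})
```

A frame tagged 42 from pfSense leaves only on port 1 with the tag removed; an untagged frame from that PC leaves only on the uplink with tag 42 added; validate([BAD_PORT]) reports the multiple-untagged error.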


  • LAYER 8 Global Moderator

    "If you understand what is going on "underneath" in principle, then it will be much easier to know when to mark a port as tagged or untagged."

    QFT!

    It seems the very basics are lost on most users.. Not understanding how the vlans are isolated leads to just clicking on shit without knowing why ;)

    Since for example on port 5 you have multiple untagged vlans – so clearly you're not understanding the basics..  phil.davis put together a nice quick synopsis for sure in the post above me..  You would never in any sort of normal setup have more than 1 untagged vlan on any switch port..

    Why are you sending untagged and tagged to devices, ports 1 to 3?  Do these devices have a vlan network setup on their interface as well?

    You list ports with AP but no untagged traffic - will repeat myself, the Unifi AP management IP is untagged.. You can not use a tagged vlan to hit the management IP.  So what vlan is the management vlan on when you have them all tagged... Is there a switch between this switch and the AP?  Yes normally uplinks between switches all vlans are tagged.  My native vlan on my uplink might have confused you?  Since I am using vlan 1 for management (not something you see in an enterprise setup) I am leaving it untagged on the uplink - vlan 1 is normally not tagged.  The switch that uplinks the gs108ev3 is a pretty basic switch ;)  Might well just not tag its management vlan.



  • Hi,

    Thanks phil.davis and johnpoz for your replies.
    Indeed, actually I do not get the full logic of tagged and untagged ports right now.

    So generally I thought that I could tag all ports, because then all packets would get the specific VLAN IDs.
    But now, after your postings, I am a little bit confused.

    Until now I understood that it depends on the device/interface whether I need to mark the specific port as tagged or untagged.
    So, for example my PC needs to be untagged, because the network adapter isn't able to understand the 802.1Q logic.
    But the access point can understand the 802.1Q logic and so this specific port gets tagged.
    Furthermore, the Netgear switch uses PVIDs to put a VLAN ID on packets from/to ports which are untagged as well.

    I have adjusted the picture a little bit. So now it should be improved ;)
    I.e. Port 1 and 3 are now only untagged.

    But perhaps it helps when I explain my infrastructure a bit better.
    I have a modem which is connected to the router/firewall (pfSense).
    The router/firewall is connected to a managed switch (Netgear GS108) by cable.
    I have a WLAN access point (Unifi AP Pro) which is managed by a controller installed locally on my PC.
    The WLAN access point is connected to the managed switch by cable.
    => Port 7 (VLAN 70) … do I need to put the managing port in a separate VLAN, so I am still able to use the locally installed controller to manage the AP?

    And I have some devices, which are connected to the managed switch by cable.

    What I want to do is:
    Device on Port 1 should only get internet access (so port 1 is untagged and pfSense on port 8 is tagged)
    Device on Port 2 the same (so port 2 is untagged and pfSense on port 8 is tagged)
    Device on Port 3 the same (so port 3 is untagged and pfSense on port 8 is tagged)
    Device on Port 4 should get internet access and should be accessible from port 5 and 7 (but only VLAN 72 and 74)
    Device on Port 5 should get internet access and access to the device on Port 6. It also could access the devices on Port 4 and 7 (managing the AP [VLAN 70])
    Device on Port 6 should get internet access and be accessible from devices on port 5 and 7 (but only VLAN 71 and 72)
    Device on Port 7 (AP - VLAN 70) is the managing VLAN and only accessible by the device on port 5 and should get internet access as well for updates (so pfSense on port 8 is tagged)
    Device on Port 7 (AP - VLAN 71) should get access to devices on port 4 and 6 and should get internet access as well (so pfSense on port 8 is tagged)
    Device on Port 7 (AP - VLAN 72) should get access to the device on port 6 and should get internet access as well (so pfSense on port 8 is tagged)
    Device on Port 7 (AP - VLAN 73) should get access to the device on port 4 and should get internet access as well (so pfSense on port 8 is tagged)
    Device on Port 7 (AP - VLAN 74) should only get internet access (so port 7 is untagged and pfSense on port 8 is tagged)

    Thank you in advance .. you are supporting me a lot



  • LAYER 8 Global Moderator

    Why are you tagging so many vlans to ports 4,5 and 6 - are these other switches?  AP? Some sort of VM host that will use the tags to assign those vlans to VMs?

    You say 1 device - if so then there would be no reason to tag any vlans to them.. They would only be on 1 vlan!!


  • Banned

    I was going to add a recommendation to this thread, but i got a headache from what i see here.

    I do hope you simplify things down before this becomes a production environment, otherwise troubleshooting it will become very tedious and confusing.



  • Hi,

    Thank you for your replies.

    I tagged vlans 72 and 73 on port 4 because these are ssids on the AP.
    I tagged vlans 4, 6 and 70 on port 5 because you said, that only one untagged vlan per Port is reasonable. And because vlan 70 is the AP (managing vlan).
    I tagged vlans 5, 71 and 72 on port 6 because you said, that only one untagged vlan per Port is reasonable. And because vlan 71 and 72 are ssids on the AP.

    Since now I am very confused, perhaps a simple example helps me to get the logic behind tagging and untagging.

    If you have 3 Devices: 2 PCs and 1 Printer
    How would you realize VLANing the following scenario:

    The Printer shall be available to PC 1 and PC 2
    But PC 1 and PC 2 shouldn't be able to communicate.


  • LAYER 8 Netgate

    @Diego_12345:

    Hi,

    Thank you for your replies.

    I tagged vlans 72 and 73 on port 4 because these are ssids on the AP.
    I tagged vlans 4, 6 and 70 on port 5 because you said, that only one untagged vlan per Port is reasonable. And because vlan 70 is the AP (managing vlan).

    Ubiquiti gear needs the management traffic to arrive UNTAGGED. You can TAG vlans to the APs to assign SSIDs but, as far as managing them, it needs to hit them UNTAGGED. ALL Ubiquiti gear (Cloud Key, Management VM/Host, and APs) need to be on the same management VLAN. All ports to Ubiquiti gear need to be UNTAGGED for that VLAN. It can be any VLAN you want, such as 70, but it needs to be UNTAGGED. Did I mention that the Ubiquiti management VLAN needs to be UNTAGGED? It needs to be UNTAGGED.

    I tagged vlans 5, 71 and 72 on port 6 because you said, that only one untagged vlan per Port is reasonable. And because vlan 71 and 72 are ssids on the AP.

    I think you might be missing UNTAGGED vlan 70 there for management purposes.

    Since now I am very confused, perhaps a simple example helps me to get the logic behind tagging and untagging.

    If you have 3 Devices: 2 PCs and 1 Printer
    How would you realize VLANing the following scenario:

    The Printer shall be available to PC 1 and PC 2
    But PC 1 and PC 2 shouldn't be able to communicate.

    On the same layer 2 network? That would have to be done in the switch. See Asymmetric VLANs and Private VLANs and protected ports.

    Else they would have to be on separate layer 3 networks with proper rules blocking access between the two PCs.


  • LAYER 8 Global Moderator

    "I tagged vlans 72 and 73 on port 4 because these are ssids on the AP."

    What is on port 4??  An AP???  You say 1 device - and your AP is being listed as being on port 7… So why do you have all those untagged ports??  How come you list so many Port 7 columns?


  • LAYER 8 Netgate



  • Sorry, but I do not get it.
    I do not know how to do all of this … that is why I am asking you ... If you just ask me why I tagged or untagged some ports and why I have so many Port 7 columns and so on .. it does not help me understand VLAN tagging and/or how to configure my Netgear switch. I explained what I want to do. So that's why I have so many VLANs on Port 7 ... it's because there are different SSIDs with devices which should not communicate with each other.

    I described what I want to do in one of my posts and I asked you for a short explanation of this very easy example in a later post, to get the logic.
    But now you tell me that I do the segmentation on layer 3 with firewall rules ... I do not understand you, since I asked exactly this and you said:

    A firewall, in most cases, regulates traffic at layer 3.
    If all your hosts are on the same layer 2 network they can communicate directly without any regulation or interference by the firewall.

    So …. and why I have so many tagged vlans/ports is a result of this:

    You would never in any sort of normal setup have more than 1 untagged vlan on any switch port.

    Since now I know that the Unifi AP needs an UNTAGGED management VLAN … I can change this ...
    But I think this won't help me .. and is just time consuming without great benefits to all of us ...

    I try to get help elsewhere.

    Thanks a lot for your time, support and trying to help me with my network segmentation.



  • Please close .. unresolved


  • LAYER 8 Netgate

    Scale your project down on the bench.

    One controller, one AP, and one or two tagged vlans for SSIDs.

    Figure that out first then add more. I think you started a bit too ambitiously.


  • LAYER 8 Global Moderator

    This makes ZERO sense in your spreadsheet

    What exactly is connected to port 4,5 and 6?  You list 1 device..  Why would you have tagged and untagged vlans to 1 device?  1 device would be in only 1 vlan.. Unless this is another switch or some VM host?  Something that would identify the tags.. Guess it could be a PC, with vlan tagging on its NIC - but why would you be putting a PC in more than 1 network at the same time?

    Why do you have so many port 7 listed?  There is only 1 port 7 on your switch..  If so which one of those is correct for the tag and untagged vlans?




  • Ok … perhaps it would help to focus on a little example....

    I have 6 devices:

    • PC 1
    • PC 2
    • Printer
    • Server
    • Switch (managed)
    • Router (is able to handle vlans)

    Purpose is, that only these devices can communicate with each other, where it is necessary.

    PC 1 needs to communicate with:

    • Printer
    • Server
    • Switch
    • Router

    PC 2 needs to communicate with:

    • Printer
    • Server
    • Switch
    • Router

    The printer needs to communicate with:

    • PC 1
    • PC 2
    • Switch
    • Router

    The server needs to communicate with:

    • PC 1
    • PC 2

    How would you do this tagging and untagging of VLANs here?
    I could imagine that there is a need for one device to be part of more than one VLAN.


  • LAYER 8 Netgate

    Edge devices (PCs, servers, printers) are generally not members of more than one VLAN.

    You really have two choices:

    Put the PCs on different firewall segments (VLANs) with probably a different segment for the printer and server. Use firewall rules to determine what can talk with what.

    Use your switch. Put the PCs on protected ports and put the firewall/printer/server on unprotected ports on that VLAN.


  • LAYER 8 Global Moderator

    "I could imagine, that there is the need, that one device is part of more than one vlan."

    I think this is what is confusing you..

    Lets do it this way

    PC - vlan 100, 192.168.1.0/24
    Printer vlan 200 192.168.2.0/24
    Server vlan 300 192.168.3.0/24

    So these ports would be UNtagged in those vlans on your switch for the ports connected to those devices.

    Now the port connected to pfsense could either have 1 of those vlans untagged and to the naked interface.  Or you could tag all 3 and run vlans on top of your naked interface.  I do believe Derelict is the fan of tagging in such a case where your naked interface would not have any network on it.  Your 3 vlans would just sit on the naked interface.  Lets call it em2 on pfsense..

    So you would create 3 vlans that sit on pfsense em2, vlan 100, 200 and 300.

    vlan 100 - 192.168.1.254
    vlan 200 - 192.168.2.254
    vlan 300 - 192.168.3.254

    Now your port on your switch that connects to em2 would be tagged 100,200,300

    If PC wants to talk to printer, he sends traffic to pfsense IP on vlan 100 (his gateway 192.168.1.254)  Pfsense would route that traffic if allowed by firewall rules out vlan 200 interface to the printer.  Printer would send his answer back to pfsense vlan 200 IP 192.168.2.254

    Does that make more sense for your simple example?  Or you could do it this way

    pfsense em2 naked with 192.168.1.0/24 on it (vlan 100) in our example
    vlan 200 and 300 would be vlans that sit on em2

    Now your port connected to pfsense would have vlan 100 untagged (same as your PC) and vlans 200,300 would be tagged.

    I think you're confusing that devices need to be in the same vlan to talk to each other.. No, that is what the router/firewall does: it routes the traffic between your vlans.  If you're just going to put all the devices in the same vlans..  Might as well just be 1 vlan then..
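An added example, not from any poster: a small Python model of johnpoz's routed plan above (VLAN 100 = 192.168.1.0/24 for PCs, 200 = 192.168.2.0/24 printer, 300 = 192.168.3.0/24 server) checked against Diego's earlier requirement that both PCs reach the printer and server but not each other. It assumes a stateful, first-match, implicit-deny rule evaluation on the ingress VLAN interface; the host IPs, the rule list and the extra VLAN 110 / 192.168.11.0/24 for the second PC are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    ip: str

@dataclass(frozen=True)
class Rule:
    vlan_in: int   # interface the rule sits on: the VLAN the packet enters pfSense from
    action: str    # "pass" or "block"
    src: str       # source network (CIDR)
    dst: str       # destination network (CIDR)

def reach(src: Host, dst: Host, rules: List[Rule]) -> str:
    """Outcome when src opens a connection to dst: 'direct', 'pass' or 'block'."""
    if src.vlan == dst.vlan:
        # Same L2 segment: the switch delivers the frame itself and pfSense never sees it,
        # so no firewall rule can stop it (the point made at the top of the thread).
        return "direct"
    s, d = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
    for r in rules:
        if r.vlan_in != src.vlan:
            continue
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action            # first matching rule on the ingress interface wins
    return "block"                     # nothing matched: implicit deny on that interface

def matrix(hosts: List[Host], rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Every ordered pair of hosts and the outcome of a connection attempt between them."""
    return {(a.name, b.name): reach(a, b, rules) for a in hosts for b in hosts if a is not b}

# Constructed hosts. PC2_SAME shares VLAN 100 with PC 1; PC2_SPLIT sits in its own VLAN 110.
PC1 = Host("PC 1", 100, "192.168.1.10")
PC2_SAME = Host("PC 2", 100, "192.168.1.11")
PC2_SPLIT = Host("PC 2", 110, "192.168.11.10")
PRINTER = Host("Printer", 200, "192.168.2.20")
SERVER = Host("Server", 300, "192.168.3.30")

# Constructed pfSense-style rules: each PC VLAN may open connections to the printer and
# server networks and nothing else; the printer and server VLANs carry no pass rules,
# and replies need none because the firewall is stateful.
RULES = [
    Rule(100, "pass", "192.168.1.0/24", "192.168.2.0/24"),
    Rule(100, "pass", "192.168.1.0/24", "192.168.3.0/24"),
    Rule(110, "pass", "192.168.11.0/24", "192.168.2.0/24"),
    Rule(110, "pass", "192.168.11.0/24", "192.168.3.0/24"),
]

if __name__ == "__main__":
    print("both PCs in VLAN 100:", reach(PC1, PC2_SAME, RULES))   # direct: rules are bypassed
    for pair, result in matrix([PC1, PC2_SPLIT, PRINTER, SERVER], RULES).items():
        print(pair, result)
```

With both PCs in VLAN 100 the PC-to-PC result is "direct" whatever the rules say, which is why Derelict pointed at separate VLANs or protected ports for that requirement.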



  • Hi johnpoz,

    Thank you very much for these explanations. I will try this.
    Thanks to Derelict as well.

