Monitor Network Separation with VLANs
-
Hi everybody,
I'm using pfSense as main router and also as firewall between some internal lan networks (e.g. development team, manufacturing computers, administrative computers, servers, etc.). It works perfectly fine and we can nicely add rules for services that need to cross the lan boundaries. The whole setup is VLAN based to easily configure which network is available on which wall port. On the switches and wall ports where the final devices are connected we then always have untagged ports. Of course it happens that we have ports of different networks close together, let's say the network for unsafe devices, and the one for development machines.
How can I still make sure that all networks are kept separated and there isn't a cable somewhere, connecting the "development lan" to the "unsafe devices lan"? I'd like to have something that sends me an email or directly shuts down a port when such a 'shortcut' circumventing the firewall was detected. Is there something based on MSTP or similar protocols that can achieve this shortcut detection on ethernet level?
Best Regards,
Rainer -
You do that on your switches with port security. Or setup actual NAC, etc.
If you want a poor mans notification of what is on your network, etc. and when new stuff joins so you can see if it on wrong network - look to the arpwatch package.
Pfsense can also be setup with static arp.. So even if a device plugs into wrong vlan it wouldn't get an IP - or pfsense would not talk to it, etc. If you set it up that way.
Common practice for switches, especially when your worried about plugging into an open port is all ports not in use are disabled at the switch.. This way its way more difficult to plug into the wrong vlan, etc.
Also your switch should be able to do simple port security where you can limit what mac can be on that port, etc. If you want to setup NAC, look at free https://packetfence.org/
-
Another tactic is putting all the unused switchports on a BS VLAN with nothing on it other than the other BS ports.
That way you can be at your desk and have someone connect to the switch port, look at the logs, and see what port it is so you can VLAN it as necessary.
If the port is disabled, you'll have no way to know. (unless your documentation is impeccable, the jack is properly-labelled, the user isn't an idiot, etc.) :)
You could also put something like a captive portal or a web redirect on it that tells people whom they need to call for access.
-
Thanks for the good inputs! I like packetfence, but it looks a bit too big for what i want. Having no unassigned ports makes sense; that should really help a lot. And I also found another solution right now: I just add a few block rules that should never catch any traffic (e.g. when an interface catches traffic not originating from its subnet), and enable logging on these rules, together with sending the firewall logs to a syslog server, which can then send emails to me :-)
-
"not originating from its subnet)"
It would not be possible for an interface to see traffic from a different subnet as source - unless your running multiple layer 3 on the same layer 2 - which is just borked out of the gate.
If someone plugs into the wrong port and get put on a vlan/subnet - then they would be on the subnet/vlan for that interface on pfsense. So that scenario should never happen.
Out of the box lan rules are source lan net - how would that interface ever see non lan net as source?
-
Ouch, indeed, you're right. I just tested the notifications with another rule, and wanted to try the entire setup today. But you have saved me some work on finding this on my own. Indeed any host configured to another subnet couldn't even send any ip packet if it's on the wrong interface because the initial ARP would already fail… ok, I'll try some of the other options... Thanks!
-
I just tried the arpwatch package. It would help to solve my task, but unfortunately it lacks a few configurations: it must send alerts by email (why!), and the syslog messages which I could filter on the rsyslog server do not contain the interface information for the discovered arp assignments :-( Otherwise I could simply use regexes to check if IP assignments match the interface…
But maybe I do stick with my previous solution, because I do get traffic for the rules with traffic "not originating from the interface subnet"! We do have some windows machines in almost every network and they are usually chatty and always send some broadcasts (e.g. 10.0.0.123/24 -> 10.0.0.255/24), which actually doesn't rely on ARP, and so these packets really hit the pfSense rule filtering on "source !LAN1_NET" when I connect the different VLANs together.
I think that's good enough for now, because I only want to detect accidental VLAN 'short circuits'; I don't want/need to protect against internal attackers.
Thank you all for the quick help!
-
"because I only want to detect accidental VLAN 'short circuits'"
What?? How exactly are you connecting your vlans together.. Someone takes a cable from port A on a switch and puts it in B?? So now you have a loop?
-
Well, yes. That could happen on some locations where different VLANs exit on untagged ports. Is that uncommon?
-
Well, yes. That could happen on some locations where different VLANs exit on untagged ports. Is that uncommon?
Connecting 2 ports on the same switch has always been bad practice. Why would you ever do it? As for "short circuits", decent switches run something called spanning tree or similar, to prevent that from happening. Even my cheap TP-Link managed switch has it's own proprietary method to block loops.
-
Yeah it would be uncommon.
Why would anyone connect port A to B? Are these users just complete idiots?
Do you not have STP (spanning tree) running on your switches? Spanning tree whole point is to prevent such problems.
I can see a user connecting a device to the wrong port and being on the wrong vlan.. But why would they interconnect switch ports? If they connect a device to vlan A port, then the device would be on vlan A - it would get a IP from the dhcp server on vlan A.. If they connect to B then it would be on vlan B and get an IP from that dhcp server, etc. If you have dhcp running.
If they setup an IP for A, and connect it to B then it wouldn't work, etc.
I assume you have had such issues in the past? Reason they have to put such nonsense like don't drink on the bottle of bleach ;) Is because some idiot, or multiple idiots have actually done it… hehehe
If they are interconnecting switches.. You would see all broadcast traffic on all other devices from both vlans.. How are you going to track that down? You would need to look in the mac address tables on the switches to see which ports show all the macs on them, etc.
I thought you were wanting to prevent user from connecting their device to the wrong port and getting access to stuff they are not suppose to have access to. This would be done with disable unused ports or put them in dummy vlan or both options, and or port security on your ports. Static Arp setup, etc. etc.. Run a full blown NAC, etc. etc.
Your wanting to stop a user from unplugging a cable from port A (vlan A) and B (vlan B) and connecting them together?
I would suggest you keep these idiot monkeys away from the switches ;)
-
Indeed you are right. The thing I wanted to protect me from is actually already done by STP :-)
I didn't know STP is on cable level, I rather assumed it was on Ethernet/VLAN leven, so it couldn't really detect the 'VLAN loops'. But in fact, the switch blocks one of the looping ports if I configure the cables badly.
I guess this obsoletes the whole discussion :-P Sorry for bugging you with this! But still the idea of making unused ports part of a specific VLAN is nice. I think I'll do that.
-
Even on my home switches I put unused ports into dummy vlan (10) in my case and shut them down..
The dummy vlan goes nowhere - its not connected to pfsense at all. Its just a place holder of sorts. One thing this does do is allow for easy see which ports are open for use..
sg300-28#sho vlan tag 10 Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN Vlan Name Tagged Ports UnTagged Ports Created by –-- ----------------- ------------------ ------------------ ---------------- 10 disabled gi2,gi15,gi20-23 S
I have 6 ports not doing anything on this switch currently ;)
-
I didn't know STP is on cable level, I rather assumed it was on Ethernet/VLAN leven
Actually, it is on a LAN/VLAN level. Depending on the version, it's possible to have different Spanning Tree root switches on a VLAN basis. There's nothing on the cable level, other than carrying bits from one port to another.
Spanning tree works by sending out Ethernet frames containing the "cost" to the root switch, with the cost increasing with each hop. Higher bandwidth links have a lower cost than lower bandwidth links. The root switch is determined by the lowest MAC address, unless priority is assigned to a switch.
https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
Incidentally, Spanning Tree is one of the few protocols that uses the IEEE 802.3 Ethernet frames these days. Everything to do with IP, including ARP uses Ethernet II (DIX) frames
-
Per-VLAN Spanning Tree is a thing.