Netgate Discussion Forum
    VLAN security question

    L2/Switching/VLANs
    8 Posts 3 Posters 604 Views
    • PM_13

      Hi,
      I am very new to VLANs so please excuse the rudimentary nature of my question:

      1. VLAN's basic principle is cutting off network communications based on MAC address at L2...hopefully this is a correct interpretation!! So depending on port of physical connection a device cannot spoof MAC address to get extra privileges!

      2. But VLAN only writes an extra frame over TCP packet, and re-writing a TCP packet seems pretty routine to me.......please correct me if I am wrong here.

      So still struggling about what makes VLANs more secure?
      Thanks!

      • bingo600 @PM_13

        @pm_13

        Vlan is all about tagging, at Layer2 level.
        I gave a brief expl. here
        https://forum.netgate.com/post/944383

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • bingo600 @PM_13

          @pm_13 said in VLAN security question:

          So still struggling about what makes VLANs more secure?
          Thanks!

          Vlans are not more secure than multiple std. interfaces with networks defined.
          Multi Lan segments can be more secure, as you can divide them into zones of different trust and network access.

          Vlan is just a way of running multiple Lan segments (Virtual Lan segments .. VLAN) down the same cable (tagging), and not having to have a physical interface port for each lan segment.

          So Vlan makes multi Lan segments easy to do, and therefore makes multi zone security easier to implement.

          • PM_13 @bingo600

            @bingo600 Ok that makes sense so let me summarize it in my newbie ways!

            1. If there are two physical ports on a router that connect "wireless" and "wired" through VLANs, then it is not possible for any wireless device to get on the "wired network" by spoofing a MAC or re-writing the packet with a VLAN header....correct?

            2. But if there are shades of gray within "wireless", say "guest" and "printers", then it is possible for a malicious "wireless" client who is a "guest" to pose as a "printer", and VLAN would largely be useless because the damage is done upstream, way ahead of the VLAN.....correct or wrong here?

            Thanks!

            • bingo600 @PM_13

              @pm_13 said in VLAN security question:

              @bingo600 Ok that makes sense so let me summarize it in my newbie ways!

              1. If there are two physical ports on a router that connects "wireless" and "wired" through VLANs then it is not possible for any wireless device to get on "wired network" by spoofing MAC or re-writing the packet with VLAN header....correct?

              Vlans are L2 separating, so no, you can't traverse Vlans by spoofing a Mac. Technically you would even be able to use the same mac on 2 different vlans, but it's prob not advisable, as a Mac should be unique.

              If you are connecting a device via a Vlan capable/enabled port, then the "bad" device could in theory try to do tagging w. another vlan id, and thereby "hop" to another vlan.
              That is why you would only allow the vlans you know to be on that specific wire, upstream or downstream.

              If a device receives a "tag" that is not enabled on that specific port, the tag (package) would just be dropped.

              For simple end devices like printers or google/apple devices, i would always connect them via an untagged port that already is a member of the vlan i chose for the device. That way any bogus tags could be "killed" on entry to the untagged switch-port.

              1. But if there are shades of gray within "wireless" say "guest" and "printers" then it is possible for a malicious "wireless' client who is a "guest" to pose as a "printer" and VLAN would largely be useless because damage is done upstream way ahead of VLAN.....correct or wrong here?

              A network is a network and it's transporting packets.
              It doesn't give a .... about if it's transporting for a WiFi guest or a Printer.
              The security is up to the pfSense "driver"

              A word of advice right now ...
              Stop worrying about Vlan hopping, and Vlan (leaking) security right now.
              Just trust it ...

              Once you get more experienced w. Vlans and tagging, you can begin thinking about that.

              A few rules of thumb:

              1: On Vlan trunks (tagged ports), make sure you are setting your "Native Vlan / PVID" to something you control. Native Vlan is where untagged packets on a tagged port end up. I use Vlan 666 for PVID, and it's a pure garbage vlan (catching untagged packages), not used for anything else.

              2: If possible, always connect end devices to an untagged port that is a member of the vlan you want it to belong to. That way it can't escape to another vlan, as tagging would be discarded.

              3: Never enable more Vlans on a tagged port than you need for it to operate the end devices.

              And now the security lesson is over for today 😊

              /Bingo

              • JKnott @PM_13

                @pm_13

                "VLAN" means Virtual LAN. That is they behave as though you have separate networks, even though they're on the same physical network. It has nothing to do with MACs and does not rewrite an IP packet. It adds an extra 4 bytes to the Ethernet frame for the VLAN tag. Switches and NICs use that tag to separate traffic. The usual method is to use 802.1q.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                • JKnott @PM_13
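An added example, not code from the thread or from pfSense, that models what the two answers above describe: the 4-byte 802.1Q tag that JKnott mentions, and bingo600's three rules of thumb as the ingress decision a switch port makes (access ports discard tagged frames, trunks map untagged frames to the PVID and accept only allowed VIDs). The port dictionaries, VLAN numbers and the sample frame are constructed for the example.

```python
# Added example: 802.1Q tagging and per-port ingress filtering, as a model
# of the switch behaviour discussed in the thread (not pfSense code).
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """Return (dst, src, vid, rest). vid is None for an untagged frame.
    A tag is 4 bytes (TPID + TCI) inserted right after the source MAC;
    'rest' is everything after it (original EtherType + payload)."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF            # low 12 bits; PCP/DEI are the top 4
        return dst, src, vid, frame[16:]
    return dst, src, None, frame[12:]

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged frame (adds exactly 4 bytes)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def ingress_vlan(frame: bytes, port: dict):
    """VLAN a received frame is placed in, or None when the port drops it.
    port = {"mode": "access", "vlan": N}  (untagged member port) or
           {"mode": "trunk", "allowed": {...}, "pvid": N} (tagged port)."""
    _, _, vid, _ = parse_frame(frame)
    if port["mode"] == "access":
        # Rule 2: an untagged port owns one VLAN; a frame that arrives with
        # a tag is discarded, so a host cannot "hop" by tagging it itself.
        return None if vid is not None else port["vlan"]
    if vid is None:
        # Rule 1: untagged frames on a trunk land in the native VLAN / PVID,
        # which is why the PVID should be a VLAN you control (e.g. a dead one).
        return port["pvid"]
    # Rule 3: only VLANs explicitly allowed on the trunk are accepted.
    return vid if vid in port["allowed"] else None

# Constructed sample: untagged IPv4 frame from a printer (MACs are made up).
PRINTER_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                 + b"\x08\x00" + b"payload")
ACCESS_PORT = {"mode": "access", "vlan": 30}
TRUNK_PORT = {"mode": "trunk", "allowed": {10, 20}, "pvid": 666}
```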

                  @pm_13

                  VLANs have nothing to do with the MAC address. It's possible to have the same MAC in multiple VLANs. With Wifi, VLANs are used to connect multiple SSIDs to a network. For example, I have a guest WiFi, as well as main SSID. Both connect over the same cable to my switch.

                  • JKnott @bingo600

                    @bingo600 said in VLAN security question:

                    As Mac should be unique.

                    Well, any router that's connected to multiple VLANs will have the same MAC on those VLANs. On the other hand the IP addresses will be different, as they're on different subnets.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.