How do I test if VLANs work correctly ?

4RR3N

Hi,

I'm setting up VLANs for a first time ever and need a bit of help to test if what I have setup is working correctly. Here's what I do and what the results are:

1. Pinging a different VLAN Gateway shows 100% packet loss.

2. Pinging current VLAN IP Address that is not assigned to anything returns "Destination Host Unreachable". To give you an example, let's say my IP is 192.168.3.5 but when I ping an IP Address that is not assigned to anything like 192.168.3.9, it return's "Destination Host Unreachable".

My three main questions are:

1. Are the above results correct for a properly isolated VLANs or did I messed up something ?

2. How can I check or test if my VLANs are set correctly ?

3. Are there any other methods or tools for testing VLANs or does using Ping command is the only thing I can use to test it ?

I want to make sure that my VLANs are implemented and isolated correctly so it doesn't pose any security risks.

Thanks

johnpoz

@4rr3n said in How do I test if VLANs work correctly ?:

and isolated correctly so it doesn't pose any security risks.

How did you isolate them on layer 2.. Are you using vlan switch? Are you using AP that supports vlans, or different switches and different AP for the different vlans.

Being able to ping another IP on pfsense would have do with the rules you placed the vlan enterface.

Not sure what trying to ping and IP that doesn't exist would test exactly?? If you want to see if your isolation at layer 2 is working.. you could sniff on device on your vlan - are you seeing broadcast traffic from other things that are not on this vlan.. Are you seeing arps for stuff that is not the current vlan, multicast, etc.

The actual isolation of vlans is done at layer 2 on your switch/ap infrastructure - pfsense would only allow or deny access between vlans at layer 3.

4RR3N

@johnpoz said in How do I test if VLANs work correctly ?:

@4rr3n said in How do I test if VLANs work correctly ?:
How did you isolate them on layer 2.. Are you using vlan switch? Are you using AP that supports vlans, or different switches and different AP for the different vlans.

I'm using a managed switch and Access Point that are VLAN aware.

Being able to ping another IP on pfsense would have do with the rules you placed the vlan enterface.

I have used other VLAN's Gateway IP and pinged it to see if I can communicate with it which in turn confirm that Firewall rules work but it's just a ping command.

Not sure what trying to ping and IP that doesn't exist would test exactly??

I just wanted to see what type of response I will get.

If you want to see if your isolation at layer 2 is working.. you could sniff on device on your vlan - are you seeing broadcast traffic from other things that are not on this vlan.. Are you seeing arps for stuff that is not the current vlan, multicast, etc.

So, basically I need to use Wireshark to sniff the traffic, are there any other easier ways of checking this ? I don't have a spare device that I could place on another VLAN to test it.

The actual isolation of vlans is done at layer 2 on your switch/ap infrastructure - pfsense would only allow or deny access between vlans at layer 3.

So, if my ports assign correct VLAN IPs and my firewall rules work as expected, this means that my VLAN setup works fine ?

the other

@4rr3n
hey there,
@4rr3n said in How do I test if VLANs work correctly ?:

I just wanted to see what type of response I will get.

Well, since there is nobody and nothing...there will be no response from anyone or anything, just your machine telling you it cannot reach anyone there... :)

You could use wireshark. Use pfsense for listening, send that data thru wireshark.

@4rr3n said in How do I test if VLANs work correctly ?:

I don't have a spare device that I could place on another VLAN to test it.

No smartphone, tablet, raspi...nothing? Are you looking into vlans only out of interest (which is absolutely fine with me)?

@4rr3n said in How do I test if VLANs work correctly ?:

So, if my ports assign correct VLAN IPs and my firewall rules work as expected, this means that my VLAN setup works fine ?

Yes, it should work fine and separate your VLANs as needed. If your vlan config is okay and your rules match your needs and are configured in the right way. Otherwise a lot of ppl will have a big problem now... :D ...including myself. Cause then the whole VLAN idea wouldn't work...

johnpoz

@4rr3n said in How do I test if VLANs work correctly ?:

So, basically I need to use Wireshark to sniff the traffic,

Well how else would you see stuff at layer 2, arp, broadcast, multicast.. and want to see if your actually isolating at layer 2.. Which has zero to do with pfsense, that is all on your switch and AP..

Your clients going to pretty much ignore it - but that would in just a few seconds tell you if your not isolated at layer 2.. If your seeing stuff from your other vlans on yours - then your switch is borked.. Or you AP..

You could on your own setup say a static arp entry for something in another vlan and see if you could talk to it - but clients are pretty noisy you should see in a a few seconds if your vlans are not isolated..

4RR3N

@the-other said in How do I test if VLANs work correctly ?:

Yes, it should work fine and separate your VLANs as needed. If your vlan config is okay and your rules match your needs and are configured in the right way. Otherwise a lot of ppl will have a big problem now... :D ...including myself. Cause then the whole VLAN idea wouldn't work...

I see. Did you do any additional checks to make sure that VLANs work as expected, well besides testing the Firewall Rules ?

I was gonna do some checks that @johnpoz suggested but they seem pretty advanced and complicated so I'm wondering if there are any more, simpler checks that I can do.

@johnpoz Just a quick question, how does one should monitor or know that Access Point or Managed Switch went faulty ? I mean when your network is running fine but then either AP or Managed Switch became faulty and doesn't handle VLANs properly anymore, it's unlikely that you would just know about it until there is some type of detection and notification system in place and so on.

johnpoz

@4rr3n in all my years of networking - have never seen such a failure.. 30 some years.. when I first started there wasn't even tcp or vlans ;)

And I can not recall such a failure mode.. Back in the day you on shitty switches you use to be able to overload them in such a way that you could some times jump vlans. This was flood of the mac address table, etc.

But in the field I have never seen a failure where multiple vlans became like 1 vlan, etc.

If for example lan started seeing traffic that was not lan, from source of say vlan X, then you should see blocks on the firewall because the source is not lan net, this would be broadcast traffic for example.

If your vlans broke down - you could also start seeing clients getting the wrong IP from your dhcp servers on your different vlans.

the other

@4rr3n
well, additional to having my home network running with vlans for some years now without ever having trouble as @johnpoz mentioned.

I listened with a packet sniffer between vlans (on each virtual interface)...nothing but traffic that is allowed. Nothing special, nothing serious...but hey, it is a home network, privatly used...
I tried to set pfense to separate between vlans, works fine for my needs. As important: configure your switches! No productive traffic on vlan1, change native vlan to something else but vlan1, use management vlans for access from outside (or better: do not have access from outside, I do not need that...as mentioned: private usage).

jm2c: the technical risks are manageable, more common (and dangerous) are risks on level 8 in front of the screen...meaning: it should take longer to draw up a good, usable and safe network structure than it should take to configure the machine(s).
:)