    VLAN hopping

    Routing and Multi WAN
jonnytabpni:

      Hi There,

I have 2 HP Procurve switches 1800-24G and have a pfSense box. I'd like to make use of VLANs to make multiple LANs (as secure from each other as possible).

      Can someone please give me any advice on how secure VLANs are with pfSense, regarding VLAN hopping etc..

      How can I prevent these? Also, does anyone here have any experience with the HP switches, as the configuration is confusing…

      Thanks

Perry:

        does anyone here have any experience with the HP switches, as the configuration is confusing…

        A wink guide of the 1800-8G http://pfsense.site88.net/mysetup/index.html might help.

jonnytabpni:

          Hi Perry,

          That's an excellent link, Thanks!

          Just a few questions:

          By unchecking "VLAN aware enabled", does this stop the infamous "double tagging" attacks that can be done?

Also, what settings are you supposed to use for the link between 2 Procurve switches, for best security?

          Thanks

Perry:

The basic security steps I follow are:
Only VLAN traffic on the parent NIC.
Don't use VLAN 1.
All ports are assigned.

            By unchecking "VLAN aware enabled", does this stop the infamous "double tagging" attacks that can be done?

            I would say the Port ID takes care of that. http://www.docs.hp.com/en/5992-0538/ar01s01.html explains vlan aware

            Also, what settings are you supposed to use for the link between 2 procurve switches, for best security

I tend to say just make sure you only allow traffic you need and set PID to none. But then I'm no security expert / hacker :). Another question you could ask yourself: does my design need it? In your case with a giga switch I would not use more than 10 VLANs per pfSense NIC.

kc8apf:

              @jonnytabpni:

              Hi There,

              I have 2 HP Procurve switches 1800-24G and have a pfsense box. I'd like to make use of VLANs to make multiple LANs (As secure from each other as possible)

              Can someone please give me any advice on how secure VLANs are with pfSense, regarding VLAN hopping etc..

              How can I prevent these? Also, does anyone here have any experience with the HP switches, as the configuration is confusing…

              Thanks

              The general idea is to use a single port on the switch with only tagged traffic.  This port connects to the upstream device (pfSense, another switch, whatever).  It carries the various networks over a single physical link, but each is tagged independently.

              On the switch, each port is assigned to groups of VLANs.  For most devices, you want them to exist on a single VLAN.  For those ports, you specify the VLAN to use for untagged traffic and remove the port from all other VLANs.  That way, even if the device sends a tagged packet, the switch won't allow the traffic onto the VLAN.

              For some devices, you may wish to have it be accessible on multiple VLANs, but not route between them.  To do that, you setup the port to use only tagged traffic and only make the port a member of the VLANs that it should be allowed to participate in.  The device is then configured to set an IP per VLAN and disallow routing.  Unless you are doing something really complex, this probably isn't something you will need to do.

              The main gotcha with VLANs is that VLAN tag 1 is almost always special in some way.  For the HP switch I have (2800), VLAN 1 is the default VLAN and is the one on which all the management services run.  That particular setting is configurable on my switch, but many other switches don't offer a way to change it.  To be on the safe side, use VLAN tags other than 1 for your actual networks.

jonnytabpni:
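As an added illustration (not code from any poster in this thread, and not an HP or pfSense tool), the following Python script models the switch-side rules Perry lists (don't use VLAN 1, every port assigned, PID/PVID none on the uplink) together with the per-port layout kc8apf describes (an end-device port is untagged on exactly one VLAN and a member of no other; the uplink to pfSense or another switch is tagged-only), and audits a port table against them. The `Port` class, the role names and both port layouts are my own constructions for the example, not anyone's real configuration.

```python
"""Audit a switch port/VLAN layout against the hardening rules given in this thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    """One switch port (hypothetical model for this example).

    tagged   - VLANs the port carries with 802.1Q tags
    untagged - the PVID, i.e. the VLAN that untagged frames are placed on;
               None means "PVID none": untagged frames are dropped
    role     - "access" for a single end device, "tagged" for a tagged-only
               port (uplink to pfSense / another switch, or a multi-VLAN host)
    """
    name: str
    role: str
    tagged: Set[int] = field(default_factory=set)
    untagged: Optional[int] = None


def audit_port(port: Port) -> List[str]:
    """Return the rules this port violates; an empty list means the port is fine."""
    findings: List[str] = []

    # Rule (Perry, kc8apf): keep real traffic off VLAN 1, the default/management VLAN.
    if port.untagged == 1 or 1 in port.tagged:
        findings.append("uses VLAN 1")

    # Rule (Perry): every port is assigned; an unassigned port is an unknown.
    if port.untagged is None and not port.tagged:
        findings.append("unassigned port (no PVID, no tagged VLANs); assign or disable it")
        return findings

    if port.role == "access":
        # Rule (kc8apf): an end-device port is untagged on one VLAN and a member of no
        # other, so a tagged frame sent by the device has no VLAN it may enter.
        if port.untagged is None:
            findings.append("access port has no untagged VLAN")
        if port.tagged:
            findings.append(f"access port is also a tagged member of {sorted(port.tagged)}")
    elif port.role == "tagged":
        # Rule (Perry): the tagged-only port has PVID none, so untagged frames cannot
        # land on any VLAN, and it carries only the VLANs it actually needs.
        if port.untagged is not None:
            findings.append(
                f"tagged port still places untagged frames on VLAN {port.untagged}; set PVID to none"
            )
        if not port.tagged:
            findings.append("tagged port carries no VLANs")
    else:
        findings.append(f"unknown role {port.role!r}")
    return findings


def audit_switch(ports: List[Port]) -> Dict[str, List[str]]:
    """Audit every port; only ports with findings appear in the result."""
    result: Dict[str, List[str]] = {}
    for port in ports:
        findings = audit_port(port)
        if findings:
            result[port.name] = findings
    return result


# Constructed sample: a "factory default plus two VLANs" layout with the usual mistakes.
WEAK_LAYOUT = [
    Port("1", "tagged", tagged={10, 20}, untagged=1),  # uplink with VLAN 1 left as PVID
    Port("2", "access", tagged={20}, untagged=10),     # desktop also a tagged member of 20
    Port("3", "access", untagged=1),                    # printer left on default VLAN 1
    Port("4", "access"),                                # spare port, never assigned
]

# Constructed sample: the same switch laid out as the thread recommends.
HARDENED_LAYOUT = [
    Port("1", "tagged", tagged={10, 20}),              # uplink: tagged only, PVID none
    Port("2", "access", untagged=10),
    Port("3", "access", untagged=20),
    Port("4", "access", untagged=99),                  # spare ports parked on an unused VLAN
]

if __name__ == "__main__":
    for label, layout in (("weak", WEAK_LAYOUT), ("hardened", HARDENED_LAYOUT)):
        print(label, audit_switch(layout))
```

Running the script reports findings for all four ports of the weak layout (two for the uplink: VLAN 1 in use and a PVID still set) and nothing for the hardened one. Perry's first rule, carrying only VLAN traffic on the pfSense parent NIC, is a firewall-side setting and is deliberately outside this switch-side check.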

                Folks, thanks for your help!

                The general idea is to use a single port on the switch with only tagged traffic.  This port connects to the upstream device (pfSense, another switch, whatever).  It carries the various networks over a single physical link, but each is tagged independently.

If my switch was in the middle of a chain of 3 switches, I guess 2 ports would be OK for this? (At the minute I only have 2 switches, so this question I'm asking doesn't really apply atm)

                On the switch, each port is assigned to groups of VLANs.  For most devices, you want them to exist on a single VLAN.  For those ports, you specify the VLAN to use for untagged traffic and remove the port from all other VLANs.  That way, even if the device sends a tagged packet, the switch won't allow the traffic onto the VLAN.

                So in terms of our HP switch (Mine is a 1800-24G layer2 only), what setting does your quote above refer to? Uncheck VLAN aware? Or/And just make the port a member of NO VLANs but ONLY set the PVID? (See where I'm getting confused here?)

                For some devices, you may wish to have it be accessible on multiple VLANs, but not route between them.  To do that, you setup the port to use only tagged traffic and only make the port a member of the VLANs that it should be allowed to participate in.  The device is then configured to set an IP per VLAN and disallow routing.  Unless you are doing something really complex, this probably isn't something you will need to do.

                No need for this at the minute, but thanks for explaining. My switch is only layer 2 so it's probably a bad idea for this anyways (Unless I didn't care about the single device routing between the 2 VLANS)

                The main gotcha with VLANs is that VLAN tag 1 is almost always special in some way.  For the HP switch I have (2800), VLAN 1 is the default VLAN and is the one on which all the management services run.  That particular setting is configurable on my switch, but many other switches don't offer a way to change it.  To be on the safe side, use VLAN tags other than 1 for your actual networks.

                Understood :)
