VLAN or aliases or? best way to isolate untrustable hosts in a small network
Some hosts should be limited in internet access and/or local access, or simply be restricted in some way, because they are untrusted.

I'm looking for a way to isolate untrusted hosts inside the LAN using any applicable approach. How do people isolate undesirable hosts in their networks?

Cheers!
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
On 2020-02-03, Denis wrote:

> Some hosts should be limited in internet access and/or local access or
> simply be restricted in some way because they are untrusted.
>
> I'm looking for a possibility to isolate untrusted inside LAN using any
> approach applicable. How do people isolate undesirable hosts in their
> networks?

Put hosts with different trust requirements into different networks at the IP level, connected to a central gateway where you can easily permit/deny traffic between them. Use VLANs to separate the IP networks.

For example, my home network is split into three networks:

* Trusted hosts. These are allowed to initiate traffic to the Internet and to the other networks.

* Untrusted hosts with outside access. These are allowed to initiate traffic to the Internet at large, but not to the other networks. This is mostly my wi-fi. Also a RIPE Atlas probe.

* Untrusted hosts without outside access. These cannot initiate traffic to any destination outside their network. Includes my printer and the SIP phone[1] for my "landline".

That's three vlan(4) interfaces on my gateway, which provides basic DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4) ruleset to enforce the restrictions above about who can start talking to whom.

[1] A SIP phone that is not allowed to talk to the outside may seem surprising, but it only needs to talk to siproxd on the gateway, and siproxd is required for NAT traversal anyway.

--
Christian "naddy" Weisgerber na...@mips.inka.de
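A pf.conf that enforces the three-segment policy described above, added here as an example and not Christian's actual ruleset. It assumes interface names em0 (uplink), vlan10 (trusted), vlan20 (untrusted with Internet) and vlan30 (untrusted, isolated), IPv4 only, and siproxd listening on the standard SIP port on the gateway.

```pf
# Added example pf.conf (not Christian's ruleset). Assumed interface names:
# em0 uplink, vlan10 trusted, vlan20 untrusted+Internet, vlan30 isolated.
ext_if   = "em0"
trusted  = "vlan10"
guest    = "vlan20"
isolated = "vlan30"

# Every internal segment lives in RFC 1918 space, so this table is a
# compact way to say "any other internal network".
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set block-policy drop

# NAT only for the two segments that are allowed to reach the Internet.
match out on $ext_if inet from { $trusted:network, $guest:network } \
    to any nat-to ($ext_if)

# Default deny inbound on every interface; a packet that was passed in on
# its ingress interface (and the gateway's own traffic) may leave.
block in log all
pass out quick all

# Gateway services every segment may use. DHCP needs its own rule because a
# client's source address is 0.0.0.0 and never matches "<if>:network".
pass in on { $trusted, $guest, $isolated } inet proto udp \
    from any port bootpc to any port bootps
pass in on { $trusted, $guest, $isolated } inet proto { tcp, udp } \
    from any to self port { domain, ntp }
# The isolated SIP phone only ever talks to siproxd on the gateway.
pass in on $isolated inet proto udp from $isolated:network to self port sip

# Trusted: may initiate anything, to the Internet and to the other segments.
pass in on $trusted inet from $trusted:network to any

# Guest: Internet only. Destinations in <rfc1918> (the other segments) stay
# blocked; DNS/NTP to the gateway's own RFC 1918 address is still passed by
# the service rules above, since this rule simply does not match it.
pass in on $guest inet from $guest:network to ! <rfc1918>

# Isolated: no rule beyond the gateway services, so nothing else leaves it.
# Drop packets whose source does not belong on the interface they arrived on.
antispoof quick for { $trusted, $guest, $isolated }
```

Because pf uses last-match semantics without "quick", the segment rules are ordered from most to least permissive so that a missing rule falls through to the default block, which is the safe direction for an untrusted VLAN.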
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
Hi Christian,

I've made two VLANs to automatically assign random IPs from a pool by dhcpd:

# /etc/hostname.vlan100
description 'LAN attached untrusted hosts'
inet 192.168.155.0/24 255.255.255.0 vlandev em0

# /etc/hostname.vlan101
description 'WLAN attached untrusted hosts'
inet 192.168.156.0/24 255.255.255.0 vlandev run0

Going to filter access from these VLANs by PF.

My 'real' LAN and WLAN _trusted_ devices get IPs from preregistered MACs in /etc/dhcpd.conf. No free IP registration is available for _trusted_ devices.

For _untrusted_ devices I'd like to set IPs by dhcpd from the address pools vlan100 192.168.155.2 192.168.155.200, and vlan101 192.168.156.2 192.168.156.200

# echo 'dhcpd_flags="em0 run0 vlan100 vlan101"' >> rcctl.conf.local
# . rc.conf.local

Added address ranges for vlan100 and vlan101 to /etc/dhcpd.conf and restarted the daemon. DHCPd tries to assign an address for _untrusted_ devices from the real subnet, with no free leases available, instead of from the vlan100 or vlan101 pool provided.

How do you set IPs for your trusted/untrusted devices using dhcpd? Could you share your dhcpd.conf setup for the VLANs you're using?

Thanks,
Denis

On 2/4/2020 8:03 PM, Christian Weisgerber wrote:
> On 2020-02-03, Denis wrote:
>
>> Some hosts should be limited in internet access and/or local access or
>> simply be restricted in some way because they are untrusted.
>>
>> I'm looking for a possibility to isolate untrusted inside LAN using any
>> approach applicable. How do people isolate undesirable hosts in their
>> networks?
>
> Put hosts with different trust requirements into different networks
> at the IP level, connected to a central gateway where you can easily
> permit/deny traffic between them. Use VLANs to separate the IP
> networks.
>
> For example, my home network is split into three networks:
>
> * Trusted hosts. These are allowed to initiate traffic to the
> Internet and to the other networks.
>
> * Untrusted hosts with outside access. These are allowed to initiate
> traffic to the Internet at large, but not to the other networks.
> This is mostly my wi-fi. Also a RIPE Atlas probe.
>
> * Untrusted hosts without outside access. These cannot initiate
> traffic to any destination outside their network. Includes my
> printer and the SIP phone[1] for my "landline".
>
> That's three vlan(4) interfaces on my gateway, which provides basic
> DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
> ruleset to enforce the restrictions above about who can start talking
> to whom.
>
>
> [1] A SIP phone that is not allowed to talk to the outside may seem
> surprising, but it only needs to talk to siproxd on the gateway,
> and siproxd is required for NAT traversal anyway.
>
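One working layout for the two untrusted VLANs plus a matching dhcpd.conf, added here as an example and not a configuration posted by anyone in this thread. It assumes the gateway holds the first host address in each VLAN subnet, that both VLANs are tagged on em0 (with the wireless untrusted network arriving on tag 101 from a VLAN-capable access point), that the trusted LAN is 192.168.1.0/24 untagged on em0, and a placeholder MAC for the one trusted host shown.

```conf
# /etc/hostname.vlan100: distinct 802.1Q tag (vnetid) and a host address
# for the gateway, not the network address.
description 'LAN attached untrusted hosts'
inet 192.168.155.1 255.255.255.0
vnetid 100 vlandev em0

# /etc/hostname.vlan101: a second, different tag on the same parent.
description 'WLAN attached untrusted hosts'
inet 192.168.156.1 255.255.255.0
vnetid 101 vlandev em0

# /etc/dhcpd.conf
option domain-name-servers 192.168.1.1;

# Trusted LAN on em0 (192.168.1.0/24 assumed). No "range", so only the hosts
# declared here ever receive a lease, and unknown MACs are refused outright.
subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        deny unknown-clients;
        host desktop {
                hardware ethernet 00:00:5e:00:53:01;   # placeholder MAC
                fixed-address 192.168.1.10;
        }
}

# Untrusted VLANs: plain pools, each confined to its own subnet so a lease
# can never be handed out from the trusted network's address space.
subnet 192.168.155.0 netmask 255.255.255.0 {
        option routers 192.168.155.1;
        option domain-name-servers 192.168.155.1;
        range 192.168.155.2 192.168.155.200;
}

subnet 192.168.156.0 netmask 255.255.255.0 {
        option routers 192.168.156.1;
        option domain-name-servers 192.168.156.1;
        range 192.168.156.2 192.168.156.200;
}

# /etc/rc.conf.local (equivalently: rcctl set dhcpd flags em0 vlan100 vlan101)
dhcpd_flags="em0 vlan100 vlan101"
```

dhcpd(8) picks the subnet declaration by the address of the interface the request arrived on, so each vlan(4) interface must carry a host address inside its subnet before the pools can be used.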
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
Denis,

I suspect the fundamental problem is that you don't understand what VLANs are. There should be a lot of articles about this topic on the net; maybe somebody here can recommend a good one.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
On Wed 5 Feb 2020 at 13:07, Denis wrote:

> I've made two VLANs to automatically assign random IPs from a pool by
> dhcpd:
> [...]
> # /etc/hostname.vlan101
> description 'WLAN attached untrusted hosts'
> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>

VLANs and wifi sounds like a non-starter.

--
May the most significant bit of your life be positive.
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
On 2020-02-05, Janne Johansson wrote:

>> # /etc/hostname.vlan101
>> description 'WLAN attached untrusted hosts'
>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>
> VLANs and wifi sounds like a non-starter.

Yep, if you're building your access point with OpenBSD.

More generally, though, any AP in the business segment has support for multiple SSIDs that can be assigned to different VLANs on the Ethernet side.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
The OP’s hostname.vlan* files never specify a vnetid. I get an error trying to configure and bring up the second vlan interface the same way without vnetid specified. Regardless of my error, the ifconfig(8) man page says without vnetid specified, vlan tag 0 will be used. You need to specify two different vlan tags.

All of that aside: VLANs don’t give you any more security. If the client host is on the same physical network as your two VLANs, the only thing stopping them from jumping between VLANs would be physical devices (switches, etc.) configured to prevent that. From what I gathered, you don’t have this level of control. Therefore, you gain nothing by segmenting the networks with VLANs.

-Brian

> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber wrote:
>
> On 2020-02-05, Janne Johansson wrote:
>
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>
>> VLANs and wifi sounds like a non-starter.
>
> Yep, if you're building your access point with OpenBSD.
>
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
Thank you for all the replies.

Christian is right, I wasn't familiar with VLANs before my conceptual question about IoT isolation, so I had no knowledge of how VLANs work before his answer.

Thanks to documentation, articles, and vlan(4), I learned that in OpenBSD multiple VLANs can be attached to any physical Ethernet device, but an L3 switch with IEEE 802.1Q protocol support must be present. Hopefully the GS110TP has L3 compatibility, but it requires marking each VLAN port as "Tagged" or "Untagged" during VLAN allocation.

If I understand the concepts right, I should _tag_ the outgoing traffic of each /etc/hostname.vlan1xx and connect a physical Ethernet cable to a specially allocated port on the L3 switch for "Tagged" VLAN traffic. I'd like to call it the "Uplink" port on the L3 switch, connecting to the OBSD box's physical Ethernet port. Any group of ports intended for IoT connection (L3 switch ports 1-3 in my case) should be marked as "Untagged" to connect IoT devices.

Please correct me if I've been mistaken.

As for the "access point", it works well and has been in active use for a long time. A second SSID is a good idea to make some isolation for untrusted devices and filter in PF by some indication, but I don't know which indication for now. I think it will be the next step forward to wireless IoT isolation.

Denis

On 2/5/2020 5:53 PM, Christian Weisgerber wrote:
> On 2020-02-05, Janne Johansson wrote:
>
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>
>> VLANs and wifi sounds like a non-starter.
>
> Yep, if you're building your access point with OpenBSD.
>
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
Brian,

I'm going to set vnetid 100 to tag the VLAN and connect physical em0 to the L3 switch "uplink" port (port 10 in my case) with the "Tagged" mark.

# /etc/hostname.vlan100
description 'Untrusted'
inet 192.168.155.1 255.255.255.240 192.168.155.15
lladdr 32:f6:02:c4:1A:88
vlandev em0 vnetid 100

Ports 1-3 on the L3 switch will be used for IoT connection and marked as "Untagged".

Do you think it will be right?

Denis

On 2/5/2020 10:19 PM, Brian Brombacher wrote:
> The OP’s hostname.vlan* files never specify a vnetid. I get an error trying
> to configure and bring up the second vlan interface the same way without
> vnetid specified. Regardless of my error, the ifconfig(8) man page says
> without vnetid specified, vlan tag 0 will be used. You need to specify two
> different vlan tags.
>
> All of that aside: VLANs don’t give you any more security. If the client
> host is on the same physical network as your two VLANs, the only thing
> stopping them from jumping between VLANs would be physical devices (switches,
> etc.) configured to prevent that. From what I gathered, you don’t have this
> level of control. Therefore, you gain nothing by segmenting the networks
> with VLANs.
>
> -Brian
>
>> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber wrote:
>>
>> On 2020-02-05, Janne Johansson wrote:
>>
>>>> # /etc/hostname.vlan101
>>>> description 'WLAN attached untrusted hosts'
>>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>>
>>> VLANs and wifi sounds like a non-starter.
>>
>> Yep, if you're building your access point with OpenBSD.
>>
>> More generally, though, any AP in the business segment has support
>> for multiple SSIDs that can be assigned to different VLANs on the
>> Ethernet side.
>>
>> --
>> Christian "naddy" Weisgerber na...@mips.inka.de
>