VLAN or aliases or? best way to isolate untrustable hosts in a small network

9 messages

VLAN or aliases or? best way to isolate untrustable hosts in a small network

Denis Lapshin-2
Some hosts should be limited in internet access and/or local access or
simply be restricted in some way because they are untrusted.

I'm looking for a way to isolate untrusted hosts inside the LAN using any
applicable approach. How do people isolate undesirable hosts in their
networks?

Cheers!


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Christian Weisgerber
On 2020-02-03, Denis <[hidden email]> wrote:

> Some hosts should be limited in internet access and/or local access or
> simply be restricted in some way because they are untrusted.
>
> I'm looking for a possibility to isolate untrusted inside LAN using any
> approach applicable. How do people isolate undesirable hosts in their
> networks?

Put hosts with different trust requirements into different networks
at the IP level, connected to a central gateway where you can easily
permit/deny traffic between them.  Use VLANs to separate the IP
networks.

For example, my home network is split into three networks:

* Trusted hosts.  These are allowed to initiate traffic to the
  Internet and to the other networks.

* Untrusted hosts with outside access.  These are allowed to initiate
  traffic to the Internet at large, but not to the other networks.
  This is mostly my wi-fi.  Also a RIPE Atlas probe.

* Untrusted hosts without outside access.  These cannot initiate
  traffic to any destination outside their network.  Includes my
  printer and the SIP phone[1] for my "landline".

That's three vlan(4) interfaces on my gateway, which provides basic
DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
ruleset to enforce the restrictions above about who can start talking
to whom.


[1] A SIP phone that is not allowed to talk to the outside may seem
    surprising, but it only needs to talk to siproxd on the gateway,
    and siproxd is required for NAT traversal anyway.
--
Christian "naddy" Weisgerber                          [hidden email]


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Denis Lapshin-2
Hi Christian,

I've made two VLANs to automatically assign random IPs from a pool by dhcpd:

# /etc/hostname.vlan100
description 'LAN attached untrusted hosts'
inet 192.168.155.0/24 255.255.255.0 vlandev em0

# /etc/hostname.vlan101
description 'WLAN attached untrusted hosts'
inet 192.168.156.0/24 255.255.255.0 vlandev run0

Going to filter access from these VLANs by PF.

My 'real' LAN and WLAN _trusted_ devices get IPs from preregistered MACs
in /etc/dhcpd.conf. No free IP registration is available for _trusted_
devices.

For _untrusted_ devices I'd like to set IPs by dhcpd from address pools
vlan100 192.168.155.2 192.168.155.200, and
vlan101 192.168.156.2 192.168.156.200

# echo 'dhcpd_flags="em0 run0 vlan100 vlan101"' >> /etc/rc.conf.local
# . /etc/rc.conf.local

Added address ranges for vlan100 and vlan101 to /etc/dhcpd.conf and
restarted daemon.

dhcpd tries to assign an address for _untrusted_ hosts from the real
subnet, which has no free leases, instead of from the vlan100 or vlan101
pools provided.

How do you set IPs for your trusted/untrusted devices using dhcpd?

Could you share your dhcpd.conf setup for vlans you're using?

Thanks,
Denis

On 2/4/2020 8:03 PM, Christian Weisgerber wrote:

> On 2020-02-03, Denis <[hidden email]> wrote:
>
>> Some hosts should be limited in internet access and/or local access or
>> simply be restricted in some way because they are untrusted.
>>
>> I'm looking for a possibility to isolate untrusted inside LAN using any
>> approach applicable. How do people isolate undesirable hosts in their
>> networks?
>
> Put hosts with different trust requirements into different networks
> at the IP level, connected to a central gateway where you can easily
> permit/deny traffic between them.  Use VLANs to separate the IP
> networks.
>
> For example, my home network is split into three networks:
>
> * Trusted hosts.  These are allowed to initiate traffic to the
>   Internet and to the other networks.
>
> * Untrusted hosts with outside access.  These are allowed to initiate
>   traffic to the Internet at large, but not to the other networks.
>   This is mostly my wi-fi.  Also a RIPE Atlas probe.
>
> * Untrusted hosts without outside access.  These cannot initiate
>   traffic to any destination outside their network.  Includes my
>   printer and the SIP phone[1] for my "landline".
>
> That's three vlan(4) interfaces on my gateway, which provides basic
> DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
> ruleset to enforce the restrictions above about who can start talking
> to whom.
>
>
> [1] A SIP phone that is not allowed to talk to the outside may seem
>     surprising, but it only needs to talk to siproxd on the gateway,
>     and siproxd is required for NAT traversal anyway.
>


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Christian Weisgerber
Denis, I suspect the fundamental problem is that you don't understand
what VLANs are.  There should be a lot of articles about this topic
on the net; maybe somebody here can recommend a good one.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Janne Johansson-3
In reply to this post by Denis Lapshin-2
Den ons 5 feb. 2020 kl 13:07 skrev Denis <[hidden email]>:

> I've made two VLANs to automatically assign random IPs from a pool by
> dhcpd:
>

[...]


> # /etc/hostname.vlan101
> description 'WLAN attached untrusted hosts'
> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>

VLANs and wifi sounds like a non-starter.

--
May the most significant bit of your life be positive.

Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Christian Weisgerber
On 2020-02-05, Janne Johansson <[hidden email]> wrote:

>> # /etc/hostname.vlan101
>> description 'WLAN attached untrusted hosts'
>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>
> VLANs and wifi sounds like a non-starter.

Yep, if you're building your access point with OpenBSD.

More generally, though, any AP in the business segment has support
for multiple SSIDs that can be assigned to different VLANs on the
Ethernet side.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Brian Brombacher
In reply to this post by Denis Lapshin-2
The OP’s hostname.vlan* files never specify a vnetid.  I get an error trying to configure and bring up the second vlan interface the same way without vnetid specified.  Regardless of my error, the ifconfig(8) man page says without vnetid specified, vlan tag 0 will be used.  You need to specify two different vlan tags.

All of that aside: VLANs don’t give you any more security.  If the client host is on the same physical network as your two VLANs, the only thing stopping them from jumping between VLANs would be physical devices (switches, etc.) configured to prevent that.  From what I gathered, you don’t have this level of control.  Therefore, you gain nothing by segmenting the networks with VLANs.

-Brian

> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber <[hidden email]> wrote:
>
> On 2020-02-05, Janne Johansson <[hidden email]> wrote:
>
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>> VLANs and wifi sounds like a non-starter.
>
> Yep, if you're building your access point with OpenBSD.
>
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>
> --
> Christian "naddy" Weisgerber                          [hidden email]


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Denis Lapshin-2
In reply to this post by Christian Weisgerber
Thank you for all the replies.

Christian is right, I wasn't familiar with VLANs before my conceptual
question about IoT isolation, so I had no knowledge of how VLANs work
before his answer.

Thanks to documentation, articles, and vlan(4): in OpenBSD, multiple
VLANs can be attached to any physical Ethernet device, but an L3 switch
supporting the IEEE 802.1Q protocol must be present.

Hopefully the GS110TP has L3 compatibility, but it requires marking each
VLAN port as "Tagged" or "Untagged" during VLAN allocation. If I
understand the concepts right, I should _tag_ the outgoing traffic of
each /etc/hostname.vlan1xx and connect the physical Ethernet cable to a
specially allocated port on the L3 switch for "Tagged" VLAN traffic. I'd
like to call it the "Uplink" port on the L3 switch, connecting to the
OBSD box's physical Ethernet port. Any group of ports intended for IoT
connection (L3 switch ports 1-3 in my case) should be marked as
"Untagged" to connect IoT devices. Please correct me if I'm mistaken.

As for the "access point", it works well and has been in active use for
a long time. A second SSID is a good idea to provide some isolation for
untrusted hosts and filter in PF by some indication, but I don't know
which indication for now. I think it will be the next step forward to
wireless IoT isolation.

Denis

On 2/5/2020 5:53 PM, Christian Weisgerber wrote:

> On 2020-02-05, Janne Johansson <[hidden email]> wrote:
>
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>
>> VLANs and wifi sounds like a non-starter.
>
> Yep, if you're building your access point with OpenBSD.
>
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

Denis Lapshin-2
In reply to this post by Brian Brombacher
Brian,

I'm going to set vnetid 100 to tag the VLAN and connect physical em0 to
the L3 switch "uplink" port (port 10 in my case) marked "Tagged".

# /etc/hostname.vlan100
description 'Untrusted'
inet 192.168.155.1 255.255.255.240 192.168.155.15 lladdr 32:f6:02:c4:1A:88 vlandev em0 vnetid 100

Ports 1-3 on the L3 switch will be used for IoT connection and marked as
"Untagged".

Do you think that will be right?

Denis

On 2/5/2020 10:19 PM, Brian Brombacher wrote:

> The OP’s hostname.vlan* files never specify a vnetid.  I get an error trying to configure and bring up the second vlan interface the same way without vnetid specified.  Regardless of my error, the ifconfig(8) man page says without vnetid specified, vlan tag 0 will be used.  You need to specify two different vlan tags.
>
> All of that aside: VLANs don’t give you any more security.  If the client host is on the same physical network as your two VLANs, the only thing stopping them from jumping between VLANs would be physical devices (switches, etc.) configured to prevent that.  From what I gathered, you don’t have this level of control.  Therefore, you gain nothing by segmenting the networks with VLANs.
>
> -Brian
>
>> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber <[hidden email]> wrote:
>>
>> On 2020-02-05, Janne Johansson <[hidden email]> wrote:
>>
>>>> # /etc/hostname.vlan101
>>>> description 'WLAN attached untrusted hosts'
>>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>> VLANs and wifi sounds like a non-starter.
>>
>> Yep, if you're building your access point with OpenBSD.
>>
>> More generally, though, any AP in the business segment has support
>> for multiple SSIDs that can be assigned to different VLANs on the
>> Ethernet side.
>>
>> --
>> Christian "naddy" Weisgerber                          [hidden email]
>
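A worked version of the configuration the thread converges on, added here as an example; it is not code from any of the posts. It keeps Denis's vlan100/vlan101 names and 192.168.155/156 subnets and maps them onto Christian's "untrusted with outside access" and "untrusted without outside access" tiers, with em0 as the trusted wired LAN on 192.168.1.0/24 and pppoe0 as the upstream interface (both addresses and the upstream interface are assumptions; the thread gives neither). Two points from the replies are built in: every hostname.vlan file carries its own vnetid, since Brian notes that a missing vnetid means tag 0 and two such files land on the same VLAN; and each vlan interface gets a host address inside its subnet rather than the network address, which is what dhcpd needs to match a request's arrival interface to the right pool. The script writes the files into a scratch directory for review instead of /etc, and `check_vnetids` refuses a set of hostname.vlan files in which a tag is missing or duplicated. As Brian also points out, none of this isolates anything unless the switch is configured so that only the gateway's uplink port is tagged and the IoT ports are untagged members of a single VLAN.

```shell
#!/bin/sh
# Added example, not from the thread. Stages the gateway configuration the
# replies describe into a scratch directory and sanity-checks it.
# Assumed layout:
#   em0      trusted wired LAN, 192.168.1.0/24 (address assumed)
#   vlan100  tag 100 on em0, untrusted hosts allowed out to the Internet
#   vlan101  tag 101 on em0, untrusted IoT hosts, gateway services only
#   pppoe0   assumed upstream interface

# hostname.if(5) for one vlan(4) interface. Each VLAN needs its own vnetid:
# ifconfig(8) uses tag 0 when none is given, so two files without one land
# on the same VLAN. The gateway takes a host address (not .0) in the subnet
# so dhcpd can match requests arriving on this interface to the right pool.
gen_hostname_vlan() { # parent tag address netmask description
    printf "description '%s'\n" "$5"
    printf 'vnetid %s vlandev %s\n' "$2" "$1"
    printf 'inet %s %s\n' "$3" "$4"
}

gen_dhcpd_conf() {
    cat <<'EOF'
# Trusted LAN: no range, so only pre-registered MACs ever get a lease.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    host trusted-laptop {
        hardware ethernet 00:00:5e:00:53:01;   # constructed sample MAC
        fixed-address 192.168.1.10;
    }
}
# Untrusted networks: dynamic pools, nothing registered by hand.
subnet 192.168.155.0 netmask 255.255.255.0 {
    option routers 192.168.155.1;
    option domain-name-servers 192.168.155.1;
    range 192.168.155.2 192.168.155.200;
}
subnet 192.168.156.0 netmask 255.255.255.0 {
    option routers 192.168.156.1;
    option domain-name-servers 192.168.156.1;
    range 192.168.156.2 192.168.156.200;
}
EOF
}

gen_pf_conf() {
    cat <<'EOF'
ext_if = "pppoe0"
trusted = "em0"
untrusted_out = "vlan100"
internal = "{ em0 vlan100 vlan101 }"
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
block all
match out on $ext_if inet from !($ext_if:network) nat-to ($ext_if)
# Every network may use the gateway's own DHCP, DNS and NTP.
pass in on $internal proto udp to port { bootps domain ntp }
pass in on $internal proto tcp to port domain
# Trusted hosts may initiate to anything, including the other networks.
pass in on $trusted
# vlan100 may initiate only towards non-private addresses; vlan101 gets
# nothing beyond the service rules above.
pass in on $untrusted_out to !<private>
# Policy is enforced on the way in; let accepted traffic leave.
pass out
EOF
}

write_stage() { # dir
    gen_hostname_vlan em0 100 192.168.155.1 255.255.255.0 \
        'Untrusted, Internet only' > "$1/hostname.vlan100"
    gen_hostname_vlan em0 101 192.168.156.1 255.255.255.0 \
        'Untrusted IoT, no outside access' > "$1/hostname.vlan101"
    gen_dhcpd_conf > "$1/dhcpd.conf"
    gen_pf_conf > "$1/pf.conf"
}

# Succeeds only when every staged hostname.vlan* file carries a vnetid and
# no two files share one.
check_vnetids() { # dir
    files=$(ls "$1"/hostname.vlan* 2>/dev/null | wc -l | tr -d ' ')
    tags=$(sed -n 's/.*vnetid \([0-9][0-9]*\).*/\1/p' "$1"/hostname.vlan* 2>/dev/null)
    n=$(printf '%s\n' "$tags" | grep -c .)
    u=$(printf '%s\n' "$tags" | sort -u | grep -c .)
    [ "$files" -gt 0 ] && [ "$n" -eq "$files" ] && [ "$u" -eq "$files" ]
}

STAGE=$(mktemp -d)
write_stage "$STAGE"
if check_vnetids "$STAGE"; then
    echo "VLAN tags distinct; review the files in $STAGE before copying to /etc"
fi
# Where pf is present, parse the staged ruleset without loading it.
if command -v pfctl >/dev/null; then pfctl -nf "$STAGE/pf.conf"; fi
```

On the gateway the staged files would be copied to /etc/hostname.vlan100, /etc/hostname.vlan101, /etc/dhcpd.conf and /etc/pf.conf, dhcpd started with `dhcpd_flags` listing em0, vlan100 and vlan101, and the ruleset loaded with `pfctl -f /etc/pf.conf`. The policy is deliberately enforced only on the inbound side of each interface so that a single `pass out` suffices and every restriction is visible in the three `pass in` rules.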