VLAN Setup Possible?

by Tenatious   Last Updated August 10, 2018 13:01 PM

I want to see if the following is possible using VLAN:

I have the following equipment:

  • Ubiquiti EdgeRouter Lite
  • TP-LINK TL-SG1016PE Switch
  • Home Server
  • 4 x IP Cameras

Is it possible to set up VLANs in the following configuration with just the one switch:

  • Have the normal home network (i.e. all the home computers, mobiles etc.) on say VLAN 1.

  • Have the Home Server on VLAN 2.

  • Have the IP Cameras on VLAN 3.

Then have the ability for: VLAN 1 to communicate with VLAN 2; VLAN 3 to communicate with VLAN 2; no connections from VLAN 3 back to VLAN 1, but connections from VLAN 1 to VLAN 3 allowed.

Basically, to split the cameras from the normal home network so no one can attach to their ethernet ports and access the network, but at the same time still be able to access the home server, which is acting as the NVR, both from the cameras and from the home network.


Answers 1

I will gloss over the VLAN configuration briefly. I'm using a TP-Link Smart Switch for reference - the Easy Smart Switch range is a bit different but this should be more or less doable in the same way. Refer to Chapters 6.3 and 6.4 in the manual.

  1. You want to configure 802.1Q VLANs, not the more basic "port-based" ones.
  2. Enter the VLAN ID you want to configure (e.g. 1)
  3. Select the tagged ports. This means the ports that frames belonging to this VLAN will be sent through, with the VLAN tag. Use this for ports leading to other VLAN-aware devices, like your router or other managed switches.
  4. Select the untagged ports. Frames belonging to the VLAN will also be sent to these ports, but the VLAN tag is stripped on the way out. Use this for ports leading to hosts (including your computers, servers and cameras).
  5. Set up your PVIDs so incoming frames on untagged ports get a default tag.

In your case, VLAN 1 would be tagged on the router port and untagged on any port your computers connect to (with PVID 1 on those same ports). VLAN 2 would be tagged on the router port and untagged on the server port (with PVID 2 on that port). VLAN 3 would be tagged on the router port and untagged on the camera ports (with PVID 3 on those ports).

You will also need to configure EdgeOS:

  1. Add the VLAN interfaces, giving them each their own IP address and subnet (I will assume 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24 for simplicity. This means the router is using the address 192.168.3.1 in the 192.168.3.0/24 subnet on its VLAN 3 interface.)
  2. Add DHCP servers serving each VLAN, giving them their own subnet.
  3. Configure the DHCP servers to set the gateway ("router") to the EdgeOS device. This should match the IP addresses you specified in #1.
  4. Add the VLANs as DNS listen interfaces if you want them to have access to the router's caching DNS server.

Now, by default, EdgeOS will route packets between all its interfaces. You want to block this in specific scenarios, which can be done using the EdgeOS firewall.

  1. The first thing you'll want to do is add a ruleset blocking VLANs (2 and 3?) from accessing the router's management interface. It should look something like:

    1. Default action: Drop
    2. Edit the ruleset and set it to apply to Interfaces => add your VLAN interfaces in direction local. Make sure the VLAN you want to manage the router from still has access!
    3. Add rule to accept TCP and UDP on port 53 to allow DNS
    4. Add rule to accept TCP and UDP in Established and Related states (advanced tab)
  2. Create a new ruleset for one-way 1 => 3, default Accept. Make sure you edit it and apply it only to the VLAN 1 and 3 interfaces. Now you need to add your rules in order. I would suggest:

    1. Add a rule to Accept from Source 192.168.1.0/24 to Destination 192.168.3.0/24. This allows 1 => 3 to initiate connections.
    2. Add a rule to Accept from Source 192.168.3.0/24 to Destination 192.168.1.0/24 in state Established or Related. This allows 3 => 1 responses (network is bidirectional!) for TCP and UDP.
    3. Add a rule to Drop from Source 192.168.3.0/24 to Destination 192.168.1.0/24. This is the fallback which rejects anything not allowed by rule #2, meaning 3 => 1 cannot initiate new connections.
  3. You might also want to add firewall rules blocking VLAN 3 from accessing the internet.

There is a bit of discussion here: https://community.ubnt.com/t5/EdgeRouter/One-way-firewall-rules/td-p/1505691

If you do not do anything to block it, 1 <=> 2 and 2 <=> 3 should have worked from the start. Keep in mind that this does open the possibility for an attacker to bypass your router firewall by going 3 => 2 => 1 if something is vulnerable on 2.

Also keep in mind that this example setup is actually allow-by-default with an explicit block from 3 => 1 -- but 3 can still access any future VLANs you set up. A safer (but slightly more complex) config is to block by default (block 192.168.0.0/16 as the last rule in a ruleset) and explicitly allow 1 <=> 2, 2 <=> 3 and 1 => 3. It follows the same general principles; you'll just need to add rules explicitly allowing 2 and blocking the rest.

Bob
August 10, 2018 14:00 PM
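A worked model of the two firewall designs from the answer, added here as an example; it is not code from the original thread or from Ubiquiti. It assumes the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets the answer uses, invents a hypothetical 192.168.4.0/24 "future VLAN" to show where the allow-by-default design leaks, and uses EdgeOS interface names such as `eth1 vif 3` that are assumptions. Each ruleset is evaluated the way EdgeOS does it (first matching rule decides, otherwise the default action) for new and for established/related traffic, and is then rendered as EdgeOS `set` commands.

```python
"""Stateful model of the EdgeOS inter-VLAN policy discussed in the answer.

EdgeOS walks a ruleset top to bottom; the first matching rule decides and the
ruleset's default action applies otherwise. Two designs from the answer are
encoded here, checked against sample flows, and rendered as 'set' commands.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets assumed in the answer. VLAN 4 is a hypothetical future VLAN
# (assumption) used only to show why the allow-by-default design leaks.
VLANS = {
    1: ip_network("192.168.1.0/24"),  # home computers, phones
    2: ip_network("192.168.2.0/24"),  # home server acting as NVR
    3: ip_network("192.168.3.0/24"),  # IP cameras
    4: ip_network("192.168.4.0/24"),  # hypothetical future VLAN
}
ALL_LANS = ip_network("192.168.0.0/16")
EST = frozenset({"established"})         # conntrack: reply traffic only
ANY = frozenset({"new", "established"})  # a rule with no state condition


@dataclass
class Rule:
    action: str                          # "accept" or "drop"
    src: Optional[IPv4Network] = None    # None matches any source
    dst: Optional[IPv4Network] = None    # None matches any destination
    states: frozenset = ANY

    def matches(self, src: IPv4Address, dst: IPv4Address, state: str) -> bool:
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and state in self.states)


@dataclass
class Ruleset:
    name: str
    default: str
    rules: list = field(default_factory=list)

    def decide(self, src: str, dst: str, state: str = "new") -> str:
        """First matching rule wins; otherwise the default action."""
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.matches(s, d, state):
                return rule.action
        return self.default

    def to_edgeos(self, vifs) -> list:
        """Render as EdgeOS 'set' commands, attached inbound on the given
        VLAN sub-interfaces (names like 'eth1 vif 3' are assumptions)."""
        out = [f"set firewall name {self.name} default-action {self.default}"]
        for n, r in enumerate(self.rules, start=1):
            p = f"set firewall name {self.name} rule {n * 10}"
            out.append(f"{p} action {r.action}")
            if r.src is not None:
                out.append(f"{p} source address {r.src}")
            if r.dst is not None:
                out.append(f"{p} destination address {r.dst}")
            if r.states == EST:
                out += [f"{p} state established enable", f"{p} state related enable"]
        out += [f"set interfaces ethernet {v} firewall in name {self.name}" for v in vifs]
        return out


# Design 1 (the answer's step 2): allow by default, explicit one-way block 3 => 1.
ONE_WAY = Ruleset("VLAN13_ONEWAY", "accept", [
    Rule("accept", VLANS[1], VLANS[3]),       # LAN may open connections to cameras
    Rule("accept", VLANS[3], VLANS[1], EST),  # camera replies to those connections
    Rule("drop",   VLANS[3], VLANS[1]),       # cameras may not open connections to LAN
])

# Design 2 (the answer's last paragraph): allow only the listed pairs, drop
# everything else that stays inside 192.168.0.0/16; internet is still allowed.
STRICT = Ruleset("VLAN_STRICT", "accept", [
    Rule("accept", None, None, EST),          # replies for any allowed connection
    Rule("accept", VLANS[1], VLANS[2]),       # 1 <=> 2
    Rule("accept", VLANS[2], VLANS[1]),
    Rule("accept", VLANS[2], VLANS[3]),       # 2 <=> 3 (NVR and cameras)
    Rule("accept", VLANS[3], VLANS[2]),
    Rule("accept", VLANS[1], VLANS[3]),       # 1 => 3 only
    Rule("drop",   None, ALL_LANS),           # anything else internal is dropped
])


def new_connection_matrix(rs: Ruleset) -> dict:
    """Decision for a new connection from host .10 in each VLAN to host .10 in each other VLAN."""
    return {(a, b): rs.decide(str(VLANS[a][10]), str(VLANS[b][10]))
            for a in VLANS for b in VLANS if a != b}


if __name__ == "__main__":
    for rs, vifs in ((ONE_WAY, ["eth1 vif 1", "eth1 vif 3"]),
                     (STRICT, ["eth1 vif 1", "eth1 vif 2", "eth1 vif 3"])):
        print(rs.name, new_connection_matrix(rs))
        print("\n".join(rs.to_edgeos(vifs)))
```

Running it prints the new-connection decision for every VLAN pair under each design, followed by the `set` commands. The matrices show the point of the answer's last paragraph: ONE_WAY lets a camera open connections to the hypothetical VLAN 4 while STRICT drops them, and both designs still allow 3 => 2 and 2 => 1, so the 3 => 2 => 1 pivot through the NVR can only be closed by hardening the server itself. The rendered commands attach the rulesets with `firewall in` on each VLAN sub-interface; the answer's first ruleset, which protects the router's own management services, would be attached with `firewall local` instead and is not modelled here.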
