agnos.is Forums


Basic networking/subnetting question.

Selfhosted
65 Posts 15 Posters 465 Views
This topic has been deleted. Only users with topic management privileges can see it.
• Quoting M ([email protected]):

    The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn't mention it because I didn't think it was important.

    I feel like my post is being taken very negatively, with people finding faults in my words rather than in the networking concept. Would you happen to know why?

  B ([email protected]) wrote, #13:

    You are basically asking people to solve a solved problem; there's no actual need for keeping the PCs separate since you control them both, and oh, you want it done cheap. A bespoke custom solution will not scale, regardless of whether you need it to or not, and you should know that.

    https://hometechhacker.com/great-choices-for-opnsense-hardware/

    A firewall device with as many ports as you need is your best bet.

  Votes: 0
• Quoting C ([email protected]):

    That would be worse, because then it would send and receive traffic for multiple VLANs.

    Unless your switch uses that to refer to link aggregation instead of VLAN trunking. Network terminology like that can mean different things to different vendors.

  M ([email protected]) wrote, #14:

    I'm using Cisco terminology, so it likely means VLAN trunking, unfortunately (unless I missed something).

  Votes: 0
• Replying to #13 (B, [email protected]):

  M ([email protected]) wrote, #15:

    "asking for people to solve a solved problem"

    Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don't control at all. Heck, even Mikrotik, who has a good rapport with this community, uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I'm surprised I do not see more dialogue on improving the situation.

    Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I'm sure you've heard of the clustering features in pfSense/OPNsense, or the DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I'm going to need a LOT of ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.

    This is why I'm trying to find a simpler solution. The solution that you mention doesn't seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.

  Votes: 0
• Replying to #15 (M, [email protected]):

  B ([email protected]) wrote, #16:

    Not liking the solution you have doesn't mean you don't have a solution.

    Anyway, watch the playlist I sent; it's a great overview of the OSI model with some other stuff. You mentioned not understanding some layers; once you do, you will understand the limitations of the hardware you have.

  Votes: 0
• Quoting the original post by M ([email protected]):

    Sorry for being such a noob. My networking is not very strong; thought I'd ask the fine folks here.

    Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

    Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

    What I'm asking is: do I really need VLANs? I do need to segregate networks, but I do not trust the operating systems running on these switches which can do L3 routing.

    If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

    Thanks!

  lettuceeatlettuce@lemmy.ml wrote, #17:

    Have you looked into Tailscale or an equivalent solution like Netbird?

    You could set up a tailnet, create unique tags for each machine, add both machines to the tailnet, and then set up each machine's network interface to only go through the tailnet.

    Then you just use Tailscale's ACLs with the tags to isolate those machines, making sure they can only talk to whatever central device(s) or services you want them to, but also stopping them from talking to or even seeing each other.

  Votes: 0
• Replying to the original post (M, [email protected]):

  Guest wrote, #18:

    If computers are in the same network, even with different IP addresses, they can still see all broadcast and multicast traffic. This means, for example, DHCP.

    If you fully trust your computers, and are sure that no external party can access any of them, you should be fine. But if anyone can gain access to any computer, it is trivial to gain access to all networks.

    If you need the best security, multiple switches and multiple NICs are unfortunately the only really secure solution.

  Votes: 0
• Replying to #17 (lettuceeatlettuce@lemmy.ml):

  M ([email protected]) wrote, #19:

    I never considered Tailscale for my LAN, but it's certainly an intriguing idea. I suppose running Headscale as a VM on my router isn't that difficult. Thank you, I will think about it a bit more.

  Votes: 0
• Replying to #18 (Guest):

  M ([email protected]) wrote, #20:

    No, I do not trust my computers that much. Quite unfortunate, really, that I'll have to build a whitebox switch to get what I want.

  Votes: 0
• Replying to #19 (M, [email protected]):

  lettuceeatlettuce@lemmy.ml wrote, #21:

    Yeah, and it's free for a basic account + up to 100 devices, so plenty for most home lab needs.

  Votes: 0
• Replying to the original post (M, [email protected]):

  K ([email protected]) wrote, #22:

    What is holding you back in regards to VLANs?

  Votes: 0
• Quoting K ([email protected]), #22:

    What is holding you back in regards to VLANs?

  M ([email protected]) wrote, #23:

    I'd either have to do it in the router (which would need a lot of PCIe network cards, which can get expensive, plus it is difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can't control and don't know what it's doing underneath.

  Votes: 0
• Replying to #23 (M, [email protected]):

  K ([email protected]) wrote, #24:

    Can you elaborate why you think you need many more PCIe lanes? Technically you can do it with one single LAN port carrying all your VLANs.

    You configure the VLANs on the router, then make a single trunk port to a switch, then have that switch divide the VLANs onto the ports you desire. This can be an L2 switch.

  Votes: 1
• Replying to #23 (M, [email protected]):

  C ([email protected]) wrote, #25:

    As a heads up, almost all OpenWRT routers function as managed switches with VLAN capabilities. Not truly all, but a very good number.

  Votes: 0
• Replying to the original post (M, [email protected]):

  N ([email protected]) wrote, #26:

    What you are asking will work. That's the whole point of subnets. No, you don't need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

    However, you used the word "trust", which means that this is a security concern. If you are subnetting because of trust, then yes, you absolutely do need to use VLANs.

  Votes: 0
• Quoting C ([email protected]), #25:

    As a heads up, almost all OpenWRT routers function as managed switches with VLAN capabilities. Not truly all, but a very good number.

  M ([email protected]) wrote, #27:

    Thanks, yes, I realised that OpenWRT devices can do this.

  Votes: 0
• Replying to #24 (K, [email protected]):

  M ([email protected]) wrote, #28:

    Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust.

  Votes: 1
• Replying to #26 (N, [email protected]):

  M ([email protected]) wrote, #29:

    Could you elaborate why the question of trust invalidates using just subnets?

  Votes: 0
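The script below is an added example (written for this page, not code from any poster in the thread). It builds a throwaway lab out of Linux network namespaces to show concretely what #18 and #26 state and #29 asks about, and the single-trunk layout from #24: two PCs on one L2 segment, separated only by different subnets plus a drop-everything forward ACL on a Linux router, versus the same two PCs behind a VLAN-filtering switch with one tagged trunk to the router. The namespace names (rtr, sw, pcA, pcB), the subnets 10.0.1.0/24 and 10.0.2.0/24, and the address 10.0.2.66 that the "compromised" pcA claims for itself are assumptions chosen for the example. It needs root, iproute2 (ip and bridge), nftables and ping, plus a kernel with bridge VLAN filtering and 802.1q; lab_available reports whether the machine can run it, and it deletes everything it creates.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway lab from Linux
# network namespaces: a router (rtr), a switch (sw) and two PCs (pcA, pcB).
# Names, the subnets 10.0.1.0/24 and 10.0.2.0/24 and the spoofed address
# 10.0.2.66 are assumptions for illustration. Needs root, iproute2 (ip and
# bridge), nftables and ping; lab_available says whether it can run here.

LAB="rtr sw pcA pcB"

# 0 if the kernel and tools can host the lab (netns, bridge with VLAN
# filtering, veth, 802.1q sub-interfaces, nf_tables), 1 otherwise.
lab_available() {
    [ "$(id -u)" -eq 0 ] || return 1
    for tool in ip bridge nft ping; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
    ip netns add _probe 2>/dev/null || return 1
    if ip netns exec _probe sh -c '
            ip link add br0 type bridge vlan_filtering 1 &&
            ip link add v0 type veth peer name v1 &&
            ip link add link v0 name v0.10 type vlan id 10 &&
            ip link set v1 master br0 && bridge vlan add dev v1 vid 10 &&
            nft add table ip probe' >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    ip netns del _probe
    return $rc
}

teardown_lab() {
    for ns in $LAB; do ip netns del "$ns" 2>/dev/null || true; done
}

# setup_lab dumb|vlan: same hosts and same router ACL; only the switch differs.
setup_lab() {
    teardown_lab
    for ns in $LAB; do ip netns add "$ns"; done
    ip netns exec sw ip link add br0 type bridge
    for host in rtr pcA pcB; do
        ip link add eth0 netns "$host" type veth peer name "p_$host" netns sw
        ip netns exec sw ip link set "p_$host" master br0 up
        ip netns exec "$host" ip link set eth0 up
    done
    ip netns exec sw ip link set br0 up
    # Router: forwarding on, ICMP redirects off (a router with two subnets on
    # one interface would otherwise tell pcA to reach pcB directly), and an
    # ACL that drops every forwarded packet, i.e. no inter-subnet traffic.
    ip netns exec rtr sh -c 'echo 1 >/proc/sys/net/ipv4/ip_forward &&
        echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects &&
        echo 0 >/proc/sys/net/ipv4/conf/eth0/send_redirects'
    ip netns exec rtr nft add table ip acl
    ip netns exec rtr nft add chain ip acl fwd \
        '{ type filter hook forward priority 0; policy drop; }'
    if [ "$1" = dumb ]; then
        # Dumb switch: both subnets sit on the router's single interface.
        ip netns exec rtr ip addr add 10.0.1.1/24 dev eth0
        ip netns exec rtr ip addr add 10.0.2.1/24 dev eth0
    else
        # Managed switch: VLAN-filtering bridge, untagged access ports for the
        # PCs (VLAN 10 and 20), one tagged trunk port towards the router.
        ip netns exec sw ip link set br0 type bridge vlan_filtering 1
        ip netns exec sw bridge vlan add dev p_pcA vid 10 pvid untagged
        ip netns exec sw bridge vlan add dev p_pcB vid 20 pvid untagged
        ip netns exec sw bridge vlan add dev p_rtr vid 10
        ip netns exec sw bridge vlan add dev p_rtr vid 20
        for p in p_pcA p_pcB p_rtr; do ip netns exec sw bridge vlan del dev "$p" vid 1; done
        # Router on a stick: one physical port, one 802.1q sub-interface per VLAN.
        for v in 10:10.0.1.1 20:10.0.2.1; do
            ip netns exec rtr ip link add link eth0 name "eth0.${v%%:*}" type vlan id "${v%%:*}"
            ip netns exec rtr ip addr add "${v#*:}/24" dev "eth0.${v%%:*}"
            ip netns exec rtr ip link set "eth0.${v%%:*}" up
        done
    fi
    ip netns exec pcA ip addr add 10.0.1.10/24 dev eth0
    ip netns exec pcA ip route add default via 10.0.1.1
    ip netns exec pcB ip addr add 10.0.2.10/24 dev eth0
    ip netns exec pcB ip route add default via 10.0.2.1
}

# ping_from NS TARGET: one echo request, one second to answer.
ping_from() { ip netns exec "$1" ping -c 1 -W 1 "$2" >/dev/null 2>&1; }

# What a compromised pcA does: claim an address inside pcB's subnet. Nothing
# on a dumb switch ties a port to a subnet, so pcB answers its ARP directly.
bypass_acl_from_pcA() { ip netns exec pcA ip addr add 10.0.2.66/24 dev eth0; }

# probe_isolation dumb|vlan: prints "<ping via router>,<ping after bypass>".
probe_isolation() {
    setup_lab "$1"
    if ping_from pcA 10.0.2.10; then r1=reached; else r1=blocked; fi
    bypass_acl_from_pcA
    if ping_from pcA 10.0.2.10; then r2=reached; else r2=blocked; fi
    teardown_lab
    echo "$r1,$r2"
}

# Expected: "dumb switch: blocked,reached" and "vlan switch: blocked,blocked".
if [ "${1:-}" = run ]; then
    for mode in dumb vlan; do echo "$mode switch: $(probe_isolation "$mode")"; done
fi
```

Run it as root with `sh isolation-lab.sh run`. With the dumb switch the first ping goes to the router and dies in its forward chain, but once pcA simply claims an address in pcB's subnet the two exchange ARP and ICMP directly on the shared segment and the router never sees a packet; the router-side ACL only ever governed traffic that chose to go through the router. With VLAN filtering on the bridge (what a managed switch does), pcA's frames are tagged VLAN 10 on ingress no matter which IP it claims, so they only ever reach the router's eth0.10 and both pings fail. The switch role is played by the Linux bridge itself, so the VLAN-aware variant is a managed switch running nothing but the kernel.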
• Replying to #24 (K, [email protected]):

  N ([email protected]) wrote, #30:

    OP specified they have a dumb switch.

  Votes: 0
• Replying to the original post (M, [email protected]):

  N ([email protected]) wrote, #31:

    For simple cases you might be able to use 802.1X authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network, though.

  Votes: 0
• Quoting N ([email protected]), #31:

    For simple cases you might be able to use 802.1X authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network, though.

  M ([email protected]) wrote, #32:

    Hmm, I haven't heard of that before. Could you explain?

  Votes: 0