agnos.is Forums


Basic networking/subnetting question.

selfhosted
65 Posts 15 Posters 465 Views
  • M [email protected]

    I'd either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can't control and don't know what it's doing underneath.

    [email protected]
    #24

    Can you elaborate why you think you need many more PCIe lanes? Technically you can do it with one single LAN port for all your VLANs.

    You configure the VLANs on the router, then make a single trunk port to a switch, then have that switch divide the VLANs onto the ports you desire. This can be an L2 switch.

    • M [email protected]

      I'd either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can't control and don't know what it's doing underneath.

      [email protected]
      #25

      As a heads up, almost all OpenWRT routers function as managed switches with vlan capabilities. Not truly all, but a very good number.

      • M [email protected]

        Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

        Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

        Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

        What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

        If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

        Thanks!

        [email protected]
        #26

        What you are asking will work. That's the whole point of subnets. No, you don't need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

        However, you used the word "trust" which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

        • C [email protected]

          As a heads up, almost all OpenWRT routers function as managed switches with vlan capabilities. Not truly all, but a very good number.

          [email protected]
          #27

          Thanks, yes, I realised that OpenWRT devices can do this.

          • K [email protected]

            Can you elaborate why you think you need many more PCIe lanes? Technically you can do it with one single LAN port for all your VLANs.

            You configure the VLANs on the router, then make a single trunk port to a switch, then have that switch divide the VLANs onto the ports you desire. This can be an L2 switch.

            [email protected]
            #28

            Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust.

            • N [email protected]

              What you are asking will work. That's the whole point of subnets. No, you don't need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

              However, you used the word "trust" which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

              [email protected]
              #29

              Could you elaborate why the question of trust invalidates using just subnets?

              • K [email protected]

                Can you elaborate why you think you need many more PCIe lanes? Technically you can do it with one single LAN port for all your VLANs.

                You configure the VLANs on the router, then make a single trunk port to a switch, then have that switch divide the VLANs onto the ports you desire. This can be an L2 switch.

                [email protected]
                #30

                OP specified they have a dumb switch.

                • M [email protected]

                  Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

                  Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

                  Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

                  What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

                  If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

                  Thanks!

                  [email protected]
                  #31

                  For simple cases you might be able to use 802.1x authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network though.

                  • N [email protected]

                    For simple cases you might be able to use 802.1x authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network though.

                    [email protected]
                    #32

                    Hmm, I haven't heard of that before. Could you explain?

                    • M [email protected]

                      Hmm, I haven't heard of that before. Could you explain?

                      [email protected]
                      #33

                      https://en.m.wikipedia.org/wiki/IEEE_802.1X

                      802.1x is a set of protocols that allows port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.

                      Your use case is exactly why vlans were invented.

                      However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.

                      There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.

                      • N [email protected]

                        https://en.m.wikipedia.org/wiki/IEEE_802.1X

                        802.1x is a set of protocols that allows port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.

                        Your use case is exactly why vlans were invented.

                        However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.

                        There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.

                        [email protected]
                        #34

                        Ah, is that something like sticky ports?

                        Indeed, I would like to run a switch with a FOSS OS, and I don't see any viable way of doing that. Unfortunate, but whitebox router + switch it is then.

                        • M [email protected]

                          Could you elaborate why the question of trust invalidates using just subnets?

                          [email protected]
                          #35

                          A VLAN is (theoretically) equivalent to a physically separated layer 2 domain. The only way for machines to communicate between vlans is via a gateway interface.

                          If you don't trust the operating system, then you don't trust that it won't change its IP/subnet to just hop onto the other network, or even send packets with the other network's header and spoof packets onto the other subnets.

                          It's trivially easy to malform broadcast traffic and hop subnets, or to use various arp table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.

                          • M [email protected]

                            Ah, is that something like sticky ports?

                            Indeed, I would like to run a switch with a FOSS OS, and I don't see any viable way of doing that. Unfortunate, but whitebox router + switch it is then.

                            [email protected]
                            #36

                            The effect is similar to sticky ports, but sticky ports are just filtering based on MAC address, which can be spoofed.

                            802.1x allows traffic from a device only if it also has the correct EAP certificate.

                            • M [email protected]

                              Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust.

                              [email protected]
                              #37

                              What in the world is "a proprietary OS I cannot trust"? What's your actual threat model? Have you actually run any risk analyses or code audits against these OSes vs. (I assume) Linux to know for sure that you can trust any given FOSS OS? You do realize there's still an OS on your dumb switch, right?

                              This is a silly reason to not learn to manage your networking hardware.

                              • ? Guest

                                If computers are in the same network, even with different IP addresses, they can still see all broadcast and multicast traffic. This means, for example, DHCP.

                                If you fully trust your computers, and are sure that no external party can access any of them, you should be fine. But if anyone can gain access to any computer, it is trivial to gain access to all networks.

                                If you need the best security, multiple switches and multiple NICs are unfortunately the only really secure solution.

                                [email protected]
                                #38

                                Broadcast traffic (such as DHCP) doesn't cross subnets without a router configured to forward it. It's one of the reasons subnets exist.

                                • N [email protected]

                                  What in the world is "a proprietary OS I cannot trust"? What's your actual threat model? Have you actually run any risk analyses or code audits against these OSes vs. (I assume) Linux to know for sure that you can trust any given FOSS OS? You do realize there's still an OS on your dumb switch, right?

                                  This is a silly reason to not learn to manage your networking hardware.

                                  [email protected]
                                  #39

                                  Thank you for the comment.

                                  My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of "if they're in your network you have other problems to worry about" is valid, and I'm working on it.

                                  I'm educating myself about Lynis and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I've recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.

                                  Yes, I do realise that the dumb switch has an OS. And you raise a good point. I'm starting to feel uneasy with my existing netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.

                                  I'd like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.

                                  Thanks again for the comment and I'd like to hear any suggestions you have.

                                  • N [email protected]

                                    The effect is similar to sticky ports, but sticky ports are just filtering based on MAC address, which can be spoofed.

                                    802.1x allows traffic from a device only if it also has the correct EAP certificate.

                                    [email protected]
                                    #40

                                    I see. I didn't know about this. I have saved your comment; I'll come back to this in a bit.

                                    • M [email protected]

                                      Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.

                                      Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.

                                      Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?

                                      What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.

                                      If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.

                                      Thanks!

                                      [email protected]
                                      #41

                                      As others have said: It will work as you've planned it. The subnetting will keep these two PCs separated (If they still need internet, just add a second IP in your router-PC to allow for communication with this subnet).

                                      VLANs aren't required, but are more relevant when you want to force network segregation based on individual ports. If you really want to, you can add tagged virtual interfaces on these two separated hosts so that the other hosts aren't able to simply change their address to reach these. The switch should ignore the VLAN tag and pass it through anyway. But again, it's not really needed, just something you can do if you really want to play with tagged VLAN interfaces.

                                      • N [email protected]

                                        A VLAN is (theoretically) equivalent to a physically separated layer 2 domain. The only way for machines to communicate between vlans is via a gateway interface.

                                        If you don't trust the operating system, then you don't trust that it won't change its IP/subnet to just hop onto the other network, or even send packets with the other network's header and spoof packets onto the other subnets.

                                        It's trivially easy to malform broadcast traffic and hop subnets, or to use various arp table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.

                                        [email protected]
                                        #42

                                        Thank you for the great comment.

                                        This line cleared it up for me:

                                        802.1q aware switch and gateway to use VLANs effectively.

                                        It is indeed as you say. VLANs on a trunk port wouldn't really work for security either. This is making me reconsider my entire networking infrastructure, since when I started I wasn't very invested in such things. Thanks for giving me material to think about.

                                        • N [email protected]

                                          As others have said: It will work as you've planned it. The subnetting will keep these two PCs separated (If they still need internet, just add a second IP in your router-PC to allow for communication with this subnet).

                                          VLANs aren't required, but are more relevant when you want to force network segregation based on individual ports. If you really want to, you can add tagged virtual interfaces on these two separated hosts so that the other hosts aren't able to simply change their address to reach these. The switch should ignore the VLAN tag and pass it through anyway. But again, it's not really needed, just something you can do if you really want to play with tagged VLAN interfaces.

                                          [email protected]
                                          #43

                                          Thank you. In theory, is there a mechanism which will prevent other hosts from tagging their interface with a VLAN ID common with another host and spoofing traffic that way? Sorry, I need to study more about this stuff.

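The failure mode described in #35 (an untrusted host on a shared L2 segment simply reconfiguring its IP to hop into the other subnet, so the router's ACL never sees the traffic) and the question in #43 (whether a host can tag its own frames into another host's VLAN) can both be made concrete with a small simulation. The following is an added example and not code from the thread or from any project mentioned in it: host names, MAC addresses, IP addresses, port numbers and VLAN ids are all constructed. It models an unmanaged switch, which forwards purely on destination MAC and passes any 802.1Q tag through untouched, next to an 802.1Q switch whose access ports accept only untagged frames and assign them the port's VLAN (the standard ingress rule, which goes slightly beyond what the thread itself states), so a host-supplied tag on an access port is dropped rather than honoured.

```python
"""Toy model of a shared L2 segment: unmanaged switch vs 802.1Q switch.

Added illustration, not code from the forum thread. Hosts, MACs, addresses
and VLAN ids are constructed. pc_a lives in 10.0.1.0/24, pc_b in 10.0.2.0/24,
and a Linux router (10.0.1.1 / 10.0.2.1) filters between the subnets.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]  # 802.1Q tag the sender put on the wire; None = untagged
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    port: int
    received: List[Frame] = field(default_factory=list)


class DumbSwitch:
    """Unmanaged switch: forwards on destination MAC only; tags pass through."""

    def __init__(self) -> None:
        self.ports: Dict[int, Host] = {}

    def attach(self, host: Host) -> None:
        self.ports[host.port] = host

    def forward(self, ingress: int, frame: Frame) -> List[str]:
        delivered = []
        for port, host in self.ports.items():
            if port != ingress and frame.dst_mac in (host.mac, BROADCAST):
                host.received.append(frame)
                delivered.append(host.name)
        return sorted(delivered)


class VlanSwitch(DumbSwitch):
    """802.1Q switch. Access ports carry one VLAN (their PVID) and accept only
    untagged frames; the trunk port accepts only VLAN ids it is a member of.
    A frame is delivered only to ports that are members of its VLAN."""

    def __init__(self, pvid: Dict[int, int], membership: Dict[int, Set[int]]) -> None:
        super().__init__()
        self.pvid = pvid              # access port -> VLAN id
        self.membership = membership  # port -> VLAN ids it may carry

    def classify(self, ingress: int, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to, or None if the switch drops it at ingress."""
        if ingress in self.pvid:  # access port: untagged only, tag comes from the port
            return self.pvid[ingress] if frame.vlan is None else None
        if frame.vlan in self.membership.get(ingress, set()):  # trunk port
            return frame.vlan
        return None

    def forward(self, ingress: int, frame: Frame) -> List[str]:
        vlan = self.classify(ingress, frame)
        if vlan is None:
            return []
        delivered = []
        for port, host in self.ports.items():
            if (port != ingress and vlan in self.membership[port]
                    and frame.dst_mac in (host.mac, BROADCAST)):
                host.received.append(frame)
                delivered.append(host.name)
        return sorted(delivered)


def run_scenarios(make_switch: Callable[[], DumbSwitch]) -> Dict[str, List[str]]:
    """Four frames sent by pc_b (meant to live in 10.0.2.0/24) toward pc_a
    (10.0.1.0/24). Returns the hosts each frame reached. The router on
    port 3 is the only path the design intends between the two subnets."""
    sw = make_switch()
    pc_a = Host("pc_a", "02:00:00:00:00:0a", port=1)
    pc_b = Host("pc_b", "02:00:00:00:00:0b", port=2)
    router = Host("router", "02:00:00:00:00:01", port=3)
    for h in (pc_a, pc_b, router):
        sw.attach(h)
    r: Dict[str, List[str]] = {}
    # 1. Well-behaved pc_b resolves its own gateway. ARP is broadcast, so on a
    #    flat segment pc_a hears it too: the subnets share one broadcast domain.
    r["honest_arp_gateway"] = sw.forward(2, Frame(pc_b.mac, BROADCAST, None, "who-has 10.0.2.1"))
    # 2. pc_b is no longer trusted: it adds 10.0.1.20/24 to its own NIC and
    #    resolves pc_a directly. Nothing at L2 knows which subnet a port "should" be in.
    r["hop_subnet_arp"] = sw.forward(2, Frame(pc_b.mac, BROADCAST, None, "who-has 10.0.1.10"))
    # 3. With pc_a's MAC known, traffic goes host to host; the router ACL never sees it.
    r["hop_subnet_unicast"] = sw.forward(2, Frame(pc_b.mac, pc_a.mac, None, "ip 10.0.1.20 -> 10.0.1.10"))
    # 4. pc_b tags its frames with pc_a's VLAN id (a tagged sub-interface on the host).
    r["forged_tag"] = sw.forward(2, Frame(pc_b.mac, pc_a.mac, 10, "ip 10.0.1.20 -> 10.0.1.10"))
    return r


def vlan_switch() -> VlanSwitch:
    """Ports 1 and 2 are access ports in VLAN 10 and 20; port 3 is the router trunk."""
    return VlanSwitch(pvid={1: 10, 2: 20}, membership={1: {10}, 2: {20}, 3: {10, 20}})


if __name__ == "__main__":
    for label, factory in (("unmanaged switch", DumbSwitch), ("802.1Q switch", vlan_switch)):
        print(label)
        for name, reached in run_scenarios(factory).items():
            print(f"  {name:20} -> {reached or 'dropped'}")
```

On the unmanaged switch every probe reaches pc_a, including the tagged one, because the switch never looks at the tag or at IP addresses; the only thing separating the two subnets is the honesty of each host's own IP configuration. On the 802.1Q switch the untagged probes stay inside VLAN 20 (only the router trunk receives them, where the router's own filtering applies), and the tagged probe is dropped at the access port, which is the mechanism the question in #43 is asking about.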