Basic networking/subnetting question.
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
-
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
I would just get a basic layer 2 managed switch and use VLANs. The 5 port and 8 port switches are super cheap these days.
-
I would just get a basic layer 2 managed switch and use VLANs. The 5 port and 8 port switches are super cheap these days.
It's not that they are expensive, it's that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn't make sense.
-
It's not that they are expensive, it's that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn't make sense.
Put a multi port NIC in your router PC and use a separate unmanaged switch for each network then.
-
Put a multi port NIC in your router PC and use a separate unmanaged switch for each network then.
Thanks but as I mentioned that will not scale. I'm interested in if separating computers by subnets will work. Have you tried something like this?
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
Ok, so you are trusting the PCs which you need to keep separate.
There's no way to know if one of them is hoovering all the traffic from the other, if they are both connected to the same unmanaged switch.
https://youtube.com/playlist?list=PLjVwd8FlHBASO5vLBtMYNOzm8Q9DegSjO
-
Thanks but as I mentioned that will not scale. I'm interested in if separating computers by subnets will work. Have you tried something like this?
It's been a long time since I actually used subnets, but IIRC you will need a physical interface for each network on the router regardless.
So let's say you set up your /24 network into 2x /25's, you will need an interface for the .0 network, and another for the .128 network
If you just have an interface for the switch, and another for the WAN connection, I don't think subnetting will work for what you're trying to do
-
I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
Ok, so you are trusting the PCs which you need to keep separate.
There's no way to know if one of them is hoovering all the traffic from the other, if they are both connected to the same unmanaged switch.
https://youtube.com/playlist?list=PLjVwd8FlHBASO5vLBtMYNOzm8Q9DegSjO
The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn't mention it because I didn't think it was important.
I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
One of the PCs can spoof the MAC of the other and receive its Ethernet frames.
-
It's been a long time since I actually used subnets, but IIRC you will need a physical interface for each network on the router regardless.
So let's say you set up your /24 network into 2x /25's, you will need an interface for the .0 network, and another for the .128 network
If you just have an interface for the switch, and another for the WAN connection, I don't think subnetting will work for what you're trying to do
Hmm, so virtual interfaces on the router won't work? I admit I'm a bit stumped, would you be able to give me an ELI5 on why this is the case? I will try and read up more, of course
-
One of the PCs can spoof the MAC of the other and receive its Ethernet frames.
Thank you for that. I'd also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?
-
Thank you for that. I'd also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?
That would be worse, because then it would send and receive traffic for multiple vlans.
Unless your switch uses that to refer to link aggregation instead of vlan trunking. Network terminology like that can mean different things to different vendors.
-
The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn't mention it because I didn't think it was important.
I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?
You are basically asking for people to solve a solved problem, there's no actual need for keeping the PCs separate since you control them both, and oh and you want it done cheap. A bespoke custom solution will not scale regardless of whether you need it to or not, you should know that.
https://hometechhacker.com/great-choices-for-opnsense-hardware/
A firewall device with as many ports as you need is your best bet.
-
That would be worse, because then it would send and receive traffic for multiple vlans.
Unless your switch uses that to refer to link aggregation instead of vlan trunking. Network terminology like that can mean different things to different vendors.
I'm using Cisco terminology so it likely means VLAN trunking unfortunately (unless I missed something)
-
You are basically asking for people to solve a solved problem, there's no actual need for keeping the PCs separate since you control them both, and oh and you want it done cheap. A bespoke custom solution will not scale regardless of whether you need it to or not, you should know that.
https://hometechhacker.com/great-choices-for-opnsense-hardware/
A firewall device with as many ports as you need is your best bet.
asking for people to solve a solved problem
Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don't control at all. Heck, even Mikrotik who has a good rapport with this community uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I'm surprised I do not see more dialogue on improving the situation.
Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I'm sure you've heard of the clustering features in PFSENSE/OPNSENSE/DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I'm going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.
This is why I'm trying to find a simpler solution. The solution that you mention doesn't seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.
-
asking for people to solve a solved problem
Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don't control at all. Heck, even Mikrotik who has a good rapport with this community uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I'm surprised I do not see more dialogue on improving the situation.
Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I'm sure you've heard of the clustering features in PFSENSE/OPNSENSE/DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I'm going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.
This is why I'm trying to find a simpler solution. The solution that you mention doesn't seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.
Not liking the solution you have doesn't mean you don't have a solution.
Anyway, watch the playlist I sent, it's a great overview of the OSI model with some other stuff. You mentioned not understanding some layers, once you do you will understand the limitations of the hardware you have.
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
Have you looked into Tailscale or an equivalent solution like Netbird?
You could set up a tailnet, create unique tags for each machine, add both machines to the tailnet, and then set up each machine's network interface to only go through the tailnet.
Then you just use Tailscale's ACLs with the tags to isolate those machines, making sure they can only talk to whatever central device(s) or services you want them to, but also stopping them from talking to or even seeing each other.
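The tag-based ACL idea in this reply, worked through as an added example that is not part of the thread. The policy, the node inventory and the evaluator below are constructed for illustration and are only modelled on the shape of a Tailscale/Headscale policy file ("src" lists tags, "dst" entries are "tag:port", accept-only rules, everything else denied); they are not Tailscale's own code, and the real policy language has more source kinds than plain tags. The `cross_talk` check is the piece a defender wants: it enumerates the pairs of supposedly isolated machines that a policy still lets talk, and is shown against a tight policy and a loose one.

```python
"""Toy default-deny evaluator for a tag-based ACL (constructed example)."""

# Constructed policy: both PCs may reach the server on 443, an admin box may
# reach each PC on 22, and nothing else is listed, so nothing else is allowed.
POLICY = {
    "tagOwners": {
        "tag:pc-a": ["autogroup:admin"],
        "tag:pc-b": ["autogroup:admin"],
        "tag:server": ["autogroup:admin"],
        "tag:admin": ["autogroup:admin"],
    },
    "acls": [
        {"action": "accept", "src": ["tag:pc-a", "tag:pc-b"], "dst": ["tag:server:443"]},
        {"action": "accept", "src": ["tag:admin"], "dst": ["tag:pc-a:22", "tag:pc-b:22"]},
    ],
}

# The kind of "anyone to anything" policy that silently undoes the isolation.
LOOSE_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

# Constructed node inventory: node name -> tags it was enrolled with.
NODES = {
    "pc-a": {"tag:pc-a"},
    "pc-b": {"tag:pc-b"},
    "srv": {"tag:server"},
    "admin-box": {"tag:admin"},
}


def _port_ok(spec, port):
    """Port part of a dst entry: "*", "443", "80,443" or "1000-2000"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def allowed(policy, nodes, src, dst, port):
    """Default deny: True only if some accept rule matches src tag, dst tag and port."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(s == "*" or s in nodes[src] for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            target, _, ports = entry.rpartition(":")   # "tag:server:443" -> tag, port
            if (target == "*" or target in nodes[dst]) and _port_ok(ports, port):
                return True
    return False


def cross_talk(policy, nodes, isolated, ports=(22, 80, 443, 3389)):
    """Defender's check: (src, dst, port) triples where two nodes that are meant
    to be isolated from each other can still connect under this policy."""
    return sorted(
        (s, d, p)
        for s in isolated
        for d in isolated
        if s != d
        for p in ports
        if allowed(policy, nodes, s, d, p)
    )


if __name__ == "__main__":
    print("pc-a -> srv:443 ", allowed(POLICY, NODES, "pc-a", "srv", 443))
    print("pc-a -> pc-b:443", allowed(POLICY, NODES, "pc-a", "pc-b", 443))
    print("tight policy leaks:", cross_talk(POLICY, NODES, ["pc-a", "pc-b"]))
    print("loose policy leaks:", cross_talk(LOOSE_POLICY, NODES, ["pc-a", "pc-b"]))
```

Running it shows the tight policy yields an empty leak list while the loose one lists both directions between the two PCs; that is the kind of assertion worth keeping in a test whenever the policy file is edited.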
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
If computers are in the same network, even with different IP addresses, they can still see all broadcast and multicast traffic. This means, for example, DHCP.
If you fully trust your computers, and are sure that no external party can access any of them, you should be fine. But if anyone can gain access to any computer, it is trivial to gain access to all networks.
If you need the best security, multiple switches and multiple NICs are unfortunately the only really secure solution.
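A toy model of the design asked about at the top of the thread (two PCs with addresses from different /25 subnets on one unmanaged switch, a Linux router holding both subnets on a single interface with a filter between them) and of the broadcast-domain point made in this reply. This is an added example, not code from the thread: the switch, router, MAC addresses and 192.168.0.0/24 addresses are a constructed simulation, not a real network stack. It shows three things a practitioner wants to see before choosing this layout: a switch forwards by MAC and never reads the IP header, so a broadcast (ARP, DHCP discover) from one PC reaches the other; a frame addressed straight to the other PC's MAC is delivered without the router's inter-subnet rule ever being consulted; and only traffic a host chooses to send via the router's MAC hits that rule. The same model with 802.1Q access ports in two VLANs confines the flooding to one VLAN.

```python
"""Toy learning switch, VLAN access ports and a one-interface router with an
inter-subnet filter (constructed example, not a real network stack)."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Host:
    name: str
    mac: str
    cidr: str                    # constructed address, e.g. "192.168.0.10/25"
    received: list = field(default_factory=list)

    def deliver(self, frame):
        self.received.append(frame)


class Switch:
    """Learning switch: forwards by destination MAC inside one broadcast domain
    (a VLAN) and never reads the IP header, so two PCs holding addresses from
    different subnets still share one L2 segment on an unmanaged switch."""

    def __init__(self, port_vlan=None):
        # port -> VLAN id on a managed switch; {} models the unmanaged switch in
        # the thread, where every port sits in one untagged domain (vlan None)
        self.port_vlan = port_vlan or {}
        self.ports = {}          # port -> attached Host
        self.fdb = {}            # (vlan, mac) -> port, learned from source MACs

    def attach(self, port, host):
        self.ports[port] = host

    def ingress(self, port, frame):
        vlan = self.port_vlan.get(port)
        self.fdb[(vlan, frame.src_mac)] = port
        learned = self.fdb.get((vlan, frame.dst_mac))
        if frame.dst_mac == BROADCAST or learned is None:
            # broadcast and unknown unicast are flooded to the rest of the VLAN
            out = [p for p in self.ports if p != port and self.port_vlan.get(p) == vlan]
        else:
            out = [learned]
        for p in out:
            self.ports[p].deliver(frame)


class Router(Host):
    """Linux-box router with two subnets on ONE interface and a forward filter
    that drops packets moving between its own subnets. The filter only ever
    sees packets that a host chose to send to the router's MAC."""

    def __init__(self, name, mac, subnets):
        super().__init__(name, mac, subnets[0])
        self.nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
        self.forwarded, self.dropped = [], []

    def deliver(self, frame):
        super().deliver(frame)
        src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
        src_net = next((n for n in self.nets if src in n), None)
        dst_net = next((n for n in self.nets if dst in n), None)
        if src_net is not None and dst_net is not None and src_net != dst_net:
            self.dropped.append(frame)       # inter-subnet traffic: policy says drop
        else:
            self.forwarded.append(frame)


def build_lab(vlans):
    """pc-a, pc-b and the router on one switch. With vlans=True the PC ports are
    access ports in VLAN 10 and 20 (router left in VLAN 10; trunking omitted)."""
    a = Host("pc-a", "02:00:00:00:00:0a", "192.168.0.10/25")
    b = Host("pc-b", "02:00:00:00:00:0b", "192.168.0.140/25")
    r = Router("router", "02:00:00:00:00:01", ["192.168.0.1/25", "192.168.0.129/25"])
    sw = Switch({1: 10, 2: 20, 3: 10} if vlans else None)
    for port, host in ((1, a), (2, b), (3, r)):
        sw.attach(port, host)
    return a, b, r, sw


def broadcast_listeners(vlans):
    """Names of the nodes that hear pc-a's broadcast (ARP request, DHCP discover)."""
    a, b, r, sw = build_lab(vlans)
    sw.ingress(1, Frame(a.mac, BROADCAST, "0.0.0.0", "255.255.255.255"))
    return sorted(h.name for h in (b, r) if h.received)


def direct_unicast_arrives(vlans):
    """pc-a frames pc-b's MAC directly; the router's filter is never in the path."""
    a, b, r, sw = build_lab(vlans)
    sw.ingress(1, Frame(a.mac, b.mac, "192.168.0.10", "192.168.0.140"))
    return bool(b.received)


def routed_unicast_dropped():
    """The same IP packet sent via the router's MAC does hit the filter."""
    a, b, r, sw = build_lab(vlans=False)
    sw.ingress(3, Frame(r.mac, BROADCAST, "192.168.0.1", "255.255.255.255"))  # switch learns port 3
    sw.ingress(1, Frame(a.mac, r.mac, "192.168.0.10", "192.168.0.140"))
    return bool(r.dropped) and not any(f.src_mac == a.mac for f in b.received)


if __name__ == "__main__":
    print("broadcast heard by, unmanaged:", broadcast_listeners(False))
    print("broadcast heard by, VLANs:    ", broadcast_listeners(True))
    print("direct frame reaches pc-b, unmanaged:", direct_unicast_arrives(False))
    print("direct frame reaches pc-b, VLANs:    ", direct_unicast_arrives(True))
    print("routed packet dropped by filter:", routed_unicast_dropped())
```

The router's filter does its job for the one path that goes through it, which is exactly why the thread's answer is that subnets alone do not separate the two PCs: the switch is unaware of the subnets, and only separate VLANs (or separate switches and NICs) stop the flooding from reaching the other machine.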
-
Have you looked into Tailscale or an equivalent solution like Netbird?
You could set up a tailnet, create unique tags for each machine, add both machines to the tailnet, and then set up each machine's network interface to only go through the tailnet.
Then you just use Tailscale's ACLs with the tags to isolate those machines, making sure they can only talk to whatever central device(s) or services you want them to, but also stopping them from talking to or even seeing each other.
I never considered Tailscale for my LAN, but it's certainly an intriguing idea. I suppose running Headscale as a VM on my router isn't that difficult. Thank you, I will think about it a bit more
-
If computers are in the same network, even with different IP addresses, they can still see all broadcast and multicast traffic. This means, for example, DHCP.
If you fully trust your computers, and are sure that no external party can access any of them, you should be fine. But if anyone can gain access to any computer, it is trivial to gain access to all networks.
If you need the best security, multiple switches and multiple NICs are unfortunately the only really secure solution.
No, I do not trust my computers that much. Quite unfortunate, really, that I'll have to build a whitebox switch to get what I want