Basic networking/subnetting question.
-
Sorry for being such a noob. My networking is not very strong, thought I'd ask the fine folks here.
Let's say I have a Linux box working as a router and a dumb switch (i.e. L2 only). I have 2 PCs that I would like to keep separated and not let them talk to each other.
Can I plug these two PCs into the switch, configure their interfaces with IPs from different subnets, and configure the relevant sub-interfaces and ACLs (to prevent inter-subnet communication through the router) on the Linux router?
What I'm asking is: do I really need VLANs? I do need to segregate networks but I do not trust the operating systems running on these switches which can do L3 routing.
If you have a better solution than what I described which can scale with the number of computers, please let me know. Unfortunately, networking below L3 is still fuzzy in my head.
Thanks!
I've done this. I have 3 subnets on a single L2 switch without VLANs, and the device isolation works. There are a few caveats:
- I used a 4-port NIC on my router so I could have each subnet on its own interface. They all go directly into the L2 switch.
- You can only have one DHCP server broadcasting. If you have two, there is no way of predicting which subnet you land on.
- My guest subnet is only accessible via Wifi. I have specifically set up my access points so that a particular SSID is assigned to a particular subnet. The access point can broadcast DHCP on a single SSID.
- My third subnet is for my security cameras. It's IPv6-only, and each camera has a static IP address. There is no DHCP. It means my cameras never physically use the same cables as my primary LAN, although they are on the same L2 switch.
All traffic between subnets seems to go through the router, so I have some nftables rules to ensure my guest wifi can only see its own subnet and the public internet.
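The router-side part of the setup described in this reply, as an added example that is not code from the thread: a small script that generates an nftables ruleset for a router with one NIC port per subnet (LAN, guest, cameras) plus an upstream port, with forwarding default-drop so the guest subnet can only reach the internet and the camera subnet can only answer the LAN. Interface names are assumed placeholders; these rules only govern traffic the router forwards.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names below are assumptions.
WAN_IF="eth0"     # upstream / public internet
LAN_IF="eth1"     # primary LAN
GUEST_IF="eth2"   # guest Wi-Fi subnet
CAM_IF="eth3"     # IPv6-only camera subnet (inet family covers v4 and v6)

# Print a complete ruleset for `nft -f -`. The forward chain is default-drop,
# so only the subnet pairs listed here can talk to each other via the router.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN may reach the internet and the cameras
    iifname "$LAN_IF" oifname { "$WAN_IF", "$CAM_IF" } accept
    # guest Wi-Fi: internet only, never another local subnet
    iifname "$GUEST_IF" oifname "$WAN_IF" accept
    # cameras never initiate anything; they only answer LAN connections
    iifname "$CAM_IF" drop
  }
}
EOF
}

# Count explicit accept rules so an edit that quietly opens a path is noticed.
count_accepts() { gen_ruleset | grep -c ' accept$'; }

# Syntax-check first, then load. Needs root and the nft binary.
apply_ruleset() { gen_ruleset | nft -c -f - && gen_ruleset | nft -f -; }

if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run with `./script.sh apply` on the router to load the rules; without an argument it only defines the functions.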
-
Thank you. Now I just need to learn to do all of this on Linux/BSD lol
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
You create a device called interface.vlanid
Something like eth0.1
-
Ooh, would it be similar on other Linux distros/Unixes? I'm trying to decide between Debian, VyOS, Alpine and OpenBSD for my main firewall. All of them have strengths but I think it'll be between VyOS and OpenBSD for me.
-
Anything that uses the Linux kernel
I would strongly suggest OpenWRT
-
You don't have to apologize for being a noob, we were all once noobs (& we still are to some extent)