1/27/2024 0 Comments Verizon router removem vlan![]() This is generally done by having a separate IP address per VLAN on the router, with each address in the associated subnet used by the VLAN. Thus even if you have a router, the machines won't know to speak to it when trying to reach other machines, and indeed won't be able to see it in most cases.Īn untagged port can be viewed as a port with a "default" tag - when you have a port with multiple tags, it carries the data inside tagged packets, so the router needs to know how to remove the tags for data to be interpreted. You really need subnets and routing - if you put machines on different vlans in the same subnet they will not be able to find or talk to each other. ![]() If you think of each VLAN as a virtual unmanaged switch you will be well on your way to understanding the problem - it either the ports are connected and can freely transmit to each other, or they are not connected and can't see each other - there are no half measures. There are multiple reasons for this, one of which is that your server needs internet access while not being being directly accessible to other devices which also need Internet access, meaning a router/firewall is needed to interface the 2 types of devices. You can't do this without a VLAN capable router/firewall. Is this an appropriate configuration for my goals, or do I need to change things or introduce more equipment to properly isolate and secure the network? Is there any problem if it actually does handle tags (e.g., insecure defaults) or if it doesn't (e.g., allows routing between VLANs due to lack of knowledge about them)? My router is the standard Verizon router, and I don't know how it handles VLAN tagging (probably not at all?). Does the combination of untagged and pvid=X prevent this sort of behavior? Would a VLAN tag of 10 get rejected from a port other than Port 1 with this setup? Is this a problem? It seems like maybe someone could use this VLAN to hop VLANs (e.g., compromised server to access home machines, or home machines to access sensitive data machine). In my setup, I also use VLAN 10 across nearly all ports as a way to allow Internet access. For example, could different devices on different VLANs get the same IP address, and if so, would this be a problem? My understanding is that this is OK because they can't access each other, but if they both send Internet requests could the responses get mixed up? I only have ~20 devices, so there is no issue with size, but I'm curious if there are other issues. ![]() ![]() Use tagging-aware router to filter traffic across VLANs.Access ports (e.g., 2-47) should be members of a single VLAN.However, I've read some best practices such as the following: When I set the switch up this way things seem to work, in the sense that I can access the Internet from machines on ports 2-47, I can access the server (through the external facing IP address of the router) from other VLANs, and I can't seem to access any other machines across VLANs. The router uses DHCP to assign IP addresses to the rest of the machines. In addition, the router is configured to forward port 80 to the server machine, which has a static IP address. 48: untagged, pvid=50 (connected to switch management machine).47: untagged, pvid=40 (connected to sensitive data machine).3 - 46: untagged, pvid=30 (connected to home machines).2: untagged, pvid=20 (connected to server).1: untagged, pvid=10 (connected to Internet router).40: ports 1 and 47 (sensitive data machine).Restrict switch management to a single port.Isolate computer used for sensitive data from rest of network.Isolate Internet-accessible server from rest of network to prevent compromised server from attacking internal nodes.I just want separation, and I want to know if I can do everything with a single managed switch. I've read other related questions/answers, but they have different requirements that get into VLAN routers or other equipment because they want different VLANs to talk to each other. I would like to provide some separation of devices in my home network using a managed switch.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |