VLAN tagging for home network security?
January 8, 2023 2:22 PM

So we’re building a new home, and I’m wiring it up for combined Cat6 / Wi-Fi, and I’d like to isolate my POE security cameras and various IOT devices from the rest of the LAN.

I understand that creating separate VLANs accomplishes this, but I don’t get how I can communicate with all the various VLANs from a single client device like my iPhone or laptop.

What I’ve read so far:
https://stevessmarthomeguide.com/vlans-home-networks/
https://thesmarthomejourney.com/2021/07/19/vlan-secure-smarthome-network/

Thanks in advance!
posted by ZakDaddy to Computers & Internet (7 answers total) 2 users marked this as a favorite
 
Hello,

There are ways to do this, but it depends on the equipment you are using for your network. Your router/gateway needs to have capabilities to create and manage VLANs. With sophisticated access rules, you can isolate devices on a VLAN but allow one way access. For example, all of your security cameras could be on a VLAN that cannot see or communicate to other VLANs. However, you can allow other devices to initiate traffic into the camera VLAN, and allow responses.

I have a setup using Ubiquiti’s UniFi network gear to achieve this for both wired and wireless devices. More info here. https://help.ui.com/hc/en-us/articles/9592924981911

If you provide more info about your current equipment, more specific responses are possible. Or if you are looking for new equipment, and can manage some complexity, you should take a look at UniFi products.
posted by sol at 2:49 PM on January 8, 2023 [1 favorite]


Like what sol said, it's not the vlan that creates security. It's that the vlan allows you to easily create a network that you can stop communicating with the rest of your network, or the internet, or whatever.

Adding a vlan introduces a lot of complexity. Will you put your TV on a separate vlan from your phones, laptops, and stuff? You may find casting to your TV on another subnet difficult, needing special software to enable it.

I often consult with customers on the security of their complex, multilayered applications. I don't think "vlans" give protective benefit for the home network that makes up for the added complexity.
posted by Geckwoistmeinauto at 3:01 PM on January 8, 2023 [2 favorites]


I did this with a Unifi Edgerouter and Unifi APs. It was a bit of a slog in that I'm not a network engineer, I just know the basic lingo and TCP routing. 10-20 hours later of Youtube clips, setting up the Unifi controller and the Edgerouter and I had separate SSIDs for different purposes. Doesn't mean I really have a handle on it.

It seems to me most modern mesh router systems will have a way to set up a guest SSID for IOT devices. Those devices can then talk to the Internet but cannot ping or see traffic on the trusted SSID network.

If your service is cloud-based, you're good to go. If you need to have a device on your trusted LAN access a device on the IOT SSID, then that's where you need to do a port map where you open up the untrusted network on selected ports and static IPs.

It seems to me VLANs are an overly complicated way to do this. Because I'm invested in Unifi and like to tinker, that's where I ended up. The Unifi APs are not routers (unless you get a DreamMachine), so I had to do a VLAN to route multiple SSIDs.

YMMV.
posted by diode at 5:37 PM on January 8, 2023


Response by poster: Thanks y’all. This is good info.

Equipment is a Ubiquiti Edge X router and Brocade ICX6610 POE switch, so I have some programmability.

Cameras are 4 x Reolink and 1 x Amcrest, with a Nest doorbell.

The guest SSID idea for IOT stuff is a good one, but the cameras are hardwired; I don’t want them sending traffic anywhere but to my local recording server / laptop / mobile phone. Hopefully that helps to clarify.

And yes, I totally understand being 20 hours deep into YouTube videos and not really having a handle on it, lol. With any luck I can avoid some of that by asking here.
posted by ZakDaddy at 6:00 AM on January 9, 2023


Best answer: I understand that creating separate VLANs accomplishes this, but I don’t get how I can communicate with all the various VLANs from a single client device like my iPhone or laptop.

The best way to think of VLANs is as a way to pretend that you own more network cabling and Ethernet switches than you actually do.

For example, before VLANs were a thing, if you wanted to set up two separate LANs inside your home, you'd install separate Ethernet switches and physically separate cable runs for each of them. In your central closet you'd need two distribution switches instead of just one; you'd need two network outlets in each room instead of just one, and if you wanted to run multiple devices off any of those outlets you'd need separate edge switches for each outlet to do that.

Let's call the resulting physically isolated networks LAN A and LAN B. No traffic appearing on LAN A would ever make it to LAN B, and vice versa, because no connection physically exists over which such traffic could flow. So if you wanted to be able to control or monitor something connected to LAN B from a device connected to LAN A, you'd need to make such a connection.

If you were extremely naive you'd just get a patch cable and wire one of the LAN A outlets to a LAN B outlet. But now, Ethernet being what it is, all you've done is amalgamated your two LANs into one, making any device on any Ethernet outlet reachable from any other with no filtering whatsoever. You might as well never have bothered with the duplicated switches and cables to begin with.

So what you do instead is put a router somewhere in your network, with two Ethernet interfaces on it, one of which you patch to LAN A and the other to LAN B. The router will not mindlessly shovel traffic from one interface to the other the way an Ethernet switch would do. Instead, it will (a) manage each LAN as a separate IP subnet, each with its own separate range of IP addresses and (b) selectively forward traffic from one to the other as required, on the basis of Internet Protocol address forwarding and filtering rules set up by the router administrator.

With VLANs you do essentially the same thing, except that (a) the distribution switches in your central closet get combined into a single physical box (b) you need only one cable running from the distribution switch to each edge outlet and (c) the paired edge switches also get replaced with single physical boxes. And all the switches are now VLAN-aware.

Now you can do things like tell an Ethernet switch that e.g. its ports 1..3 belong exclusively to VLAN A, its ports 4..7 belong exclusively to VLAN B, and its port 8 belongs to both and carries tagged traffic back to the distribution switch. The way to think of any Ethernet interface and associated cabling that carries tagged traffic is as logically equivalent to a big thick bundle of separate cables, each one carrying only traffic tagged with one specific VLAN ID, that automatically plug themselves into the correct places at each end of the connection. You still get only one cable's worth of bandwidth, but you get potentially very large numbers of cables' worth of traffic isolation.

Typically the distribution switch would have all its Ethernet ports configured to belong to all VLANs and therefore also carry tagged traffic, you'd have one port on each edge switch set up as tagged as well, and that's the port you'd wire back to the distribution switch.

But say you had a room containing Ethernet outlets that people might fiddle with, and the intended use for those outlets was to provide connectivity for general purpose devices like desktops and laptops and printers and Internet gateways, and you wanted to make sure that nothing in that room could ever exchange traffic with any of your IoT devices except via rules defined in the router, no matter how malicious or incompetent are the people fiddling with what's plugged in where. In that case you could configure the distribution switch port connected to that room to belong to only the general purpose VLAN, and completely turn off all the VLAN functionality in that room's own edge switch, or even put a dumb non-managed switch in there that doesn't even support VLANs. That would work too.

So what you have now is a situation where you can set up any port on any edge switch as belonging exclusively to a particular VLAN; and the only traffic that you will ever see going in or out of that port will be for devices connected to other switch ports, wherever they might physically exist in the network, that also belong exclusively to that same VLAN. And instead of just your two separate physical LANs you can create up to four thousand separate VLANs if you want them, which is going to be enough isolation capability for most use cases.

And for traffic that does need to cross VLAN boundaries you still need that router, which does exactly the same job as would need to be done if the VLANs were instead physically separate.

You could even keep on using multiple Ethernet interfaces on the router, with each one patched back separately to its own dedicated port on the distribution switch, each such port having been set up to belong exclusively to just one of your VLANs. If you did that, then the router would have no way to know you were even using VLANs instead of physically separate networks, and your existing two-networks configuration would Just Work.

But pretty much any decent router is going to be able to support VLANs internally, which lets you use just one physical Ethernet interface on the router, connect it to a distribution switch port that's been set up to belong to multiple VLANs and therefore carry tagged traffic, and have the router split that across multiple virtual internal Ethernet interfaces, each one corresponding to one particular VLAN tag. Then you set up packet forwarding and distribution rules between those virtual interfaces that work the same way as those between the multiple physical interfaces in the multiple-patch-cables scenario.

This is particularly advantageous for routers like Ubiquiti's that also manage WiFi devices. It should be possible to set up multiple wireless SSIDs inside such a router and have each such SSID connect only to a specific VLAN. That way you end up with VLANs that can have both WiFi and Ethernet ports attached, which you're probably going to want for cameras and whatnot. With suitable configuration in the Ethernet switches, the Ethernet ports for that VLAN could potentially end up being any switch port in any room in your house.

So yeah, using VLANs does make your network more conceptually complicated, and it does mean that you'll really really really want to maintain an accurate document that shows you which switch port(s) in which room(s) belong to which specific VLANs and which have been configured as tagged distribution trunks. But it also means that as far as physical wiring for each room goes, you can get away with running just one Cat6 cable from your central distribution closet to one outlet in each room, into which you then plug a VLAN-aware edge switch. D-Link and TP-Link both make "web smart" switches that can do VLAN stuff and the five-, eight- and sixteen-port versions of those cost not much more than their "dumb" unmanaged relatives.

VLANs are way cool. I like, use and recommend them. But it really really helps to have a good idea of the differences between Layer 2 and Layer 3 networking, and a good idea of how the whole tagging business actually works. The Wikipedia articles on 802.1q and VLANs, the Network Fundamentals YouTube channel, and anything by Radia Perlman are good places to start.
posted by flabdablet at 7:54 AM on January 9, 2023 [7 favorites]
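As an added illustration of the tagging mechanics in the answer above (this is not code from the post, and not any switch vendor's firmware), here is a small Python model of an 802.1Q tag and a VLAN-aware edge switch laid out the way flabdablet describes: ports 1..3 belong only to VLAN A (VID 10), ports 4..7 only to VLAN B (VID 20), and port 8 is the tagged uplink back to the distribution switch. All MAC addresses, VIDs and payloads are constructed. Forwarding is done per VLAN, so a frame entering on a VLAN A port can only ever leave through other VLAN A ports or, tagged, through the uplink; `set_access_vlan` is the "re-patch this port into another VLAN" operation.

```python
"""Toy model of 802.1Q tagging and a VLAN-aware edge switch.

Added example for this thread, not code from the original post or from any
switch vendor. Port numbers, VLAN IDs, MAC addresses and payloads are
constructed; the layout follows the answer: ports 1-3 in VLAN A (VID 10),
ports 4-7 in VLAN B (VID 20), port 8 a tagged uplink carrying both."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag follows the MACs
ETHERTYPE_IPV4 = 0x0800    # the "real" ethertype carried in every constructed frame

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise a frame; with vlan set, insert an 802.1Q tag after the two MACs.
    untagged: dst(6) src(6) ethertype(2) payload
    tagged:   dst(6) src(6) 0x8100(2) TCI(2) ethertype(2) payload
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); VID 0 and 4095 are reserved."""
    hdr = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is None:
        return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vlan
    return hdr + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload

def parse_frame(raw: bytes) -> Tuple[str, str, Optional[int], bytes]:
    """Return (dst, src, vid or None, payload); the tag, if present, is removed."""
    dst, src = _mac_str(raw[0:6]), _mac_str(raw[6:12])
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return dst, src, tci & 0x0FFF, raw[18:]      # skip TCI and the inner ethertype
    return dst, src, None, raw[14:]

@dataclass
class Port:
    access_vlan: Optional[int] = None            # untagged member of exactly one VLAN
    tagged_vlans: FrozenSet[int] = frozenset()   # VLANs carried with tags (uplink)

class Switch:
    """Learning switch whose MAC table and flooding are scoped to one VLAN at a time."""
    def __init__(self) -> None:
        self.ports: Dict[int, Port] = {}
        self.mac_table: Dict[Tuple[int, str], int] = {}   # (vid, mac) -> port learned on

    def set_access_vlan(self, n: int, vid: int) -> None:
        """Move a port into another VLAN, like unplugging it and re-patching it elsewhere."""
        self.ports[n] = Port(vid)
        self.mac_table = {k: p for k, p in self.mac_table.items() if p != n}  # forget stale entries

    def receive(self, ingress: int, raw: bytes) -> Tuple[Optional[int], List[Tuple[int, bytes]]]:
        """Classify, learn, forward. Returns (vid, [(egress port, frame exactly as sent)])."""
        dst, src, vid, payload = parse_frame(raw)
        p = self.ports[ingress]
        if vid is None:
            vid = p.access_vlan                   # untagged frames take the port's access VLAN
            if vid is None:
                return None, []                   # untagged frame on a tagged-only uplink: drop
        elif vid not in p.tagged_vlans:
            return None, []                       # tag for a VLAN this port does not carry: drop
        self.mac_table[(vid, src)] = ingress
        known = self.mac_table.get((vid, dst))
        if known == ingress:
            return vid, []                        # destination sits behind the ingress port: filter
        candidates = [known] if known is not None else [n for n in self.ports if n != ingress]
        out = []
        for n in candidates:
            q = self.ports[n]
            if q.access_vlan == vid:
                out.append((n, build_frame(dst, src, payload)))            # access port: strip tag
            elif vid in q.tagged_vlans:
                out.append((n, build_frame(dst, src, payload, vlan=vid)))  # uplink: send tagged
        return vid, out

def build_edge_switch() -> Switch:
    """The room switch from the answer: 1-3 VLAN A, 4-7 VLAN B, 8 tagged uplink."""
    sw = Switch()
    sw.ports.update({n: Port(access_vlan=10) for n in (1, 2, 3)})
    sw.ports.update({n: Port(access_vlan=20) for n in (4, 5, 6, 7)})
    sw.ports[8] = Port(tagged_vlans=frozenset({10, 20}))
    return sw

if __name__ == "__main__":
    sw = build_edge_switch()
    vid, out = sw.receive(1, build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"who has 10.0.10.1?"))
    print(f"broadcast in on port 1 (VLAN {vid}) leaves on:", [(n, parse_frame(f)[2]) for n, f in out])
```

Running the module floods the broadcast from port 1 to ports 2 and 3 untagged and to port 8 tagged with VID 10, and never to ports 4..7; a frame arriving on port 8 tagged with a VID the uplink is not configured for is dropped, as is an untagged frame on the uplink. After `set_access_vlan(1, 20)` the same host's broadcasts reach only the VLAN B ports, which is the whole point of the answer: isolation comes from port membership, not from anything the host does.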


Response by poster: That. Was. Amazing. I’m smarter than I was five minutes ago.

I still have a lot more reading to do, lol. Thank you!
posted by ZakDaddy at 2:14 PM on January 9, 2023


Best answer: If you want to give your laptop temporary access to your IoT VLAN without creating any possibility of perhaps-exploitable cross-VLAN router misconfiguration, you can do that simply by telling whichever edge switch your laptop is patched back to that the port it's connected to now belongs to the IoT VLAN instead of the one that the laptop would normally use.

This is logically equivalent to physically unplugging the laptop's Ethernet cable from the LAN it normally connects to, and plugging it into another outlet wired only to the IoT LAN instead. Much more straightforward, and much less error prone, than setting up packet forwarding and/or application-level relay servers inside a router.

You could do much the same thing with phones, if you set up per-VLAN WiFi SSIDs. Just disconnect from the normal SSID and connect to the IoT one instead. Best practice would be to use different WPA2 keys for each of those and forget the IoT connection when you're done with it, just to make sure the phone won't ever end up connected to the IoT VLAN by accident.

If the use case for VLANs at your site is to create an isolated LAN-only network with no Internet connection, so that IoT devices on that network will be able to talk amongst themselves but won't be able to call home to their motherships, nor UPnP their way to a presence on the public Internet, nor in fact to talk to anything at all outside their own little isolated LAN, but you need to use the laptop to set those devices up as you install them, then this is a way that you could achieve that.

You'd probably still want a DHCP server and perhaps an NTP server connected to the sandbox VLAN, but you'd configure it without a default gateway, and the only DNS service available would be the one your router's DHCP server uses to publish the names of the hosts it allocates DHCP leases to.

And you could set up other VLANs - perhaps even one per device vendor, if you wanted to e.g. stop a hacked thermostat from ever being able to talk to your door locks and/or security cameras - that do have an Internet gateway available, but set up never to loop IoT VLAN traffic back into any of your other VLANs, so the only thing an IoT device can use the gateway for is talking to the outside world.

Point is, though, you really do only need one run of Cat6 from the central closet to one Ethernet jack per room, provided you're happy to put an edge switch in each room and always connect via that. This makes the physical part of installing the network very forgiving: you can cater to a lot of unanticipated needs later on, purely by fooling with switch configuration settings, rather than needing to pull extra cables.

If you spend a bit of extra money to buy Power over Ethernet (PoE) versions of your switch gear, your edge switches won't even need a wall wart each - they can be powered from the grunty central PoE supply built into the distribution switch, over the same Cat6 cable that connects them back to the closet.

That said, if you're going to the trouble of running conduit through your walls, use oversize conduit with nice easy bends, and put some pull strings in there alongside the Cat6 - mainly because once the upgrade treadmill has made it de rigueur to consume all video content in 1024K Every Pore A Moon Crater O Rama, you might at some point want to pull fibre. And you might want some Ethernet outlets inside your ceiling space as well, perhaps adjacent to light fixtures or perhaps just mounted high in corners to allow for e.g. connection of PIR sensors.
posted by flabdablet at 4:43 AM on January 10, 2023 [1 favorite]
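The router side of the picture, as described in sol's answer ("allow other devices to initiate traffic into the camera VLAN, and allow responses") and in the answer above (IoT VLANs whose gateway never loops traffic back into other VLANs, plus a sandbox VLAN with no gateway at all), as an added Python model. This is not code from the posts and not EdgeOS or any vendor's configuration; the VLAN IDs, subnets, host addresses and the 203.0.113.10 "cloud" address are constructed. The model keeps one zone per VLAN sub-interface, drops everything between zones by default, allows only listed zone pairs to open new flows, and tracks those flows so that replies are accepted without cameras or IoT devices ever being able to start a conversation toward the trusted side.

```python
"""Toy model of a stateful inter-VLAN policy on the home router.

Added example for this thread, not from the posts or from any router vendor.
One zone per VLAN sub-interface, default deny between zones, an allow-list of
zone pairs that may open new flows, and a flow table so replies get back.
All VLAN IDs, subnets and addresses are constructed."""
import ipaddress
from typing import List, Set, Tuple

# VLAN id -> (zone name, subnet). Anything outside these subnets is reached via the
# default route, which this model simply calls the "internet" zone.
VLANS = {
    10: ("trusted", ipaddress.ip_network("10.0.10.0/24")),   # laptops, phones, recorder
    20: ("cameras", ipaddress.ip_network("10.0.20.0/24")),   # hardwired PoE cameras
    30: ("iot", ipaddress.ip_network("10.0.30.0/24")),       # cloud-dependent gadgets
    40: ("sandbox", ipaddress.ip_network("10.0.40.0/24")),   # LAN-only, no gateway
}

# Zone pairs allowed to open NEW flows; an absent pair means drop. Note what is
# deliberately missing: cameras initiate nowhere (they only answer the recorder),
# iot reaches only the outside world, and sandbox has no entry at all, which is
# the effect of handing those devices no default gateway.
ALLOW_NEW: Set[Tuple[str, str]] = {
    ("trusted", "cameras"),
    ("trusted", "iot"),
    ("trusted", "internet"),
    ("iot", "internet"),
}

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone, or to "internet" if no local subnet matches."""
    addr = ipaddress.ip_address(ip)
    for _vid, (name, net) in VLANS.items():
        if addr in net:
            return name
    return "internet"

class Router:
    def __init__(self) -> None:
        self.conntrack: Set[Flow] = set()   # flows that were allowed to start

    def forward(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Verdict for one packet, checked in the order a stateful firewall uses."""
        flow: Flow = (proto, src, sport, dst, dport)
        reverse: Flow = (proto, dst, dport, src, sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT:established"      # continuation or reply of an allowed flow
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            return "LOCAL:same-vlan"         # never reaches the router; the switch handles it
        if (sz, dz) in ALLOW_NEW:
            self.conntrack.add(flow)
            return "ACCEPT:new"
        return "DROP:policy"

def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic: recorder 10.0.10.5, laptop 10.0.10.20, camera 10.0.20.11,
    thermostat 10.0.30.7, sandbox gadget 10.0.40.9, cloud host 203.0.113.10."""
    r = Router()
    steps = [
        ("recorder pulls RTSP from camera", ("tcp", "10.0.10.5", 51000, "10.0.20.11", 554)),
        ("camera answers the recorder", ("tcp", "10.0.20.11", 554, "10.0.10.5", 51000)),
        ("camera tries to reach its cloud", ("tcp", "10.0.20.11", 40000, "203.0.113.10", 443)),
        ("camera tries to open a flow to the recorder", ("tcp", "10.0.20.11", 40001, "10.0.10.5", 22)),
        ("thermostat calls home", ("tcp", "10.0.30.7", 40002, "203.0.113.10", 443)),
        ("thermostat probes the camera VLAN", ("tcp", "10.0.30.7", 40003, "10.0.20.11", 554)),
        ("thermostat probes the laptop", ("tcp", "10.0.30.7", 40004, "10.0.10.20", 445)),
        ("sandbox device calls home", ("udp", "10.0.40.9", 40005, "203.0.113.10", 53)),
        ("forged reply with no matching flow", ("tcp", "10.0.20.11", 554, "10.0.10.20", 51001)),
        ("two cameras talk to each other", ("udp", "10.0.20.11", 5000, "10.0.20.12", 5000)),
    ]
    return [(desc, r.forward(*pkt)) for desc, pkt in steps]

if __name__ == "__main__":
    for desc, verdict in run_scenario():
        print(f"{verdict:20} {desc}")
```

The last two cases are the ones worth keeping in mind when writing real rules: a packet that merely looks like a reply is dropped unless the matching flow was opened from the allowed side, and traffic between two hosts on the same VLAN never passes the router at all, so "cameras can't talk to each other" is a switch-level (or per-port) decision, not a firewall one.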

