Differences

docs:guide-user:network:dsa:dsa-mini-tutorial [2023/04/27 11:46] – added a section about firewall zones for VLAN interfaces microraptordocs:guide-user:network:dsa:dsa-mini-tutorial [2023/10/19 02:58] – [Introduction] saudiqbal
Line 310: Line 310:
  list network 'lan'  list network 'lan'
 </code> </code>
 +
 +==== 6. Security Considerations with VLANs ====
 +
 +See [[https://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging|Wikipedia - VLAN Hopping]]
 +
 +  * If using separated VLANs, it is often recommended not to use VLAN 1 for any data networks. This is because VLAN 1 is often hardcoded as a default on a lot of networking equipment and is therefore more often used in attacks and prone to accidental misconfiguration.
 +
 +  * It is also often recommended to change the native VLAN on all trunk ports to an unused VLAN ID to explicitly only allow tagged traffic on trunk ports. Note that some hardware doesn't allow to mix tagged with untagged VLAN on one port, so this method cannot be used on it.
 +
 +  * Similarly, for added security any unused LAN ports can be also added (as u|*) to an unused VLAN ID.
 +
 +As an example let's assume a setup where: 
 +  * VLANS 10, 20 and 30 are used for seperated VLANs without any layer 3 routing
 +  * the ports lan1 and lan2 are trunked ports with all VLANs 
 +  * port lan3 is only for untagged VLAN 1
 +  * port lan4 is unused
 +  * VLAN 90 is not used anywhere else and is only there for added security
 +
 +<code>
 ++---------+-------+------+------+------+------+
 +| VLAN ID | Local | lan1 | lan2 | lan3 | lan4 |
 ++---------+-------+------+------+------+------+
 +|    10          |    |  u|* |    |
 ++---------+-------+------+------+------+------+
 +|    20          |    |    |    |
 ++---------+-------+------+------+------+------+
 +|    30          |    |    |    |
 ++---------+-------+------+------+------+------+
 +|    90          u|* |  u|* |    |  u|* |
 ++---------+-------+------+------+------+------+
 +</code>
 +
 +<code>
 +config device 'switch'
 + option name 'switch'
 + option type 'bridge'
 + option macaddr 'REDACTED'
 + list ports 'lan1'
 + list ports 'lan2'
 + list ports 'lan3'
 + list ports 'lan4'
 +
 +config bridge-vlan 'lan_vlan'
 + option device 'switch'
 + option vlan '10'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 + list ports 'lan3:u*'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '20'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '30'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '90'
 + list ports 'lan1:u*'
 + list ports 'lan2:u*'
 + list ports 'lan4:u*'
 + option local '0'
 +
 +config interface 'lan'
 + option proto 'dhcp'
 + option device 'switch.10'
 +
 +config interface 'iot'
 + option proto 'none'
 + option device 'switch.20'
 +
 +config interface 'guest'
 + option proto 'none'
 + option device 'switch.30'
 +</code>
 +
 +Note: Because local is not checked for VLAN 90, OpenWrt won't even create a device for it and there should be no interface for it, unlike the other VLANs.
 +
  
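Review bot: The worked example contradicts its own config: the bullet "port lan3 is only for untagged VLAN 1" does not match `list ports 'lan3:u*'` under `option vlan '10'`, and it also contradicts the section's first recommendation not to use VLAN 1 for any data network; change the bullet to "port lan3 is only for untagged VLAN 10 (the 'lan' interface on switch.10)". The port-membership table is mangled as well: the Local column is missing, the lan1/lan2 cells for VLANs 20 and 30 are empty, and the only "u|*" on the VLAN 10 row sits under lan2 although the config puts it on lan3. It should show t for lan1 and lan2 on VLANs 10, 20 and 30, u|* for lan3 on VLAN 10 only, and u|* for lan1, lan2 and lan4 on VLAN 90 with Local unchecked, so that the table and the UCI block agree. Two wording fixes: "seperated" should be "separated", and "some hardware doesn't allow to mix tagged with untagged VLAN on one port" should read "some hardware does not allow mixing tagged and untagged VLANs on one port". Finally, the closing Note only says that `option local '0'` stops OpenWrt from creating a switch.90 device; it is worth adding the security consequence the reader actually wants: untagged frames arriving on lan1, lan2 or lan4 land in VLAN 90 and are still bridged between those three member ports, but they never reach the router itself and no interface can be bound to them, which is the point of parking the native VLAN and unused ports there.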
  • Last modified: 2024/10/15 17:13
  • by palebloodsky