VLAN Configuration for Home Network


Solution 1

You can't do this without a VLAN capable router/firewall. There are multiple reasons for this, one of which is that your server needs internet access while not being directly accessible to other devices which also need Internet access, meaning a router/firewall is needed to interface the 2 types of devices.

If you think of each VLAN as a virtual unmanaged switch you will be well on your way to understanding the problem - either the ports are connected and can freely transmit to each other, or they are not connected and can't see each other - there are no half measures.

You really need subnets and routing - if you put machines on different vlans in the same subnet they will not be able to find or talk to each other. Thus even if you have a router, the machines won't know to speak to it when trying to reach other machines, and indeed won't be able to see it in most cases.

An untagged port can be viewed as a port with a "default" tag - when you have a port with multiple tags, it carries the data inside tagged packets, so the router needs to know how to remove the tags for data to be interpreted. This is generally done by having a separate IP address per VLAN on the router, with each address in the associated subnet used by the VLAN.

(I note I've simplified things a bit, and an expert may be able to break some rules above in some cases - but you really need to understand all the above and how it fits together before you can do this - and breaking the rules is not generally good design either.

Similarly, while in practice VLANs do provide security, using VLANs as a security measure is a bit controversial to some experts.)
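To make the "each VLAN is a virtual unmanaged switch" model concrete, here is an added Python simulation (not from the question, the answers, or any switch vendor's software) that floods a frame according to port VLAN membership, PVID and tagging mode. It is run first against the layout described in the question further down this page (VLAN 10 on ports 1-47, every port untagAll) and then against the design the answers recommend (VLAN 10 removed, port 1 a tagged trunk to a VLAN-aware router with one subnet per VLAN). Assumptions built into the model: untagAll classifies an untagged frame into the port's PVID and strips tags on egress, tagAll accepts and emits tagged frames only for member VLANs, tagged frames arriving on an access port are dropped, and in the recommended layout port 1 keeps PVID 30 so anything the router still sends untagged (such as a bridged Wi-Fi client) lands only in the home VLAN. Port roles and VLAN numbers come from the question; the function and class names are mine.

```python
"""Flood-forwarding model of an 802.1Q switch with port VLAN membership,
PVID and tagging mode. Added example; the rules are simplified (see comments)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class Port:
    number: int
    pvid: int                 # VLAN assigned to untagged frames arriving here
    members: FrozenSet[int]   # VLANs this port is allowed to carry
    trunk: bool = False       # False = untagAll (access), True = tagAll (trunk)


@dataclass(frozen=True)
class Frame:
    src_port: int
    tag: Optional[int] = None  # None = arrives without an 802.1Q tag


class Switch:
    """Each VLAN acts as its own unmanaged switch: a frame classified into
    VLAN v is flooded to every other member port of v."""

    def __init__(self, ports):
        self.ports: Dict[int, Port] = {p.number: p for p in ports}

    def forward(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Egress ports for a flooded frame, mapped to the tag it leaves with
        (None = untagged). Returns {} when ingress filtering drops the frame."""
        ingress = self.ports[frame.src_port]
        if frame.tag is None:
            vlan = ingress.pvid                      # untagged -> PVID
        elif ingress.trunk and frame.tag in ingress.members:
            vlan = frame.tag                         # tagged, accepted on a trunk
        else:
            return {}  # assumption: tags on access ports / non-member VLANs are dropped
        return {p.number: (vlan if p.trunk else None)
                for p in self.ports.values()
                if p.number != ingress.number and vlan in p.members}


def reachable_ports(switch: Switch, src_port: int, tag: Optional[int] = None) -> Set[int]:
    return set(switch.forward(Frame(src_port, tag)))


def untagged_two_way(switch: Switch, a: int, b: int) -> bool:
    """True when plain (untagged) hosts on ports a and b can exchange frames."""
    return b in reachable_ports(switch, a) and a in reachable_ports(switch, b)


def question_switch() -> Switch:
    """The layout from the question: VLAN 10 on ports 1-47, every port untagAll."""
    ports = [Port(1, 10, frozenset({10, 20, 30, 40}))]      # Internet router
    ports.append(Port(2, 20, frozenset({10, 20})))          # server
    ports += [Port(n, 30, frozenset({10, 30})) for n in range(3, 47)]  # home machines
    ports.append(Port(47, 40, frozenset({10, 40})))         # sensitive data machine
    ports.append(Port(48, 50, frozenset({50})))             # switch management
    return Switch(ports)


def recommended_switch() -> Switch:
    """VLAN 10 removed and port 1 turned into a tagAll trunk to a VLAN-aware
    router that owns one subnet per VLAN. Assumption: PVID 30 on the trunk so
    anything the router still sends untagged ends up in the home VLAN only."""
    ports = [Port(1, 30, frozenset({20, 30, 40}), trunk=True)]
    ports.append(Port(2, 20, frozenset({20})))
    ports += [Port(n, 30, frozenset({30})) for n in range(3, 47)]
    ports.append(Port(47, 40, frozenset({40})))
    ports.append(Port(48, 50, frozenset({50})))
    return Switch(ports)


def router_side_blast_radius(switch: Switch) -> Set[int]:
    """Ports that receive an untagged frame sent from the router side (port 1),
    i.e. everything a device bridged onto the router's LAN/Wi-Fi can reach."""
    return reachable_ports(switch, 1)


if __name__ == "__main__":
    q, r = question_switch(), recommended_switch()
    print("question layout, router untagged  ->", sorted(router_side_blast_radius(q)))
    print("question layout, server<->home    ->", untagged_two_way(q, 2, 3))
    print("question layout, router<->server  ->", untagged_two_way(q, 1, 2))
    print("recommended, router untagged      ->", sorted(router_side_blast_radius(r)))
    print("recommended, server frame on wire ->", r.forward(Frame(2)))
    print("recommended, router tag 20 reply  ->", r.forward(Frame(1, 20)))
```

What the run shows: in the question's layout the server port and the home ports cannot flood to each other, which is why cross-VLAN pings fail, but every access port floods to port 1 and port 1 floods untagged to ports 2-47, so the router's whole LAN segment (bridged Wi-Fi clients included) sits in all VLANs at once; that is the same picture the nmap results in the comments paint. With the trunk, the router only reaches a VLAN by sending a tagged frame for it, an untagged frame from its side stays in the home VLAN, and whether VLAN 20 may talk to VLAN 40 becomes a routing/ACL decision on the router rather than something the switch has to get right by accident.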

Solution 2

You will need more equipment. If the router is not capable of having more than one VLAN on your inside Network, then there is no way for all the VLANs to be able to get to the Internet, only one of them will be able to get to the Internet (the one VLAN where the router is plugged into).


Author: juhraffe

Updated on September 18, 2022

Comments

  • juhraffe
    juhraffe over 1 year

    I would like to provide some separation of devices in my home network using a managed switch. I've read other related questions/answers, but they have different requirements that get into VLAN routers or other equipment because they want different VLANs to talk to each other. I just want separation, and I want to know if I can do everything with a single managed switch.

    • My goals:
      1. Isolate Internet-accessible server from rest of network to prevent compromised server from attacking internal nodes.
      2. Isolate computer used for sensitive data from rest of network.
      3. Allow all devices access to Internet.
      4. Restrict switch management to a single port.

    • My planned switch configuration:
      • VLAN:
        • 10: ports 1 - 47 (Internet access)
        • 20: ports 1 and 2 (server)
        • 30: ports 1 and 3 - 46 (home devices)
        • 40: ports 1 and 47 (sensitive data machine)
        • 50: port 48 (switch management)
      • Port:
        • 1: untagged, pvid=10 (connected to Internet router)
        • 2: untagged, pvid=20 (connected to server)
        • 3 - 46: untagged, pvid=30 (connected to home machines)
        • 47: untagged, pvid=40 (connected to sensitive data machine)
        • 48: untagged, pvid=50 (connected to switch management machine)

    In addition, the router is configured to forward port 80 to the server machine, which has a static IP address. The router uses DHCP to assign IP addresses to the rest of the machines.

    When I set the switch up this way things seem to work, in the sense that I can access the Internet from machines on ports 2-47, I can access the server (through the external facing IP address of the router) from other VLANs, and I can't seem to access any other machines across VLANs. However, I've read some best practices such as the following:

    1. Each VLAN is a different IP subnet
    2. Access ports (e.g., 2-47) should be members of a single VLAN
    3. Use tagging-aware router to filter traffic across VLANs

    In my setup, I use a single IP subnet. I only have ~20 devices, so there is no issue with size, but I'm curious if there are other issues. For example, could different devices on different VLANs get the same IP address, and if so, would this be a problem? My understanding is that this is OK because they can't access each other, but if they both send Internet requests could the responses get mixed up?

    In my setup, I also use VLAN 10 across nearly all ports as a way to allow Internet access. Is this a problem? It seems like maybe someone could use this VLAN to hop VLANs (e.g., compromised server to access home machines, or home machines to access sensitive data machine). Does the combination of untagged and pvid=X prevent this sort of behavior? Would a VLAN tag of 10 get rejected from a port other than Port 1 with this setup?

    My router is the standard Verizon router, and I don't know how it handles VLAN tagging (probably not at all?). Is there any problem if it actually does handle tags (e.g., insecure defaults) or if it doesn't (e.g., allows routing between VLANs due to lack of knowledge about them)?

    Is this an appropriate configuration for my goals, or do I need to change things or introduce more equipment to properly isolate and secure the network?

    • acejavelin
      acejavelin almost 6 years
      What is the make and model of the switch?
    • juhraffe
      juhraffe almost 6 years
      The switch is an Avaya 5520-48T-PWR.
    • dirkt
      dirkt almost 6 years
      Consider putting OpenWRT on your router (if that is possible with the standard Verizon router) to make it VLAN capable.
  • juhraffe
    juhraffe almost 6 years
    Abu Zaid, What you say is true if I eliminate VLAN 10 and plug the router into one of VLAN 20, 30, or 40. However, with VLAN 10 spanning all ports, I am able to simultaneously access the Internet from VLANs 20, 30, and 40 when I plug the router into VLAN 10.
  • juhraffe
    juhraffe almost 6 years
    davidgo, you mention that its all-or-nothing (no half measures), but I think that's exactly what I want. I don't want VLANs 20, 30, or 40 to be able to talk to each other. I just want to provide Internet access to all of them. This is working with my configuration as described, but it seems to violate some best practices, so I'm concerned there may be some hidden pitfalls.
  • Abu Zaid
    Abu Zaid almost 6 years
It could only be one of the two. If you are able to access the Internet from all the VLANs, then they are not isolated at all. I assume you only have one connection from the Router back to the Switch, so the Router could be part of only one VLAN, in your case 10.
  • Tim_Stewart
    Tim_Stewart almost 6 years
@juhraffe, this is a decent answer. The only other way to do what you want would be a router that has multiple physical interfaces that are configurable. Or just go the ol' pfSense/OPNsense route. A router with ACLs will give you much better control of each network in either case.
  • davidgo
    davidgo almost 6 years
@juhraffe - I am skeptical that you can do this with a half measure, and I'm very skeptical that your VLANs are correctly set up if this is working in your setup - and by working I mean including Internet access and the "firewalling" you believe to be happening through your VLANs. If you have somehow fluked something (if it were working and not a fluke you would not be asking a question here), it will come back and bite you/whoever comes after you hard. You really, really don't want to use half measures to achieve these goals.
  • juhraffe
    juhraffe almost 6 years
    There is only one connection to the router through port 1 (VLANs 10, 20, 30, and 40), and my fear is that you're right about the lack of isolation. Can you help me see how the VLANs are not isolated? Ping requests and HTTP requests across VLANs fail now. Is there another simple test that would show, for example, that a machine on port 3 (VLANs 10 and 30) is accessible from the server on port 2 (VLANs 10 and 20)?
  • juhraffe
    juhraffe almost 6 years
    @Tim and davidgo, I agree davidgo's solution is a good one. Using a VLAN-aware router would not only provide what I want, but also the ability to filter traffic between VLANs. However, I'm still trying to figure out where my proposed solution breaks down. My limited testing shows that everyone can get to the Internet, and no one can hop VLANs. Is there a simple test that would confirm that the VLANs are not isolated?
  • Abu Zaid
    Abu Zaid almost 6 years
If you can ping Router from each VLAN, then they are not isolated. Now, I am not sure what you mean when you say "Port 3 (VLANs 10 and 30)". Does the port belong to VLAN 10 or VLAN 30?
  • juhraffe
    juhraffe almost 6 years
    VLAN 10 includes ports 1-47 and VLAN 30 includes ports 3-46, so port 3 is a member of both VLAN 10 and VLAN 30. The pvid on port 3 is set to 30, so untagged traffic from the machine attached to port 3 will be sent to VLAN 30, which will reach the router (which is on port 1, also a member of VLAN 30). Responses from the router will come into port 1, which has pvid 10, and these will be able to make it back to the requester on port 3, which is also a member of VLAN 10.
  • Abu Zaid
    Abu Zaid almost 6 years
So the router would receive traffic on VLAN 30 and send it back on VLAN 10? Is that what you are assuming?
  • Tim_Stewart
    Tim_Stewart almost 6 years
@juhraffe, use nmap to scan whole subnets from each VLAN. Scan VLANs 20, 30 & 40 from VLAN 10, 10, 30, 40 from VLAN 20, etc. See what comes up; I would scan both TCP/UDP when you do.
  • juhraffe
    juhraffe almost 6 years
    I think the switch internally uses VLAN 30 to send the request to the router, but it strips the VLAN tag because all ports are set to be untagged. The router response goes to the requester using VLAN 10 in a similar manner.
  • Abu Zaid
    Abu Zaid almost 6 years
    There can only be one untagged VLAN on a port. For example, if router is getting traffic for VLAN 30 untagged, then it will not be able to send untagged traffic back to Switch on VLAN 10. Based on the information you have provided so far, it looks like all the traffic is untagged and sharing same VLAN, which would defeat the purpose of isolation. The best solution would be to get a router which supports VLANs and then configure one Subnet for each VLAN to isolate the traffic.
  • juhraffe
    juhraffe almost 6 years
    @Tim, using nmap from VLANs 20, 30, and 40 I see the router and machine(s) on the same VLAN but not the machines on the other VLANs. However, I also see machines connected directly to the router through Wi-Fi. That definitely breaks my isolation goals. However, it seems like I could fix this by disabling the router Wi-Fi and connecting APs to the switch on VLAN 30. I'm still not convinced there isn't a way to cross VLANs, but the nmap scans I'm seeing match the desired VLAN isolation goals.
  • juhraffe
    juhraffe almost 6 years
    My switch gives me four options for tagging: tagAll (trunk), untagAll (access), tagPvidOnly, and untagPvidOnly. I selected untagAll (access) for all ports.
  • Abu Zaid
    Abu Zaid almost 6 years
OK, then I would suggest removing VLAN 10 from all Ports, and see if it still works. If it does, then you have isolated your VLANs.
  • juhraffe
    juhraffe almost 6 years
    When I remove VLAN 10 I lose Internet on all remaining VLANs. If I connect the router to a different port (e.g., port 5 with pvid = 30) or reconfigure the pvid on port 1 (the router connection) to be a particular VLAN, I get Internet on that VLAN but not the others.
  • Abu Zaid
    Abu Zaid almost 6 years
    OK, so the VLANs are not isolated, since it only works if everything is on VLAN 10. At this point, I would say that the better option is to get a router that supports Trunk Port (tagged VLAN), and assign each VLAN/Segment a separate IP Subnet.
  • juhraffe
    juhraffe almost 6 years
I attached to the router Wi-Fi and nmap found all the machines on all VLANs. I could connect from Wi-Fi to VLAN and VLAN to Wi-Fi. So, it looks like the only isolation I'm getting from the VLANs is between the VLANs themselves, but VLAN-to-non-VLAN connections are wide open. I still think I might be able to disable the router Wi-Fi and connect everything through the switch to get isolation. However, this would be risky because enabling router Wi-Fi (perhaps upon reset or by accident) would compromise the entire network.
  • Tim_Stewart
    Tim_Stewart almost 6 years
    @juhraffe, don't jump through hoops over it. Get a router.