DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Basic VLAN/Security question

  • philby
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
15 Mar 2010 20:16 #61190 by philby
Basic VLAN/Security question was created by philby
Hello

Just wanted to check my topology here:

I have a home wlan (one SSID, lots of folders shared between 3 machines, 2820n).

Sometimes I do disinfection work for friends' machines and would like to be able to isolate these from my own machines when I connect them to the network/internet.

So, I've done the following:

-created a second SSID (SSID2)
-set up a Vlan such that SSID2 is segregated to port 2, as below



When I connect an 'infected' machine to the wlan/internet via SSID2, it cannot see any of the other networked machines and they cannot see it - this is good :D

My question is whether this is adequate in terms of preventing infection passing from an infected machine to either the other boxes or the 2820n itself???

I don't want to falsely assume that machines on SSID are completely isolated from those on SSID2, but maybe they are and I'm just over-thinking this???

Thanks in advance.

Mark

Please Log in or Create an account to join the conversation.

More
06 Aug 2010 00:35 #63190 by alan.hancock
Replied by alan.hancock on topic VLAN is not so V
Using WAN2 on UK firmware 3.3.4_232201, I decided to try the same config as you did, and was pleased to find that i could not access my devices on the other VLAN whilst on the same physical Local area network.

However, i also have point-point VPN tunnels setup to my remote offices, and i nearly fell off my chair when i saw that the 'isolated' VLAN device could happily access my remote subnets even though the LOCAL subnet was isolated from it. This is not the expected behaviour, as it is no use being locally isolated if the majority of the remote-but-private subnets are wide open.

Oh dear...

Please Log in or Create an account to join the conversation.

More
09 Aug 2010 21:08 #63244 by voodle
Replied by voodle on topic Basic VLAN/Security question
I think there are plans to fix that vpn / vlan problem with some firmware in future, going by this guide: http://draytek.com/user/SupportAppnotesDetail.php?ID=898
I'm not sure when or if it would be coming to something like the 2820 but it would certainly be useful

Please Log in or Create an account to join the conversation.

More
09 Aug 2010 22:03 #63246 by admin
Replied by admin on topic Basic VLAN/Security question
Actually, the current method is logical default behaviour. The VLAN is at the Ethernet layer (L2), done by the Ethernet chip so the router's CPU doesn't control the data (that would be a lot of work, to process all LAN traffic). The VPN, on the other hand is a L3 IP thing, so just as members of isolated VLANs all have Internet access (routes), they also have access to VPN routes. You can't set up an IP filter relating to a hardware VLAN for the same reason you can't isolate it from a VPN.
That doesn't mean they couldn't develop integration in future.



Forum Administrator

Please Log in or Create an account to join the conversation.

More
03 Dec 2010 19:09 #65137 by ignatius
Replied by ignatius on topic Basic VLAN/Security question
I have a 2820n (firmware 3.3.0.1) but the VLAN configuration doesn't give the option to include SSIDs in the various VLANs as shown in the partial screenshot posted by the OP. I think I might have to upgrade the firmware but I'm reluctant to do so unless it's absolutely necessary, given the problems identified by several users.

Thanks in advance.

Please Log in or Create an account to join the conversation.

Moderators: Sami