DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Basic VLAN/Security question
15 Mar 2010 20:16 #61190
by philby
Basic VLAN/Security question was created by philby
Hello
Just wanted to check my topology here:
I have a home wlan (one SSID, lots of folders shared between 3 machines, 2820n).
Sometimes I do disinfection work for friends' machines and would like to be able to isolate these from my own machines when I connect them to the network/internet.
So, I've done the following:
- created a second SSID (SSID2)
- set up a VLAN such that SSID2 is segregated to port 2, as below
When I connect an 'infected' machine to the wlan/internet via SSID2, it cannot see any of the other networked machines and they cannot see it - this is good
My question is whether this is adequate in terms of preventing infection passing from an infected machine to either the other boxes or the 2820n itself???
I don't want to falsely assume that machines on SSID are completely isolated from those on SSID2, but maybe they are and I'm just over-thinking this???
Thanks in advance.
Mark
06 Aug 2010 00:35 #63190
by alan.hancock
Replied by alan.hancock on topic VLAN is not so V
Using WAN2 on UK firmware 3.3.4_232201, I decided to try the same config as you did, and was pleased to find that I could not access my devices on the other VLAN whilst on the same physical local area network.
However, I also have point-to-point VPN tunnels set up to my remote offices, and I nearly fell off my chair when I saw that the 'isolated' VLAN device could happily access my remote subnets even though the LOCAL subnet was isolated from it. This is not the expected behaviour, as it is no use being locally isolated if the majority of the remote-but-private subnets are wide open.
Oh dear...
09 Aug 2010 21:08 #63244
by voodle
Replied by voodle on topic Basic VLAN/Security question
I think there are plans to fix that vpn / vlan problem with some firmware in future, going by this guide: http://draytek.com/user/SupportAppnotesDetail.php?ID=898
I'm not sure when or if it would be coming to something like the 2820 but it would certainly be useful
09 Aug 2010 22:03 #63246
by admin
Forum Administrator
Replied by admin on topic Basic VLAN/Security question
Actually, the current method is logical default behaviour. The VLAN is at the Ethernet layer (L2), done by the Ethernet chip so the router's CPU doesn't control the data (that would be a lot of work, to process all LAN traffic). The VPN, on the other hand, is an L3 IP thing, so just as members of isolated VLANs all have Internet access (routes), they also have access to VPN routes. You can't set up an IP filter relating to a hardware VLAN for the same reason you can't isolate it from a VPN.
That doesn't mean they couldn't develop integration in future.
03 Dec 2010 19:09 #65137
by ignatius
Replied by ignatius on topic Basic VLAN/Security question
I have a 2820n (firmware 3.3.0.1) but the VLAN configuration doesn't give the option to include SSIDs in the various VLANs as shown in the partial screenshot posted by the OP. I think I might have to upgrade the firmware but I'm reluctant to do so unless it's absolutely necessary, given the problems identified by several users.
Thanks in advance.
Copyright © 2024 DrayTek