Redoing Home Network
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
Thats why I planned things out the way I did. I had setup vlans before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a vlan and be done with it.
No, there is really no scenario where that would make sense. You can't separate the traffic on a single network.
Ok. Hopefully it won't be an issue with her boss.
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well in my readings, they say either method will increase security, as traffic is not supposed to travel between vlans for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
What about routing VLAN traffic on an L3 switch? Does that then classify as a "router"?
-
@scottalanmiller wouldn't use use firewall rules to separate the traffic? (either separate firewall or rues in router if we're using a router/firewall combo,and yes I know today firewall/router are essentially the same thing)
-
@jmoore said in Redoing Home Network:
@JaredBusch said in Redoing Home Network:
Yes, if the router has a switch chip like the ER-X does, it could be your core switch, but you seriously should not think like that.
Got it, I won't forget this lesson either. I was going to do the separate lans for a learning exercise in getting it set up, but from what it sounds like, it is pretty worthless even as an exercise. Thanks for your opinions!
Do it as a learning exercise, yes. But don't leave it like that for your house. Go back to a single LAN after you've learned what it does and how to set it up.
But really, there's nothing to learn. It's so simple. It's barely more than plugging it all in.
-
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
Thats why I planned things out the way I did. I had setup vlans before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a vlan and be done with it.
No, there is really no scenario where that would make sense. You can't separate the traffic on a single network.
Ok. Hopefully it won't be an issue with her boss.
Her boss doesn't know what a VLAN is, or a LAN, or anything of the sort. Either it's an issue to her boss no matter what, or it's not no matter what. The one thing you know for certain, is that nothing you do will make a difference either way.
-
@brandon220 said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well in my readings, they say either method will increase security, as traffic is not supposed to travel between vlans for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
What about routing VLAN traffic on an L3 switch? Does that then classify as a "router"?
It absolutely is a router, anything that routes at L3 is a router. That's why L3 switches are technically "multi-port routers". However, in the real world, all L3 "switches" use specialty hardware to make it able to do the routing extremely fast. Never as fast as an L2 true switch with similar hardware, but fast enough to hit line speed.
-
@jt1001001 said in Redoing Home Network:
@scottalanmiller wouldn't use use firewall rules to separate the traffic? (either separate firewall or rues in router if we're using a router/firewall combo,and yes I know today firewall/router are essentially the same thing)
No, the traffic is still mixed in the router. "Separating traffic" is never a thing. What is a thing is "ability to attack each other". You already do that, right? You have firewalls on each device to already limit what device can talk to each other.
The VLAN + Firewall combination is only ever a secondary security tool to do a very rudimentary duplication of what should already exist on a per machine basis. That doesn't make it bad, we just have to be realistic. It's not about separating traffic (that's done in the switch on every network anywhere), nor about providing a block to attacks, it's about attempting to block an attack on another layer of attack blocking.
-
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
-
@jmoore said in Redoing Home Network:
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
So in what situation do vlans make the most sense and what is their purpose there? Just security to keep machines from talking to each other?
-
@jmoore said in Redoing Home Network:
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
CompTIA doesn't do later certs, as those would require, you know, hiring IT people that actually know material lol
-
@jmoore said in Redoing Home Network:
So in what situation do vlans make the most sense and what is their purpose there? Just security to keep machines from talking to each other?
Correct, that is essentially their only function. In some extreme cases, they can be used to isolate broadcast traffic, or to do "LAN level" performance tweaking, but most of that is just ridiculous in practice. Nearly the only legitimate role of VLANs is to provide isolation containers for networks.
That means.... provide the isolation one gets from isolated, dedicated hardware, but without the physical performance benefits of having isolated hardware (or the cost.)
-
@jmoore said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
So in what situation do vlans make the most sense and what is their purpose there? Just security to keep machines from talking to each other?
Correct. Here is an ER-4 at a client.
- eth0 = WAN
- eth1 = Unused
- was LAN until I moved it to eth3 (SFP)
- eth2 = Credit card machine.
- Outbound NAT makes it X.X.X.138
- This could easily have been a VLAN if needed, but I had the extra port, meh.
- eth3 = LAN & WiFi
- Outbound NAT makes it X.X.X.138
- eth3.10 = Guest WiFi
- Outbound NAT makes it X.X.X.140
- eth3.20 = IoT shit
- Outbound NAT makes it X.X.X.140
None of the local subnets are allowed to talk to each other by firewall rules.
-
@Grey said in Redoing Home Network:
The Ubiquiti USG can handle 1gig connections without a problem.
The original USG most certainly cannot handle it if you have traffic shaping or QoS or a number of other things that kill offloading.
-
@Grey said in Redoing Home Network:
Either get an AP that matches the rest of the system, or get the rest of the Ubiquiti equipment.
FFS, are you on crack?
EdgeMax is Ubiquiti equipment.
The EdgeMax line has no wireless at all. So you have to provide a separate device for an access point.
-
@JaredBusch Ok thanks for the sample config. I see what your talking about with the rules.
-
@JaredBusch said in Redoing Home Network:
None of the local subnets are allowed to talk to each other by firewall rules.
This is the scenario I think of when you want (need?) to isolate and segment LAN traffic, yet each segment needs Internet access and you have only one WAN connection.
-
-
-
Thanks Scott for all these videos. You cleared up a lot of actual and implied questions, along with correcting my erroneous thought process. Much appreciated. I'll be questioning things I read much more now.
-
@JaredBusch said in Redoing Home Network:
@Grey said in Redoing Home Network:
Either get an AP that matches the rest of the system, or get the rest of the Ubiquiti equipment.
FFS, are you on crack?
EdgeMax is Ubiquiti equipment.
The EdgeMax line has no wireless at all. So you have to provide a separate device for an access point.
Ok, I should have been more clear in that. I wouldn't go to a product line that not designed for home use.
