DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1 Week Ago
Zmyrgel Zmyrgel is offline
Port Guard
 
Join Date: May 2008
Posts: 30
Default VLAN's with OpenBSD router

Hi,

I have functional OpenBSD 6.4-current router (apu2b4) connected to my WAN, Wireless AP and dumb switch. I used vether0 and bridge0 interface to make router function like a switch. This system works fine but I recently got devices in the connected to the switch which I don't want accessing rest of my network so I thought to bring in some VLAN to aid securing my network and to learn a bit about them in the process.

I purchased Netgear GS110TP smart switch to play with some VLANs etc but I can't wrap my head around how all this should be set up so everything runs smoothly.

So my working gateway config was following:
em0 ( connected to internet )
em1 ( connected to wireless AP)
em2 ( connected old unmanaged switch)
vether0 on 10.0.0.1/24 network
bridge0 ( bridge members em1, em2. vether0 )

LAN daemons listened on vether0, stuff like httpd, dhcpd, nsd etc.

My plan is to improve things in three steps so to minimize downtime and chance on misconfigurations. Step 1 was the easy one, I replaced the unmanaged switch with the managed switch but didn't configure any VLAN's etc. Everything worked fine still.

Step 2 is where I'm currently stuck, add two VLAN10 for trusted and VLAN20 to untrusted devices and keep things working with wired connections while keeping the wireless AP working with old connection.

So I made following adjustments to Netgear switch:
port1 - port4 members of VLAN10, port1 connected to OpenBSD gateway em2. Port1 tagged and ports 2,3,4 untagged.
Ports5 -8 VLAN20 all untagged.

I connected my desktop to port5 on the switch so it should get assigned to VLAN20.

I added 2 vlan interfaces to the OpenBSD gateway:
Code:
hostname.vlan10:
inet 10.0.10.1 255.255.255.0 10.0.10.255

hostname.vlan20:
inet 10.0.20.1 255.255.255.0 10.0.10.255
I changed my dhcpd daemon to assign addresses on those subnets and bind to vlan10, vlan20 and vether0 interfaces and restarted it.

I added "pass on { vlan10 vlan20 }" rule to /etc/pf.conf and reloaded pf rules.

I assigned IP's manually on my desktop and tried to ping 10.0.20.1 but I can't get even ping to go through. Wireless AP still functions and I can connect from there to 10.0.10.1 and 10.0.20.1 so vlan interfaces are up and reachable.

But more general questions:
I assigned VLAN10 to switch port1 and set it to "tagged". My understanding is that tagging interface on Netgear devices should send the VLAN id's to my OpenBSD router. I did see vlan10 ids with tcpdump but I didn't see any mentions for vlan20. Should the VLAN20 stuff go through port1 with my above configuration or does it require some other tweaks on Netgears side?

Do I need to make anything special on my gateway side? My understanding is that once traffic flows from switch it comes from em2 to vlan10 and vlan20 interfaces on router and then pf rules NAT those forward with following rules:

Code:
match out on egress from !egress nat-to (egress) set prio (2, 5)
pass on { vlan20 vlan10 }
And once I move my AP from gateway to switch vlan20 I can drop the vether0/bridge0 interfaces from my gateway. Is the above correct reasoning or should I do things differently.
Reply With Quote
  #2   (View Single Post)  
Old 1 Week Ago
Zmyrgel Zmyrgel is offline
Port Guard
 
Join Date: May 2008
Posts: 30
Default

Small improvement, tweaked the switch settings and set port1 to vlan1 but set it to tagged interface on both vlan10 and vlan20.
Now looking at tcpdump for em2 on gateway I see the arp requets coming to gw but if I'm looking at the traffic correctly it seems nothing flows back to clients from gw.
Reply With Quote
  #3   (View Single Post)  
Old 1 Week Ago
Zmyrgel Zmyrgel is offline
Port Guard
 
Join Date: May 2008
Posts: 30
Default

And just noticed that my vlan interfaces had wrong parent interface in gateway configuration.
After setting vlan10/20 parent to em2 my ping packets go through.
Reply With Quote
  #4   (View Single Post)  
Old 1 Week Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,459
Default

It's hard from me to follow your provisioning changes. But...
Quote:
I did see vlan10 ids with tcpdump but I didn't see any mentions for vlan20.
At that time, you stated that all assigned VLAN 20 ports were untagged. Unless port 1 was also assigned to the same VLAN, you would not see any of its tagged traffic.

Whenever I've provisioned VLANs, I've always drawn diagrams to plan my layouts. I've found it helpful.
Reply With Quote
  #5   (View Single Post)  
Old 1 Week Ago
Zmyrgel Zmyrgel is offline
Port Guard
 
Join Date: May 2008
Posts: 30
Default

Yeah, I haven't worked with VLAN's before so thats one reason for these changes.
I didn't realize I needed to tag the port1 on all VLAN's for it to pass the traffic. I assumed once port gets tagged it will pass traffic for all vlans.

Once I have more time to tinker I'll work on giving select clients in vlan20 access to vlan10. I was thinking on setting up VPN on the gateway.
Reply With Quote
  #6   (View Single Post)  
Old 1 Week Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,459
Default

Quote:
I assumed once port gets tagged it will pass traffic for all vlans.
No, the switch is used to assign VLANs to specific physical ports. VLANs can be used in place of physical isolation for many use-cases.
Reply With Quote
Reply

Tags
networking, openbsd, vlan

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
arp, vlan issues after upgrade to 5.6 moviuro OpenBSD General 6 3rd November 2014 04:14 PM
bringing up vlan interfaces xiphias FreeBSD General 3 5th March 2010 04:04 PM
OpenBSD IRC channel chat about DMZ and vlan J65nko General software and network 3 25th December 2009 11:15 PM
How to make it work with VLAN-trunking? Seb74 OpenBSD Security 4 28th June 2008 02:08 PM
Bridge VLAN + Catalyst espenfjo FreeBSD General 2 6th June 2008 05:16 PM


All times are GMT. The time now is 02:25 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick