Still, I'll note it and will try to search for some protection against it, thank you.Īre there any other downsides of using pure firewall-based separation for "guest" wifi devics comparing to VLAN that comes to your mind? I guess there may be an attempt to steal it, but that seems to be quite "personalized" type of attack (and maybe even expensive atm), so as home/homelab user, I would not really count on it. For both my PCs and phones I do use randomized MAC addresses "by default", and only real MAC for trusted WiFi. So, it's not like I'm actively "advertising" real MAC addresses of my "trusted" devices. I'll try to "qualify"/"quantify" the drawback. It also "nails" an intention to have single-SSID and MAC-based VLAN tag assignment, if I understood it correctly. Inability to withstand "faking MAC" is a drawback for non-VLAN approach. So no matter what users try, playing with fake MAC address, or anything, they are still isolated, and you don't need to think about it too muchĪs I'm indeed interested in rather practical/pragmatic answer, I'll need some extra help. It all depends on what exactly you want to achieve. For example devices that use some kind of layer 2 discovery protocol, you will see that they only reach devices in the same VLAN and only. Ofcorse that will not change if you have a router, it was an example for simplicity, even on interVLAN routing, under layer 2, only devices in the same VLAN will be able to communicate with each other. ( you need Routing to connect different networks ) This is an example where you need the Firewall to block the communication between different VLANs.įinally, if for example in a network that only a switch exists and no router is used to Inter connect your VLANs, then VLAN10 would be able to communicate with devices on the same VLAN only. Spoof mac address for chromecast Pc#That way, your PC for example that exists on VLAN10 will be able to communicate with an IP camera on VLAN20, but at the same time you are able to block the guest wifi on VLAN30 to reach VLAN20 that is your IP Camera ( example of increased security ). In case you need some VLANs to be able to communicate with each other, you just don't block them through the Firewall. In a network where you have InterVLAN Routing setup, meaning a Router that inter connects different VLANs that do exist on a switch(es), unless you block those VLANs through the Routers Firewall, they will be able to communicate with each other on the Layer 3 Level ( IPs / Packets ) but not on Layer 2 ( MACs / Frames ). We use VLANs to create separate broadcast domains in our Networks, which has a lot of benefits, like increased security, smaller broadcast domains, better management, low latency and more. VLANs indeed work on Layer 2 of the OSI model. What are downsides of using pure firewall-based separation for "guest" wifi devics comparing to VLAN? Performance, severe security issues. I'm not that knowledgeable if that's an obvious question, I have heard VLAN is L2 and firewall works on 元, but I couldn't yet translate all I've found into practical/pragmatic answer to my question. I'm also considering to get rid of multiple SSIDs and replace them with single SSID (that by itself may not be a limit for multiple VLANs if to base that on MAC, but should be simpler in pure firewall-based isolation). Now, as I'm moving to Audience, I'm wondering, what's the downside of getting rid of VLANs and replacing them with firewall rules based on address lists (so clients will drop to respective address list)? And I still had to have extra firewall rules in place for VLANs. That had it's own cost, like inability to keep Chromecast in a separate VLAN (from home NAS), etc. I have been using VLANs on my home/homelab AP (separate SSID per VLAN) for quite a while to separate "trusted" and non-trusted devices (primarily wifi clients).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |