LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Blogs > Musings on technology, philosophy, and life in the corporate world
User Name
Password

Notices

Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
Rate this Entry

home network vlan fun!

Posted 12-23-2013 at 02:24 PM by rocket357
Updated 12-23-2013 at 02:37 PM by rocket357

I recently posted about carving out /30 vlans for the Windows machines on my network at home. It's been working well, so I decided to carve up the remaining network to provide some layer of separation between devices.

My wife picked up a Buffalo N600 dual-band wireless access point for me recently. I have dd-wrt running on my old AP (because open-wrt won't run on it), so I figured I'd flash the Buffalo with openwrt and roll with it. I configured both 2.4 and 5.0 GHz bands with WPA2 PSK with randomly generated 63 character keys (pwgen 63 1 on my OpenBSD laptop), set it up in vlan6 (more on vlans in a second), with a /24 carved out of the 192.168.x.y address space, set it up in bridged mode and turned dhcpd off. I then added the wireless devices to my firewall's dhcpd.conf to have static addresses. I left the entertainment stuff (wii, ps3, rokus, etc...) associated with the old AP, but migrated all of the android devices over to the new (5 GHz where devices supported it, 2.4 if they didn't).

Then I decided to fire up pfstatd on the firewall and point a beat up old laptop to it. I configured pfstat and nginx on the laptop, wrote a few quick -n- dirty html pages to display the graphs, and set the laptop up in a dmz vlan (vlan7). Yay.

So, I have the following vlans: wired vlan (2), an entertainment vlan (3), my wife's desktop's /30 (4), my daughter's desktop's /30 (5), android devices (6), and dmz (7).

On the firewall, I configured vlans 3, 6, and 7 to only be able to access the internet, and I turned off unbound listening on those vlan interfaces. dhcpd serves them with Google's public dns server. I suppose that's a privacy/security tradeoff, and that's a fair argument against my implementation, but the fewer listening services on potentially hostile vlans, the better.

Now, I watch.

My wife's note3 tablet is flittering about the www...looks like my son may have gotten a hold of it and is playing his favorite pbskids games. The roku2 is doing it's usual dns chattery. vlan2, composed of only Cisco and OpenBSD devices, is pretty quiet minus the CDP/STP stuff you typically see there.

(ladvd, by the way, is some cool stuff:

Code:
## FIREWALL...fxp0 is the internal interface that all of the vlan devices "hang" from...
# ifconfig fxp0
fxp0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:01:29:0c:00:89
        description: connected to JAB034607H6(Cisco2948) (2/1)
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::201:29ff:fe0c:89%fxp0 prefixlen 64 scopeid 0x1
It's pretty neat that you can "show cdp neighbors" on the switch and see what version of OpenBSD and interface each port has connected)

Alrighty...that's enough nonsense for one day =)
Posted in Uncategorized
Views 448 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 09:47 PM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration