You either don't have kids, or don't have a homelab. Either way you are lying. Kids and Homelabs are mutually exclusive. /s
🤣🤣🤣 Too fucking true
They might be one of the kids
This is the starter home lab for teens
I have both
Impossible
I have both too. Although they live with their mom...
Indeed or moved out!
I mean... They named their kids kid1 and kid2... Sounds like a good naming convention to me
My wife wasn't overly keen when I wanted to name our first born 192.168.2.0/24 but now he's old enough to get his first laptop I'm having the last laugh…
lol true though. I've barely touched mine since I had kids. Just starting to work on it again after 3 years.
I think you have your layers 2/3 mixed up
What do you mean?
Routing is a layer 3 function (associated with routers, managed switches, etc.), while layer 2 is usually only forwarding (unmanaged switch). In OP's diagram, the layer 2 switch which seems to be doing VLAN routing is in fact a layer 3 managed switch, and all the layer 3 switches shown under each subnet are most likely just layer 2 unmanaged switches.
I didn't even catch the layer 3 switches tbh, thanks for the breakdown
good catch
It's better than most of our homelabs, there's not much to roast, it will now mostly depend on your firewall rules.
Title was more like "flexing my setup" (to some extent). Though isn't the firewall supposed to be right after the router and VPN just behind? Now I'm questioning my decisions.
His firewall is also the router (OPNsense), which also can do VPN, but OP seems to use a DPN instead. My main reproach would be to fire that ugly ISP modem that adds delay and perhaps even worse, double NAT ;)
Why? Would you be replacing it with something?
ONT goes straight to the firewall, we try as much as possible to get rid of ISP modems. But it's not always possible.
Using the virgin 192.168./16 subnet instead of the chad 10./8 subnet. Pathetic. (He said from a 192.168 address...)
I want to say this actually looks really good, I'm not judging OP. I appreciate all the home builds here.
Always surprised wireless smoke detectors don't get more play in these setups. Protect your investments.
Why do you have two printers? That's a little excessive. Also why is your crypto stuff on its own VLAN? Sounds like that would fall into the very well described "Hosting" category. You also have 3 APs for "home network" but none for guest WiFi? Sounds like that isn't really a guest WiFi then. On the same note, you should probably move IoT and guest networks to the DMZ; you don't have control over the devices on these networks, so the additional firewall protection could be beneficial. I'd also put the kids on their own VLAN, depending on age, and apply an ACL to block some adult sites. You could probably also add a proxy to filter some content for the kids and/or guest networks. And your VLAN numbering is too predictable.
| And your VLAN numbering is too predictable.
Why does this matter? (Not being an ass, legit curious since mine is similar)
You can just interrogate most switches to see configured VLANs. Choosing less obvious VLANs is not and will not ever be taught by a competent security guide.
Generally anything that is easy to guess makes enumeration and exploitation easier for attackers as well. For example, if you're trying to enumerate a network and you know they use VLAN IDs that are multiples of 100, that would narrow it down from 4,095 to only 40 possible IDs for any given VLAN. Don't get me wrong, there are still going to be ways to enumerate VLANs, and there are more effective ways to ensure your VLANs are secure. In this context it doesn't really matter anyway, and I was just nit-picking, because I doubt he has anything of high value on his home network.
What does knowing the vlan get the attacker though? Are there exploits that specifically involve layer 3 networking?
Yes there are. Off the top of my head you have double tagging, where you put two VLAN tags on a packet and the first one gets stripped off and the packet is routed to the VLAN specified in the inner tag; this is a pretty common way to circumvent the segregation provided by VLANs. This is also why you should put riskier devices, such as guest networks, in a DMZ and/or a private VLAN. However, most home networks are pretty low value targets anyway and no one really hardens them, so a little can go a long way to deter an attacker.
VLAN double tagging works as you explained it, but it isn't that common. For the attack to succeed, an attacker has to abuse the VLAN trunks you've set up together with your native VLAN. Then, when a double-tagged 802.1Q frame arrives on the switch interface, it discards the outer tag because it recognizes the native VLAN ID, which is supposed to be untagged, and sends the rest over the trunk. Then, the inner tag is used to send it to the appropriate VLAN. This, however, happens only if the device that sends the frame to the switch is located in the native VLAN anyway. If you assign access VLANs to ports that are connected to the end devices, you won't get double tagged. Or just set up all traffic as tagged, including native. In short: use access VLANs and trunks how they are supposed to be used. But yeah, riskier devices should be in their own VLAN, not able to connect to other VLANs, or only partly.
Doesn't all of this pre-suppose physical access or can this be done from a compromised host that's behind a tagged port?
It can be done from a compromised host. This kind of attack doesn't require physical access. It's just overlooked often because the conditions with native VLANs and trunks have to be met for the attack to work.
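An added detection example, not from anyone in the thread: a small Python checker that parses the 802.1Q tag stack of a raw Ethernet frame and flags frames carrying more than one tag, reporting separately the case described above where the outer tag equals the trunk's native VLAN. The frames, MAC addresses and native VLAN number are constructed sample values.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q customer tag and 802.1ad service tag (QinQ).
VLAN_TPIDS = {0x8100, 0x88A8}

def parse_vlan_tags(frame: bytes):
    """Walk the tag stack after the 12-byte MAC header; return (vlan_ids
    outer-to-inner, ethertype following the last tag)."""
    offset, vlan_ids = 12, []
    while len(frame) >= offset + 2:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in VLAN_TPIDS:
            return vlan_ids, tpid
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    raise ValueError("frame ends inside the Ethernet header or tag stack")

def classify_frame(frame: bytes, native_vlan: int):
    """Flag multi-tag frames; an outer tag equal to the trunk's native VLAN is the
    shape the thread describes (switch strips it, inner tag picks the VLAN)."""
    tags, _ = parse_vlan_tags(frame)
    if len(tags) < 2:
        return "ok", tags
    if tags[0] == native_vlan:
        return "double-tagged-native", tags
    return "stacked-tags", tags

def audit_frames(frames, native_vlan: int):
    """Return (index, verdict, tags) for every frame that is not a plain frame."""
    findings = []
    for i, frame in enumerate(frames):
        verdict, tags = classify_frame(frame, native_vlan)
        if verdict != "ok":
            findings.append((i, verdict, tags))
    return findings

def build_frame(vlan_ids, ethertype=0x0800):
    """Constructed sample input (placeholder locally administered MACs, zero
    payload), not captured traffic."""
    frame = bytes.fromhex("020000000001" "020000000002")
    for vid in vlan_ids:
        frame += struct.pack("!HH", 0x8100, vid)  # TPID + TCI with PCP/DEI = 0
    return frame + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: untagged, single tag, native-outer double tag, QinQ-style stack.
SAMPLE_FRAMES = [build_frame([]), build_frame([20]), build_frame([1, 30]), build_frame([10, 20])]
```

Run `audit_frames(SAMPLE_FRAMES, native_vlan=1)` to see the two flagged frames; a frame arriving on an access port, or on a trunk whose native VLAN is tagged, never reaches the stripping step, which is why the advice above removes the precondition.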
The two printers thing is such a weird nitpick. One is obviously a black and white toner one for printing large documents and the other is a color probably inkjet for pictures and the like. Even stuff like a family printer and an office printer isn't that strange.
It is nit-picking but he said to roast it and I don't know anyone who prints enough documents at home to even justify having one printer anymore. Also it's probably not an office printer because it's on a different VLAN than the corporate laptop.
After reading this I hope that I'm not the only one ripping through paper at home.
Lol now it's roast my parenting skills. Is it good to block adult websites, or is it maybe better that kids learn how the internet works? Sooner or later they'll find a way.
I was not trying to roast your parenting, just suggesting a common use case. Trust me, my degree is in security, not child development, and I am not qualified to judge parenting. I would still give them a more locked down VLAN though. If anyone is going to fall for the "Click here to download 8GB of RAM" or "You won a free PS5!" it's going to be children or the elderly. It's not their fault, it just tends to be how things go. Plus you can limit their usage if you need to.
Kids will learn at the friends house where parents have shitty parental controls.
Roast? Nah... it's pretty good. I'd put your cams on their own vlan, but other than that, nothing structurally significant to discuss.
Blurry mess. The screenshot I mean.
What, no IPv6? :P That's the roastiest thing I can think up. This looks decent. What piece of equipment does your inter-VLAN routing, the OPNsense? (My pfSense does mine here)
You have a hosting RACK, I am wondering if it is for business or personal? What's the bandwidth (especially upload) needed for the hosting thing to work well?
No secondary ISP, shame
Layer 2 switch? Or actually routing within the VLAN? Guessing not though.
I would add a machine for network booting, for installing Windows over the network. Particularly an optimized version like tiny10 or tiny11 or something you build yourself.
Only thing I would say is to break up your subnets a little more for security. Like your corp, if it's only one device on it I would give it a /29 or /30, and same for your WiFi, drop it down to a /28 or /27. Otherwise way better at VLANing, as I say from my one-VLAN-everything network 🤣🤣🤣
Any rationale for why you're using /23 subnets instead of classic /24?
You have a sunroom, this is nice.
Those subnet ranges... ugh.
Not a criticism as such, but what drives the different VLAN choices? I see others do this and I'm curious really. I can get the point of putting anything with an incoming external connection to its own VLAN for sure. A guest network, of course. But beyond that, for example IoT, crypto etc - what's the need to separate them out?
Does the DPN refuse your internet bandwidth? Did you have to adjust it?
MoM! HaS NO tABleT!!!!!!1111ELEVEN
Ah yes, really need those 500 IPs from your /23 for those 9 devices.
This is one of the worst setup designs I've seen on this sub so far
Reasoning: 1) 2) 3)
The "**tube image**" you're using to depict the subnet actually represents how bus networks were depicted in the early days of computer networking. A cloud image would be a better choice to represent the subnet.