T2600G-28TS: How to setup DMZ with VLAN and ACL
Hello all,
and sorry for this obviously rookie question. I have searched Google to and fro, but did not come up with a solution so far. I have a T2600G smart switch and a FritzBox 9470 for Internet access.
I need
- a VLAN10 as Untrusted/DMZ extending the IP address range of the Fritz, say 192.168.2.0/255.255.255.0, for a subset of the ports including the Fritz trunk. All traffic from Fritz/Internet including WLAN is considered external/untrusted, guest at best. (VLAN is defined, works well)
- a VLAN20 as trusted VLAN, different IP address range (say 192.168.20.0/255.255.255.0) for a different subset of the ports but including the trunk port of the Fritz, static route from Fritz pointing back to the defined VLAN interface (DHCP pool 192.168.20.0 provided by T2600, router-on-a-stick, defined, works well)
Result: both VLANs can access the internet, clients can talk to each other. Unfortunately, due to the route/VLAN interface, between the VLANs in question too.
I would like to filter (ACL) the VLANs so that
- VLAN10 can talk to the internet and traffic stays within its VLAN (DMZ)
- VLAN20 can talk to the internet and between its clients as well, and additionally access resources in VLAN10 (e.g. printer, open NAS, mail server) if the connection originates in VLAN20
- access originating from the internet or VLAN10 should be dropped by VLAN20
so that VLAN20 can use/see the contents of VLAN10, but only "replies" are allowed. VLAN10 shall not talk to VLAN20 uninvited.
I found some notions of "dynamic ACL" with Cisco products, but cannot imagine how to transfer this idea to the TP-Link. Any other idea?
Thanks for your patience
-Michael
One possible solution to have an untrusted and a trusted network is to use kind of a DMZ-like topology:
Router 1 is the FritzBOX, router 2 another router for the LAN. NATing on router 2 will allow trusted-to-untrusted access out of the box; port forwarding could be used to share a network printer in the LAN with DMZ clients. This way you have an isolated DMZ and a trusted zone LAN with minimal effort. Double-NAT is no issue if you don't do gaming.
Since the FB with native firmware doesn't support VLANs – »it's a too sophisticated technique« I was once told by AVM :-) – I see no other way than to use two cables between the FB and a managed switch for an isolated LAN and an isolated guest network. You could then use VIFs for the VLANs and ACLs to block traffic from the untrusted zone to the trusted zone. Just allow access to the network printer from the untrusted VLAN to the trusted one and then block all other traffic. As for the reverse direction from trusted to untrusted network you would need ACLs with IPs and destination ports only, while for replies you would use ACLs with IPs and the source ports (this is why I prefer a stateful firewall – much easier to set up and even more flexible).
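The difference the reply above draws between port-matched switch ACLs and a stateful firewall, as an added Python model that is not from the thread or from TP-Link's switch: the stateless rule pair passes any VLAN10 packet whose source port happens to equal the printer port, while connection tracking admits only genuine replies to connections VLAN20 opened. The subnets are the ones from the thread; the printer port 9100, the host addresses and the sample packets are assumed and constructed.

```python
import ipaddress
from dataclasses import dataclass
# Subnets from the thread: VLAN20 is trusted, VLAN10 is the untrusted/DMZ side.
TRUSTED = ipaddress.ip_network("192.168.20.0/24")
UNTRUSTED = ipaddress.ip_network("192.168.2.0/24")
PRINTER_PORT = 9100  # assumed raw-print port of the shared printer

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def _in(net, ip):
    return ipaddress.ip_address(ip) in net

def stateless_acl(p):
    # Switch-style ACL pair from the post: trusted->untrusted matched on the
    # destination port, "replies" untrusted->trusted matched on the source port.
    if _in(TRUSTED, p.src) and _in(UNTRUSTED, p.dst) and p.dport == PRINTER_PORT:
        return True
    if _in(UNTRUSTED, p.src) and _in(TRUSTED, p.dst) and p.sport == PRINTER_PORT:
        return True  # a stateless match cannot tell a reply from new traffic
    return False

class StatefulFilter:
    # Minimal connection tracking: an untrusted->trusted packet passes only if
    # the trusted side opened that exact 4-tuple first.
    def __init__(self):
        self.established = set()

    def check(self, p):
        if _in(TRUSTED, p.src) and _in(UNTRUSTED, p.dst) and p.dport == PRINTER_PORT:
            self.established.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.established

# Constructed sample flow: a print job, its reply, then unsolicited DMZ traffic.
SAMPLE = [
    Pkt("192.168.20.10", 40000, "192.168.2.50", 9100),  # VLAN20 opens to printer
    Pkt("192.168.2.50", 9100, "192.168.20.10", 40000),  # printer's genuine reply
    Pkt("192.168.2.77", 9100, "192.168.20.10", 445),    # DMZ host, not a reply
    Pkt("192.168.2.77", 5555, "192.168.20.10", 445),    # DMZ host, plain attempt
]

def run_demo(packets=SAMPLE):
    # Returns (stateless_verdict, stateful_verdict) per packet, in order.
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.check(p)) for p in packets]
```

The third packet is the one that matters: both filters pass the print job and its reply, but only the stateful filter drops the unsolicited packet from the DMZ that merely carries the printer's port as its source.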
Why don't you just remove the route between DMZ and other networks?
If you have a route in the router, block it there; if you defined VIFs in the switch, remove the VIFs. Normally, neither the router nor the switch has Inter-VLAN routing enabled for different networks, so Inter-VLAN routing has to be explicitly allowed in the router or in the switch.
Also be aware that a real DMZ is firewalled from the rest of the network by two firewalls – one between the WAN and the DMZ and one between the DMZ and the rest of the network. You would not physically connect the DMZ to any of the devices managing the remaining network such as switches. Reason for this is that if a hacker gains access to a system inside the DMZ (e.g. a server connected to a switch), he could use it to further explore the LAN network by trying to hack the switch. Other devices in the LAN should be only connected to the second firewall which isolates the DMZ from the WAN. This can be another router, too.
@R1D2 Thank you for your thoughts.
I am aware that my intended solution is a poor man's DMZ just to keep kids and guests from accessing my internal resources. This would not stop a real hacking attempt.
My goal, however, is to provide some resources used in both VLANs, most notably the network printer. I thought to handle my kids as untrusted with their PCs, put them into the DMZ along with the printer, but access these from the trusted VLAN in order to do some remote management of the kids' PCs.
So, from the trusted network, I would like to use the DMZ resources. If I remove the routes (either static or the VIFs), I cannot do so as far as I understood.
@Mike63 ok, so I think you don't actually want a DMZ, but a guest network. Maybe my »HowTo set up a guest network« recipe (method 2) can show you a way of setting up an isolated network using VLANs. You can see the principle there, it's not only related to wireless APs/EAPs, but shows how to set up isolated VLANs for wired devices, too. Maybe this helps.
You could implement this using ACLs in the switch, too, but it will be much harder to maintain over time, e.g. when devices are being replaced, MAC addresses/IP changes etc. I prefer to use routers for isolation/routing/sharing resources.
@R1D2 I will take a look later on. Currently, I am not in the vicinity of the switch.
Thank you so far - will report results.
-Michael
@Mike63 I did a quick check of your howto. I did try some of these concepts before, and they unfortunately did not work out as intended.
The fritz (or Horst 😉) is not VLAN-aware, so I would have to resort either to using the guest LAN of the fritz with two cables/ports, which is not configurable enough (routing between normal and guest LAN will fail, as the fritz hijacks all return packets), does not provide a pass-through to the other network in any direction and would restrict anything to 2 VLANs. I was hoping to extend the concept later on to, let's say, a home office environment or some dedicated NAS-based cloud storage of my own, again in additional VLANs.
The usage of additional routers seems to be the only solution so far. However, I fail to see how I could initiate a communication from trusted to untrusted, but not allow initiating from untrusted to trusted. The net result seems to be isolated VLANs, or did I miss something here?
My hope was that the L3 routing of the T2600 would render the physical router unnecessary for controlled inter-VLAN communication.
I could move the shared resources to a third, shared VLAN, but then I would lose management ability towards my kids' PCs. If the shared resources can reach the internet out of their VLAN, all would be open for each other VLAN to see again. So, no private cloud there...
Heck... it seems that my simple wishes are really complicated 😌
-Michael
@R1D2 Yes, thank you.
I did try the 2-Cable-Solution, but I wanted to avoid the fully isolated guest config.
Regarding the second router, I thought that a VLAN with L2+ routing could work as a virtual stand-in. It seems for that to work I would need a VLAN-aware router in the first place.
So, I will try to stage my older Horst 9370 as second router and see my mileage. Gaming might be an issue, though. Kids and their Dad do this sometimes 😎. Are there special requirements to activate NAT on the second router? If so, I would rather invest in some older discounted pfsense firewall or mikrotik router. Unfortunately, as the fritz is also the telephone hub, I cannot easily replace it.
You were very helpful. Thanks for your patience.
All the best wishes
Michael
@R1D2 Oh, I guess adding a second VLAN in the trusted environment for e.g. the isolated home office workplace would then work out-of-the-box.
-Michael
Mike63 wrote
I did try the 2-Cable-Solution, but I wanted to avoid the fully isolated guest config.
Regarding the second router, I thought that a VLAN with L2+ routing could work as a virtual stand-in. It seems for that to work I would need a VLAN-aware router in the first place.
Not necessarily, but it can make setups somewhat harder if you only have ACLs. A stateful firewall also allows blocking/accepting as with ACLs, but it allows many more functions not necessarily found in managed switches.
For example, in my network I use VLANs for isolation and for separation of broadcast domains. I do use switch ACLs on my T1600G to grant a single management laptop access to the management VLAN and to permit access from wireless EAPs in the guest VLAN (not a DMZ) to an EAP controller running in the management VLAN, both without sending the traffic through the router. ACLs and Inter-VLAN routing in the switch is a very nice feature, but an L2+ switch is not meant to replace a router, it rather takes some load away from the router in big networks.
Now, I would like to set up a routed port on the switch to the router so that I can restrict traffic between my local VLAN-splitted networks and the router to Internet traffic only. That's a scenario where switch ACLs have to be used anyway, since for such a setup access control can't be done on the router.
My switch is a T1600G-28TS HW V1, it has VLANs, VIFs and routing features. But it has no DHCP server. This means I can not use routed ports for this use case, so I need to still use a VLAN trunk for passing all other LAN traffic to the router, just b/c of DHCP. You see, I'm in a similar situation like you are.
OTOH I could use an external DHCP server, but hey, costs for mains power will increase again next year. That could be a reason for me to upgrade to a switch with L2+ services when I become rich :-), probably a T2600G, but maybe preferably a T1700G-28TQ. They both have real cool features for a very good price nowadays.
But for now I use what I have and I'm really happy with that. 30 years ago such switches did cost around 10k to 15k.
So, I will try to stage my older Horst 9370 as second router and see my mileage. Gaming might be an issue, though. Kids and their Dad do this sometimes 😎.
Double NAT might cause problems only for multi-user games connecting to a game server outside your network, which need a smooth and fast connection to the server (see this FAQ as an example). Double-NAT increases latency somewhat. But it causes no problems at all for games inside the local network. Also, double NAT affects port forwarding (you need two forwardings, one for each router) or UPnP (which I always turn off anyway).
Are there special requirements to activate NAT on the second router?
NAT in the topology shown above was meant only as a protection of the LAN against accesses from within the DMZ if a server would become exploited by Hugo Hacker.
The alternative if you don't use a DMZ at all would be to turn off NAT in the second router and use a simple static network route on the horstBOX to pass traffic from the Internet to the LAN over the second router.
Most SOHO routers which have a port labeled »WAN« or »Internet« always do NAT out of the box. Multi-purpose routers allow enabling/disabling NAT. There are even multiple NAT functions to choose from (DNAT, SNAT, MASQUERADE). See the iptables / netfilter documentation for examples of how NATing is done on Linux-based routers.
In case of horstBOX SNAT is always activated, but can't be turned off, thus making the horstBOX a vollhorstBOX. :-)
I need to use this router for telephony too, but I use it also as the cable modem for my main router running under a second public IP. Thus, my main router runs in parallel to the horstBOX, whose LAN is unused except for access to the horstBOX's web UI.
If so, I would rather invest in some older discounted pfsense firewall or mikrotik router.
pfSense is based on FreeBSD Unix, which has excellent stability. FreeBSD is often used for critical services running on Internet servers and it is also the base system in Apple's macOS. MikroTik runs the proprietary RouterOS; I have no experience with this. I did choose the EdgeRouter-X, which is based on Debian Linux and runs Vyatta. Vyatta is somewhat more difficult to configure in my opinion, but the ER-X uses a MIPS CPU and thus has stunning I/O performance (≥ 930 Mbps NAT throughput with hardware off-loading turned on). MIPS CPUs were originally designed for SGI supercomputers and some CPU types have been scaled down for use in embedded systems; that's why they are so fast compared to ARM CPUs, which come from the other, power-saving side and have been scaled up for speed. I'm definitely biased here, since I worked with SGI MIPS systems for most of my life and still use them today.
Last but not least there is OpenWRT, which runs on 1,500+ embedded platforms such as WLAN routers including the TP-Link WDR and Archer series. OpenWRT is a full-fledged Linux, but stripped down for embedded systems. It is very versatile as well as very user-friendly at the same time. I use OpenWRT on another router in my network, too.
Mike63 wrote
Oh, I guess adding a second VLAN in the trusted environment for e.g. the isolated home office workplace would then work out-of-the-box.
All routers/OSes mentioned above let you freely create any network you want including VLANs, yes.
@R1D2 Hello and good morning.
From your Vollhorst reference I assume that you are at least German-speaking 🤪
Thank you for the additional clarifications. As for the second router, I stumbled across the relatively cheap EdgeRouter on a large retailer site but was unsure whether this would be an appropriate tool. I think I'll follow your implicit advice and order one.
If I may be so bold as to expand on my initial question, here is my final wanted configuration and my thoughts so far:
- I use the fritz at the ISP as DMZ1 as proposed (network 192.168.2.0/24) and as untrusted WLAN access for guests too
- I activate the guest LAN on port 4 (no WLAN) to provide a DMZ2 which I will connect with the double-cable solution to the T2600 into a dedicated VLAN with just one port, no interface, to provide a NAS to the web totally isolated from all other internal networks (only the management VLAN should have emergency access)
- with the proposed EdgeRouter I connect into a regular LAN outlet of the fritz (one of the 192.168.2.x addresses) and provide a VLAN-aware switch toward the T2600 on the other side
- currently, only 1 VLAN will be configured, own DHCP, different IP address range than fritz/DMZ, to be the trusted environment of my internal resources
- possibly, a second totally isolated VLAN with the home office environment might be opened later on
The T2600 must then physically be connected to
- fritz-guest (fritz port plus one port for NAS, DMZ2 VLAN isolated and management access)
- Edge-Router as a kind of proxy router to generally reach the internet and DMZ (trunk) with tagged ports for each additional VLAN excluding DMZ2 (directly connected to fritz, see above)
The Edge-Router
- must be connected to the fritz (regular LAN outlet) in order to forward all traffic to DMZ1 and the internet
The main assumption would be that the Edge-Router is VLAN-aware.
Is this correct so far?