Setting up VPN/VLAN and Dual NIC

[duplo]

Looks good and easy, i like the way because its a mix out of vlan and physical seperation.
So you dont need to deal with firewall rules and it should be less problems with bandwidth limitations.

you should only use one 10G connection to the first switch and use it as trunk. dont see any reason using two physical connections to the router??


Because its omada you need at least one firewall rule

omada allows inter vlan traffic by default. you need to block this,
otherwise devices can communicate. also you could get crazy loops which can pull your whole network down, caused by the windows pc which can do both.

and the block cctv network from internet rule

 

[Sonnie]

Looks good and easy, i like the way because its a mix out of vlan and physical seperation.
So you dont need to deal with firewall rules and it should be less problems with bandwidth limitations.

you should only use one 10G connection to the first switch and use it as trunk.


Because its omada you need at least one firewall rule

omada allows inter vlan traffic by default. you need to block this,
otherwise devices can communicate. also you could get crazy loops which can pull your whole network down, caused by the windows pc which can do both.

What would I gain with the Trunk and how would I set it? I don't see any settings for this in the controller (router or switch).

How would I go about blocking inter vlan traffic? That would have to be a firewall rule, would it not?

 

[duplo]

i always use trunk ports when connecting to firewall, never did it like that. you can also add some fallback connections.


Hmm. Aha i see what MTL4 did,
Vlan 10 has no connection to the firewall, so internet and firewall rules are not possible for that specific vlan.

So there is no double connection over the firewall and physical.

so i deleted my old comment.
dhcp and all other functions the firewall do will not work on this vlan. ao everything have to be static.

 

[MTL4]

What would I gain with the Trunk and how would I set it? I don't see any settings for this in the controller (router or switch).

How would I go about blocking inter vlan traffic? That would have to be a firewall rule, would it not?

The trunk is just the connection between your switches/router where all the VLANs are carried. Sometimes they have a trunk you can tag on the VLAN table but just setting the VLANs correctly will have the same effect as selecting it as a trunk port (it just sets the VLAN tags on that port for you). Inter VLAN traffic is set on the VLAN table by tagging the ports correctly for the corresponding VLANs you want to handle or exclude from the port.

 

[MTL4]

you should only use one 10G connection to the first switch and use it as trunk. dont see any reason using two physical connections to the router??

The reason for using a separate connection on VLAN 1 vs VLAN 20 is that it creates a physical separation in the router for each VLAN. The lower bandwidth (10G vs 1G) on VLAN 20 isn’t an issue in this situation. If he never added anything more than the gate controller he could just connect the office switch directly to the router but I have a feeling the project may get additions so the way it’s drawn up it will allow more MyQ devices back at the house as well if the need arises later.

 

[MTL4]

Here’s a great video on understanding how VLANs work and how to set them up.

 

[duplo]

Inter VLAN traffic is set on the VLAN table by tagging the ports correctly for the corresponding VLANs you want to handle or exclude from the port.

Hmm ?? Dont understand.

Normally the device will ask the gateway if he knows where the other device is.
He knows and will forward the traffic.
Inter vlan communication is enabled by default on tplink omada devices
the traffic will go through the firewall/router (layer2 switch)

so in your example vlan 20 can communicate with vlan 1 and vice versa


if there would be firewall connection to vlan 10, communication would be possible.
you see it here after minute 12

you need acl rules to block this.

Here’s a great video on understanding how VLANs work and how to set them up.

i would suggest using a video for omada series.
it works bit different than normal , caused by the controller

 

[Sonnie]

The second 10G connection is to my switch in the AV/Theater room... it should be on VLAN 1 (Home Network).

 

[duplo]

P.S.
if its wired like MTL4 posted,
i would suggest not create any vlan 10 in the firewall/router
it may cause some problems.

in the example vlan10 is only handled by the office/outdoor switch.
for the firewall it does not exist.

 

[MTL4]

Hmm ?? Dont understand.

Normally the device will ask the gateway if he knows where the other device is.
He knows and will forward the traffic.
Inter vlan communication is enabled by default on tplink omada devices
the traffic will go through the firewall/router (layer2 switch)

A managed switch simply looks at the tags on the data as they come and go from the switch and the VLAN port tagging provide the rules it follows in use. The only time the gateway is involved is when it’s handing out an IP for a device or if you’re assigning certain VLANs to certain ports on the router.

This stuff is universal but if you want it on a TPlink setup then here it is (this is why I try to stay away from this stuff on residential installations, you really need to understand what’s going on to make it all work right)

 

[MTL4]

P.S.
if its wired like MTL4 posted,
i would suggest not create any vlan 10 in the firewall/router
it may cause some problems.

in the example vlan10 is only handled by the office/outdoor switch.
for the firewall it does not exist.

Yes exactly and the reason for that is because the IPs are handled by the BI PC’s NIC card and not the router. The router has no idea that other network even exists and for good reason (you don’t want that camera network to ever even get back to the gateway).

 

[tech_junkie]

Where Dahua and Hikvision Are Banned

See dozens of government entities and organizations who have banned or barred Dahua and Hikvision.

ipvm.com

Not sure what more you’re looking for? They are banning them for a reason (ie they are a security risk if you don’t set your network up right).

I absolutely agree any networking equipment at the pole should be physically secured but worst case I wouldn’t want anyone having remote access to my home network for any reason (hence a VLAN would prevent this). They could access the internet but that’s it.

All these remote connect systems (software port forwarding) from cameras, no-ip forwarding to VPNs that are using a web entry point have in their software or hardware programmed initiate a persistent connection to the web endpoint and none of them are truly hacker proof. That is why hosting the machine on an ip ( hardware port forwarding) or what you guys shortened to the vague term "port forwarding" would be the most secure providing that the DVR's authentication method is secure and utilizing a public CA SSL/TLS certificate. Because the second you go there to log in your communications are instantly encrypted so when you log in the credentials are encrypted. I would provision it out so its on a different IP and you can lease ip addesses from most ISP to make this happen.

Well I will tell you my side of things with governments coming from a server farm/isp/internet registrar point of view. If they have a warrant or have passed a law to allow them to snoop on anyone, the server farm in that country have to allow them access. As well as any ICANN directives if claims were filed in parallel. China , The British Empire, and The United States passed laws allowing them to snoop on people. So if clients host any cloud connect app from DVR viewing software to VPN connects, they can access it. So it really makes me think that these phone app hosted remote connects while added convenience, added a way for others to intrude and created a bigger attack surface for hackers to exploit. This is without saying to include those bad actors in cybersecurity that get contracted by governments playing all sides of the fence for profit.

I'm not going to go in detail on how a hacker would gain access if they had physical access to the switch. But it is possible. Also the switch/node count is maxed out so even with a VLAN the network clock is going to be intermittent at the device at the gate and consequently, its internet access will be intermittent. Which is the common symptom of too many switches in series. That is why I offered two options that have establish a new network clock.

 

[tech_junkie]

This is the preferred method of hardware port forwarding:

From the ONT, in this case Cspire 10G, you inset an unmanaged switch then the existing router's wan port connects to this switch and for every outside ip address you add a new router and its WAN port to this switch. Its not going to slow down anything as unmanaged switches have more non-blocking bandwidth than a single connection it provides. 90% of the ISPs allow leasing of ip addresses on their system.

 

[duplo]

I'm not going to go in detail on how a hacker would gain access if they had physical access to the switch. But it is possible. Also the switch/node count is maxed out so even with a VLAN the network clock is going to be intermittent at the device at the gate and consequently, its internet access will be intermittent. Which is the common symptom of too many switches in series. That is why I offered two options that have establish a new network clock.

If you are the hardcore tech guy you pretend to be, you should know everything about network diameter, spanning tree etc. Then you should know how many switches you could daisy chain easy. Also you should know that daisy chaining more will work, because there is no hardcoded limit.

Maybe start reading
Cisco LAN Switching by Kennedy Clark and Kevin Hamilton

It may help you.

Ive already seen the other posts about vpn, hosting servers etc in the other thread. lol

 

[tech_junkie]

If you are the hardcore tech guy you pretend to be, you should know everything about network diameter, spanning tree etc. Then you should know how many switches you could daisy chain easy. Also you should know that daisy chaining more will work, because there is no hardcoded limit.

Ive already seen the other posts about vpn, hosting servers etc in the other thread. lol

Actually there is a switch limit on a network segment. Its how you get around that is the real question. 3 is the hardware node limit and 7 hops on a logical spanning tree.

 

[MTL4]

Actually there is a switch limit on a network segment. Its how you get around that is the real question. 3 is the hardware node limit and 7 hops on a logical spanning tree.

Ok now I understand why you kept mentioning that. That limit is on legacy STP stuff, the limits on modern RSTP using VLANs is way higher (ie in this situation it’s literally irrelevant). The only thing you need to be careful of is creating too many redundant loops and also limiting devices to their VLAN (esp if the device likes to blast the network with communication requests).

 

[duplo]

Actually there is a switch limit on a network segment. Its how you get around that is the real question. 3 is the hardware node limit and 7 hops on a logical spanning tree.

Maybe i am blind, i dont see more than 3 switches daisy chaned in the MTL4 diagram

even if

You can rewire some parts

You can add some L3 switches

or use RSTP like @MTL4 already mentioned. Should have network diameter of 30 or 40.

 

[tech_junkie]

Maybe i am blind, i dont see more than 3 switches daisy chaned in the MTL4 diagram

I'm not familiar with the fiber media converter they are using, but if it has an arp/mac table its going to take up a switch/node count.

 

[MTL4]

I'm not familiar with the fiber media converter they are using, but if it has an arp/mac table its going to take up a switch/node count.

I think alot of this network limitation stuff is getting thrown around without really understanding how it applies. Again the big issue here isn’t using STP (or RSTP or MSTP) even with tons of daisy chained switches, the problem is looping or multiple paths to the same place. If you eliminate this then you won’t have this issue at all. Unlike a corporate or institutional situation we don’t need crazy redundancy in a home network so we can aim to minimize hops and eliminate loops so that everything plays nicely really without the use of STP at all. So if it works without STP it certainly won’t have an issue with running it.

This video lays out the issues pretty well.

 

[tech_junkie]

I think alot of this network limitation stuff is getting thrown around without really understanding how it applies. Again the big issue here isn’t using STP (or RSTP or MSTP) even with tons of daisy chained switches, the problem is looping or multiple paths to the same place.

Its not really a loop because the camera network is a separate static network. Its not like the BI machine has its interfaces bridged.
The two common ways is using a bridging router or use managed switches at both ends with the ports divided into two vlans and a cable patched across. Either way Mac filtering should be used, but of course if someone physically gets a hold of the switch at the gate they can figure out how to clone the mac address of the myQ and gain access. That is why securing the switch at the gate is more important than mac filtering.

I also want to point out since the camera on the camera network is statically address, so its not going to know the gateway address and if it did, it couldn't communicate because its on a 256 ip address subnet.