Page 2 of 2, Results 11 to 17 of 17
    #11 Untangler (Join Date: Jan 2020, Location: San Jose, CA, Posts: 89)

    Quote Originally Posted by Armshouse:
    The wider point I was attempting to make is that I find Untangle to be far better at managing that side of things than anything my core switch can do. Obviously, it depends what L3 switch you're using and how many bells and whistles it has, but at my end of the market, Untangle wins hands down.
    If your point is that Untangle is much easier to configure and maintain than some of this enterprise gear, you'll have no argument from me.

    My main point (though in retrospect obfuscated by other arguments) was that trying to use Untangle to parse intra-VLAN traffic (presumably for security or analysis reasons) would be futile. And I'm not sure how useful it is to parse inter-VLAN traffic for that purpose either.

    But on the ease-of-configuration front Untangle wins hands down, it isn't even a serious contest there.

    I haven't personally hammered my home network that hard as to saturate the links, but in some setups what you describe might well be a concern.

    I guess for me it's about keeping things in one place and flexibility. Unless there's some huge gain in performance, I don't really like the idea of managing rules for LAN traffic in one place (the switch), rules for WAN traffic in another (Untangle).
    Yeah, I haven't hammered my network that way either. In my case I got this L3 enterprise-grade switch, not because I really need it (I don't), but because it would be an interesting new thing to learn, while being stuck at home. But for folks getting an L3 capable switch because they need it, performance is obviously a concern.

    Also... What if the time comes that you outgrow that switch and want more ports, move from 1G to 10G, POE etc, move to another switch vendor. Do you really want to rewrite all those ACLs again or rather just setup VLANs, trunks, default route and be done with it?
    Well, I already got a switch with four SFP+ ports, so it's less of a personal concern. But in general I'd say that by the time you advance to serious 10G traffic between VLANs, performance concerns might come into the foreground and the option to use Untangle on an appliance device might no longer be viable. Unless of course a few years down the road even smaller appliance devices will ship routinely with multiple SFP+ ports instead of 1G Ethernet ports.

    Quote Originally Posted by tangofan:
    To my mild embarrassment I must admit though, that I am actually doing exactly that.
    Same here! It works well though, so when I think of the alternative of doing that on the switch, I just feel it would be not as nice of an experience for little (if not less) return - but maybe I've completely misunderstood the point and embarrassed myself!
    I think you got my point very well. I was joking about being "mildly embarrassed" because - as mentioned above - I particularly got this switch to dip my toes into enterprise-grade gear and learn something new, but I've been stalling going further than I have so far, which is the basic setup and enabling tagged VLANs on certain ports of my switch. Well, perhaps I'll try the L3 routing setup on this switch in August (of a yet unnamed year).

    #12 Untangler (Join Date: Jan 2020, Location: San Jose, CA, Posts: 89)

    Quote Originally Posted by azdesert:
    Thanks for the responses all! Yeah - the vault does not do POE - bummer! I've decided to put my Emby server in the IOT-Wired VLAN so it can talk to the Nvidia Shield. So it will exist with my Blue Iris/HomeSeer server.
    Something that worked for me on my Ruckus R610 wireless AP: It has a bonjour server integration, so I'm able to have my Chromecast on the 192.168.11.0/24 subnet being advertised to my tablet on the 192.168.1.0/24 subnet. And with some limited inter-VLAN pass rules in Untangle, I can control the Chromecast as well from my tablet.

    I haven't tried how this works with my Roku server trying to reach Plex across VLANs yet, but perhaps it'll work in a similar fashion. So if your Unifi AP has a similar feature and you'd rather have your Emby server in the main VLAN, it might be worth looking into this.

    For at least a managed switch - I'm thinking of getting the TP-Link TL-SG108PE for these non-trusted/non-vlan1 wired devices.. This isn't the pro grade L3 switches everyone is suggesting - will it suffice? I don't think my wired vlan tagging is going to be heavy demand at all - 90% of wired will be on the trusted vlan1.
    Funny that you mention this, I actually watched a YouTube review of the non-PoE version of that switch (TL-SG108E) yesterday. In the review Tom, the reviewer, mentions that there is some weirdness with him being able to access the management interface from a certain VLAN, but according to the comments this is due to a configuration error on his part, because he assigned an untagged port to his special VLAN, but left the same port as untagged in the main VLAN 1. Not sure why TP-Link would allow having a single port untagged in two different VLANs, but then again I'm just beginning to dip my toes into VLANs.

    BTW please note that only 4 out of the 8 ports on that model support PoE and that they only support 802.3af (15.4W per device). Also I recommend checking what the latest hardware revision of that switch is and then making sure that that's the version you are getting. But perhaps I'm just stating the obvious here.

    I guess I'm going to rely most on my Unifi AP doing the SSID based vlanning for the IOT fleet.
    That's how I am doing it. VLAN 1 assigned to the SSID for my trusted subnet, the guest SSID and the IoT SSID have their own dedicated VLANs. The only issue I ran into was some hiccup with setting up filter rules in Untangle. But if you don't need inter-VLAN routing at all, you can just let NAT do the heavy lifting with NAT being done on the internal interfaces.

    #13 Master Untangler (Join Date: Oct 2013, Posts: 202)

    Just so that we're not confusing terms:

    Inter-VLAN - VLAN-to-VLAN traffic passing through a Layer-3 switch or router
    Intra-VLAN - Traffic that is confined within the VLAN. Typically, traffic within the same subnet or broadcast domain

    Whether to have Untangle do inter-VLAN traffic or not depends on your use case and preference. While it's true that you lose a bit of simplicity if you factor in a Layer-3 switch, the flexibility it affords makes it worthwhile. It's not like you're changing your VLAN configuration every day. It basically comes down to set and forget, either way.

    Later on, if you do need to add more VLANs, you're not tied to Untangle's NIC ports or system limitations. Do note that Untangle does inter-VLAN traffic in software. An L-3 switch does it at "wire speed" in hardware (ASIC chip).

    But it's really up to the OP to decide. I have a rather unusual network setup so to me, an L-3 switch is indispensable. We all live in a compound... 4 families total (parents and siblings).

    Overall setup:



    VLANs:


    I should add that a modular approach also makes troubleshooting easier.
    Last edited by oj88; 07-19-2020 at 07:35 PM.

    #14 Newbie (Join Date: Jul 2020, Location: Fountain Hills, AZ, Posts: 8)

    Wow oj88 that is a sweet setup! Thx for sharing - it does make sense about the futureproof aspect! I'll give it some thought.. Just cautiously experimenting now - I figure anything is better than the years of not locking down anything.

    Since everyone saw my setup in progress... I'm curious what I'm doing wrong for what I expected filter rules to block..

    I decided to 'poke a hole' just for one of my wireless IP cams' RTSP video feed to my IoT-WiFi network.. I tried to open the RTSP stream in VLC from the IoT-WiFi network and it didn't even work - and worse.. I went checking for open or blocked sessions and found out the IP cam was talking to the internet.. I had a rule to block the IP cam's wifi interface to Any WAN.. I'm confused why it got allowed? I expected Rule ID 4 to only allow port 554 between the IP cam and the destination interface and Rule ID 5 to block anything else... I must be missing something

    What would I do different to really make sure the IP cams can only do inter-VLAN but nothing more.

    To explain some of the rules.. "WiFi" interface is my untagged Unifi AP trusted traffic, "Internal" is the wired trusted... WiFi-IoT is proposed as WAN capable but not allowing traffic to the trusted.

    [Attached screenshots: 2020-07-19_213235.png, 2020-07-19_213005.png]

    Thx!

    #15 Untangler (Join Date: Jan 2020, Location: San Jose, CA, Posts: 89)

    Quote Originally Posted by azdesert:
    To explain some of the rules.. "WiFi" interface is my untagged Unifi AP trusted traffic, "Internal" is the wired trusted... WiFi-IoT is proposed as WAN capable but not allowing traffic to the trusted.
    I'm not sure that just posting the rules will help solve the problem without having an updated logical diagram of your network. In the diagram in your first post the IP cameras are in the internal subnet and that appears to have WAN access, since I don't see a filter rule that blocks WAN access for that interface.

    Also: Where do you have NAT activated, on the internal interfaces or on the WAN interface? See this WIKI page on why that matters.
    Last edited by tangofan; 07-19-2020 at 11:10 PM.

    #16 Newbie (Join Date: Jul 2020, Location: Fountain Hills, AZ, Posts: 8)

    Quote Originally Posted by tangofan:
    I'm not sure that just posting the rules will help solve the problem without having an updated logical diagram of your network. In the diagram in your first post the IP cameras are in the internal subnet and that appears to have WAN access, since I don't see a filter rule that blocks WAN access for that interface.

    Also: Where do you have NAT activated, on the internal interfaces or on the WAN interface? See this WIKI page on why that matters.

    Sorry.. I will have to update the diagram as it is already modified and wasn't done real clearly as I take a 3rd look at it. I've added a wifi vlan for a couple of wireless IP cams that I don't want having internet access.

    NAT is only activated on the WAN.. The IP cam in my testing tonight is on the new wifi vlan (WiFi-Cams interface in the screenshot).. I have a rule to block "Any Wan" from WiFi Cams. I'll work on the updated diagram. So since I'm not natting out of VLANs I have the block any non-wan to any non-wan filter rule in place to let me try to control what little traffic can traverse the vlans.

    Not sure how important it is to know the parent interface for my vlans, maybe this breakdown will help:

    eth0-WAN
    eth1-Internal (WAN + eth2) want trusted wired and trusted wifi (eth2 untagged SSID) to be passed)
    eth2-WAP SSID-1 "WiFi" untagged (WAN + eth1 inter-vlan)
    eth2.100 SSID-2 "WiFi-IoT" (main goal - WAN + inter-vlan only with eth3)
    eth2.200 SSID-3 "WiFi-Cams" (main goal - No-WAN, specific ip/port inter-vlan only)
    eth2.300 SSID-4 "WiFi-Guest" (main goal -WAN only)
    eth3-IoT/Media Server/NVR
    Last edited by azdesert; 07-20-2020 at 12:40 AM.

    #17 Untangler (Join Date: Jan 2020, Location: San Jose, CA, Posts: 89)

    Quote Originally Posted by azdesert:
    Sorry.. I will have to update the diagram as it is already modified and wasn't done real clearly as I take a 3rd look at it. I've added a wifi vlan for a couple of wireless IP cams that I don't want having internet access.

    NAT is only activated on the WAN..
    That is good.

    The IP cam in my testing tonight is on the new wifi vlan (WiFi-Cams interface in the screenshot).. I have a rule to block "Any Wan" from WiFi Cams. I'll work on the updated diagram. So since I'm not natting out of VLANs I have the block any non-wan to any non-wan filter rule in place to let me try to control what little traffic can traverse the vlans.
    I've recently had some weird trouble myself when using the interface parameters in filter rules. The only thing that I can think of at this point is to split that block rule #5 into two separate rules, one per source interface, and see if that will block the traffic.
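The rule-ordering question in #14 and the interface breakdown in #16 can be checked before touching the firewall with a small model of top-down, first-match filter evaluation. The block below is an added example, not Untangle's code or its rule format and not posted by any of the thread's participants; it assumes rules are checked in order with the first match deciding and an unmatched packet passing, uses the interface names from #16, and the IP addresses, port numbers and sample flows are constructed values.

```python
"""Constructed model of top-down, first-match filter-rule evaluation.

Added illustration, not Untangle's code or configuration format. Assumes
rules are checked in order, the first match decides, and an unmatched
packet passes. Interface names follow the breakdown in the thread; IP
addresses and sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict

# Interface layout from the thread: eth0 is WAN, everything else is internal.
WAN_IFACES = {"eth0"}
NON_WAN_IFACES = {"eth1", "eth2", "eth2.100", "eth2.200", "eth2.300", "eth3"}
ANY_WAN, ANY_NON_WAN = "any-wan", "any-non-wan"  # interface-group selectors


@dataclass(frozen=True)
class Packet:
    src_iface: str
    dst_iface: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                       # "pass" or "block"
    src_iface: Optional[str] = None   # interface name, ANY_WAN, ANY_NON_WAN or None (= any)
    dst_iface: Optional[str] = None
    src_ip: Optional[str] = None      # None = any address
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None    # None = any port


def iface_matches(selector: Optional[str], iface: str) -> bool:
    """Resolve a rule's interface selector against a concrete interface."""
    if selector is None:
        return True
    if selector == ANY_WAN:
        return iface in WAN_IFACES
    if selector == ANY_NON_WAN:
        return iface in NON_WAN_IFACES
    return selector == iface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_matches(rule.src_iface, pkt.src_iface)
            and iface_matches(rule.dst_iface, pkt.dst_iface)
            and rule.src_ip in (None, pkt.src_ip)
            and rule.dst_ip in (None, pkt.dst_ip)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, rule id) of the first matching rule; no match passes."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.rid
    return "pass", None


# Constructed sample addresses (not taken from the thread).
CAM_IP, NVR_IP = "192.168.200.10", "192.168.3.20"

# One ordering that implements the goals stated in the thread: the specific
# pass rules sit above the catch-all block so they are reached first.
RULES = [
    Rule(1, "pass", "eth2.200", "eth3", CAM_IP, NVR_IP, 554),  # cam -> NVR, RTSP only
    Rule(2, "block", "eth2.200", ANY_WAN),                      # cams get no internet
    Rule(3, "pass", "eth2.100", "eth3"),                        # IoT WiFi -> media/NVR segment
    Rule(4, "pass", "eth1", "eth2"),                            # trusted wired <-> trusted WiFi
    Rule(5, "pass", "eth2", "eth1"),
    Rule(6, "block", ANY_NON_WAN, ANY_NON_WAN),                 # everything else stays in its VLAN
]

# Misordered variant: the catch-all block shadows the RTSP pass rule.
MISORDERED = [RULES[5], RULES[1], RULES[0]]


def policy_report(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict for each constructed sample flow, keyed by a short label."""
    samples = {
        "cam->nvr:554": Packet("eth2.200", "eth3", CAM_IP, NVR_IP, 554),
        "cam->nvr:80": Packet("eth2.200", "eth3", CAM_IP, NVR_IP, 80),
        "cam->wan:443": Packet("eth2.200", "eth0", CAM_IP, "203.0.113.5", 443),
        "iot->nvr:8096": Packet("eth2.100", "eth3", "192.168.100.7", NVR_IP, 8096),
        "iot->trusted:22": Packet("eth2.100", "eth1", "192.168.100.7", "192.168.1.10", 22),
        "guest->wan:443": Packet("eth2.300", "eth0", "192.168.30.4", "203.0.113.5", 443),
        "guest->trusted:445": Packet("eth2.300", "eth1", "192.168.30.4", "192.168.1.10", 445),
        "wired->wifi:22": Packet("eth1", "eth2", "192.168.1.10", "192.168.2.5", 22),
    }
    return {label: evaluate(rules, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (verdict, rid) in policy_report(RULES).items():
        print(f"{label:20s} {verdict:5s} (rule {rid})")
    print("misordered cam->nvr:554:", policy_report(MISORDERED)["cam->nvr:554"])
```

Running the script lists the verdict and deciding rule for each sample flow under the working ordering, then shows that in the misordered list the catch-all block (rule 6) is hit before the RTSP pass rule, which is one way the symptom in #14 (RTSP not working) can arise. The model also makes the "WAN only" guest case explicit: guest traffic to the internet matches no rule and passes by default, while rule 6 keeps it out of the trusted interfaces.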

