I want to add a VLAN network for guest/public user traffic 'over the top' of the existing infrastructure at a local installation. All the switches are un-managed 'dumb' switches so are not VLAN aware. There are 8 APs all running OpenWRT and an OpenWRT router.
The 'private' network will be the untagged network as there are devices connected to this that are not VLAN aware (CCTV). I plan to create a DHCP server enabled soft-VLAN network interface (eth1.100) on the Router and the equivalent bridge (eth1.100 <-> wlan_public) on the Access Points to tag any public WiFi traffic to this VLAN network. The router would not forward traffic between the Public and Private network.
A few questions around the security of this.
Does OpenWRT strictly adhere to VLAN tags? So I know if a packet tagged for vlan100 (public network) is received on an interface eth1.100 it will forward it to its destination interface. But if a packet tagged for vlan100 is received on eth1 (the untagged interface - private network) will it be forwarded or dropped?
Do the dumb switches represent any security concerns? If a client on the public network sends a packet to the Access Point on the Public wlan but with an IP destination on the Private network, the AP will tag this packet with vlan100 and send it upstream to the switch (as it's just bridged, no routing). If the destination node were attached to this switch presumably the dumb switch would ignore the VLAN ID and forward the packet directly to the destination node? The response packet would presumably then get sent untagged, so the AP would forward it to the wrong wireless network?
Unmanaged switches are not designed to carry VLANs. The behavior is undefined and thus may have unexpected results. If you want to use VLANs, you must use a managed switch.
Totally not related to OpenWRT, as much as ethernet is concerned 4095 vlans and main lan are isolated from each other. I.e. vlan ethertype is not parseable as ip ethertype and vice versa
For dumb switch - you have to test if >1500 octet "mini-jumbo" frames are forwarded undamaged.
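To make the two points in that reply concrete (a tagged frame carries EtherType 0x8100 where a VLAN-unaware parser expects 0x0800, and a full-size tagged frame is 1522 octets on the wire, four more than the classic 1518 limit a dumb switch may enforce), here is a small 802.1Q framing model. It is an added example, not code from this thread or from OpenWrt; the MAC addresses and the all-zero payload are constructed.

```python
"""
Minimal 802.1Q framing model: build tagged/untagged Ethernet frames, parse
them, and check whether a full-size tagged frame exceeds the classic
1518-octet limit (so the switch would have to pass "mini-jumbo" frames).
Added example; not from the forum thread or the OpenWrt project.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
ETH_HDR, VLAN_TAG, FCS = 14, 4, 4
MAX_PAYLOAD = 1500                                    # Ethernet MTU
LEGACY_MAX_FRAME = ETH_HDR + MAX_PAYLOAD + FCS        # 1518 octets
TAGGED_MAX_FRAME = LEGACY_MAX_FRAME + VLAN_TAG        # 1522 octets ("baby giant")


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Return an Ethernet frame without FCS; insert an 802.1Q tag when vid is given."""
    if vid is not None and not 0 <= vid <= 4095:
        raise ValueError("VID must be 0..4095")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the Ethernet MTU")
    frame = mac(dst) + mac(src)
    if vid is not None:
        tci = (pcp << 13) | vid                       # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), the inner EtherType and the payload."""
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    offset, vid = ETH_HDR, None
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, ETH_HDR + VLAN_TAG
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype, "payload": frame[offset:]}


def outer_ethertype(frame):
    """What a VLAN-unaware parser sees at offset 12: 0x8100 for a tagged frame, never 0x0800."""
    return struct.unpack("!H", frame[12:14])[0]


def wire_length(frame):
    """Octets on the wire, FCS included."""
    return len(frame) + FCS


def exceeds_legacy_max(frame):
    """True when the frame needs more than 1518 octets, i.e. the switch must pass mini-jumbo frames."""
    return wire_length(frame) > LEGACY_MAX_FRAME


if __name__ == "__main__":
    ip_payload = bytes(MAX_PAYLOAD)                   # constructed stand-in for a full-size IPv4 packet
    plain = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, ip_payload)
    guest = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, ip_payload, vid=100)
    for name, f in (("untagged", plain), ("vlan100", guest)):
        p = parse_frame(f)
        print(f"{name}: outer ethertype 0x{outer_ethertype(f):04x}, vid={p['vid']}, "
              f"wire length {wire_length(f)}, needs mini-jumbo={exceeds_legacy_max(f)}")
```

The model deliberately stops at the frame format: whether a given unmanaged switch actually forwards a 1522-octet frame intact is exactly the thing the reply says has to be tested on the real hardware.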
Yes, using VLANs and a managed switch. Or... if the wiring allows it, you can directly connect your APs to your router so that there is no switch between. If that's possible, you can still presumably have your unmanaged switches in place and carrying only the single network for which they were designed.
Thanks. This is for a local charity, there is no money to replace the switches and I donated all the APs! The APs cannot all be connected to the router due to the wiring of the building (and the number of ports on the router).
Could the traffic be tunneled from the AP wlan to the correct Router interface over a common network?
You could look at GRE-TAP as a method, although that is considerably more complicated.
Managed switches can be relatively inexpensive, although the most basic entry level ones do have some implementation flaws that can make them vulnerable in an environment that isn't 100% trusted.
Depending on the physical topology of the network and wiring, you might actually be able to get a small managed switch specifically for the APs and VLANs. So, for example, let's say the network is currently using a 48 port switch, but you only have 4 APs and they all terminate in the same location -- you could connect them to a 5 or 8 port managed switch that connects to the router and the APs. This can keep the costs down (not zero, but still pretty low -- in the sub $50 USD range).
I appreciate the willingness to find a solution! The issue is that the 'building' is actually 3 separate old buildings, with single ethernet cables run between them and a switch in each building. The dumb switches were also donated and provide the PoE for the APs. Replacing all three switches with PoE Managed switches is beyond what they can pay for, unless we can find another donor.
The reason for wanting the separation is they've just installed IP cams in the buildings (also PoE powered) but don't want the guest wifi users to be able to access the IP cams.
There are some ways this could still be done inexpensively with creative use of small switches that can be pretty inexpensive...
If there's literally zero (or close enough to call it zero) funding for it, I'd recommend that you simply stick with the flat network. With unmanaged switches, there is the potential that pushing VLANs through them can actually break the network. But there are other considerations including the inability to control port-VLAN memberships and to tag/untag as needed on a per-port basis. All of this means that you could end up with both security and functionality issues on your network, and it's just not worth the risk.
That said, if you'd like to draw up a topology diagram with enough detail to understand the layout of the buildings -- how many switches and ports exist now, how many of them are PoE, how many ports would use different VLANs, etc... we might be able to come up with a list of equipment to minimize cost.
Given that you are thinking in a step-wise manner, you can start to draw up plans for a phased approach to improving the network. For example, if you think through the evolution, you can say "hey, when we have $x to spend on the network or when someone can donate xyz... let's allocate it to upgrade this part of the network", and so on.
Depending on the cameras you can probably use TLS? Some also have encrypted video options. Would mean your DVR would need to be able to handle encrypted video? Or using something like mediamtx as a bridge haha.
I would go for vxlan, another point to point tunnelling (Or tailscale or other VPN mesh, if you don't mind the performance hit) technology depending on whether the unmanaged switches can handle >1500 mtu. Or if you have access to the entire environment, get everything else on a < 1500 mtu.
If you just want a dumb "user can't access the internet when they plug in a network cable" (which is also likely if you went the managed switch, no PVID and no untagged port access) there are options like having the entire network layer 2 only with no IP. For example my security cameras can do PPPoE.
If budget approximates zero and the cost of time (like a volunteer organisation =P) is free then I guess there are options like above.
IMO used managed switches are cheap so I would go for that. I've been burnt on absolutely ancient switches which had a broken STP implementation. Another issue becomes having to become proficient in all the different vendors. Which then becomes an issue if you want to train someone else. i.e. an incredibly mixed environment. I'm backtracking and working on putting OpenWRT capable switches everywhere. With Cisco as the alternate just so I can get back to two vendors...
I was pondering VXLAN, at minimum I could encapsulate the guest network traffic in a VXLAN tunnel back to the router, this would stop a 'curious' user on the guest WiFi being able to probe the IP cams and AP interfaces.
Does every VXLAN link have to be point to point? Or can you have a multipoint VXLAN, so there is a single VXLAN interface on the router and all the APs can connect to this?
You should be able to do vxlan with multicast yes. edit: (to clarify, no experience with multicast vxlan myself)
Using that on unmanaged switches might be a problem haha. A dumb switch might send multicast out as broadcast traffic?
vxlan would be nice even in point to point as it means you can tunnel all the traffic easily?
You have other inelegant solutions. One I've used is configuring a L2 transparent or / L3 firewall on the guest wifi? (i.e. if you needed roaming / willing to sacrifice roaming between AP's etc). Or tunnel everything on guest wifi tunnelled back to the main router. (I assume you're not expecting much STA<->STA traffic on the guest wlan?)
mm. Well if you can handle a slow roam where the client loses its IP address then a separate layer 3 network per AP plus appropriate firewall rules would also work?
I've also experimented with transparent bridges on guest wifi to stop wireless to wired client communication? (like the STA isolation stuff but also to stop wireless talking to wired). But I haven't tried to mix guest and non guest in the same IP range, and nor done roaming with that... Plus that was ages ago so I'll have to re-learn. I don't have an implementation for you.
I've seen a couple implementations that do weird things with shared IP ranges on ISP modems? I'd have to go look at their rules.
When you say a separate layer 3 network, you mean each AP is its own DHCP server and assigns IPs itself, then firewalled so egress traffic is only allowed to the router (gateway) IP?
How does the router know how to handle this traffic? You then do rules for source-network and do not permit it to access local resources?
Yep next hop from the guest network is only to the primary router and that's it. But what I did was a deny everything except the gateway rather than allow just the router but same difference.
Again, I'd have to do some experimentation to confirm the firewall rules. Don't have a ready made config for you =) I think tunnels is the way to go, especially if you aren't worried about STA<->STA traffic on the guest network.
Agreed, I think tunnels are the answer, I'm just hunting for the easiest to manage solution.
Ideally I want to be able to deploy a single config to the APs without having to customize for each one (other than hostname obviously) so I'd like a solution where the tunnel config doesn't have to be specific to each device.
The only technology I know how to do this with is OpenVPN but that seems overkill for this situation. There must be a tunneling technology that can auto-configure client tunnel connections like OpenVPN server does but without all the encryption overhead.
Edit: just to elaborate what I mean, with OpenVPN in tun mode I can deploy one static server config on the router (with duplicate-cn option), and one static client config on every AP and OpenVPN server will manage the multiple inbound connections and the assignment of tunnel IPs to 1 to N clients (provided N is smaller than the allocated subnet of course). Is there an equivalent tunnelling technology without the VPN element?
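Two threads above come together in VXLAN: the MTU question (whether the dumb switches must pass >1500-byte frames, or the guest side drops to a smaller MTU) and the multipoint question (one VXLAN interface on the router, the same static config on every AP, flooding done either by a multicast group or by head-end replication to a peer list). The model below is an added example for those passages; it is not OpenWrt's vxlan package nor the Linux kernel's implementation, and every address, MAC and VNI in it is constructed. It shows the header arithmetic, the learning behaviour that makes one router-side interface serve N APs, and a source-VTEP check added here because VXLAN itself carries no authentication.

```python
"""
VXLAN over a flat underlay: encapsulation, the MTU budget, and a multipoint
VTEP model (one interface on the router, N access points).  Added example for
this thread; not OpenWrt or Linux vxlan code.  Addresses are from the
documentation ranges and all MACs/VNIs are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789
ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
# Overhead added to an inner IP packet: its own Ethernet header plus VXLAN/UDP/IPv4 outer headers.
VXLAN_OVERHEAD = ETH_HDR + VXLAN_HDR + UDP_HDR + IPV4_HDR   # 50 octets


def underlay_mtu_for(inner_mtu):
    """Underlay MTU needed to carry a full-size inner packet unfragmented (1500 -> 1550)."""
    return inner_mtu + VXLAN_OVERHEAD


def guest_mtu_for(underlay_mtu):
    """Inner (guest) MTU to configure when the underlay stays at its default (1500 -> 1450)."""
    return underlay_mtu - VXLAN_OVERHEAD


def vxlan_encap(frame, vni):
    """Prepend the 8-byte VXLAN header: flags with the I bit, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!II", 0x08000000, vni << 8) + frame


def vxlan_decap(packet):
    """Return (vni, inner frame); reject headers without the I flag."""
    flags, vni_field = struct.unpack("!II", packet[:VXLAN_HDR])
    if not flags & 0x08000000:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[VXLAN_HDR:]


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


class Vtep:
    """One VXLAN endpoint.  Unicast destinations are learned from the outer source IP of
    decapsulated traffic (the 'learning' behaviour); broadcast and unknown-unicast frames go
    to a multicast group if one is configured, otherwise by head-end replication to every
    flood peer (the role a static all-zero-MAC fdb entry per peer plays on Linux).  Only an
    AP's flood-peer list needs to name the router, so every AP can share one config; the
    router side must list the APs or use the group."""

    def __init__(self, ip, vni, flood_peers=(), flood_group=None):
        self.ip, self.vni = ip, vni
        self.flood_peers = set(flood_peers)
        self.flood_group = flood_group
        # Example's own defensive choice: with a static peer list, accept encapsulated traffic
        # only from those peers.  VXLAN has no authentication of its own.  A multicast group
        # gives no such list, so that mode accepts from any source VTEP.
        self.allowed = self.flood_peers if flood_group is None else None
        self.fdb = {}                                  # inner src MAC -> remote VTEP IP

    def receive(self, outer_src_ip, packet):
        """Decapsulate one packet; return the inner frame, or None when it is dropped."""
        if self.allowed is not None and outer_src_ip not in self.allowed:
            return None
        vni, frame = vxlan_decap(packet)
        if vni != self.vni:
            return None
        self.fdb[frame[6:12]] = outer_src_ip             # learn where this client's MAC lives
        return frame

    def send(self, frame):
        """Return [(outer destination IP, packet)] for an inner frame leaving this VTEP."""
        pkt = vxlan_encap(frame, self.vni)
        dst = frame[0:6]
        if dst in self.fdb:
            return [(self.fdb[dst], pkt)]
        if self.flood_group:
            return [(self.flood_group, pkt)]
        return [(peer, pkt) for peer in sorted(self.flood_peers)]


if __name__ == "__main__":
    ROUTER, AP1, AP2 = "192.0.2.1", "192.0.2.11", "192.0.2.12"   # constructed underlay addresses
    router = Vtep(ROUTER, 100, flood_peers=[AP1, AP2])
    ap1 = Vtep(AP1, 100, flood_peers=[ROUTER])                     # identical config works on every AP
    client = mac("02:00:00:00:00:0a")
    arp = b"\xff" * 6 + client + b"\x08\x06" + bytes(28)           # constructed ARP broadcast
    for dst_ip, pkt in ap1.send(arp):
        router.receive(dst_ip and AP1, pkt)
    print("router learned", router.fdb, "| underlay MTU needed:", underlay_mtu_for(1500))
```

If the underlay must stay at 1500 bytes (the likely case with donated unmanaged switches), the guest SSID and the VXLAN interface get the 1450-byte inner MTU the second function returns; otherwise the switches have to be verified to pass 1550-byte frames.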