Help finding a proper switch and configuration for a home-made door access system

Hi everybody,

As a software developer and an electronics hobbyist, I am working on my own door access system.
This is going pretty well and I have already been able to implement most of the required parts, but I am facing one last challenge: the network.

This is a critical part of the security of my system and I need to make sure it is properly configured. However, my knowledge of the subject is quite limited. I have tried to read up on it as much as possible on the internet, but I cannot get the whole picture right and I don't want to invest money in the wrong hardware.

Here is a schematic of my system:

Terminals are ESP32 microcontrollers (more precisely wESP32 modules) that read RFID tags (Mifare DESFire EV1) containing a secret and send it to a central unit that does all the authorisation/validity checks and sends an HTTP request to a relay controller to actually open the doors. The central unit can also communicate over HTTPS with an NFC device to configure the NFC cards.

Terminals are outside the building and thus highly insecure, but the rest is all in a secure room.

The communication between the central unit and the relays is insecure (the device I am using doesn't handle SSL), and thus it is very important that one cannot just plug a laptop in instead of the terminal and send a command to open the door to the relay controller... This would defeat the whole purpose of my system... I thus want the terminals to see as little as possible: they should only be able to communicate on port 443 with the central unit and should not see any other traffic (not even that of other terminals).

I would then need to find a switch with at least 8 PoE ports, three normal ones and one for the internet. And I would need to be able to define rules in the switch to ensure that:

  • eth0..7 can only communicate with eth8 (and not between each other) on port 443
  • eth9 can only communicate with eth8 on port 443
  • eth10 can only communicate with eth8 on port 80
  • Only eth8 can access the internet on eth11

Would someone have hints on which hardware I could use to fulfil my requirements? And how to define the firewall rules I need?

Thanks a lot in advance for your precious help.

There aren't many switches supported by OpenWrt, and even fewer with PoE.
Those that are are mostly RTL838x-based.

Here's a list:

Those devices aren't very fast when it comes to routing; I'd probably get a proper router instead of using one of the ports for WAN.

Check Support for RTL838x based managed switches and https://svanheule.net/switches/ , there might be more switches coming.

This is usually done at layer 2 with VLANs.

The IP addresses or other contents of the packets are not inspected by the switch. When a packet enters the switching matrix it is tagged with a VLAN number, and only allowed to leave on ports that are configured as part of that same VLAN.

Cables that go to only one device, such as the code reader, would have the tags removed on exit. Cables that continue to share networks (the one to the central unit) would have the tags retained -- thus the device on the other end of the cable needs to be VLAN-aware. On Linux this is simple to set up, so you have a port like eth0.1 which is one VLAN and eth0.2 which is another. These ports are separate, as if they were different hardware. They each have their own network and firewall rules. The port that is connected to the untrusted network would have a strict firewall.

The effect is to have virtually separate parallel networks of switches and cabling -- though it is actually running on the same hardware.
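One concrete way to wire this up, as an added example that is not part of mk24's post or any OpenWrt project code: on the switch side, OpenWrt's DSA `bridge-vlan` sections give each terminal port its own VLAN (untagged on the terminal port, tagged on the trunk to the central unit); on the central unit side, the script creates the eth0.N sub-interfaces and loads an nftables policy that accepts only TCP/443 from each terminal on its own VLAN and forwards nothing. The port names (lan1..lan9, eth0), the VLAN ids 11..18 and the 10.x.0.0/30 addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from OpenWrt itself.
# Assumed layout: switch ports lan1..lan8 carry the terminals, lan9 is a tagged
# trunk to the central unit's NIC eth0. Terminal i gets its own VLAN (10+i) and
# its own /30, so terminals never share a broadcast domain and the central unit
# accepts nothing from them except TCP/443 to itself.

TRUNK=eth0               # central unit NIC on the tagged trunk (assumed name)
SWITCH_TRUNK_PORT=lan9   # switch port facing the central unit (assumed name)
TERMINALS=8
VLAN_BASE=10

term_vlan()   { echo $((VLAN_BASE + $1)); }        # terminal i -> VLAN id
term_cu_ip()  { echo "10.$(term_vlan "$1").0.1"; } # central unit address in that VLAN
term_dev_ip() { echo "10.$(term_vlan "$1").0.2"; } # terminal address in that VLAN

# --- switch side (OpenWrt with DSA): run as "./vlans.sh switch" on the switch ---
# Each terminal port is an untagged member with PVID ("u*") of its own VLAN; the
# trunk port is a tagged member ("t") of every VLAN. Any port left out of all
# bridge-vlan sections should be removed from br-lan; verify the result with
# `bridge vlan show` after the reload.
configure_switch() {
  i=1
  while [ "$i" -le "$TERMINALS" ]; do
    vid=$(term_vlan "$i")
    uci add network bridge-vlan >/dev/null
    uci set "network.@bridge-vlan[-1].device=br-lan"
    uci set "network.@bridge-vlan[-1].vlan=$vid"
    uci add_list "network.@bridge-vlan[-1].ports=lan$i:u*"
    uci add_list "network.@bridge-vlan[-1].ports=$SWITCH_TRUNK_PORT:t"
    i=$((i + 1))
  done
  uci commit network
  /etc/init.d/network reload
}

# --- central unit side (Linux): one VLAN sub-interface per terminal ---
configure_trunk() {
  i=1
  while [ "$i" -le "$TERMINALS" ]; do
    vid=$(term_vlan "$i")
    ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
    ip addr add "$(term_cu_ip "$i")/30" dev "$TRUNK.$vid"
    ip link set "$TRUNK.$vid" up
    i=$((i + 1))
  done
}

# nftables policy for the central unit: default drop on input; the only new
# connections accepted are TCP/443 from each terminal's own address, arriving on
# that terminal's own VLAN interface. The forward chain drops everything, so the
# central unit never relays traffic between VLANs (e.g. towards the relay
# controller that only speaks plain HTTP).
gen_ruleset() {
  cat <<EOF
table inet access_ctl {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
EOF
  i=1
  while [ "$i" -le "$TERMINALS" ]; do
    printf '    iifname "%s.%s" ip saddr %s ip daddr %s tcp dport 443 ct state new accept\n' \
      "$TRUNK" "$(term_vlan "$i")" "$(term_dev_ip "$i")" "$(term_cu_ip "$i")"
    i=$((i + 1))
  done
  cat <<EOF
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

case "${1:-}" in
  switch) configure_switch ;;
  host)   configure_trunk && gen_ruleset | nft -f - ;;
  show)   gen_ruleset ;;
  *)      : ;;  # no argument: only define the functions above
esac
```

Run it as `./vlans.sh switch` on the OpenWrt switch and `./vlans.sh host` on the central unit; `./vlans.sh show` only prints the generated ruleset so it can be reviewed first. The relay controller (HTTP, port 80) and the NFC device (HTTPS) get VLANs of their own in the same way; since the central unit initiates those connections, the `established,related` rule is all the input chain needs for them, and a laptop plugged into a terminal port can reach neither: the switch keeps it in its own VLAN and the central unit's forward chain drops everything.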

Hi mk24,

Thank you for your answer !

Are packets tagged based on the port they came in on? That would mean each port is assigned to a VLAN, and a packet coming in on a port assigned to a specific VLAN can only leave on a port belonging to the same VLAN?

Can we assign a port to multiple VLANs ?

How flexible is the VLAN-to-port assignment? Do switches come with ports hardcoded to specific VLANs, or can we assign them to any VLAN we want?