Secure Outdoor AP

I am running what I perceive to be a very standard setup: 3 VLANs (internal, guest, utility) with wired and wireless support. My router (Archer A7) and my indoor AP (Archer A6) are running OpenWRT, supported by two TP-Link EAP110 outdoor access points and a TP-Link managed switch (TL-SG108E).

Everything is working great.

However, as you can see, I have avoided trunking the home/internal VLAN out to the access point in my front yard. My reasoning is that anyone could come by, unplug the access point, plug in another device and gain access to my internal network. I've considered MAC-based controls and discounted them since it sounds like that is easy to spoof, and 802.1X, which I've set aside due to complexity. I actually don't need that access point for personal use; it is only for third-party devices (car, sprinkler, etc.). However, I would like to be able to manage the AP from the internal network. My current workaround is to temporarily trunk the internal VLAN to the port on the managed switch that connects to the outdoor AP, which enables me to access it, and then remove it afterwards. I am fairly new to this and I can't help but think my lack of understanding is the reason why I can't get this to work, not a technical constraint. Is there a good way to accomplish this?

Fundamentally, it depends on how knowledgeable/determined potential adversaries might be in terms of physical access. I would think that most casual attempts at unplugging your AP and connecting would be from people who do not even know what a VLAN is. Therefore, simply tagging the trusted LAN on the trunk would foil basic attempts.

You could go a few steps further in the same vein... for example:

  • if there is no untagged network, a user plugging in (without knowledge of VLANs) would simply see a physical link but no address or logical network connection. That would make the port appear to be functionally dead.
  • you could set up a VLAN that is a black hole and have that untagged. It could provide DHCP, but no route to the internet or any other networks.
  • or do the above but allow internet access... thus making it appear that the entire network is otherwise isolated, but internet access makes it look like things are working.

But short of more complex methods (like 802.1x / RADIUS authentication), if someone is determined, they can likely probe and get onto your network.

At that point, you might also look at two other aspects:

  • Physical security -- there are some methods to mechanically secure APs such that they are exceedingly difficult (but obviously not impossible) to remove (or to open the cable hatch), and/or to secure the physical ethernet cable into the port. These become a pain for you, too, but as long as you have the right tools for the job, you can deal with that. This will certainly slow down an adversary, but may not stop them... depends how determined they are.
  • Upgrade your switch. The TL-SG1xxE series devices have some inherent security issues -- you can actually manage the switch from any VLAN, among other issues. If physical access to a cable is likely, you may want a better switch which can have more granular control for port isolation and the like... you could set it up so that the port can only communicate with certain other ports, thus limiting exposure.
  • You could also set up a management VLAN rather than using your trusted LAN. Obviously this still puts your infrastructure devices on a common network and at risk from any serious attacks, but you can further lock things down by using SSH keys (instead of username/password) and disabling the LuCI web interface.

Maybe some type of sabotage control can be made that pings the outdoor AP and kills the port until manual reset if the ping fails once, since then the cable has been disconnected.

Not a bad idea, but if the AP restarts or has any other brief network interruption (such as a network or firewall reload) for any reason, the upstream port would then shutdown. But that said, some event filtering could be used to make the criteria more forgiving but still likely to be exceeded by an attacker.

But the current managed switch is not capable of these things... a better switch would be required.


The router log has this link up and down thing when physically connecting ethernet cables, and that seems to be pretty rock solid at the L2 level.

So maybe with some more advanced log handling one could find the connection status.

A higher end managed switch could do this. The entry level 1xxE devices are extremely limited.
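The "ping it and kill the port" idea above and the later suggestion of watching the router's link up/down log messages both need the same thing: event filtering forgiving enough that one AP reboot does not lock the port, while a burst of link drops still stands out. The script below is an added example (not from this thread or from OpenWrt) of that filtering over syslog-style link messages. The log lines, the port names (eth0.3 for the outdoor AP, eth0.2 for another port), the year and the window/threshold values are all constructed assumptions; what to do with a flagged port (shutting it until a manual reset) depends on the switch, which is exactly what the TL-SG1xxE cannot do.

```python
"""Link-flap monitor for the switch port feeding an outdoor AP.

Added example, not code from the forum thread or from OpenWrt. It parses
syslog lines in the style a Linux/OpenWrt kernel emits when a PHY changes
state and flags a port only when its link-down count reaches a threshold
inside a sliding time window, so a single reboot passes but repeated
unplug/replug cycles do not.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (assumption: not captured from a real device).
# eth0.3 is assumed to be the port toward the outdoor AP.
SAMPLE_LOG = """\
Jun 10 08:00:01 router kernel: eth0.3: Link is Down
Jun 10 08:00:40 router kernel: eth0.3: Link is Up - 100Mbps/Full - flow control rx/tx
Jun 10 13:15:02 router kernel: eth0.3: Link is Down
Jun 10 13:15:09 router kernel: eth0.3: Link is Up - 100Mbps/Full - flow control rx/tx
Jun 10 13:15:41 router kernel: eth0.3: Link is Down
Jun 10 13:16:03 router kernel: eth0.3: Link is Up - 100Mbps/Full - flow control rx/tx
Jun 10 13:16:20 router kernel: eth0.3: Link is Down
Jun 10 13:16:55 router kernel: eth0.3: Link is Up - 100Mbps/Full - flow control rx/tx
Jun 10 13:20:00 router kernel: eth0.2: Link is Down
"""

# Syslog timestamp, host, "kernel:", interface name, then the PHY state text.
LINK_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\skernel:\s'
    r'(?P<port>\S+): Link is (?P<state>Up|Down)'
)


def parse_link_events(log_text, year=2024):
    """Return [(timestamp, port, 'Up'|'Down')] for every link-state line.

    Syslog lines carry no year, so one is supplied (assumption: 2024).
    """
    events = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['port'], m['state']))
    return events


def flapping_ports(events, window=timedelta(minutes=5), threshold=3):
    """Map port -> time at which it first reached `threshold` link-down
    events within any `window`. A lone down/up pair (reboot, firewall
    reload) never reaches the threshold; a burst of replugging does.
    """
    recent_downs = {}   # port -> timestamps of downs still inside the window
    flagged = {}
    for ts, port, state in events:
        if state != 'Down':
            continue
        q = recent_downs.setdefault(port, [])
        q.append(ts)
        # Slide the window: forget downs older than `window` before this one.
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold and port not in flagged:
            flagged[port] = ts
    return flagged


if __name__ == '__main__':
    evs = parse_link_events(SAMPLE_LOG)
    for port, when in flapping_ports(evs).items():
        # The response (disable the port until a manual reset) is left to
        # the operator; it needs a switch that can act on it.
        print(f"{port}: {when.isoformat()} link-flap threshold reached")
```

Run on the constructed log, eth0.3 is flagged at the third drop inside five minutes (13:16:20) while the morning reboot at 08:00 and the single drop on eth0.2 are ignored. Raising the threshold to five reports nothing, which is the knob the reply above calls "more forgiving but still likely to be exceeded by an attacker".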

Improving the physical security (e.g. not really mounting it outside, but inside the eaves) and a more capable managed switch are certainly (easy) points to consider, but I don't really understand the problem here.

According to your topology, the A7 OpenWrt router is your central router and manages all your VLANs. If so, it's easy to add a firewall rule to allow access from your family VLAN to the utility/front-yard EAP110 - either carte blanche (all traffic from family --> utility (but NOT the reverse)) or more fine-grained, allowing access from a single IP in your family network to the front-yard EAP110 in the utility network.

The best approach is probably a combination of all these: hide the AP, make it and (at least) its cables inaccessible by normal means (anything that isn't already equivalent to breaking the windows of your house and breaking in that way), tighten the switch side and allow fine-grained management access from the inside to the EAP110.
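The fine-grained variant of the rule just described (one zone, one destination address, one management port, no reverse forwarding) can be checked rather than eyeballed. The script below is an added example, not code from this thread or from OpenWrt: a parser for the /etc/config/firewall UCI syntax and an evaluator for the subset of keywords it uses. The zone names (family, utility, guest), the AP address 192.168.3.10, the management port 443 and the whole sample config are constructed assumptions, and the evaluation order (rule sections before forwarding sections before the zone's forward policy) is modelled after fw3/fw4 but is this script's own simplification.

```python
"""Evaluate which zone-to-zone flows an OpenWrt firewall config permits.

Added example, not code from the thread or from OpenWrt. parse_uci()
reads UCI text into sections; flow_allowed() decides whether a new
connection is accepted using: matching 'rule' sections first, then
'forwarding' sections, then the source zone's 'forward' policy
(assumed ordering, a simplification of what fw3/fw4 actually generate).
"""
import ipaddress

# Constructed sample config (assumption): 'family' may reach only the AP's
# web UI in 'utility'; 'utility' may not initiate anything toward 'family'.
SAMPLE_FIREWALL = """
config zone
    option name 'family'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'utility'
    option network 'utility'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule 'family_to_eap110'
    option name 'Family-Manage-EAP110'
    option src 'family'
    option dest 'utility'
    option dest_ip '192.168.3.10'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

config forwarding
    option src 'family'
    option dest 'guest'
"""


def parse_uci(text):
    """Parse UCI config text into a list of (section_type, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)          # keyword, key, rest-of-line
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list') and sections:
            value = parts[2].strip("'\"") if len(parts) > 2 else ''
            if parts[0] == 'list':
                sections[-1][1].setdefault(parts[1], []).append(value)
            else:
                sections[-1][1][parts[1]] = value
    return sections


def _ip_match(ip, spec):
    """spec is a host address or CIDR, as dest_ip/src_ip accept."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(port, spec):
    """spec is a space-separated list of ports or lo-hi ranges."""
    for item in spec.split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def flow_allowed(sections, src_zone, dst_zone, dst_ip, proto, dst_port):
    """True if a new connection src_zone -> dst_zone:dst_ip:dst_port passes."""
    # 1. Explicit forward rules (those with both src and dest zones).
    for typ, o in sections:
        if typ != 'rule' or o.get('src') != src_zone or o.get('dest') != dst_zone:
            continue
        if 'dest_ip' in o and not _ip_match(dst_ip, o['dest_ip']):
            continue
        if 'proto' in o and o['proto'] not in ('all', proto):
            continue
        if 'dest_port' in o and not _port_match(dst_port, o['dest_port']):
            continue
        return o.get('target', 'DROP') == 'ACCEPT'
    # 2. Zone-to-zone forwardings (carte blanche in one direction only).
    for typ, o in sections:
        if typ == 'forwarding' and o.get('src') == src_zone and o.get('dest') == dst_zone:
            return True
    # 3. Fall back to the source zone's forward policy.
    for typ, o in sections:
        if typ == 'zone' and o.get('name') == src_zone:
            return o.get('forward', 'REJECT') == 'ACCEPT'
    return False


def management_paths(sections, ap_ip, dst_zone='utility', port=443):
    """Sorted list of zones that can open the AP's management port."""
    zones = [o['name'] for t, o in sections if t == 'zone' and 'name' in o]
    return sorted(z for z in zones
                  if flow_allowed(sections, z, dst_zone, ap_ip, 'tcp', port))


if __name__ == '__main__':
    cfg = parse_uci(SAMPLE_FIREWALL)
    print('zones able to manage the AP:', management_paths(cfg, '192.168.3.10'))
    print('utility -> family allowed:',
          flow_allowed(cfg, 'utility', 'family', '192.168.1.10', 'tcp', 443))
```

With the sample config only the family zone reaches 192.168.3.10:443; SSH to the same address, HTTPS to any other utility host, and anything initiated from utility toward family all fall through to the REJECT policy. If the evaluator says a flow is allowed but the AP still does not answer, the forwarding policy is not what is blocking it and the next place to look is the AP's own management interface and address.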

Yeah, that's what I'm struggling with as well. I'm pretty confident I have the firewall set up correctly (forward from family to guest and utility) and can ping devices and access services on the utility VLAN from the family VLAN. The other suggestions (physical deterrence, physical link monitoring, switch upgrade) all seem useful, but fundamentally I want to allow guest/utility access via the access point (already working) and access to the AP from the family VLAN (not working), and I'm hoping there is a way to make it work without those. It's almost like I need to remove the L2 security in order to be able to use the L3 firewall, but I want to keep the VLAN separation of the two SSIDs so I can't simply make traffic untagged (well I could, but I don't want to :)).

I added some more detail to the network topology in case that is useful.

Thanks so much for the input here!

After thinking about it a bit more, I would expect that moving the "Front Yard" AP to the utility subnet (e.g. 192.168.3.10) would make this work. The router should accept traffic from my client on the family subnet and then forward it to the AP's HTTP management portal/web app on the utility subnet. However, this does not seem to work. I guess it's not a router issue because I can access a different HTTP service on the utility subnet (from the family subnet). Perhaps it's some quirk of the EAP110 that I need to figure out.