VLANs on Raspi 4: not separated

Hello,

I have a Raspi 4 with OpenWRT (21.02.0-rc3). I use just this single ethernet port for WAN and LAN (= a few VLANs), with a managed switch, an SG108PE. Several APs are connected to it; they are mainly Unifi APs with multiple SSIDs associated with VLANs.
I have three VLANs, each with a different subnet. I created them by just typing in something like eth0.11 (in LuCI).
I had thought that VLANs are separated by nature. I used to have firewall rules to drop the access from each VLAN to the others. But then, after I learned a bit more about VLANs, I thought that they shouldn't be necessary, so I deleted them. Then it turned out that the VLANs can now see each other (i.e. I run an IP scanner and I see the devices on another VLAN when I'm in one VLAN). Someone told me that it's because I'm using a Raspi4 with a single ethernet port, and in that case the VLANs are all bridged.

Now, I don't understand why they have to be all bridged. Aren't they supposed to be separated without an additional trick? Otherwise, what are they for? I used to use a Fritzbox 4020 with OpenWRT with the same VLANs. I think the VLANs weren't visible to each other without additional firewall rules (but I'm not sure anymore). I don't understand why (or if at all) the two systems:
Raspi4 --Trunk---switch--Trunk---APs
and
Fritzbox--Trunk---APs
are not equivalent to each other. But I did notice that on the Fritzbox, the interfaces were called "br-lan", "br-guest", etc., so I suppose each of them is a bridge interface, so each VLAN is a separate bridge (??), and on the RPi they are like eth0.11, and I guess it's a bit different, but I don't really know the details. I tried to look it up but couldn't find it anywhere.

Another question is, I didn't change the MAC address on the additional interfaces. Is that bad? I thought, if the ARP table is closed within a VLAN, then it shouldn't matter, but if there is just one ARP table per device, it can cause confusion. But I looked at a few "how to" guides and I don't recall anyone saying that you have to have different MAC addresses.

I would appreciate it if someone could please explain that to me, or tell me what to read.

VLANs provide a degree of separation on a single ethernet port that allows you to have firewall policies among them in the first place.

Since all VLANs terminate on a router (OpenWrt running on your PI), the router will happily route traffic between them. To inhibit this default forwarding behavior, you need to use iptables or ip policy rules.

So in short, you do need firewall rules, even with VLANs. In a router context, using VLANs over a single RJ45 port is the same as having multiple ports representing multiple interfaces.


Thank you for your reply! So, in the end, do you mean that even with the Fritzbox, I would have needed the firewall rules anyway, as long as I put the VLANs as a trunk on a single port? So the only "separation" VLANs provide is that a switch won't forward the traffic on its own; it goes through the router, so we are able to regulate traffic on the router?
But, without VLANs or any additional things, ports don't separate traffic; all the devices on different ports are visible to each other. Then shouldn't it matter whether there is just one port or there are many?

I watched Cisco exam lecture videos; there they set up VLANs, and without firewall rules, the devices on different VLANs couldn't ping each other. Are Cisco systems made very differently from OpenWRT, or does Cisco have a certain firewall that separates VLANs by default? (The lectures haven't yet got as far as talking about firewalls.)

I'll make a silly and very high level analogy here:

Imagine your networks constitute a school. Each VLAN represents a grade level (say 9th, 10th, 11th, 12th). They are generally separated by nature, each grade has its own classes/curriculum. Once they have entered the school building, there is nothing that prohibits a 9th grade student from walking into a senior math course or a senior from sitting down in a 10th grade history class, etc.

If, however, you make a rule that says "students may only attend classes designated for their grade level" and then enforce it, you would obviously be able to prevent the students from dropping in on the wrong grade level courses.

The router sets up multiple networks and has the capability of routing between those networks. It doesn't actually matter if they are multiple networks on one physical port, or each network on its own in the case of a multi-port router -- they behave the same from the routing perspective (Layer 3).

There are several purposes for VLANs, but one of the original reasons for the development was to help limit the size of any individual network, specifically the broadcast domain. Broadcast traffic can become quite a nuisance and actually degrade the efficiency of an entire network. Back to the school analogy -- if each class has its own email list to use for communications (or for that matter it could be physical spaces), there is less 'noise' as compared to making all students use a single large mailing list (or physical space).

The router will gladly route across the VLANs, since the goal of a router is to route. However, firewall rules allow you to isolate the VLANs such that they cannot communicate with each other, and/or you can define the parameters of that communication. For example, let's say you had 3 networks -- trusted LAN, IoT, guest. You could completely isolate a guest network. You might want to allow the trusted LAN to communicate with the IoT network, but you might also feel that you don't want the IoT network initiating any connections to the trusted network because IoT devices can't necessarily be trusted. Or maybe you want to allow that network to communicate with exactly one device on the trusted LAN. And so on... the firewall is responsible for this. If you don't set up your firewall appropriately, the networks are only isolated in terms of their broadcast traffic, but they can easily communicate across the different networks because the router will otherwise allow it.

Does that make sense?

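As an added example (not part of the original thread, and not anyone's posted configuration), here is the trusted-LAN / IoT / guest policy from the reply above expressed as a small Python model of OpenWrt's firewall zone and forwarding semantics, which also renders the matching `uci batch` input. The zone and interface names (lan, iot, guest as eth0.11/eth0.12/eth0.13, plus wan), the VLAN IDs and the 192.168.11.10 broker address are assumptions chosen for illustration. `forward_allowed()` answers whether a new connection between two zones would be forwarded by the router, and `print(uci_batch(example_policy()))` produces the lines to feed to `uci batch` on the router before `uci commit firewall`.

```python
# Added example, not code from the original post: a small model of OpenWrt's
# firewall zone/forwarding semantics for the trusted-LAN / IoT / guest case in
# the reply above (each network a VLAN sub-interface on eth0, plus wan), and the
# equivalent input for `uci batch`. Zone/interface names, VLAN IDs and the
# 192.168.11.10 broker address are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    networks: list             # OpenWrt interface names placed in this zone
    input: str = "REJECT"      # policy for traffic addressed to the router itself
    forward: str = "REJECT"    # policy for traffic between the zone's own interfaces
    masq: bool = False         # source NAT on the way out (wan only)

@dataclass
class Rule:
    name: str
    src: str
    dest: str = None           # None: traffic to the router (input), never forwarded
    dest_ip: str = None        # address or CIDR the rule is limited to
    proto: str = None          # rendered for uci, not evaluated by forward_allowed()
    dest_port: str = None      # same
    target: str = "ACCEPT"

@dataclass
class Policy:
    zones: dict = field(default_factory=dict)
    forwardings: set = field(default_factory=set)   # (src_zone, dest_zone)
    rules: list = field(default_factory=list)
    default_forward: str = "REJECT"                 # `config defaults` forward

    def add_zone(self, zone):
        self.zones[zone.name] = zone

    def allow(self, src, dest):
        """`config forwarding`: one direction only; replies return via conntrack."""
        self.forwardings.add((src, dest))

def forward_allowed(policy, src, dest, dst_ip=None):
    """Would a NEW connection from zone `src` to zone `dest` be forwarded?

    Order follows fw3 (and fw4) for forwarded traffic: explicit rules for the
    source zone first, then zone-to-zone forwardings, then the source zone's
    own forward policy (same zone), and finally the global default (REJECT).
    """
    for r in policy.rules:
        if r.dest is None or (r.src, r.dest) != (src, dest):
            continue
        if r.dest_ip is None or (dst_ip is not None and ipaddress.ip_address(dst_ip)
                                 in ipaddress.ip_network(r.dest_ip, strict=False)):
            return r.target == "ACCEPT"
    if (src, dest) in policy.forwardings:
        return True
    if src == dest:
        return policy.zones[src].forward == "ACCEPT"
    return policy.default_forward == "ACCEPT"

def uci_batch(policy):
    """Lines for `uci batch`; follow with `uci commit firewall` and a firewall restart."""
    out = [f"set firewall.@defaults[0].forward='{policy.default_forward}'"]
    for z in policy.zones.values():
        out += ["add firewall zone",
                f"set firewall.@zone[-1].name='{z.name}'",
                f"set firewall.@zone[-1].input='{z.input}'",
                "set firewall.@zone[-1].output='ACCEPT'",
                f"set firewall.@zone[-1].forward='{z.forward}'"]
        out += [f"add_list firewall.@zone[-1].network='{n}'" for n in z.networks]
        if z.masq:
            out.append("set firewall.@zone[-1].masq='1'")
    for src, dest in sorted(policy.forwardings):
        out += ["add firewall forwarding",
                f"set firewall.@forwarding[-1].src='{src}'",
                f"set firewall.@forwarding[-1].dest='{dest}'"]
    for r in policy.rules:
        out.append("add firewall rule")
        for key in ("name", "src", "dest", "dest_ip", "proto", "dest_port", "target"):
            if getattr(r, key) is not None:
                out.append(f"set firewall.@rule[-1].{key}='{getattr(r, key)}'")
    return "\n".join(out)

def example_policy():
    """The trusted-LAN / IoT / guest policy sketched in the reply above."""
    p = Policy()
    p.add_zone(Zone("lan", ["lan"], input="ACCEPT", forward="ACCEPT"))  # eth0.11
    p.add_zone(Zone("iot", ["iot"]))                                     # eth0.12
    p.add_zone(Zone("guest", ["guest"]))                                 # eth0.13
    p.add_zone(Zone("wan", ["wan", "wan6"], masq=True))
    for z in ("lan", "iot", "guest"):
        p.allow(z, "wan")      # every network may reach the internet
    p.allow("lan", "iot")      # trusted -> IoT; IoT may not initiate to trusted...
    p.rules.append(Rule("iot-to-broker", "iot", "lan",   # ...except one host (assumed)
                        dest_ip="192.168.11.10", proto="tcp", dest_port="1883"))
    for z in ("iot", "guest"):  # input=REJECT, so allow DHCP and DNS to the router
        p.rules.append(Rule(f"{z}-dhcp", z, proto="udp", dest_port="67-68"))
        p.rules.append(Rule(f"{z}-dns", z, proto="tcp udp", dest_port="53"))
    return p
```

Two things the model makes explicit: a `config forwarding` entry is one-directional (lan may open connections to iot and the replies come back through conntrack, but iot cannot open connections to lan), and a per-host `config rule` is the only thing that lets IoT reach exactly one trusted address. Without those forwardings and rules every inter-zone request falls through to the REJECT default, which is the isolation the reply describes. Note also that iot and guest get `input='REJECT'`, so the DHCP and DNS rules are needed for clients on those VLANs to get an address from the router at all.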

Thank you for the explanation! So VLANs should be isolated in terms of broadcast traffic, but then I still don't understand why ping from one VLAN to another seems to work unless I block it: does it come with ARP request broadcasting? Or, since the device in the other VLAN is already using the internet through the router, it's already in the router's ARP table, and thus pingable without a broadcast ARP? So, if a device has a static address, is connected to the router but hasn't done anything, then this device will not be pingable from another VLAN? If that's so, that makes sense; in the Cisco video the PCs had static addresses.

All in all, VLANs are meant to be just "sorting out", which would enable separation, but they will be separated only if I set firewall rules; otherwise, so to speak, the pupils carry their VLAN tags but do whatever they want. And, is it right then that it would be the same whether the router is a RasPi4 with a single port or a Fritzbox 4020?

The point I didn't understand was that it looked like the matter is different between the FB4020 and the RasPi. But if it's actually the same, then I can understand that that's the way it is with VLANs in general.

Because firewall rules are the way to tell your router what to do, if routing indiscriminately isn't the desired outcome.

So going back to my analogy with high school students being separated by class... let's imagine a set of email lists, one per year. Only seniors have access to the senior mailing list for sending or receiving email, and likewise juniors with the junior list, etc. The mailing lists go to all students of that class, so when any student sends a message to their list, it is effectively a broadcast since all other members of that class will get that message. Students can also directly email any one of their classmates -- a 1:1 conversation. So we have broadcast and unicast messages happening within each class.

Now, the freshman class cannot send a message to the seniors' mailing list (broadcast), and they are not members of the senior class, so they cannot receive the broadcast traffic that is happening on the seniors' mailing list.

There is nothing stopping a freshman from directly emailing a senior, though -- direct messaging (unicast) is still possible. The classes are separated, but not isolated. They can communicate on a 1:1 basis, but they do not participate in broadcast traffic exchanges.

Unless, of course, we specifically create rules that members of one class cannot exchange any messages with members of other classes. This rule would isolate the classes -- they are now both separated and prohibited from communicating.

This is what the firewall does. It allows or prohibits, or selectively allows/prohibits connections between networks.

I thought that pinging a specific device requires that the ARP table already has the MAC address of the device (i.e. a student can email anyone directly as long as the other student is in the ARP table). If not, an ARP message has to be broadcast first, so that the ARP table can have the MAC of that device, so if the broadcast message doesn't get to another VLAN by default, then a device on that VLAN is not pingable... that's what I thought, after watching the Cisco lecture videos.
But like I said, in that scenario in the Cisco video, the PC had a static address; that's why it wasn't in the ARP table. But if a PC gets an IP address from the router's DHCP, then the router probably already has it in the table.

Bottom line: am I right that, regardless of whether I use the Raspi4 or the Fritzbox, the separation of the VLANs should be addressed by firewall rules?

ARP is relevant for L2 connections (i.e. switched), whereas routing and the firewall are L3 constructs. A device on one network trying to ping a host on another network will do this as a layer 3 operation via the router. Therefore, the first device doesn't need to have any idea of the ARP table for any hosts on another network, nor does it need to be concerned with whether that host even exists or is online. The initiating device is pinging an IP address and it doesn't care what hardware (MAC) is using that IP, nor does it need to perform any lookups or consult any ARP tables to initiate that ping.

For any host that is connected to just a single network, if you look at the ARP table on that host, you will notice that the table only contains entries for the other hosts on the same network. It does not cross VLAN boundaries.

Yes. The firewall rules will handle the separation of the VLANs. But, the firewall rules must be present on the gateway device that routes traffic between those VLANs. In the vast majority of cases, it is the router. If you have multiple routers in a network infrastructure, you need to make sure that the firewall rules are applied on the correct gateway(s).

Probably not relevant to your situation, but as an aside: it is possible to do some routing on more advanced managed switches -- these are known as L2+ or L3 switches. They blur the lines between routing and switching, but typically they have less granularity than a router. This approach is most useful when the intent is to allow the VLANs to connect with each other and it is desirable to offload this specific type of routed traffic from the main router.

Thank you very much for your clarification. Now I understand much better. In the Cisco video, ping was using the ARP table, but I guess that's probably not necessarily the case with other devices. I just have one router, and my setup is pretty small scale; I would just need an L2 switch.

I have been watching Cisco CCNA videos and practicing with Packet Tracer, thinking that in this way I can learn about networking better in general. (One has to practice with concrete devices, and since it's impossible to make lecture videos for every device, I thought it should be enough if I learn Cisco. These videos, as well as Packet Tracer, don't cost anything.) Now I see that Cisco has its peculiarities (or perhaps OpenWRT does!) and I have to be careful, because I am not going to buy any Cisco device; most likely I'll just keep using OpenWRT. (I thought about using a Unifi Security Gateway, though.)

I just realized that I was just being dumb. I looked at the practice lab in Cisco Packet Tracer again, and the PCs in different VLANs ARE able to ping each other! The Cisco lectures indeed didn't say anything except that VLANs give separate broadcast domains and enable traffic control by the router. I was just being stupid and created a false memory... sorry!!!
