Go | New | Find | Notify | Tools | Reply |
W07VH5 |
I'm piecing together a home lab, one part at a time. I've got a NAS, a couple of PiHole servers a couple of switches (one managed one unmanaged). I plan to put a pfsense box in as soon as my 4 port gigabit card arrives. What I'd like to do is learn a bit more about running a secure network. How to set up VLANs and splitting subnets and other esoteric things that seem to confuse me. I tend to learn better from books that sites but videos can work, too. I've been watching Lawrence Systems and Craft Computing but often they talk over my head. I just don't know why they choose settings or how they arrive at getting a VLAN to work properly or even why I want a VLAN. Of course every time I watch or read a beginner guide I get really bored and stop if I already know what I'm looking at. Maybe I'm almost intermediate, not a beginner. I'm looking to try a bunch of ideas and break things and learn how to set things up. Any suggestions for learning how to get the most out of a home lab? | ||
|
Member |
Personally I've found that I learn best if I have some sort of objective. By that I don't mean "I want to learn XYZ" but more "I want to setup something for the purpose of ABC". For example, many years ago I had my first shiny new iPad (gen1). I also had a bunch (hundreds) of movies ripped onto my computer. I wanted to watch the movies that were on my computer from the comfort of bed on my ipad. At the time, there was no way to do it. If you wanted to do that, you had to physically connect the ipad to the computer... choose which movie you wanted... copy it over to the ipad... THEN you could watch it. Too many steps for my lazy ass. So... necessity being the mother of invention.. I went and taught myself some HTML - enough so that I could stream my movies from my computer (now a web server) to my ipad as long as I was on my home network. (woooo - now I know html basics!) Then I wanted to be able to do the same thing while traveling. My movies chillin on my home server... my ipad on some remote wifi network. Learned about port forwarding.. domain names..etc.. Then I showed a buddy. "Hey man I want access to that too!" So then I had to learn about http authentication and RBAC. Over time I started to flesh out the UI for all my movies. I loaded them all into a MYSQL database. This turned into me learning LAMP (linux apache mysql php). Then I had to learn some basic unix scripting if I wanted to make batch changes to the UI. That whole setup has long since been torn down and gone - but it was a helluva learning experience that I have used a lot since then. This is where my signature goes. | |||
|
W07VH5 |
I think my objective is to learn how to separate the insecure things from the trusted devices. I have a security camera box that connects to the local internet and I'm concerned that it's outdated so I don't want an insecure device on the local network where we type in CC numbers and passwords. And who knows how many times it pings China every day? | |||
|
Member |
If you want to be serious about it, go to eBay and get a router and a firewall. Find a Cisco router and a Palo Alto firewall on cheap on ebay. You can read this for the cisco stuff https://networklessons.com/cis...pment-for-cisco-ccna Palo Alto PA-220 for a few hundred. This is if your serious in leaning it. This how most people start. There are hundreds of Books, videos, free and paid classes on Cisco routers and Palo Alto firewalls. They are pretty much the industry standards. | |||
|
Drill Here, Drill Now |
I was thinking chemistry when I saw the title Ego is the anesthesia that deadens the pain of stupidity DISCLAIMER: These are the author's own personal views and do not represent the views of the author's employer. | |||
|
The One True IcePick |
This is a good reason to have 2 subnets/vlans. I have 3; my main LAN, IOT net, guest net. all 3 are subnets routed by my main firewall, and have rules restricting how they can talk to each other. I use tagged vlans to get it from the firewall (pfsense) to the managed ethernet switch and a UBNT access point.
| |||
|
W07VH5 |
Ahh, that brings up another question. What is tagged and untagged ports? | |||
|
The One True IcePick |
tagged allows you to transport multiple vlans across a single link between devices. Usually this is between networking devices, switches, routers, access points. Servers sometimes use tagged uplinks if they need to support multiple vlans/subnets - like hypervisor hosts. another exception is when a voice lan is "tagged on top" of a computer connection in offices. If you plug a computer into the port it ignores the voice tagged vlan and just uses the untagged network, a VoIP phone will be configured to use the tagged vlan. your standard home ethernet switch only do untagged, unmanaged switches only have the one lan that all traffic uses. a managed switch with vlan support allows you to create multiple virtual-LANs that can co-exist in the device without intermixing the traffic. through the management interface you can assign a port to a single untagged vlan, or you can tag several vlans on a port, the other end of that connection needs to be configured to use these tags. Like in most things there are exceptions and corner cases but in general thats tagged and untagged. | |||
|
W07VH5 |
Sorry, you'd have to explain it as if I were 4 years old. I have no idea what any of that means. If a port is neither tagged nor untagged then it's not in that VLAN, I think. I don't know why I should mark a port tagged or untagged when I want it in the VLAN though. | |||
|
quarter MOA visionary |
You look at a trial subscription to Pluralsite and check out some of their training. You can learn a lot with trial and error but getting some technical info as a foundation can go a long way especially in Networking aka TCP/IP. | |||
|
The One True IcePick |
I can help with that Email is in my profile. | |||
|
Power is nothing without control |
The port it’s self isn’t really tagged or untagged. For each port on a network switch, you can tell it what to do with any traffic that comes in with no VLAN information on it. This is what is referred to by ‘untagged’ traffic. You can usually tell each port on a switch, that it belongs to one, and only one, VLAN for untagged traffic. That means, any traffic that comes into that port (not out of it, only in from whatever device is plugged into it) and it doesn’t already have any VLAN information, tag it with the ID of the ports ‘untagged’ VLAN. To put it another way, the untagged VLAN is the default VLAN for anything coming into a port. This really only gets confusing because some switches also have a literal default VLAN option as a convenience so you don’t have to go set the untagged property on every port. Since you can only have one default, but you may want a single port to allow traffic from multiple VLANs, you can also make a port on a switch a tagged member of many other VLANs. All this means is that the port will allow traffic through it if that traffic is already tagged with the ID of a VLAN the port is a tagged member of. Making a port a tagged member of a VLAN is just telling the port not to throw away traffic if the traffic is explicitly marked as belonging to that VLAN. Untagged is something you use at lot at the very end of a network. So, if you have a bunch of work PC’s plugged into you switch, you might make the ports they are plugged into untagged members of your VLAN for internal PCs. If you have dumb IoT devices, or security cameras, or some other device that you do NOT want to be part of your main VLAN and set them as untagged members of whatever other VLAN you want to stick that equipment in. Tagged membership usually shows up more the closer you get to the core of a network. Say your switch out at the end has cameras, user PCs, and one server all plugged into it on different VLANs. You plug that switch into one port on your core switch, and the core switch needs to know that it should expect and allow traffic from those three VLANs. So, you make that port on your core switch a tagged member of all three VLANs. The access switch out at the end will deal with making sure everything is tagged, so the core switch only needs to worry about making sure no one is sneaking in traffic from VLANs that shouldn’t be coming from there, so you tell it which VLANs to expect tags from, and it throws away any others. Why do VLANs exist at all? They started to cut down on broadcast packet traffic, but now they also get used for basic access control. Turns out, when you have 10,000 computers all on the same network segment, the amount of bandwidth eaten up by PCs begging for DHCP info, or servers advertising that they exist for some protocol or another can eat up a ton of bandwidth. So, we can use VLANs to keep that broadcast traffic from spamming a bunch of client devices and switches that don’t care about it. You aren’t on the same VLAN? No broadcast traffic from that VLAN for you, even if you are on a port on the same switch. - Bret | |||
|
W07VH5 |
OK, I think I understand why they exist but I just can't seem to make it work in my situation. What I have is VLAN 1 default VLAN 50 insecure I have everything (wifi router, wired computers) except port 15 untagged on VLAN 1 and only port 15 (security camera box) untagged on VLAN 50. The network works except the security cameras don't stream. What can I do to allow me to view the security system via my phone? BTW, I'm using a Netgear Prosafe 24 port Gigabit M4100-26G L2+ Edge Managed Switch. | |||
|
W07VH5 |
I was able to set up my pfSense box over the weekend. I've got the built in to the motherboard port set to WAN and the four ports on the network card are set as LAN, Trusted devices, Wireless IoT, Wired IoT. I'll put guests on the Wireless IoT if necessary. Ok, it's not in my main network yet so I just stuck the WAN onto my current switch and everything is able to access the main network (192.168.1.x). I suppose that's correct and once I switch the main network over to the LAN or Trusted Devices, it should be fine. The main network is NAS, PiHole, PiHole backup and trusted wireless router. I definitely want the NAS to only be accessible via the Trusted Devices network. I've got the firewall set so that Wireless IoT and Wired IoT cannot access the LAN or Trusted Devices. They still are able to access the network at WAN. My issue is still with VLANs though. Once I switch over everything to use the pfSense routing and firewalls, I'll need to use part of the switch for Trusted devices and part for Wired IoT and I can't seem to get it to do what I want. Email sent. This message has been edited. Last edited by: mark123, | |||
|
W07VH5 |
Ok, i got the VLANs working by going to Switchport Mode Config, I switched all the ports on the separate VLAN to Trunk and now everything works. I don't get it but I'll take it. | |||
|
Powered by Social Strata |
Please Wait. Your request is being processed... |