
Security difference between unchecking diagonal vs separate VLANs

Viewing 15 posts - 1 through 15 (of 17 total)
    #6913
    Rocket88
    Participant

    I intend to extend my network by using MoCA Ethernet to a second access point in my home. Since this secondary access point is not a pcWRT device (at least not for now), I understand I will only be extending one VLAN to the second WiFi access point.

    Originally my plan was to use separate VLANs for my IoT devices and my Guest network.

    It appears that as long as I go to Settings/Network VLAN section and uncheck the diagonal box for Guest to Guest I should have the same degree of protection.

    Am I correct? Or possibly this gives Layer 3 isolation but no Layer 2 isolation?

    I am very pleased with this purchase, but it requires careful consideration and setup so I may be asking a number of questions. Thanks for the product and the support.

    #6918
    support
    Keymaster

    Unchecking the diagonal box prohibits communication between devices connected to the same VLAN (e.g. Guest). It turns on Wireless Client Isolation for WiFi and blocks communication to/from devices connected to the VLAN via Ethernet.

    On the other hand, VLAN separation could block communication across VLANs but give you the option to allow communication between devices on the same VLAN.

    #7014
    bambina
    Participant

    I have read the posts many times and played around many times, yet I still fail to properly understand the VLAN / PORT section listed under SETTINGS – NETWORK – VLAN, and I would really love some help please.

    Firstly, please help me understand: what exactly is meant by LAN?

    Secondly:
    I want to use all VLANs & Ports as follows:
    LAN = I don't know what this means in this instance; I understand what it stands for though.
    GUEST = I want to grant 1 SSID Broadcast only & keep Sandboxed from everything else.
    X1 = I want to grant a VLAN SSID Broadcast + Port1 yet keep Sandboxed from everything else.
    X2 = I want to grant a VLAN SSID Broadcast + Port2 yet keep Sandboxed from everything else.
    X3 = I want to grant a VLAN SSID Broadcast yet keep Sandboxed from everything else.
    —————
    I can do all the SSID Broadcasting VLANs easily, but I just can't get my head around the tagging of ports or what to tick where in the columns and rows for it all to work correctly. I have listed what I think I need to do below & if someone could kindly confirm or correct me that would be amazing please?
    —————
    PORT1 = Tagged to X1
    PORT2 = Tagged to X2
    PORT3 =

            LAN  GUEST  X1  X2  X3
    LAN      /     /    /   /   /    (I am confused as to why all are ticked on LAN?)
    GUEST          /
    X1                  /
    X2                      /
    X3                          /

    #7015
    bambina
    Participant

    Please also note that when I tried to tag a port whilst plugged into that port over Ethernet, the port stopped working on the router until I untagged it. I also noticed that in the router hub settings it showed the port as tagged to LAN; even though I kept changing it to X1, it just keeps flicking back to LAN after saving. Is this a known glitch maybe?

    #7018
    support
    Keymaster

    First of all, do not tag any ports unless you’re connecting another router (with a tagged port) to the ports you’re tagging.

    There are 5 preconfigured VLANs on the router, named “LAN”, “Guest”, “X1”, “X2”, and “X3”. By default, “LAN” has the highest privilege and it can initiate communication to any other VLAN (thus all boxes with source “LAN” are ticked). And only devices connected to “LAN” can log in to the router management console.

    In your case, assign Port 1 to X1, assign Port 2 to X2, and leave Port 3 on LAN. Only a computer connected to Port 3 can log in to the router. No tagging!

    Create SSIDs for Guest, X1, X2, X3 as you need, but you have to keep the SSIDs for LAN as they cannot be deleted. You can have up to 4 SSIDs per band, so you can’t run all SSIDs on both bands.

    #7019
    Rocket88
    Participant

    Just a bit of terminology for you. Let's assume the case of an Ethernet switch that supports VLANs (virtual LANs).

    Let's assume that it supports 20 ports and you wish to run 5 completely separate networks. In that case you could/would configure 5 VLANs and each VLAN has 4 ports (just an example, the number of ports could be different for each VLAN). In effect you now have 5 Ethernet switches!

    To keep things clean, the devices on each of these would have IP addresses assigned to them with differing subnets. If the devices NEVER need to communicate across VLANs you don't have to do this, but if they do it is necessary. So in that case you also have 5 separate IP networks, each on its own virtual switch.

    But what if you want some or all devices to be able to talk to each other? In that case you need a router, and that gets intimidating quickly.

    If the switch has “Layer 3” capabilities, that means it has a router built in. So in that case you can use the router to route traffic across networks, just like on the Internet proper.

    If you want to keep this simple, and avoid learning about the details of routing (or even VLANs), you buy a pcWRT router! You will notice that your pcWRT router is assigning completely different IP addresses on the different VLANs (LAN, Guest, X1, X2, and X3). So you don't need to do that. A bit mysterious if you don't have this background info.

    Then the routing is configured using those check boxes. All very simple. I understand the 1000 foot view, but don’t have the time or interest to learn about routing. I am very pleased to have it all with an EZ button like here!

    It would be even simpler if there were a user manual, but with the search function on the forums here you can generally find the answer. Or ask the question and generally get a prompt answer.

    #7022
    bambina
    Participant

    Thanks for that.
    1. So just to be clear, if I want all VLANs sandboxed from each other, am I correct in saying that only 1 tick is needed per VLAN, such as X1 ticked for X1 and X2 ticked for only X2 etc., and obviously just select the port you want with which VLAN?

    2. As LAN is the Sudo, then how do I make Port 3 secure, as surely someone using VLAN X2 (Port 2) could simply just connect an Ethernet cable to Port 3 & gain access to the LAN (sudo) hub interface?

    #7027
    support
    Keymaster

    1. If you want all VLANs to be isolated from each other, then only the diagonal boxes should be checked (i.e., source LAN -> destination LAN, etc.). If you further want client isolation, i.e., no cross talk between devices on the same VLAN, then you should uncheck the diagonal box too.

    2. It’s preconfigured such that devices on LAN can access devices on other VLANs, but you can untick the boxes from LAN to other destinations so that LAN cannot access other VLANs either. By default settings, only devices connected to LAN can manage the router. If you are concerned that someone can gain LAN privilege by connecting to Port 3, then you can assign Port 3 to Guest (for example).

    #7031
    bambina
    Participant

    1. So when you say no cross-talk between devices, does that mean it's the correct setting for multiple strangers using 1 VLAN, like in a cafe for example?

    2. If I uncheck all LAN ticks & allocate Port 3 to Guest, then how will I access the router hub, as I normally only use the Ethernet wire when I'm there, and when I'm not there I intend to use the Cloud?

    #7032
    Rocket88
    Participant

    Answer 1. There are two ways WiFi devices can interact. In addition to unchecking that box you also need to check the box “Enable WiFi client isolation” in the WiFi connection section. This is adjustable for each WiFi network.

    Answer 2. A device connected to the LAN ethernet port always has config access, I believe. To configure over the web (WAN side) is completely independent of these VLAN settings which pertain to the LAN side only.

    Trust me, pcWRT is easier than pro grade equipment, but it is still a bit complicated. Just keep asking questions.

    Personally I will administer locally over Ethernet as it is the most secure option. Even if pcWRT is totally trustworthy (which I believe they are), they could be hacked, and if you open up remote access that allows a hack to their service, or a direct attack on your server, as “remote possibilities” (pun intended).

    I just read an article that many of the devices on botnets are located in cafes and small businesses where they are left untouched for years. Presumably it would be better to remotely access and update (and monitor) them. It all depends on your security profile.

    Good luck

    #7033
    support
    Keymaster

    @bambina Additional info for Question 2. You can leave Port 3 on LAN. But you can restrict router access to selected devices or users (could be proxy or VPN users): check the “Restrict router access” box under the Administration section on the System Settings page, then add the devices and users that are allowed to manage the router. Don’t lock yourself out!

    #7036
    bambina
    Participant

    Thanks so much for your replies, but I'm still left confused. Maybe my questions are erroneous or just poor quality, or maybe I'm just a dizzy blonde, or maybe all of the above, yet I would love some clarity, so I shall try and re-phrase my questions. Please help reassure me.
    Summary =
    > My plan is to bridge the ISP router straight into the back of the pcWRT router.
    > LAN = I shall have 2.4GHz & 5GHz SSIDs which will be Not Broadcasting anything (disabled).
    > X1 = I want many different people (who don't know each other) in the building to use just 1 VLAN SSID Broadcast & I shall also dedicate/link 1 port to the said Broadcast for a smart TV which they will all use only. (X1 to Port 1)
    > Guest = I shall have a Guest SSID Broadcast on 2.4GHz sandboxed for just Guests & No Port.
    > X2 = I shall have this SSID Broadcast on 2.4GHz set up to Port 2 so that I can connect my own IoT Nanny cameras to it as well as an Ethernet connection feeding a CCTV hub, all just for me to access only.
    > X3 I shall set up & keep sandboxed from everything until I allocate it a good use.
    > Port 3 I shall risk leaving on LAN as I understand that if anyone plugs into Port 3 on LAN then they will need a password to access anything on LAN anyway, if I am correct in thinking this, so I shall rely on this password as the chance of Port 3 being physically attacked is Low.
    ———————–
    Sorry for the long story, I just needed to know you understand my intentions in case you see any flaw in my set-up.
    ———————–
    > So I have gone through all the WIRELESS WiFi Networks and ticked ENABLE WIFI ISOLATION.
    > I have in total 2 5GHz & 4 2.4GHz broadcasts. I am thinking I need to remove 1 of the 5GHz Broadcasts, being the LAN, as I never intend to use it & I think I can't have it anyway?
    > SETTINGS – NETWORK = the only things I have altered are in VLAN
    LAN = Everything Ticked
    GUEST Source to Guest Destination Ticked
    X1 Source to X1 Destination Ticked (port1 selected)
    X2 Source to X2 Destination Ticked (port2 selected)
    X3 Source to X3 Destination Ticked

    I don't see any diagonal tick options, nor know what is meant by diagonal, as I just see rows & columns.
    I just want everything to be isolated from everything as much as possible, as no one using the internet there should be able to see anyone else using the internet there. I just want to give everyone the use of the internet only, whilst me having full control over everything, & I don't want someone with no password to be able to use LAN Port 3 to view anything without even needing a password, yet when I do go to the building I will want Port 3 for me to be able to plug into to do whatever is needed that I couldn't do via the cloud, for example.
    I don't want someone to easily be able to plug into Port 3 and view the CCTV footage, for example.

    I am a Linux newbie & I use QubesOS with an auto MAC address and IP address randomizer active & use burner Qubes for most things, so I don't think I can set up the Administration for adding a specific device or user, can I?

    When or if I ever manage to get everything set up and running at this building, I will then need to add more pcWRT routers to extend the network as there are lots of dead spots in the building, but I thought to first complete the 1st pcWRT before setting out to sail on the open waters...lol

    #7037
    bambina
    Participant

    I have also noticed today that when I type into the search bar the router IP address 192.168.1.250, which I changed the router to, then it won't connect; it just flicks to another IP address starting with 10.etc and won't show me the splash page. Is this normal?

    #7042
    support
    Keymaster

    If your device is connected to a VLAN other than “LAN”, then you’ll be redirected to a 10.x page without the login form. That’s what I said before: only devices connected to “LAN” are able to log in to the router.

    1. You can’t disable WiFi on LAN. If you are not using WiFi on LAN, then just set a very complex password for the SSIDs and disable SSID broadcast.
    2. If you want to restrict devices on a VLAN to Internet only with no internal network connectivity, then you should untick all boxes on that row. For example on your X1, you should untick all boxes with source X1, including to destination X1.
    3. You can leave all boxes on the LAN row ticked, which means when you connect a device to LAN, it will be able to communicate with any device connected to other VLANs (including LAN itself). So your device connected to Port 3 will be able to view CCTV footage on X2. But that also means anyone plugging in a device to Port 3 will be able to see the CCTV footage if the CCTV feed isn’t password protected.
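
    An added illustration (my own Python, not pcWRT's code or interface): a small model of the source-to-destination check-box matrix as support describes it in #7027 and in points 2 and 3 above, with bambina's posted configuration and the two alternatives support suggests, so you can see which VLANs can reach the CCTV hub on X2 under each. The VLAN names are the router's; the function names and the assumption that replies to an allowed connection flow back are mine.

```python
# Added example, not pcWRT's own code: a model of the VLAN check-box matrix
# described in this thread. Rows are source VLANs, columns are destinations;
# a ticked box lets devices on the source VLAN initiate connections to the
# destination VLAN (replies to an allowed connection are assumed to flow back).
# The diagonal box (source == destination) controls cross-talk inside a VLAN.
VLANS = ("LAN", "Guest", "X1", "X2", "X3")


def matrix(rows):
    """Build the matrix from {source VLAN: iterable of ticked destinations}."""
    return {src: frozenset(rows.get(src, ())) for src in VLANS}


def allowed(m, src, dst):
    """True if a device on `src` may initiate traffic to a device on `dst`."""
    return dst in m[src]


def internet_only(m, vlan):
    """A row with no ticks at all: Internet access but no internal reach."""
    return not m[vlan]


def reachable_from(m, dst):
    """Source VLANs that can initiate traffic into `dst` (audit helper)."""
    return [src for src in VLANS if allowed(m, src, dst)]


# bambina's configuration as posted: LAN row fully ticked, every other row
# ticked only on its own diagonal box.
BAMBINA = matrix({
    "LAN": VLANS,
    "Guest": ("Guest",),
    "X1": ("X1",),
    "X2": ("X2",),
    "X3": ("X3",),
})

# Support's advice for X1 (strangers sharing one SSID): untick the whole X1
# row, diagonal included, so X1 clients get Internet only and no cross-talk.
CAFE_STYLE = matrix({**BAMBINA, "X1": ()})

# Locking down LAN as well: only the LAN->LAN diagonal stays ticked, so a
# device plugged into Port 3 can no longer reach the CCTV hub on X2.
LOCKED_LAN = matrix({**CAFE_STYLE, "LAN": ("LAN",)})

if __name__ == "__main__":
    for name, m in (("bambina", BAMBINA), ("cafe", CAFE_STYLE), ("locked", LOCKED_LAN)):
        print(name, "can reach X2 from:", reachable_from(m, "X2"),
              "| X1 cross-talk:", allowed(m, "X1", "X1"))
```

    Note that the matrix only says who may initiate a connection; with the LAN row ticked, X2 still cannot initiate anything towards LAN.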
    #7043
    Rocket88
    Participant

    > I have in total 2 5GHz & 4 2.4GHz broadcasts. I am thinking I need to remove 1 of the 5GHz Broadcasts, being the LAN, as I never intend to use it & I think I can't have it anyway?

    Turning off broadcast just prevents the name of the WiFi network from showing up on people's devices. If you don’t need it, I would suggest turning it off entirely by going to Settings/WiFi.

    Then click on LAN. A small “x” will appear to the right of it. That will remove this WiFi network entirely.
