Virtual Local Area Networks (VLANs)
I like VLANs. They help me reason about the network in smaller bites and segment traffic in an orderly way. I tend to consider a few VLANs when I set up a network:
- Management - for reaching firewalls, web controllers, etc. Very limited access.
- Guest network - for parents, guests, and kids. Siloed from all other traffic, often throttled.
- Daily drivers - for trusted devices, small office / home office (SOHO) equipment
- IoT - Internet of Things (broken toys) have no business seeing traffic anywhere else on the network
I learned about the concept of micro-segmenting a network from the article Ubiquiti - Configure micro-segmentation for IoT devices by Rob Pickering. He felt the same way I do about IoT devices; they need a home of their own on the network. When you consider how many toasters, refrigerators, washers, thermostats, game consoles, etc. are connected to the Internet and how many of them might still be using Telnet to phone home, you'll want to segment them too.
If you're wondering, Telnet is an unencrypted protocol: usernames, passwords and everything else in the session cross the wire in plain text. That alone doesn't mean your network is going to be compromised, but it doesn't help. I would rather any devices squawking across the Internet be in a locked digital room. By creating an IoT VLAN and blocking traffic between it and the other RFC 1918 (private) address ranges, while still letting it out to the Internet, I improve the security stance: IoT devices can talk amongst themselves and to the outside, but not to the management, guest or daily-driver networks.
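Here is how that rule order plays out, as an added example that is not from the original post: a small Python model of pfSense's interface-tab semantics (rules evaluated top to bottom, first match wins, anything unmatched is dropped by the implicit default deny). The VLAN number, subnets, hosts and packets are assumptions made up for the example; the RFC 1918 alias and the shape of the rules are the part that carries over to the real firewall.

```python
"""Model of pfSense interface-rule ordering for an IoT VLAN.

Added example, not the original post's configuration. Interface rules in
pfSense are evaluated top-down, first match wins, and an unmatched packet
hits the built-in default deny. The addressing below is hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Equivalent of a pfSense alias holding the three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed addressing: IoT VLAN 40 is 192.168.40.0/24, pfSense is .1 on it.
IOT_GW = "192.168.40.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "block"
    dst_nets: Optional[Sequence] = None           # None = any destination
    dst_host: Optional[str] = None                # single-host destination
    protos: Optional[Sequence[str]] = None        # None = any protocol
    dports: Optional[Sequence[int]] = None        # None = any port
    invert_dst: bool = False                      # pfSense "not" box on destination

    def matches(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst)
        if self.dst_host is not None and dst != ipaddress.ip_address(self.dst_host):
            return False
        if self.dst_nets is not None:
            in_nets = any(dst in net for net in self.dst_nets)
            if in_nets == self.invert_dst:        # wanted "in" but got "out" (or vice versa)
                return False
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match is pfSense's default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Rules on the IoT interface tab, top to bottom, in working order.
IOT_RULES_GOOD = [
    # The gateway is itself an RFC 1918 address, so DNS/NTP to it must be
    # passed explicitly above the block or the IoT devices lose name resolution.
    Rule("pass", dst_host=IOT_GW, protos=("udp", "tcp"), dports=(53, 123)),
    # Then drop anything else headed for private address space (the other VLANs).
    Rule("block", dst_nets=RFC1918),
    # Finally let the rest (the Internet) out.
    Rule("pass"),
]

# Same rules, wrong order: the catch-all pass shadows the block entirely.
IOT_RULES_BAD = [
    Rule("pass"),
    Rule("block", dst_nets=RFC1918),
]

# The other common pfSense idiom: pass to "not RFC1918" and rely on default deny.
IOT_RULES_INVERT = [
    Rule("pass", dst_host=IOT_GW, protos=("udp", "tcp"), dports=(53, 123)),
    Rule("pass", dst_nets=RFC1918, invert_dst=True),
]

# Constructed sample traffic from one IoT device (192.168.40.23).
SAMPLE = {
    "iot->mgmt https": Packet("192.168.40.23", "192.168.10.5", "tcp", 443),
    "iot->gateway dns": Packet("192.168.40.23", IOT_GW, "udp", 53),
    "iot->gateway https": Packet("192.168.40.23", IOT_GW, "tcp", 443),
    "iot->internet https": Packet("192.168.40.23", "93.184.216.34", "tcp", 443),
}


def check_policy(rules: Sequence[Rule]) -> dict:
    """Verdict for each sample packet under the given rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("good", IOT_RULES_GOOD), ("bad", IOT_RULES_BAD), ("invert", IOT_RULES_INVERT)):
        print(label, check_policy(rules))
```

Two things the model makes visible that the GUI does not: the catch-all "allow any" rule has to sit below the RFC 1918 block (or be replaced by a pass to "not RFC1918"), and the firewall's own address on the IoT VLAN is inside RFC 1918, so DNS and NTP to it need their own pass rule above the block. Traffic between two devices on the same IoT subnet never reaches the firewall at all; it is switched at layer 2, so "talking amongst themselves" is not something these rules grant or deny.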
This was my first foray into VLANs for pfSense (the homelab). I opted for Open vSwitch bridges because they are easy to set up and create TAP ports for monitoring all traffic using tools like Security Onion. This section is specific to my experience setting up pfSense VLANs on Proxmox, but should dovetail nicely for ESXi or other hypervisors. YMMV.
I followed the guide VLANs with Proxmox and pfSense to establish four VLANs. These give me a nice division of labor for management, SIEM, servers, and a vuln lab. Having traffic segmented by responsibility allows me to write granular firewall rules for each VLAN and retain the ability to write a global inter-VLAN reject all rule.