School me on VLans Please and Need Help w/Static IPs

IceDigger

[H]F Junkie
Joined
Feb 22, 2001
Messages
11,811
So never fooled around with VLans before and need some help.

Not really sure if this is where I would use VLans or not?

So the scenario is I have 5 static IP Addresses from Verizon.

My setup is this:

Verizon Cable -> Wan Port of TPLink ER605 Router/VPN -> Any port of TPLink TL-SG2210P POE Switch -> Rest of small Office

Is it possible to have the rest of the static IP addresses in the Router/VPN to each physical Port of it? Like one static IP per port? Or would I need something else to do this with?

How would you set this up?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
877
First, vlans are a layer 2 thing and have nothing to do with IPs, static or otherwise. Now, did they actually give you 5 /32 IPs or a subnet? I ask this as 5 IPs is an odd number that doesn't align with a subnet mask.

Generally the way this would work is you get a subnet and use one for a router interface and the rest for hosts. Another way would be to static NAT internal IPs to the 5 internal IPs. The second option requires no changes to internal routing.
 

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,274
> First, vlans are a layer 2 thing and have nothing to do with IPs, static or otherwise. Now, did they actually give you 5 /32 IPs or a subnet? I ask this as 5 IPs is an odd number that doesn't align with a subnet mask.

I'm guessing the ISP set up the WAN side with a /29 (255.255.255.248). Subtract out the network, broadcast, and gateway addresses, and that leaves five for the user.

If that's the case, then no, it's not possible to assign LAN hosts or any of the router's LAN interfaces any of these addresses. They would have to stay on the WAN side. You could:
  • Add a switch between the cable modem and router, and place more devices there.
  • Set up 1-to-1 NAT for a few specific LAN hosts (if the router supports this).
  • Create a few different NAT subnets and pin them to their own WAN address (also requires router support).
But unless you have some specific need, those all seem like more trouble than they're worth.
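The /29 arithmetic above, worked through with Python's standard `ipaddress` module (an added example, not part of this thread; the block 203.0.113.8/29 and gateway 203.0.113.9 are constructed sample values from a documentation range). It also goes the other way: given "5 usable IPs", it shows which prefix length an ISP would have carved out.

```python
import ipaddress

def usable_customer_addresses(wan_cidr: str, gateway: str) -> list[str]:
    """Addresses the customer can actually use on an ISP-assigned WAN block.

    The block loses its network address, its broadcast address and the
    ISP's gateway, so a /29 (8 addresses) leaves 8 - 3 = 5 for the customer.
    """
    net = ipaddress.ip_network(wan_cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    # hosts() already skips the network and broadcast addresses
    return [str(a) for a in net.hosts() if a != gw]

def netmask_of(wan_cidr: str) -> str:
    """Dotted netmask for a CIDR block, e.g. /29 -> 255.255.255.248."""
    return str(ipaddress.ip_network(wan_cidr, strict=True).netmask)

def smallest_prefix_for(usable_count: int) -> int:
    """Shortest prefix that gives the customer `usable_count` addresses.

    Shows why '5 IPs' is a normal allocation: 5 usable + network +
    broadcast + gateway = 8 addresses, which is exactly a /29.
    """
    needed = usable_count + 3
    size, prefix = 1, 32
    while size < needed:
        size, prefix = size * 2, prefix - 1
    return prefix

if __name__ == "__main__":
    # Constructed sample block from the TEST-NET-3 documentation range.
    block, gw = "203.0.113.8/29", "203.0.113.9"
    print(netmask_of(block), usable_customer_addresses(block, gw))
    print(f"/{smallest_prefix_for(5)}")
```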
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,958
> So never fooled around with VLans before and need some help.
>
> Not really sure if this is where I would use VLans or not?
So the easiest way to think of vlans is to think of them as their physical lan equivalent. Would you want 5x different networks hanging off your router? If so, then vlans. If not, then no vlans.

I've actually only run across one scenario where I use vlans, and that's across a bunch of different networks. Either I use physical separation where I need it or just have everything flat.
 

ThatITGuy

Gawd
Joined
May 5, 2017
Messages
586
> So the easiest way to think of vlans is to think of them as their physical lan equivalent. Would you want 5x different networks hanging off your router? If so, then vlans. If not, then no vlans.
>
> I've actually only run across one scenario where I use vlans, and that's across a bunch of different networks. Either I use physical separation where I need it or just have everything flat.
I use VLANs at home. I have 3 networks set up to separate all IOT devices on their own, then one for guests/my kids/their Minecraft server, and one for my stuff.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,958
> I use VLANs at home. I have 3 networks set up to separate all IOT devices on their own, then one for guests/my kids/their Minecraft server, and one for my stuff.
I try to isolate IOT stuff to just its own lan airgapped and not even connected to the Internet. And I've thought about getting a separate super low bandwidth Internet connection for the ones that require internet and can't be walled off (stupid cloud clown crap).

Generally, having a management vlan for management tasks and then another one for all the normal traffic seems to be a best practice, but honestly if I'm worried about bad traffic, a vlan really doesn't provide me as much peace of mind as an air gap, and from a management standpoint, it's easy enough to have a second subnet on the same lan imo.
 

IceDigger

[H]F Junkie
Joined
Feb 22, 2001
Messages
11,811
> I try to isolate IOT stuff to just its own lan airgapped and not even connected to the Internet. And I've thought about getting a separate super low bandwidth Internet connection for the ones that require internet and can't be walled off (stupid cloud clown crap).
>
> Generally, having a management vlan for management tasks and then another one for all the normal traffic seems to be a best practice, but honestly if I'm worried about bad traffic, a vlan really doesn't provide me as much peace of mind as an air gap, and from a management standpoint, it's easy enough to have a second subnet on the same lan imo.
Good idea!
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,956
> I try to isolate IOT stuff to just its own lan airgapped and not even connected to the Internet. And I've thought about getting a separate super low bandwidth Internet connection for the ones that require internet and can't be walled off (stupid cloud clown crap).
>
> Generally, having a management vlan for management tasks and then another one for all the normal traffic seems to be a best practice, but honestly if I'm worried about bad traffic, a vlan really doesn't provide me as much peace of mind as an air gap, and from a management standpoint, it's easy enough to have a second subnet on the same lan imo.
A VLAN, when properly done, is as good as separate physical switches, but you want to use a proper firewall for it like pfSense or some other known 3rd party, not TP-Link home SOHO crap or Asus or something, to refine down proper ACLs to block access and allow what's needed.
With a proper firewall you can have multiple IPs be used and you can bind them for specific outbound traffic also.
IP 1 - outbound for computer stuff
IP 2 - outbound for VLAN 123 IoT crap
IP 3 - outbound for specific application you use, using source and dest ports / IP rules
IP 4 - outbound for VLAN 567 crap

You can do a lot of fun stuff, but in the end, do you need to do it?

Lastly, DO NOT do a 1:1 NAT rule from an external IP direct to an internal server, and if you do plan to "host" something, get geo-IP filtering at least, lock things down tight, and use a separate secured VLAN (DMZ) for it...
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,958
> A VLAN, when properly done, is as good as separate physical switches, but you want to use a proper firewall for it like pfSense or some other known 3rd party, not TP-Link home SOHO crap or Asus or something, to refine down proper ACLs to block access and allow what's needed.
> With a proper firewall you can have multiple IPs be used and you can bind them for specific outbound traffic also.
> IP 1 - outbound for computer stuff
> IP 2 - outbound for VLAN 123 IoT crap
> IP 3 - outbound for specific application you use, using source and dest ports / IP rules
> IP 4 - outbound for VLAN 567 crap
>
> You can do a lot of fun stuff, but in the end, do you need to do it?
>
> Lastly, DO NOT do a 1:1 NAT rule from an external IP direct to an internal server, and if you do plan to "host" something, get geo-IP filtering at least, lock things down tight, and use a separate secured VLAN (DMZ) for it...
It's supposed to be, but there have been some proofs of concept that show that parts of it are hackable, like changing the vlan id in a packet.

You can do a lot of this in a good enterprise firewall, and honestly there's no excuse not to have one with how cheap used ones are. Yes, they are tougher to configure, etc., but the level of controls is necessary if you really want to lock out the baddies.

It's also possible to do advanced configurations like you've mentioned, but I've always been a cheapskate as well as a 'kiss principle first' type of designer. I will literally use the cheapest/easiest way to do something before working with an 'elegant' solution. :D Hence unmanaged 10Mb hub for the iot, haha. No Internet for you!
https://www.ebay.com/itm/2040996880...+U9KkWMohkmkBFph+bhsT23YY=|tkp:Bk9SR5aIwo2hYQ
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,956
Ya, I love my Brocade I got off eBay for like $150 bucks; could do the VLANs right on it and get wire speed vs sending things to my pfSense, but just been too lazy to set it all up (and as others noted, DHCP and such is a pain to get working still with pfSense even with helpers....)

The VLAN hopping issue is out there but very rare, and it takes a very specific setup to be able to do it as well, as I recall.
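The two posts above turn on whether a switch honours the VLAN ID carried inside a frame rather than the VLAN its port is assigned to. The following is an added example, not code from anyone in this thread: a small 802.1Q tag parser plus an audit check of the kind a capture tool or switch port-security feature would apply, reporting frames that arrive with stacked tags or with a VID the port is not supposed to carry. The frames and the allowed-VID set are constructed sample data; `build_frame` is a helper invented here to make them.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service (QinQ) outer tag

def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 20) -> bytes:
    """Constructed test helper: Ethernet frame with zero or more stacked 802.1Q tags."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame: bytes):
    """Return (list of VLAN IDs outermost-first, inner EtherType) for a raw frame."""
    offset, vids = 12, []          # skip the 6-byte dst and src MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return vids, tpid      # not a tag: this is the real EtherType
        if len(frame) < offset + 6:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VID
        offset += 4                # step past TPID + TCI to the next field

def audit_frame(frame: bytes, allowed_vids) -> list[str]:
    """Reasons a frame seen on a port should be reported; empty list means clean.

    A port that should only ever carry one customer tag has no business
    receiving stacked tags or a VID outside its permitted set.
    """
    vids, _ = parse_vlan_tags(frame)
    reasons = []
    if len(vids) > 1:
        reasons.append(f"stacked tags: {len(vids)}")
    for vid in vids:
        if vid not in allowed_vids:
            reasons.append(f"VID {vid} not permitted on this port")
    return reasons

if __name__ == "__main__":
    # Constructed samples: one clean tagged frame, one with two stacked tags.
    allowed = {10, 20}
    print(audit_frame(build_frame([10]), allowed))
    print(audit_frame(build_frame([1, 20]), allowed))
```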
 

toast0

2[H]4U
Joined
Jan 26, 2010
Messages
2,160
> It's supposed to be, but there have been some proofs of concept that show that parts of it are hackable, like changing the vlan id in a packet.

Yeah, if your network equipment allows stuff like that, it's not really a security barrier. I have some TP-Link 'easy smart' managed switches that do vlans and it's useful for separating cooperative devices, but the management interface is insecure (there's the easy, I guess), and you can't limit the management to only some vlans or anything useful. It's still useful enough in my home network, but it wouldn't be useful where security was actually needed (although, I've seen someone who would purposefully crash the management interface; then it would still work as configured, but a malicious agent couldn't change the configuration. I guess that's the smart part).

But I think most vlan enabled equipment isn't nearly so dumb, at least I'd hope so.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,958
> Yeah, if your network equipment allows stuff like that, it's not really a security barrier. I have some TP-Link 'easy smart' managed switches that do vlans and it's useful for separating cooperative devices, but the management interface is insecure (there's the easy, I guess), and you can't limit the management to only some vlans or anything useful. It's still useful enough in my home network, but it wouldn't be useful where security was actually needed (although, I've seen someone who would purposefully crash the management interface; then it would still work as configured, but a malicious agent couldn't change the configuration. I guess that's the smart part).
>
> But I think most vlan enabled equipment isn't nearly so dumb, at least I'd hope so.
Yeah, and that's why I just avoid the whole vlan thing to begin with if a physical lan will do, especially if it's cheaper. :D
 