John's Musings


Yeah, Me Neither

Network Switches

It's a wifi world, it really is, but I've just figured out that you really need to go back to basics and get a switch. Why? It's called the "Internet of Things" (IoT for short): everything has a wifi interface in it and it all lives on the same network. Remember a while back when there was a gigantic baby monitor hack? Imagine you buy an appliance that has full access to the internet, but the people who made it weren't really computer security experts and left some gaping holes in it. Once that device is hacked, depending on its operating system or kernel, your whole network could be compromised.


So a decent managed network switch these days can do 802.1Q, which lets you segregate your networks through something called a virtual LAN (VLAN). Below is a TP-Link SG1016DE_V2 switch I got for about $70.

Let's say my router gives me a local address of 192.168.0.1. Everything I connect to that router (wifi or wired) pulls an address like 192.168.0.2 or .3 or .4 and so on. Now let's say you could assign different address ranges to different ports: make another port 192.168.10.1 and hang another wifi router off that. Then you can make it so the two networks cannot see each other but both can reach the internet. True segregation.
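The "cannot see each other but both reach the internet" part is done with firewall rules on each VLAN interface, which the post does not show. The following is an added example, not code from the post, that models pfSense-style first-match rule evaluation for one VLAN interface. The rule set itself is an assumption (a common layout: let the VLAN talk to the firewall's own address for DNS, block every other private address including the other VLAN and the 192.168.0.x network, allow everything else); the addresses are the post's, except 198.51.100.10, which stands in for any internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Private address space. A VLAN client may reach none of it except the
# firewall's own interface on that VLAN (for DNS), handled by the first rule.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    dst: Tuple[ipaddress.IPv4Network, ...]       # destination networks; () = any
    dport: Optional[int] = None                  # destination port; None = any
    note: str = ""


def rules_for_vlan(gateway: str) -> List[Rule]:
    """Assumed rule set for one VLAN interface whose pfSense address is
    `gateway`. Rules are evaluated top-down and the first match wins, which is
    how pfSense evaluates interface rules."""
    this_firewall = ipaddress.ip_network(f"{gateway}/32")
    return [
        Rule("pass", (this_firewall,), 53, "DNS to the firewall's address on this VLAN"),
        Rule("block", RFC1918, None,
             "any other private address: the other VLAN, the 192.168.0.x LAN, "
             "the firewall's other interfaces"),
        Rule("pass", (), None, "everything else, i.e. the internet"),
    ]


def evaluate(rules: List[Rule], dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule that matches the destination."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.dst and not any(dst in net for net in rule.dst):
            continue
        return rule.action, rule.note
    return "block", "no rule matched: implicit default deny"


if __name__ == "__main__":
    vlan10 = rules_for_vlan("192.168.10.1")
    for dst, port in (("192.168.20.5", 80),      # the other VLAN
                      ("192.168.0.1", 443),      # the original router's LAN
                      ("192.168.10.1", 53),      # DNS on this VLAN's gateway
                      ("198.51.100.10", 443)):   # an internet host
        action, note = evaluate(vlan10, dst, port)
        print(f"VLAN 10 -> {dst}:{port}: {action} ({note})")
```

Order is the whole point: if the "block private" rule sat above the DNS rule, clients on the VLAN would get an address from DHCP but could not resolve names, and if the "allow everything" rule sat above it, the VLANs could see each other and the segregation would exist only on paper.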


Here's how it is done with pfSense and your switch (using my TP-Link SG1016DE_V2 as an example).


First, tag the ports. My firewall is plugged into port 2 (most will probably plug into port 1; port 2 is on top), so you tag port 2 and untag the ports you want on your VLAN. Under VLAN ID type 10 or 20 or whatever number you want to use. You have to keep your tagging consistent, though. So if you look at the bottom of the pic below, I have tagged port 2 for both VLAN 10 and 20, and untagged port 16 for VLAN 10 and ports 3, 4, and 15 for VLAN 20. (This just happens to be the way I plugged stuff in and works best for my wire management.)


Then go to the PVID settings page and set port 16 to VLAN 10 and ports 3, 4, and 15 to VLAN 20.


Then in pfSense make two new interfaces, VLAN 10 and VLAN 20, under Interfaces > Interface Assignments.




Then (using VLAN 20 as the example) enable the interface and set its address to 192.168.20.1. The third octet follows the VLAN number: 20 for VLAN 20, 10 for VLAN 10.



Finally, enable the DHCP server on the interface so it hands out addresses. The only configuration not depicted here is the gateway setting (192.168.20.1).




And that should about do it. Plug into port 16 and you'll pull an address from the 192.168.10.x range. Plug into 3, 4, or 15 and you'll pull from the 192.168.20.x range.
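The steps above hang together only if the tagging, the PVIDs and the pfSense subnets agree, which is the consistency the post warns about. As an added example (not code from the post or from TP-Link), the model below represents the switch the way the SG1016DE_V2 pages present it, per-VLAN tagged/untagged membership plus a per-port PVID, and turns the post's own configuration into explicit checks: each access port's PVID must be a VLAN it is untagged in, no port may be untagged in two VLANs, and every VLAN with access ports must carry the firewall port tagged, or pfSense never sees that VLAN. Assumptions: the switch's default VLAN 1 is left out of the membership tables, and the subnets are taken as /24 (the post only says 192.168.<vlan>.x).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SwitchConfig:
    # 802.1Q VLAN page: per VLAN, the ports that send it tagged / untagged.
    tagged: Dict[int, Set[int]] = field(default_factory=dict)
    untagged: Dict[int, Set[int]] = field(default_factory=dict)
    # PVID page: the VLAN an untagged frame arriving on a port is placed in.
    pvid: Dict[int, int] = field(default_factory=dict)

    def members(self, vlan: int) -> Set[int]:
        return self.tagged.get(vlan, set()) | self.untagged.get(vlan, set())

    def ingress_vlan(self, port: int, frame_tag: Optional[int] = None) -> Optional[int]:
        """Untagged frames take the port's PVID (assumed switch default VLAN 1
        if none is set); tagged frames are accepted only on member ports."""
        if frame_tag is None:
            return self.pvid.get(port, 1)
        return frame_tag if port in self.members(frame_tag) else None

    def egress(self, port: int, frame_tag: Optional[int] = None) -> Dict[int, str]:
        """Ports a frame entering `port` can leave on, and whether it leaves
        tagged or untagged. Empty dict means the frame goes nowhere."""
        vlan = self.ingress_vlan(port, frame_tag)
        if vlan is None:
            return {}
        return {p: ("tagged" if p in self.tagged.get(vlan, set()) else "untagged")
                for p in self.members(vlan) - {port}}


def subnet_for(vlan: int) -> ipaddress.IPv4Network:
    # The post's convention: the VLAN ID is the third octet. /24 is assumed.
    return ipaddress.ip_network(f"192.168.{vlan}.0/24")


def check_consistency(cfg: SwitchConfig, firewall_port: int) -> List[str]:
    """The 'keep your tagging consistent' rule as explicit checks."""
    problems = []
    for port, vlan in cfg.pvid.items():
        if port not in cfg.untagged.get(vlan, set()):
            problems.append(f"port {port}: PVID {vlan} but not untagged in VLAN {vlan}")
    owner: Dict[int, int] = {}
    for vlan, ports in cfg.untagged.items():
        for p in ports:
            if p in owner:
                problems.append(f"port {p}: untagged in VLAN {owner[p]} and VLAN {vlan}")
            owner[p] = vlan
    for vlan, ports in cfg.untagged.items():
        if ports and firewall_port not in cfg.tagged.get(vlan, set()):
            problems.append(f"VLAN {vlan}: firewall port {firewall_port} is not tagged, "
                            f"so pfSense never sees this VLAN")
    return problems


# The post's configuration: firewall on port 2, VLAN 10 on port 16,
# VLAN 20 on ports 3, 4 and 15.
POST_CONFIG = SwitchConfig(
    tagged={10: {2}, 20: {2}},
    untagged={10: {16}, 20: {3, 4, 15}},
    pvid={16: 10, 3: 20, 4: 20, 15: 20},
)

if __name__ == "__main__":
    print("problems:", check_consistency(POST_CONFIG, firewall_port=2))
    for port in (16, 3):
        vlan = POST_CONFIG.ingress_vlan(port)
        print(f"port {port}: VLAN {vlan}, subnet {subnet_for(vlan)}, "
              f"frames reach {POST_CONFIG.egress(port)}")
```

Running it against the post's layout reports no problems, shows a frame from port 16 leaving only on port 2 (tagged, for pfSense) and never on ports 3, 4 or 15, and shows that a frame pfSense sends tagged 10 on port 2 comes out untagged on port 16 only. Changing one PVID or forgetting to tag port 2 for a VLAN produces a named problem instead of a silently dead or, worse, merged network.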


Folks, the challenges with computer security are not just software. Sometimes improved security involves the physical connection to the device (along with segregation and firewalling).


I'm aware this is beyond the scope of most casual computer users' abilities, but hey.......I'm for sale.
