This project came about while searching for a new housing arrangement, one involving housemates. You see, many housemates are not techies; most are open to you dropping in your own hardware for the internet service and local network. They like it because their bills go down (no more renting equipment from the ISP) and because they get on-site technical support. These types of arrangements are great for me because I like the control and my hardware performs better than the rented equipment. Also, in these non-techie situations there is typically no threat of your equipment being pen-tested. It is sort of like sitting your grandmother at a terminal and saying 'go crazy'; no matter what she does, if she's like most grandmothers, she'll never run Metasploit against your devices, port scan the network, or innocently explore all the directories in your network shares. However, if you decide to live with people who self-identify as 'techies', you do run the risk of one or all of those situations happening to some degree.
One possible solution is to disguise a folder of tentacle hentai as a document folder full of PDF diary entries on a password-less network share, to send a subtle message to that nosy/curious roommate. That method only works up to the point where curiosity turns into interest. Instead, I decided to avoid the situation altogether and logically separate the networks with VLANs, including a separate SSID for each.
This project, like many of my recent projects, is something I find really cool, because it was over most people's heads, including my own at first, so it was a fun challenge to set up. These articles further my own knowledge through the research required to fully understand the topic, they document the process should I suffer a catastrophic failure of hardware (brain, storage, and backups), and I hope they provide instruction to at least one other person besides myself.
How does this VLAN stuff work?
VLANs isolate physical hardware into logical groups. On a switch this isolation is port based; on a wireless access point it can be based on the SSID instead. VLANs are most apparent from the perspective of a switch, and managed switches are the heart of VLAN operation, so let's start with a managed switch.
When you buy a managed switch, plug it in, and connect your network printer, PC, and NAS, everything just works; its features are being wasted, but it works out of the box.
Now say you get a dorm-mate. He has a PC and a router he wants to use with your switch. No big deal: you have spare ports, you know about VLANs, you don't need internet access on your side, and there is no need for connectivity between your ports and the dorm-mate's.
So you get on your managed switch and create two VLANs. VLAN33 is assigned to port 1 (network printer), port 2 (PC), and port 3 (NAS). On VLAN44, your dorm-mate's PC is on port 4 and the router on port 5. The switch logically separates the ports: 1, 2, and 3 form one group and 4 and 5 another. Communication between the two VLANs is blocked for two reasons. One, the switch is no longer bridging those ports together; it treats them as completely separate broadcast domains. Two, best practice says to put each VLAN on its own subnet, and with multiple subnets a router or L3 switch is needed to move traffic between them. In this arrangement your VLAN has no internet access because the router is on the other VLAN. But wait, I just said you need an L3 device to communicate between VLANs, so what's different in this case? That will be answered next.
In the diagram above none of the devices except the managed switch are even aware VLANs are in use. But say your dorm-mate then wants to use your printer and you'd like to connect to the internet. This is possible with switchport trunking and VLAN tagging. Tagging was actually happening in the last arrangement too: when a frame enters a port it is tagged internally with whichever VLAN ID is assigned to that port, but when the frame left through its destination port the tag was stripped. So why is tagging used at all? Tagging keeps track of where a frame can and can't go. The next question is: if the tag is stripped when a frame leaves the destination port (an access port, to be more precise), how do tagged frames get to a router? The answer is to configure the switch port facing the router as a trunk port and to configure which VLAN IDs are allowed on that trunk. The router's interface is then configured with a sub-interface for each VLAN it will handle; the sub-interfaces act as regular interfaces but share the same physical port.
Below is the new configuration in our hypothetical situation. The router is now acting as a 'router-on-a-stick': it handles communication between the VLANs, which I find amusing considering the VLANs live on the same switch, at least in this situation.
At this point you can access the internet and your dorm-mate's PC, and she can access your devices including your printer. A firewall rule on the router easily restricts traffic from your dorm-mate's subnet to only your printer.
Another cool thing you can do with VLANs, tagging, and trunking is to carry VLAN traffic from one switch across a campus to another location. This lets you group people in an enterprise setting by department rather than geographical location, which might be extremely effective for a company whose developers share office space across a few buildings with 'less-secure' employees such as interns while sharing network resources containing trade secrets. To further our example, say you want to play a LAN-based multiplayer game such as CS 1.6 with a friend in another dorm room. Setting up the routers and switches to pass VLAN-tagged frames throughout the network would allow you to do this. As you can see below, VLAN33 is in both your dorm room and your friend's dorm room.
Let's now apply VLANs to wireless devices; instead of using ports as the VLAN boundary, we'll use the wireless SSIDs.
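To make the access/trunk distinction concrete, here is an added example (my own code, not from the original post) that builds real 802.1Q headers with `struct` and runs them through a toy switch modelled on the dorm-room scenario: ports 1 to 3 are access ports in VLAN33, port 4 is an access port in VLAN44, and port 5 is a trunk (native VLAN 1, carrying 33 and 44) toward the router-on-a-stick. The port names, MAC addresses and payload are constructed for the demo, and the switch floods instead of learning MACs. Beyond the text above it also shows two things a practitioner cares about: a frame that a host tags itself on an access port is dropped rather than letting the host pick its VLAN, and an untagged frame arriving on the trunk lands in the native VLAN.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header (TPID + TCI) after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, frame with the tag removed); vid is None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    vlan: int                         # access VLAN, or the trunk's native VLAN
    allowed: frozenset = frozenset()  # trunk only: tagged VLANs permitted on the wire


class Switch:
    """Toy switch: no MAC learning, a frame floods to every other port in its
    VLAN. That is enough to show where the VLAN boundary sits."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    @staticmethod
    def _carries(port, vlan):
        return vlan == port.vlan or vlan in port.allowed

    def _ingress_vlan(self, port, vid):
        if port.mode == "access":
            # A host on an access port does not get to choose its VLAN; this
            # model drops any frame that arrives already tagged.
            return port.vlan if vid is None else None
        if vid is None:
            return port.vlan             # untagged on a trunk -> native VLAN
        return vid if self._carries(port, vid) else None

    def forward(self, in_port: str, frame: bytes):
        """Return [(egress_port, frame_as_seen_on_the_wire), ...] for one ingress frame."""
        port = self.ports[in_port]
        vid, bare = untag_frame(frame)
        vlan = self._ingress_vlan(port, vid)
        if vlan is None:
            return []                    # dropped at ingress
        out = []
        for p in self.ports.values():
            if p.name == in_port:
                continue
            if p.mode == "access" and p.vlan == vlan:
                out.append((p.name, bare))                 # access egress: always untagged
            elif p.mode == "trunk" and self._carries(p, vlan):
                # The native VLAN leaves the trunk untagged; everything else is tagged.
                out.append((p.name, bare if vlan == p.vlan else tag_frame(bare, vlan)))
        return out


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed demo addresses; the ports mirror the dorm-room scenario above.
BROADCAST = b"\xff" * 6
YOUR_PC = bytes.fromhex("02aa00000002")
DORM_SWITCH = Switch([
    Port("p1", "access", 33),                     # your network printer
    Port("p2", "access", 33),                     # your PC
    Port("p3", "access", 33),                     # your NAS
    Port("p4", "access", 44),                     # dorm-mate's PC
    Port("p5", "trunk", 1, frozenset({33, 44})),  # trunk to the router-on-a-stick
])


def where_does_it_go(in_port: str, frame: bytes):
    """Map egress port -> VLAN tag seen on the wire (None = untagged)."""
    return {name: untag_frame(f)[0] for name, f in DORM_SWITCH.forward(in_port, frame)}


if __name__ == "__main__":
    f = build_frame(BROADCAST, YOUR_PC, b"constructed payload")
    print("PC on VLAN33 broadcasts:", where_does_it_go("p2", f))
    print("Router sends tagged 44:", where_does_it_go("p5", tag_frame(f, 44)))
    print("Host self-tags on access port:", where_does_it_go("p4", tag_frame(f, 33)))
```

Running it shows the broadcast from your PC reaching the printer and NAS untagged and the trunk tagged 33, never port 4; a frame the router tags 44 comes out of port 4 untagged; and a frame tagged 33 by the dorm-mate's PC on its access port goes nowhere.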
Hardware and software used
The hardware and software used here: a Cisco Aironet 1040 Series wireless access point for radio communication and a pfSense 2.1 whitebox acting as the router-on-a-stick, providing restricted access between the subnets/VLANs.
Network reference data
VLAN20 – Guest Network
- Default gateway, DNS, and DHCP server – 10.0.20.1
- SSIDs public and public-5G
VLAN30 – Your Network
- Default gateway, DNS, and DHCP server – 10.0.30.1
- SSIDs epijunkie and epijunkie-5G
VLAN40 – Roommate's Network
- Default gateway, DNS, and DHCP server – 10.0.40.1
- SSIDs roommate and roommate-5G
The native VLAN is left at its default of 1. Note that this leaves the AP's management subnet as the untagged VLAN on the trunk; a common hardening step is to move the native VLAN to an otherwise unused ID so that untagged frames cannot reach the management interface.
The AP's web GUI is reached at 10.0.1.2, the address configured on the BVI interface.
Configuring the Cisco Aironet
These are the bare minimum configurations needed to get both the 2.4 GHz and 5 GHz radios working with VLAN segmentation between the SSIDs. This guide assumes you are using the CLI to configure the AP and that you'll be using WPA2-PSK for authentication.
This first block of configuration sets up the SSIDs, the VLAN each one maps to, the passwords (shown obfuscated in the running configuration once entered, but Cisco's reversible type 7 encoding is trivially decoded with this tool or any other type 7 decoder), and the key management method.
```
dot11 ssid public
   vlan 20
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii guestpassword
   mbssid guest-mode
!
dot11 ssid epijunkie
   vlan 30
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii temptemp
   mbssid guest-mode
!
dot11 ssid roommate
   vlan 40
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii temptemp
   mbssid guest-mode
!
dot11 ssid public-5G
   vlan 20
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii guestpassword
   mbssid guest-mode
!
dot11 ssid epijunkie-5G
   vlan 30
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii temptemp
   mbssid guest-mode
!
dot11 ssid roommate-5G
   vlan 40
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii temptemp
   mbssid guest-mode
```
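To show how little protection the obfuscated form of those PSKs offers, here is an added example (my own code, not from the post) that implements Cisco's reversible type 7 encoding in both directions and pulls the PSKs back out of a config fragment laid out like the block above. The key table and algorithm are public; the config text is constructed for the demo in the `wpa-psk ascii 7 <hex>` form the AP writes back to its running configuration.

```python
import re

# The fixed XOR key behind Cisco type 7 strings. It has been public for decades,
# which is why type 7 is obfuscation rather than encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: two decimal digits give the starting offset into
    TYPE7_KEY, then each hex byte pair is plaintext XOR key[offset + i]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Inverse of type7_decode. IOS picks the seed itself; here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    body = "".join(f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, b in enumerate(data))
    return f"{seed:02d}{body}"


def recover_psks(config: str) -> dict:
    """Walk a running-config dump and return {ssid: plaintext PSK} for every
    `wpa-psk ascii 7 <hex>` line under a `dot11 ssid` block."""
    found, ssid = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*dot11 ssid (\S+)\s*$", line)
        if m:
            ssid = m.group(1)
            continue
        m = re.match(r"\s*wpa-psk ascii 7 ([0-9A-Fa-f]+)\s*$", line)
        if m and ssid:
            found[ssid] = type7_decode(m.group(1))
    return found


# Constructed config fragment shaped like the SSID block above, as the AP would
# show it back once the PSKs have been stored in type 7 form.
SAMPLE_CONFIG = f"""\
dot11 ssid public
   vlan 20
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 {type7_encode('guestpassword', 8)}
   mbssid guest-mode
!
dot11 ssid epijunkie
   vlan 30
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 {type7_encode('temptemp', 3)}
   mbssid guest-mode
"""

if __name__ == "__main__":
    print(type7_decode("0822455D0A16"))   # the classic textbook value decodes to "cisco"
    print(recover_psks(SAMPLE_CONFIG))
```

The practical consequence: anyone who can read the running configuration (a config backup, a TFTP copy, a `show run` over your shoulder) has every Wi-Fi passphrase, so treat the AP configuration itself as a secret.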
This block configures the two radio interfaces (Dot11Radio0 is the 2.4 GHz radio, Dot11Radio1 the 5 GHz radio), sets the encryption cipher for each VLAN (AES-CCMP), binds the SSIDs to the radio, and then brings the radio up.
```
interface Dot11Radio0
   mbssid
   encryption vlan 20 mode ciphers aes-ccm
   encryption vlan 30 mode ciphers aes-ccm
   encryption vlan 40 mode ciphers aes-ccm
   ssid public
   ssid epijunkie
   ssid roommate
   no shutdown
!
interface Dot11Radio1
   mbssid
   encryption vlan 20 mode ciphers aes-ccm
   encryption vlan 30 mode ciphers aes-ccm
   encryption vlan 40 mode ciphers aes-ccm
   ssid public-5G
   ssid epijunkie-5G
   ssid roommate-5G
   no shutdown
```
This block creates a sub-interface on each radio and on the Ethernet port for every VLAN, binds them together in one bridge group per VLAN, and points DHCP relay at each VLAN's gateway.
```
interface Dot11Radio0.20
   encapsulation dot1Q 20
   bridge-group 20
!
interface Dot11Radio1.20
   encapsulation dot1Q 20
   bridge-group 20
!
interface GigabitEthernet0.20
   encapsulation dot1Q 20
   ip helper-address 10.0.20.1
   bridge-group 20
   no bridge-group 20 source-learning
   bridge-group 20 spanning-disabled
!
interface Dot11Radio0.30
   encapsulation dot1Q 30
   bridge-group 30
!
interface Dot11Radio1.30
   encapsulation dot1Q 30
   bridge-group 30
!
interface GigabitEthernet0.30
   encapsulation dot1Q 30
   ip helper-address 10.0.30.1
   bridge-group 30
   no bridge-group 30 source-learning
   bridge-group 30 spanning-disabled
!
interface Dot11Radio0.40
   encapsulation dot1Q 40
   bridge-group 40
!
interface Dot11Radio1.40
   encapsulation dot1Q 40
   bridge-group 40
!
interface GigabitEthernet0.40
   encapsulation dot1Q 40
   ip helper-address 10.0.40.1
   bridge-group 40
   no bridge-group 40 source-learning
   bridge-group 40 spanning-disabled
```
This configures the physical Ethernet interface and the VLAN 1 (native) sub-interface.
```
interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   no keepalive
!
interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   exit
```
This configures Bridge Group Virtual Interface 1 (BVI1), the interface that carries the IP address used to manage the AP.
```
bridge irb
bridge 1 route ip
!
interface BVI1
   ip address 10.0.1.2 255.255.255.0
   exit
```
Not required, but helpful: it stops console log messages from interrupting what you are typing.
```
line con 0
   logging synchronous
   exit
```
Configuring pfSense
This is a fairly straightforward configuration of pfSense. It just works and is pretty powerful; I highly recommend pfSense as your router if you aren't already using it. I actually spent most of the time wrestling with getting the Cisco AP to communicate with pfSense, even though both implement the IEEE 802.1Q VLAN tagging standard.
First, create the VLANs under Interfaces > (assign) > VLANs > "+".
Add each VLAN, choosing the physical interface that faces the AP as the parent interface. In the case below we are configuring the guest VLAN.
It should look like this after you've created all the VLANs.
Next, create the sub-interfaces for each VLAN by assigning them on the Interfaces > (assign) tab.
Now enable each sub-interface and configure an IP address. I used the 10.0.X.1 scheme, where X is the VLAN ID. This is done under Interfaces > OPTx.
After each sub-interface is enabled and has an IP address, enable the DHCP service on each of them under Services > DHCP Server > Sub-interface Name.
For simplicity's sake the firewall rules in this guide are basic (and highly insecure). I do recommend creating rules that restrict traffic between interfaces, especially from your guest network. If you aren't familiar with them: rules are evaluated from top to bottom, and the first rule that matches decides what happens to the packet (block, reject, or pass). There is also an implicit deny-all (catch-all) at the end that drops any packet that gets that far without matching another rule.
An allow-any (bad practice) firewall rule.
Create rules as you see fit and keep your data safe from prying eyes.
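As an added example (my own code, not from the post or from pfSense) of what restrictive per-interface rules look like and why their order matters, here is a small first-match evaluator with a rule set for the roommate interface (VLAN40): it permits DNS to that VLAN's gateway, printing to one printer on your VLAN, and internet access, and blocks everything else inside 10.0.0.0/8. The printer address 10.0.30.25 and NAS address 10.0.30.10 are assumed for the demo; the page does not give them. The evaluator mirrors how pfSense applies interface rules (top to bottom, first match wins, implicit deny at the end) but it is not pf and does not model state tracking, floating rules or NAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass", "block" (silent drop) or "reject"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR the packet must come from
    dst: str                     # CIDR the packet must be going to
    dport: Optional[int] = None  # destination port, None = any
    descr: str = ""


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation as on a pfSense interface tab: walk the rules top
    to bottom and let the first matching rule decide; if nothing matches, the
    implicit default deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.descr
    return "block", "implicit default deny"


ROOMMATE_NET = "10.0.40.0/24"
PRINTER = "10.0.30.25/32"   # assumed address of your printer on VLAN30

# Rules on the VLAN40 (roommate) interface, most specific first. In production
# the block would target an alias of all RFC 1918 ranges, not just 10.0.0.0/8.
ROOMMATE_RULES = [
    Rule("pass",  "udp", ROOMMATE_NET, "10.0.40.1/32", 53,   "DNS to the VLAN40 gateway"),
    Rule("pass",  "tcp", ROOMMATE_NET, PRINTER,        9100, "raw printing to your printer"),
    Rule("pass",  "tcp", ROOMMATE_NET, PRINTER,        631,  "IPP to your printer"),
    Rule("block", "any", ROOMMATE_NET, "10.0.0.0/8",   None, "no other local subnet"),
    Rule("pass",  "any", ROOMMATE_NET, "0.0.0.0/0",    None, "internet"),
]

# The same rules with the block moved below the internet pass: the allow-any
# now shadows it and the roommate can reach every local subnet.
MISORDERED_RULES = ROOMMATE_RULES[:3] + [ROOMMATE_RULES[4], ROOMMATE_RULES[3]]


def roommate_can(proto: str, dst_ip: str, dport: Optional[int] = None,
                 rules: List[Rule] = ROOMMATE_RULES) -> bool:
    """Would a packet from a constructed roommate host (10.0.40.50) be passed?"""
    return evaluate(rules, proto, "10.0.40.50", dst_ip, dport)[0] == "pass"


if __name__ == "__main__":
    for proto, dst, port in [("tcp", "10.0.30.25", 9100), ("tcp", "10.0.30.10", 445),
                             ("tcp", "10.0.1.2", 80), ("tcp", "93.184.216.34", 443)]:
        print(proto, dst, port, evaluate(ROOMMATE_RULES, proto, "10.0.40.50", dst, port))
    print("misordered, NAS:", evaluate(MISORDERED_RULES, "tcp", "10.0.40.50", "10.0.30.10", 445))
```

With the rules in the intended order the roommate reaches the printer's print ports and the internet but not the NAS or the AP's management address; swap the last two rules and the NAS is reachable, which is exactly the mistake an allow-any rule placed too high produces.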
VLANs are not an absolute security boundary, but they are a real deterrent. As with all security matters there is a trade-off between convenience and true security. In my case they provide decent separation of the LAN traffic while still allowing resources to be shared where I choose.