Router Security: VLANs
Website by Michael Horowitz
I spoke about Router Security at the O'Reilly Security Conference in New York City on Nov. 1, 2017. See a PDF of the slides
 

Many computing devices need access to the Internet but do not need to interact with any other devices connected to the router. If you have ever used the Internet at a coffee shop, you fit this profile while drinking your coffee. Security increases when devices fitting this profile are prevented from seeing, let alone interacting with, any other devices connected to the same router. In coffee shop terms, this means your laptop is safer if the laptop computers of the other customers can't see it. Bad guys at the coffee shop can't hack into computers that are invisible to their network scans.

For lack of a better term, I refer to this as Network Isolation.

On a home network, the protection works in reverse. Since all the networked devices belong to us, the goal of Network Isolation at home is to minimize the impact of a hacked IoT device or malware-infested Windows machine. A malicious device on a truly isolated network is prevented from learning about the existence of any other devices in the home. It is fooled, by the router, into thinking it's the only device connected to the router. All the other devices in the home are thus protected from being spied on. If the CIA hacks your smart TV, the router prevents the TV from seeing anything you do on your computer. And, malware on a PC can't spread over the network.

Many routers can offer some isolation but the feature is often disabled and limited in scope.

Overkill?

Most routers are single family homes, where everyone shares everything. A router that employs a Guest Wi-Fi network is converted into a two family home. Some isolation is offered by Guest Wi-Fi networks, but truly robust isolation requires VLANs (Virtual LANs). A VLAN converts a router into an apartment building with as many apartments as you need. Apartments (VLANs) can be large, to accommodate multiple devices, or small studios housing a single device.

Support for VLANs is rare. Hardly any consumer routers support VLANs. None of the consumer oriented mesh routers support it. My recommended router, the Pepwave Surf SOHO, fully supports VLANs, but it is an advanced feature and disabled out of the box. You have to know a secret handshake (see below) to enable VLANs on the Surf SOHO.

The high end Synology RT2600ac, which seems to offer every feature ever invented for routers, does not support VLANs (according to the user guide for SRM version 1.1.2).

The isolation offered by the RT2600ac is a hodgepodge. On a non-Guest network, devices may or may not be able to communicate with each other depending on an AP Isolation option. The manual does not address sharing between Ethernet devices and non-Guest Wi-Fi users. On a Guest network, devices on the 2.4GHz band cannot see devices on the 5GHz band. The manual wasn't clear as to whether AP Isolation was available for Guest networks within one frequency band. And, like many routers, Guest devices can access non-Guest devices if you so choose.

I don't mean to downplay Guest networks; they are a great security feature, even without full network isolation. Having a different password from the main Wi-Fi network lets you periodically change the password so that Guests don't get a permanent pass. Guest networks can also be disabled when they are not needed. And, they can offer some isolation of Guest users/devices.

That said, many consumer routers offer just one guest network and I don't think that's enough. For example, I suggest having one Wi-Fi network for devices that need to see other devices, one for actual guests or visitors and another for IoT devices. Parents with small children may also want to isolate devices used by the kids.

Specifically, allowing a wireless device to access nothing but the Internet means:

Truly isolated devices run inside a VLAN.

At the simplest level, VLANs are just a logical grouping of devices.

VLANs were not initially created for the type of network isolation I advocate here. So, each VLAN can either be allowed to communicate with other VLANs or not. I vote: not. Likewise, devices in a VLAN can be allowed to see other devices in the same VLAN. Don't.

Simple and Complex VLAN Examples

  1. An easy way to start with VLANs is to assign an SSID to a VLAN.
  2. Another simple setup is to assign a LAN port to a VLAN used just by that port.
  3. As a next step, you could take multiple LAN ports and group them into a VLAN.
  4. Or, you could put some Ethernet ports and a Wi-Fi SSID into the same VLAN.
  5. Finally, the most complex setup involves a VLAN enabled switch, plugged into a LAN port.

Type 1 is basically a Guest Wi-Fi network on steroids. The devices using that SSID will be walled off from all other devices connected to the router (assuming that inter-VLAN routing is not allowed). You might use one such isolated SSID for actual guests/visitors and another one for IoT devices such as a Roku box, an Apple TV, an Amazon Echo, a Nest thermostat or an Internet radio. This way you can change the Guest network password without impacting the IoT devices. And, the Guest network can be disabled when it's not needed.

As an example of Type 2, I use a VOIP service that provides a small telephone adapter box. One end plugs into a LAN port on my router and the other end plugs into a land-line telephone. The Ethernet port used by the telephone adapter is in its own, really tiny, VLAN.

Roommates could use Type 4. Each person could have their own SSID and two LAN ports assigned to their personal VLAN. In effect, this chops the router in half and never the twain shall meet. Likewise, someone who works at home could use Type 4 as a way to isolate the computers/printers/etc. that are used for work from all the other devices in their home. Someone who works at home and wants the best possible security might use Type 3 and limit themselves to 2 or 3 LAN ports and avoid Wi-Fi altogether.

Sonos speakers are another case for VLANs. In January 2018 networking flaws were revealed in Sonos speakers. On the January 2nd edition of Security Now, Steve Gibson first suggested isolating IoT devices, but was stumped by the problem with Sonos speakers. In this case, you want a device or two on the LAN to be able to talk to the Sonos speakers but you do not want anything else on the LAN to communicate with them. The solution is to wall off the speakers and the device communicating with them into a VLAN. In this case however, you would want the devices in the VLAN to be able to talk to each other. In Peplink terms, that means not using Layer 2 isolation (more on this below). Without VLANs you could give the Sonos speakers their own guest SSID but many routers can only create a single Guest network. The Pepwave Surf SOHO can create 3 Wi-Fi networks. Some (many?) Asus routers can create eight SSIDs. I suppose you could also add a second router just for the Sonos speakers and whatever device or devices communicate with them.

This article, FREE zero-day for every reader: AT&T's DirecTV kit has a root hole - and no one wants to patch it (Iain Thomson Dec. 13, 2017) is a great illustration of the problem that VLANs can solve. "AT&T's DirecTV wireless kit has an embarrassing vulnerability in its firmware that can be trivially exploited ... to install hidden backdoors on the home network equipment..." A DirecTV installation includes a Linksys WVBR0-25 wireless video bridge that sends video and audio from a DirecTV Genie DVR over the air to multiple Genie client boxes that are plugged into your TVs. The bridge sets up a private wireless network, and acts as a virtual coaxial cable to your television sets. The wireless bridge runs a web server that is trivially easy to hack into. Someone with access to the home network could install malware on the box. When told of the flaw, AT&T did not respond, even after 180 days. What to do? The researcher who found this said "... users should protect themselves by limiting the devices that can interact with the WVBR0-25 to those that actually need to reach it." In other words, VLAN!

On a more technical level, each VLAN gets its own subnet. So, one VLAN might use IP addresses in the 10.1.1.x range and another VLAN would use IP addresses that start with 10.2.2.x. Each VLAN also gets its own DNS servers. All your VLANs can use the same DNS servers, but they don't have to. For example, if you put devices used by children into a VLAN, then that VLAN can use DNS servers that block porn and the KKK.

To help you keep track of your VLANs, the Surf SOHO lets you assign each VLAN both a name and a number. Some useful names might be IoTvlan, VOIPvlan or GuestVLAN. The highest allowable number is, I believe, 4,095.

THE TOTAL REVERSE

While this page focuses on giving a computing device access to the Internet and nothing else, sometimes we need the reverse. That is, we want a device to be accessible locally but not have access to the Internet. The firewall in any router should prevent incoming access from the Internet, at least as long as UPnP is disabled. A router that supports firewall rules will let you block the device from making any outgoing connections to the Internet. No phoning home for ET. Needless to say, my preferred router, the Pepwave Surf SOHO, supports outbound firewall rules. Generally speaking, consumer routers do not offer outbound firewall rules.

PEPWAVE SURF SOHO VLANs

To use VLANs on the Surf SOHO, you first need to enable VLAN support, then define a VLAN (or two or three) and finally give the VLAN(s) a scope. By scope, I mean assign the VLAN to an SSID and/or a LAN port.

The secret handshake to enable VLANs

To enable VLAN support in firmware version 7, do Network -> LAN -> Network Settings (see above). In the "IP Settings" section at the top of the page, click on the white question mark in the blue circle. A small window pops up saying "If you need to define multiple VLANs, press here". Click on the word "here". A second window pops up that says "The LAN settings will be switch to advanced mode with VLAN support. Are you sure?" Click on the Proceed button. Then, click on Apply Changes on the main menu bar (black horizontal stripe across the top of the screen).

Applying the changes takes you back to the main Dashboard page. Go back to Network -> Network Settings. Before creating new VLANs, there are two changes I suggest making.

As noted earlier, VLANs were not created for total network isolation and, by default, at least with Peplink routers, communication is allowed between different VLANs and non-VLAN devices (that is, stuff on the untagged LAN). So, click on "Untagged LAN" and turn off the checkbox for Inter-VLAN routing. This will prevent devices that are not part of any VLAN (untagged devices) from any and all communication with whatever VLANs you create.

Next, I would give the "Untagged LAN" a more descriptive name. This is the default name for the group of devices that are NOT in any VLAN. The default name is technically correct. Chunks of data (called packets or frames) transmitted on a network with VLANs have an extra tag that identifies the VLAN each chunk/packet/frame belongs to. Devices that are not part of a VLAN do not have their network packets tagged.

The name you choose can be anything that makes sense to you. Consider something like PrivateLAN or PrivateNetwork or MikeysPrivateLAN. Then click the gray Save button at the bottom of the window and, again, Apply Changes.

Back to Network -> Network settings. Now that VLAN support is enabled, the router will display a new gray button labeled "New LAN". It really should say "New VLAN". Click the New LAN button to define a new VLAN and you will see the screen below.

Defining a new VLAN

Previously I mentioned that each VLAN gets its own subnet, name, number and DNS servers. This is where we assign these attributes. It is also where we control whether the VLAN can talk to other VLANs and whether devices in this particular VLAN can see each other. Assigning most of these attributes is easy, assigning the subnet requires some techie knowledge.

The first field (IP Address) is not one I mentioned before. It is the IP address of the router, as seen from this VLAN. This is part of defining the subnet that the VLAN will use. In the example above, the VLAN is using the 10.22.22.x subnetwork. This means that all devices in that VLAN will have IP addresses that start with 10.22.22. All devices. Even the router itself. The first field is where you give the router an IP address in the new VLAN. In the screen shot above, it is device number 2. From the main network, the router is (using Peplink defaults) addressed as 192.168.50.1, but from this new VLAN/subnet, it will be addressed as 10.22.22.2.

Why 2? Most people use 1. It is best to avoid an IP address that ends with 1 or 254. For more on this, see the IP address page.

The field next to the router IP Address is complicated. However, the value shown (255.255.255.0/24) should be fine in almost all cases. It means that the subnet used by this VLAN can have a maximum of 255 devices (numbered 0 through 254). If nerds ask, this is a subnet mask.

Another subnet related field is the "IP Range" in the DHCP Server section.

All computing devices on a network need a unique number. Here we are dealing with IP version 4 numbers/addresses. Devices can either be configured to always use a specific IP address/number or be assigned one on a temporary basis when they join a network. Most of the time, devices use temporary IP addresses assigned by the router. The router itself is an exception; it has a fixed, static IP address. The system that loans out temporary IP addresses is DHCP.

In the example above, devices that don't have a fixed IP address will be assigned one ending in 100 through 199 (10.22.22.100 through 10.22.22.199). This implies that we can use fixed IP addresses between 1 and 99 and between 200 and 254 for devices that need one that never changes. A network printer, for example, is best assigned a fixed IP address. This range of temporary IP addresses was an arbitrary choice; it could just as well have been 100-250 or 30-252. The lowest number cannot be lower than the number given to the router. The highest number is 254.

That's the hardest part. Now, it gets easier.

The name of the VLAN goes in the Name field (see, easier). In the example, the name is Guest-VLAN. The name should be whatever makes sense to you based on who or what will be using this VLAN. If you intend to use the VLAN with a single SSID, then perhaps name it after that SSID. For example, the VLAN for SSID "michael" might be called "michaelsvlan". A VLAN for IoT devices might be called IoTvlan. My VLAN, that consists of a single Ethernet LAN port used by a VOIP telephone adapter might be called VOIPvlan. It is not clear how long the name can be or what characters are allowed/disallowed, so don't go crazy.

In addition to names, Peplink also assigns numbers to VLANs. The important attribute of the number seems to be that it is unique. Peplink refers to the number as a "VLAN ID" but it's a number.

The number does not have to be related to the subnet, but being neat simplifies things. For example, you might assign the VLAN using the 10.2.2.x subnet number 2. Or, if you like 192.168 subnets, then consider assigning the number 4 to the 192.168.4.x subnet and 8 to the 192.168.8.x subnet. VLAN numbers do not have to start at 1 and do not have to be consecutive.
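The subnet, router address, DHCP range and VLAN number rules from the preceding paragraphs, turned into a small plan checker. This is an added example, not anything from the Surf SOHO or Peplink; the plan itself is constructed to mirror the page's examples (the 10.22.22.x Guest-VLAN with the router at .2 and a DHCP pool of 100-199) and the other VLAN names and subnets are made up.

```python
import ipaddress
from typing import List, Tuple

# Constructed VLAN plan modelled on this page's examples (names and subnets are illustrative).
# Entry: (name, VLAN ID, router address in that VLAN with prefix, first DHCP host, last DHCP host).
# VLAN ID 0 stands for the untagged LAN, which carries no tag and therefore has no ID.
PLAN = [
    ("MikeysPrivateLAN", 0, "192.168.50.1/24", 100, 199),  # Peplink default router address
    ("Guest-VLAN", 22, "10.22.22.2/24", 100, 199),         # the 10.22.22.x example on this page
    ("IoTvlan", 33, "10.33.33.2/24", 100, 199),
    ("VOIPvlan", 44, "10.44.44.2/24", 100, 199),
]

def check_vlan(name: str, vlan_id: int, router_cidr: str, dhcp_first: int, dhcp_last: int) -> List[str]:
    """Check one VLAN definition against the rules given on this page; returns the problems found."""
    problems = []
    iface = ipaddress.ip_interface(router_cidr)
    net = iface.network
    router_host = int(iface.ip) - int(net.network_address)  # the last octet on a /24
    max_host = net.num_addresses - 2                          # 254 on a /24 (0 and 255 are not hosts)
    if vlan_id and not 1 <= vlan_id <= 4094:
        problems.append(f"{name}: VLAN ID {vlan_id} is outside 1..4094")
    if router_host in (0, max_host + 1):
        problems.append(f"{name}: router address {iface.ip} is the network or broadcast address")
    elif router_host in (1, max_host):
        problems.append(f"{name}: router host number {router_host} ends in 1 or 254, which the page advises avoiding")
    if not 1 <= dhcp_first <= dhcp_last <= max_host:
        problems.append(f"{name}: DHCP range {dhcp_first}-{dhcp_last} must lie within 1..{max_host}")
    elif dhcp_first <= router_host:
        problems.append(f"{name}: DHCP range must start above the router's own number {router_host}")
    return problems

def static_ranges(router_host: int, dhcp_first: int, dhcp_last: int, max_host: int = 254) -> List[Tuple[int, int]]:
    """Host numbers left over for fixed addresses (printers etc.): 1..max_host minus the router's
    own number and minus the DHCP pool, returned as inclusive (low, high) runs."""
    reserved = set(range(dhcp_first, dhcp_last + 1)) | {router_host}
    runs, start, prev = [], None, None
    for h in range(1, max_host + 1):
        if h in reserved:
            continue
        if start is None or h != prev + 1:   # a gap: close the previous run, open a new one
            if start is not None:
                runs.append((start, prev))
            start = h
        prev = h
    if start is not None:
        runs.append((start, prev))
    return runs

def check_plan(plan) -> List[str]:
    """Check the whole plan: unique VLAN IDs, non-overlapping subnets, then each VLAN on its own."""
    problems = []
    if len({v[1] for v in plan}) != len(plan):
        problems.append("VLAN IDs are not unique")
    nets = [ipaddress.ip_interface(v[2]).network for v in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap; each VLAN needs its own subnet")
    for v in plan:
        problems += check_vlan(*v)
    return problems
```

Running check_plan(PLAN) flags only the untagged LAN, because the Peplink default router address ends in 1; static_ranges(2, 100, 199) lists the host numbers still free for fixed addresses on the Guest-VLAN.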

The next field, "Inter-VLAN routing" is why you are reading this. Do not check the box. With this disabled, devices in this VLAN can access the Internet but can not access anything outside of their VLAN. Even if some other VLANs want to share stuff, this VLAN will not come to the sharing party.

The latest firmware has an option, not shown here, for a Captive Portal. Leave it unchecked.

I suggest enabling the DHCP server and disabling (not checking) DHCP Server logging. These can always be changed later. A Lease Time of one day should be fine. This is how long a device can use an IP address before it has to go back to the router and ask for another one. Opt to assign DNS servers automatically and do not check Bootp. There is no need to deal with the Extended DHCP option or DHCP Reservation.

When done, click the SAVE button at the bottom of the window and then Apply Changes, yet again.

To assign our newly minted VLAN to an SSID, go to AP -> Wireless SSID and click on the SSID name. As shown below, click on the drop down list box in the VLAN ID field. VLANs are identified both by name and number.

Assigning a VLAN to an SSID

Isolating devices on this SSID/VLAN from each other requires simply checking the box for "Layer 2 isolation" as shown below.

Layer 2 Isolation for an SSID

But, the Layer 2 Isolation option is not shown by default. As with VLANs, the router defaults to a simple mode and you need to know the secret handshake to see the advanced settings. As shown below, the secret handshake, in this case, is the white question mark in the blue circle. You need to click it, and then click again, where instructed (see below).

Enabling advanced configuration options for an SSID

Be sure to click the Apply Changes button on the top of the screen, when you are done making changes.

At this point, you have a single, totally isolated, SSID. Congratulations.

NOTE: The advanced SSID settings stick around for a while, but you may have to do this again the next time. SSID configuration was split up into simple and advanced settings as of firmware version 7. Anyone using version 6 (which is the only supported firmware on the first hardware edition of the Surf SOHO) will see the "Layer 2 isolation" without needing a secret handshake.

The Surf SOHO allows for more than one isolated SSID. Simply create another VLAN for the second wireless network. The Surf SOHO can create a maximum of three SSIDs.

PENDING QUESTION: If a VLAN is assigned to two LAN ports and a single SSID that has Layer 2 isolation enabled, can devices plugged into the LAN ports see the wireless devices? Can the wireless devices see the Ethernet devices? Can the Ethernet devices see each other? I don't yet know....

ETHERNET PORTS

When assigning Ethernet ports to a VLAN, you are presented with a choice that the User Manual does not explain - whether the LAN port is "Access" or "Trunk". Recall from earlier, that network packets/frames that are part of a VLAN are "tagged" with the identifier of that VLAN. Who does the tagging is determined by the type of port.

An Ethernet port designated to run in "Access" mode expects to have a computing device (laptop computer, desktop computer, network printer, etc) connected to it. The computing device is unaware of VLANs, so in Access mode, the router adds the VLAN tags. Access mode is the default, and represents the simplest case.

An Ethernet port in Trunk mode expects data flowing into it to already be tagged for VLAN use. You would use Trunk mode when a VLAN aware smart switch is plugged into the LAN port. Smart switches are a step up from dumb switches and a step down from a router. The Netgear GS105E is a smart switch with 5 Ethernet ports and VLAN support. It cost about $40 in January 2018.

As shown below you can let the smart switch send traffic from any VLAN to the Trunk port, or limit the port to a single VLAN.

Ethernet ports and VLANs
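The tagging described above (the extra tag on each frame, and the Access versus Trunk question of who adds it) modelled in code. This is an added example, not Peplink's or anyone else's implementation: it builds and parses the 4-byte 802.1Q tag that sits after the MAC addresses, then models an Access port (router tags untagged frames and drops any that arrive pre-tagged) and a Trunk port (frames must arrive tagged by the smart switch and only permitted VLAN numbers pass). MAC addresses and payloads in the test are constructed.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vid is given, insert the 4-byte 802.1Q tag after the MAC addresses."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = (pcp << 13) | vid            # priority in the top 3 bits, DEI left 0, VID in the low 12
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, vid (None when untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if etype == TPID_8021Q:                # tagged: the TCI follows, then the real EtherType
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (etype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype, "payload": frame[offset:]}

def access_port_ingress(frame: bytes, port_vid: int) -> Optional[bytes]:
    """Access mode: the attached device is VLAN-unaware, so the router tags every incoming frame
    with the port's VLAN. A frame that already carries a tag is dropped (None): an end device
    has no business choosing its own VLAN."""
    p = parse_frame(frame)
    if p["vid"] is not None:
        return None
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vid=port_vid)

def access_port_egress(frame: bytes) -> bytes:
    """Leaving an access port the tag is removed again, so the device never sees it."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])

def trunk_port_ingress(frame: bytes, allowed_vids: set) -> Optional[bytes]:
    """Trunk mode: the smart switch has already tagged the frame. Untagged frames and frames for
    VLANs the trunk is not permitted to carry are dropped; everything else passes through unchanged."""
    p = parse_frame(frame)
    if p["vid"] is None or p["vid"] not in allowed_vids:
        return None
    return frame
```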

FINAL NAIL

The final nail in the total isolation coffin is limiting the VLANs that can login to the router's web interface. For the best security, restrict router access to the private network. That is, prevent all VLANs from having direct access to the router.

To do this, go to System -> Admin Security -> Allowed LAN Networks (see below).

Configuring the VLANs that are allowed to access the router

The "Allowed LAN Networks" setting defaults to Any, which means users on all VLANs can login to the router. In the screen shot above, this has been changed and only MikeysPrivateLAN is allowed access to the router. Continuing the earlier example, this prevents anyone on the 10.22.22.x subnet/VLAN from logging on to the router using IP address 10.22.22.2. They won't even be able to view the logon page.

Interestingly, this setting also blocks the Peplink mobile app from talking to the router, if the app connects to an SSID/VLAN that is not allowed in. I learned that the hard way.

Note: This topic was originally part of the Pepwave Surf SOHO page but got too big for its britches.

This page was last updated: January 8, 2018 11PM CT     
Created: December 15, 2017
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2018