|Router Security||Using VLANs for Network Isolation||
Website by |
Many computing devices need access to the Internet but do not need to interact with any other devices connected to the router. If you have ever used the Internet at a coffee shop, you fit this profile while drinking your coffee. Security increases when devices fitting this profile are prevented from seeing, let alone interacting with, any other devices connected to the same router. In coffee shop terms, this means your laptop is safer if the laptop computers of the other customers can't see it. Bad guys at the coffee shop can't hack into computers that are invisible to their network scans.
For lack of a better term, I refer to this as Network Isolation. Other may prefer to call it network segmentation.
Many devices in your home need nothing but Internet access. Among these would be a Roku box, an Amazon Alexa and an Internet Radio. I have a stereo receiver that can play Pandora and other streaming services. On a home network, the protection offered by isolating these devices is to minimize the impact of a hacked device. Likewise, a malware infested Windows machine can't spread its tentacles, if it can't see any other devices or computers.
A truly isolated malicious device is prevented from learning about the existence of any other devices in the home. It is fooled, by the router, into thinking its the only device connected to the router. All the other devices in the home are thus protected from being spied on. If the CIA hacks your smart TV, the router prevents the TV from seeing anything you do on your computer.
To be clear, allowing a wireless device to access nothing but the Internet means:
Truly isolated devices run inside a VLAN. Specifically, a VLAN that does not allow communication with other VLANs.
A VLAN is a virtual LAN. A network within a network. A logical (not necessarily physical) grouping of devices.
VLANs were not initially created for the type of network isolation I advocate here. As such, there is a configuration option for each VLAN that controls whether it is allowed to communicate with other VLANs or not. In addition, there is another configuration option that controls whether the devices in a VLAN can see and communicate with each other.
As an analogy, consider a pet store with many fish tanks full of fish. Since the fish in one tank can not interact with the fish in another tank, each tank can be thought of as a VLAN that does not allow communication with other VLANs. A better analogy would be if each tank had a curtain around it preventing the fish from even seeing any of the other tanks.
Devices that only need Internet access, are best isolated in a fish tank by themselves. They can't see the other fish tanks (VLANs) and they can't see any other fish (computers).
But, sometimes we do need the fish in a tank to interact with each other. If, for example, you want to use a mobile device to control a Roku box, then both devices have to be able to communicate. The same with Sonos speakers that can also be controlled by a mobile device. I am told that Chromecast is another example, as a mobile device needs to see the Chromecast to set it up initially.
The most secure setup would be to put the Roku, Sonos and Chromecast devices in their own VLANs, configured to allow the devices/fish to see other, and assign a single SSID to each of those VLANs. Then, when a mobile device needs to communicate with the Roku, for example, it logs into the dedicated Roku SSID. This is annoying, but security and convenience have always been enemies. Also, you may run out of SSIDs. Prior to firmware version 8, the Surf SOHO could create only three SSIDs. As of firmware 8, it can create 16.
If a particular device, such as a Roku box, can be totally isolated most of the time and only rarely needs to communicate with another device in your home, then you might have it totally isolated by default and just enable sharing within its VLAN on the rare exceptions when you need it (thanks to Zach for the idea). Of course, disable sharing when you are done.
Before leaving the fish tank analogy, any time the fish in a tank are allowed to see and interact with each other, a big fish may eat a small one.
ISOLATION WITHOUT VLANS
VLANs are only offered in professional grade routers. With consumer routers, there are two approaches that approximate VLAN segregation: Guest Wi-Fi networks and using two routers.
A Guest Wi-Fi network is somewhat isolated from the main network. I say "somewhat" because the isolation varies and may be configurable. The vast majority of consumer routers offer a single Guest network; some offer one on each Wi-Fi frequency band (2.4GHz and 5GHz). In contrast, a router that supports VLANs will probably let you create dozens of them. Also, Guest networks are Wi-Fi only, VLANs can also exist on wired Ethernet connections.
To illustrate how the isolation offered by a Guest network varies across vendors: when configuring a Guest network on a TP-Link router (screen shot) there is a checkbox for "Allow guests to see each other". TP-Link Guest networks also have a checkbox to "Allow guests to access my local network." Google Wi-Fi has no hard barrier between the Guest and private networks. The system supports shared devices, a feature that can not be disabled. Asus offers a choice as you can see here. I am pretty sure that the "Access Intranet" option breaks down the wall between Guest and private devices. Netgear is confusing. Their article How do I set up a guest network on my Nighthawk router? says nothing about this, but others have seen an option to "allow guests to access my local network" This PC Magazine article has a screen shot of a Netgear router with an option to "Allow guest to see each other and access my local network." Eero has no sharing options for a Guest network. Trendnet has two options: "Wireless client isolation" and "Internet Access Only". The Synology RT2600ac offers two Guest networks, but they share the same subnet, so they are not isolated from each other. You can learn more about Synology Guest networks in my review. D-Link has an option to "Enable routing between Zones" which you can see in this screen shot from this 2016 Gizmodo article.
Peplink does not offer Guest Wi-Fi networks per-se, but it does offer two isolation options. To prevent devices on the same Wi-Fi network (SSID) from seeing each other, you can enable "Layer 2 isolation". If a Wi-Fi network is assigned to a VLAN, you can isolate that VLAN from all other devices connected to the router by disabling "Inter-VLAN routing."
The other option, using two routers, should offer total isolation. In this case, you connect the WAN/Internet port of the inner router to a LAN port of the outer router. The outer router is either connected to a modem or is a combination modem/router device. The firewall of the inner router isolates devices connected to it from all the devices connected to the outer router. For someone working from home this is a fairly secure way to isolate their work devices from everything else in the home. One downside to this approach is that it does not scale. Another is that there will be no option to isolate devices connected to the inner router from each other. On the upside, it isolates Ethernet-connected devices, something Wi-Fi can not do. For more on this, see my September 2020 blog A second router can make working from home much more secure.
SIMPLE AND COMPLEX VLAN EXAMPLES
The fish tank in the previous analogy can be thought of as the boundary or scope of a VLAN. Stepping out of the analogy, the scope of a VLAN actually consists of Wi-Fi networks (SSIDs) and Ethernet ports. On the simplest level a VLAN can consist of a single SSID or a single Ethernet LAN port. You can mix and match too.
Type 1 is basically a Guest Wi-Fi network on steroids. The devices using that SSID will be walled off from all other devices connected to the router (assuming that inter-VLAN routing is not allowed). You might use one such isolated SSID for actual guests/visitors and another one for IoT devices such as a Roku box, an Apple TV, an Amazon Echo, a Nest thermostat or an Internet radio. This way you can change the Guest network password without impacting the IoT devices. And, the Guest network can be disabled when its not needed.
As an example, of Type 2, I use a VOIP service that provides a small telephone adapter box. One end plugs into a LAN port on my router and the other end plugs into a land-line telephone. The Ethernet port used by the telephone adapter is in its own, really tiny, VLAN.
Roommates could use Type 4. Each person could have their own SSID and two LAN Ports assigned to their personal VLAN. In effect, this chops the router in half and never the twain shall meet. Likewise, someone who works at home could use type 4 as a way to isolate the computers/printers/etc that are used for work from all the other devices in their home. Someone who works at home and wants the best possible security might use type 3 and limit themselves to 2 or 3 LAN ports and avoid Wi-Fi altogether.
Are VLANs overkill?
VLANs IN THE NEWSNeed some convincing before bothering with VLANs? See some stories in the news about bad things that a VLAN would have prevented.
On a more technical level, each VLAN gets its own subnet (sub-network) and subnet mask. So, one VLAN might use IP addresses in the 10.1.1.x range and another VLAN would use IP addresses that start with 10.2.2.x. Each VLAN also gets its own DNS servers. The router has a different IP address in each VLAN. They are, as the name implies, virtually LANs. All your VLANs can use the same DNS servers, or, each VLAN can use different DNS servers. If, for example, you put devices used by children into a VLAN, then that VLAN can use DNS servers that block porn.
NOTE: IF DNS forwarding is enabled in the Surf SOHO, then the router forces all old-style DNS queries to be answered by the router itself. This over-rides the DNS servers specified for a VLAN. Newer, encrypted DNS requests from router clients, specifically DoT and DoH, bypass the router entirely.
To help you keep track of your VLANs, the Surf SOHO lets you assign each VLAN both a name and a number. Some useful names might be IoTvlan, VOIPvlan or GuestVLAN. VLAN numbers should be between 2 and 4,094.
VLANs are first created, and then assigned to LAN ports and/or SSIDs. You do not assign an IP address or a MAC address to a VLAN.
VLANs do not get their own passwords. If you assign a Wi-Fi network to a VLAN, the Wi-Fi password does not change. Ethernet ports that are assigned to a VLAN are not password protected.
With consumer routers, all devices (wired, wireless, main network, Guest WiFi network) use the same DNS servers. On higher end business/professional routers, such as Peplink, Ubiquti UniFi, Cisco and Draytek, an SSID can be assigned to a VLAN and thus each SSID can use different DNS servers.
A common first problem after implementing VLANs is printing. Specifically, how do devices in a VLAN get to a shared network printer? Since this breaks some of the isolation that VLANs can offer, this topic is at the bottom of the page. It's also covered last because it's complicated.
Many routers can offer some isolation but the feature is often disabled and limited in scope.
Support for VLANs is rare. I have not seen it in any consumer routers. None of the consumer oriented mesh routers support it. My recommended router, the Pepwave Surf SOHO, fully supports VLANs, but it is an advanced feature and disabled out of the box. You have to know a secret handshake (see below) to enable VLANs on the Surf SOHO.
The high end Synology RT2600ac, which seems to offer every feature ever invented for routers, does not support VLANs (according to the user guide for SRM version 1.2).
The isolation offered by the RT2600ac is a hodgepodge. On a non-Guest network, devices may or may not be able to communicate with each other depending on an AP Isolation option. The manual does not address sharing between Ethernet devices and non-Guest Wi-Fi users. On a Guest network, devices on the 2.4GHz band can not see devices on the 5GHz band. The manual wasn't clear as to whether AP Isolation was available for Guest networks within one frequency band. And, like many routers, Guest devices can access non-Guest devices if you so choose.
I don't mean to downplay Guest networks, they are a great security feature, even without full network isolation. Having a different password from the main Wi-Fi network lets you periodically change the password so that Guests don't get a permanent pass. Guest networks can also be disabled when they are not needed. And, they can offer some isolation of Guest users/devices.
That said, many consumer routers offer just one guest network and I don't think that's enough. For example, I suggest having one Wi-Fi network for devices that need to see other devices, one for actual guests or visitors and another for IoT devices. Parents with small children, may also want to isolate devices used by the kids.
THE TOTAL REVERSE
While this page focuses on giving a computing device access to the Internet and nothing else, sometimes we need the reverse. That is, we want a device to be accessible locally but not have access to the Internet. The firewall in any router should prevent incoming access from the Internet, at least as long as UPnP is disabled. A router that supports firewall rules, will let you block the device from making any outgoing connections to the Internet. No phoning home for ET. Needless to say, my preferred router, the Pepwave Surf SOHO, supports outbound firewall rules. Generally speaking, consumer routers do not offer outbound firewall rules.
PEPWAVE SURF SOHO VLANs
To use VLANs on the Surf SOHO, you first define a VLAN (or two or three) and then you give the VLAN(s) a scope. By scope, I mean assign the VLAN to an SSID (Wi-Fi network) and/or an Ethernet LAN port. A VLAN that is defined but not assigned to anything can be deleted. A VLAN that has been assigned to either an SSID or a LAN port (or both), can not be deleted. The creation of VLANs starts at Network -> Network Settings (shown below).
Before creating new VLANs, there are two changes I suggest making. As noted earlier, VLANs were not created for total network isolation and, by default, at least with Peplink routers, communication is allowed between different VLANs and non-VLAN devices (that is, stuff on the untagged LAN). So, click on "Untagged LAN" and turn off the "Inter-VLAN routing" checkbox. This will prevent devices that are not part of any VLAN (untagged devices) from any and all communication with whatever VLANs you create.
Next, I would give the "Untagged LAN" a more descriptive name. This is the default name for the group of devices that are NOT in any VLAN. The default name is technically correct; chunks of data (called packets or frames) transmitted on a network with VLANs have an extra tag that identifies the VLAN each chunk/packet/frame belongs to. Devices that are not part of a VLAN do not have their network packets tagged. I suggest changing the name just because it is not helpful for people who are not experts at networking.The name you choose can be anything that makes sense to you. Consider something like PrivateLAN or PrivateNetwork or MikeysPrivateLAN. Then click the gray Save button at the bottom of the window and, again, Apply Changes.
In Firmware 7, support for VLANs was disabled out-of-the-box. In firmware 8, the ability to create VLANs is enabled by default.
Firmware 7 only: To enable VLAN support do Network -> Network Settings. In the "IP Settings" section at the top of the page, click on the white question mark in the blue circle. A small window pops up saying "If you need to define multiple VLANs, press here". Click on the word "here". A second window pops up that says "The LAN settings will be switch to advanced mode with VLAN support. Are you sure?" CLick on the Proceed button. Then, click on Apply Changes. This takes you back to the main Dashboard page.
Go to Network -> Network settings again. The gray button labeled "New LAN" really should say "New VLAN". Click the "New LAN" button to define a new VLAN and you will see the screen below (it looks exactly the same in firmware 7 and 8).
Previously I mentioned that each VLAN gets its own subnet (sub network or range of IP addresses), name, number and DNS servers. This is where we assign these attributes. It is also where we control whether the VLAN can talk to other VLANs and whether devices in this particular VLAN can see each other. Assigning most of these attributes is easy, assigning the subnet requires some techie knowledge.
The first field (IP Address) is not one I mentioned before. It is the IP address of the router, as seen from this VLAN. This is part of defining the subnet that the VLAN will use. In the example above, the VLAN is using the 10.22.22.x subnet. This means that all devices in that VLAN will have IP addresses that start with 10.22.22. All devices. Even the router itself. The first field is where you give the router an IP address in the new subnet used by the new VLAN. In the screen shot above, it is device number 2. For nerds, this is interesting. From the main network (untagged LAN), the router is addressed as 192.168.50.1 (using Peplink defaults), but from this new VLAN/subnet, it will be addressed as 10.22.22.2.
Why 2? Why not assign 10.22.22.1 to the router? Most people use 1. It is best to avoid an IP address that ends with 1 or 254. For more on this, see the IP address page.
The field next to the router IP Address is complicated. However, the value shown (255.255.255.0/24) should be fine in almost all cases. It means that the subnet used by this VLAN can have a maximum of 255 devices (numbered 0 through 254). If nerds ask, this is a subnet mask.
Another subnet related field is the "IP Range" in the DHCP Server section.
All computing devices on a network need a unique number. Here we are dealing with IP version 4 numbers/addresses. Devices can either be configured to always use a specific IP address/number or be assigned one on a temporary basis when they join a network. Most of the time, devices use temporary IP addresses assigned by the router. The router itself is an exception, it has a fixed, static IP address that we just configured. The system that loans out temporary IP addresses is called DHCP.
In the example above, devices that don't have a fixed IP address will be assigned one ending in 100 through 199 (10.22.22.100 through 10.22.22.199). This implies that we can use fixed/static IP addresses between 1 and 99 and between 200 and 254 for devices that need one that never changes. A network printer, for example, is best assigned a fixed IP address. This range of temporary IP addresses was an arbitrary choice, it could just as well have been 100-250 or 30-252. The lowest number can not be lower than the number given the router. The highest number is 254.
That's the hardest part. Now, it gets easier.
The name of the VLAN goes in the Name field (see, easier). In the example, the name is Guest-VLAN. The name should be whatever makes sense to you based on who or what will be using this VLAN. If you intend to use the VLAN with a single SSID, then perhaps name it after that SSID. For example, the VLAN for SSID "michael" might be called "michaelsvlan". A VLAN for IoT devices might be called IoTvlan. Personally, I have a VLAN that consists of a single Ethernet LAN port used by a VOIP telephone adapter. I call it VOIPvlan. It is not clear how long the name can be or what characters are allowed/disallowed, so don't go crazy.
In addition to names, VLANs are also assigned numbers. The important attribute of the number seems to be that it is unique. Peplink refers to the number as a "VLAN ID" but its a number.
The number does not have to be related to the subnet, but being neat simplifies things. For example, you might assign the VLAN using the 10.2.2.x subnet number 2. Or, if you like 192.168 subnets, then consider assigning the number 4 to the 192.168.4.x subnet and 8 to the 192.168.8.x subnet. VLAN numbers do not have to start at 1 and do not have be consecutive. In the Peplink manual they name the VLAN after its number. VLAN number 2, for example, is called VLAN2. Boring.
The next field, "Inter-VLAN routing" is why you are reading this page. Turn this off (it is on by default in firmware 8). With this disabled, devices in this VLAN can not access anything outside of their VLAN. Even if some other VLANs want to share stuff, this VLAN will not come to the sharing party. Disabling this does not block access the Internet.
I suggest enabling the DHCP server and DHCP Server logging. These can always be changed later. A Lease Time of one day (the default) should be fine. This is how long a device can use an IP address before it has to go back to the router and ask for another one. The Surf SOHO has been giving the same device the same IP address for years now, but that may change in the future. Opt to assign DNS servers automatically and do not check Bootp. There is no need to deal with the Extended DHCP option or DHCP Reservation.
When done, click the SAVE button at the bottom of the window and then Apply Changes, yet again.
To assign our newly minted VLAN to an SSID, go to AP -> Wireless SSID and click on the SSID name. As shown below, click on the drop down list box in the VLAN ID field. VLANs are identified here both by name and by number.
At this point, you do not see the option that isolates devices on this SSID/VLAN from each other. The router defaults to a simple mode and you need to know the secret handshake to see the advanced settings. As shown below, the secret handshake is the white question mark in the blue circle. You need to click it, and then click again, where instructed (see below).
Now you should see a checkbox for "Layer 2 isolation" as shown below. This is what isolates devices within this one VLAN/SSLID.
Be sure to click the Apply Changes button on the top of the screen, when you are done making changes.
At this point, you have a single, totally isolated, SSID. Congratulations.
The Surf SOHO allows for more than one isolated SSID. Simply create another VLAN for the second wireless network. The Surf SOHO can create a maximum of eight SSIDs.
PENDING QUESTION: If a VLAN is assigned to two LAN ports and a single SSID that has Layer 2 isolation enabled, can devices plugged into the LAN ports see the wireless devices? Can the wireless devices see the Ethernet devices? Can the Ethernet devices see each other? I don't yet know....
When assigning Ethernet ports to a VLAN, you are presented with a choice that the User Manual does not explain - whether the LAN port is "Access" or "Trunk". Access mode used to be the default, as of firmware v8, Trunk is the default. Access is the simplest case and thus I suggest starting with it.
Recall from earlier, that network packets/frames that are part of a VLAN are "tagged" with the identifier of that VLAN. Most devices plugged into an Ethernet LAN port (laptop computer, desktop computer, VOIP telephone adapter, network printer, stereo receiver, Roku box) do not understand VLANs so the responsibility of tagging stuff falls to the router. In this case, the LAN port type should be Access.
A device that does understand VLANs would be a smart switch. Smart switches are step up from dumb switches and a step down from a router. When a smart switch is plugged into a LAN port, then the type should be Trunk. This tells the router not to bother adding VLANs tags, the smart switch has already done so.
The Netgear GS105E is a smart switch with 5 Ethernet ports and VLAN support. It cost about $40 in January 2018 and from $40 to $55 in March 2020.
Whatever device is plugged in to a LAN port of type ACCESS, is assigned the profile you specify here. In the screen shot below, anything plugged into LAN port 3 will be assigned to the Guest VLAN and anything plugged into LAN port 2 will not be assigned to any VLAN. I use "MikeysPrivateLAN" as the name of my non-VLAN untagged network. An Ethernet-only network printer would belong in LAN port 2.
TRUNK ports are more complicated. The smart switch plugged into a TRUNK port can send data for multiple VLANs, depending on how its configured. But, the router is not bossed around by the smart switch. You can control which VLANs the router will accept from the smart switch. In the screen shot below, LAN port 1 allows the smart switch to send data for any VLAN, while LAN port 4 will only accept data for the IoT VLAN from the smart switch that is plugged into it.
The final nail in the total isolation coffin, is limiting the VLANs that can login to the router's web interface. For the best security, restrict router access to the private network. That is, prevent all VLANs from having direct access to the router.
To do this, go to System -> Admin Security -> Allowed LAN Networks (see below).
The "Allowed LAN Networks," defaults to Any which means users on all VLANs can login to the router. In the screen shot above, this has been changed and only MikeysPrivateLAN is allowed access to the router. Continuing the earlier example, this prevents anyone on the 10.22.22.x subnet/VLAN from logging on to the router using IP address 10.22.22.2. They won't even be able to view the logon page. After changing this, click the SAVE button, then the APPLY CHANGES button.
Continuing with the previous screen shot, the one in the Ethernet Ports section above, this means a computer plugged into LAN port 2 (MikeysPrivateLAN) can access the router, while one plugged in to LAN ports 3 (Guest-VLAN) and 4 (IoT-VLAN) can not.
Interestingly, this setting also blocks the Peplink mobile app from talking to the router, if the app connects to an SSID/VLAN that is not allowed in. Learned that the hard way.
PRINTERS (added April 11, 2021)
Shared devices, such as network printers, can be a problem after setting up VLANs for isolation. In the simplest case, a shared network printer is on the untagged LAN and so are all the devices that need to print. But, once you want to print from a device in a VLAN, things get complicated.
One solution is to move the device that wants to print to the untagged LAN, temporarily, and then move it back to its VLAN afterwards. If the device is Wi-Fi, then it needs to disconnect from the SSID assigned to its VLAN and connect instead to an SSID assigned to the untagged LAN. If the device is Ethernet-connected, then it either needs to be plugged into a different LAN port (one assigned to the untagged LAN) or the LAN port it is using, needs to be re-assigned to the untagged LAN, temporarily.
Another solution is to put the printer into its own dedicated VLAN, one used just by the printer and nothing else. This printer-only VLAN should allow incoming requests from router clients but be blocked from making outbound requests. We block it in case the printer is malicious. To set this up:
There are a number of items on the Peplink Forum about shared printing with isolated VLANs. This is not something I have personally dealt with. The steps above come from the Peplink Forum item called Guide to setting up VLANs for Printing with Firewall isolation by Marcus Dowling. The examples there assume the use of InControl2, but the concepts are the same without it.
The competition: Creating Isolated Networks with Ubiquiti UniFi by Christian Mohn (August 2019). Ubiquiti has two VLAN configuration options, Network purpose and Network Group, that its not clear to me what they are/do. Ubiquiti can not assign names to VLANs. Isolating a VLAN requires firewall rules rather than a single checkbox.
The competition: Mike Potts documented on GitHub Using the Ubiquiti EdgeRouter X and Ubiquiti AP-AC-LR Access Point to create VLANs for each of 3 LAN ports and three different SSIDs. Here is an overview in PDF format. The heart of this is a 105 page PDF document with the full instructions. Compare that to this page. Seems much more complicated than the Surf SOHO (or any Peplink router). For example, look at all these firewall rules. Ugh. The EdgeRouter X is about $50 and the Access Point is about $100, so its roughly $50 cheaper than a Surf SOHO. That said, there are many costs other than financial. For example, Mr. Potts said "The only trouble with this router is that it is meant for professionals to use. You have to scrounge around forums for postings on how to configure specific items." Peplink routers are also targeted at professionals, yet the user interface is fairly easy to use.
A Pepwave Surf SOHO limitation: This Feb. 2019 Forum question asks: "I have segregated printers into a separate VLAN. To make them broadly accessible from other VLANs with iOS devices (etc), I need to enable Inter-VLAN Bonjour ... How do I enable Bonjour on the SOHO MK3?". You can not. Bonjour forwarding is only supported on the higher end Balance and HD routers.
- - - - - -
This is unlikely to happen often, but understanding the question shows a good grasp of things.
A regular switch (as opposed to a smart switch or a managed switch) is a relatively dumb Ethernet-only device that takes chunks of Ethernet data (packets/frames) in on one port and sends it out another port. Conceptually, a switch is the opposite of the network isolation described above on this page. Rather than prevent devices from seeing each other, it always lets all connected devices see each other. That's its job. That's why people buy switches. So, what do you think happens when worlds collide?
Suppose the Surf SOHO has a LAN port port assigned to an isolationist VLAN. That is, the VLAN has Layer 2 Isolation enabled and it is not allowed to talk to any other VLANs. Any device directly plugged into that LAN port can only see the Internet. It will be blissfully ignorant and shielded from other devices using the router. That's easy.
But, what if you plugged a switch into that LAN port? What then of the devices plugged in to the switch? Can they see each other as per the switch or can they not see each other as per the router and the isolationist VLAN assigned to the LAN port? When the router and the switch arm wrestle, who wins?