Netgate SG-1000 microFirewall

Author Topic: TP-Link Easy Smart Switch security question  (Read 8318 times)

0 Members and 1 Guest are viewing this topic.

Offline whosmatt

  • Sr. Member
  • ****
  • Posts: 432
  • Karma: +27/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #15 on: January 03, 2017, 05:59:46 pm »
I've got 2 of the TL-SG108E and while they're basic in function, they are inexpensive and do work as intended.  They will indeed provide the level of security you're looking for, as long as you have the networking knowledge to do so. 
home:  pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 16GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline warheat1990

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #16 on: January 03, 2017, 08:39:09 pm »
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DE
Where do you find 1016DE for $60? Here 1016DE is about $125 but it's currently on sale on Amazon for $100, 108E is about $25-30.

Offline jahonix

  • Hero Member
  • *****
  • Posts: 2404
  • Karma: +144/-14
  • volunteer since 2006
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #17 on: January 04, 2017, 02:54:17 am »
Where do you find 1016DE for $60?


I just looked here



but it seems that those are only TL-SG1016D, which is the unmanaged version.


The version in question isn't that much more expensive though:

That is including 19% VAT.


This isn't, that's dealer cost...
« Last Edit: January 04, 2017, 03:06:20 am by jahonix »
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Offline ecfx

  • Full Member
  • ***
  • Posts: 221
  • Karma: +28/-11
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #18 on: January 14, 2017, 03:17:36 pm »
Hi,
I just bought one TL-SG108E ( it is v2 with web management interface HTTP ) and price is ~30Euro.

PVID 1 it is default and can't be changed.

I defined 3 VLANS
101 for WIFI private
103 for WIFI guests
105 for LAN private

I wanted to use port 8 as Trunk & port 6 & 7 for AP:
port 8 from pfSense interface Tagged ( for VLAN 101 & 103 & 105 )
port 7 Tagged to AP1 CISCO 2602 ( for VLAN 101 & 103 ).
port 6 Tagged to AP2 CISCO 2602 ( for VLAN 101 & 103 ).
port 3-2-1 Untagged to LAN devices ( for VLAN 105 ).

It's working, but in this configuration watching with NTOPNG on each VLAN interface it reveal that all traffic, from other/all VLANs it is broadcasted / visible in every VLAN interface, not exactly what I wanted ... any ideas ?

Offline whosmatt

  • Sr. Member
  • ****
  • Posts: 432
  • Karma: +27/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #19 on: January 15, 2017, 04:22:20 am »

PVID 1 it is default and can't be changed.


Yes, it can.  I have a simple setup with two of the TL-SG108E (one of which is V1, the other V2) and I changed the PVID of all ports to my primary VLAN ID (not 1).  My primary VLAN is for my home LAN; the only other VLAN I have defined is for my guest network and that is provided entirely via wireless.  So I set the port for my Ubiquiti AP to tag that one, and the port for my ESXi box (which hosts pfSense) to tag both.  The tagged traffic is passed to the pfSense VM still tagged via a port group in ESXi with VLAN ID 4095 (which is ESXi's version of a trunk.  In other words, pass all traffic with tags intact).  I also have an uplink between the two switches, which tags both VLANS.  No problems here; everything works as expected and traffic is isolated.  It's not super intuitive if you've come from managing switches that have a Cisco-like CLI, but once you get it, it works.

I'm showing the web interface of the V2 switch here because I'm on my Mac and can only access the V1 switch with a Windows app (at least easily).

« Last Edit: January 15, 2017, 04:34:37 am by whosmatt »
home:  pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 16GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline ecfx

  • Full Member
  • ***
  • Posts: 221
  • Karma: +28/-11
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #20 on: January 15, 2017, 04:50:08 am »
For me it look like you can change PVID for any port, only if that port is member in that VLAN... if you can show the VLAN Configuration page we can see exactly what you set.

Offline whosmatt

  • Sr. Member
  • ****
  • Posts: 432
  • Karma: +27/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #21 on: January 15, 2017, 04:52:00 am »
For me it look like you can change PVID for any port, only if that port is member in that VLAN...
Then change the PVID to whatever VLAN you want that port to be a member of.

Here's my tagging config for my V2 switch.  Port 1 is the trunk between the two switches.  Port 4 is connected to my Ubiquiti AP.  Bear in mind I have another V1 switch connected to this one, so you're not seeing the whole picture:

« Last Edit: January 15, 2017, 04:57:59 am by whosmatt »
home:  pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 16GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline ecfx

  • Full Member
  • ***
  • Posts: 221
  • Karma: +28/-11
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #22 on: January 15, 2017, 05:27:26 am »
Exactly how I anticipated I already tested this model of config and for my config will not solve that all traffic is mirrored on all VLANs.

Now when you have time have a look with NTOPNG in every VLAN interface you defined and let us know if you see all tagged traffic from all VLAN.

For example in your VLAN 11 you will see all traffic from 44, for me this is not normal to be seen there.

In my test all traffic from all clients on LAN, WIFI can be seen also on GUESTS... etc.

Offline whosmatt

  • Sr. Member
  • ****
  • Posts: 432
  • Karma: +27/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #23 on: January 15, 2017, 02:00:57 pm »
The only thing I can see wrong with your config is that some of your ports are still set to PVID 1.

I'm coming from a world where I manage Dell Powerconnect switches.  In Dell CLI parlance (and I think Cisco is similar), there are two main switchport modes, access, and trunk.  Setting a switchport to access with the command "switchport access vlan 44" tells the switch to tag any incoming traffic on that port with VLAN 44, and to send any traffic on VLAN 44 out of that port, removing the tag in the process.  In reality it's a bit more than that, since it is, after all, a switch, and learns MAC addresses, thereby avoiding sending all VLAN 44 traffic over all VLAN 44 ports.  But let's ignore that for now.

So, to mirror that behavior on the TP-LINK switch, you need to set the port as an untagged member in VLAN 44, but you also need to set the PVID to 44.  The reason for this, as I understand it, is that the untagged setting tells the switch to send VLAN44 out of the port, but it doesn't tell it what to do with incoming untagged traffic.  That's what the PVID setting does.  For a port with PVID 44, any incoming traffic that's not already tagged with a VLAN ID will get tagged with 44.  (someone correct me if I'm wrong on this, please).

The other mode on the Dell switch is trunk.  This is used in a situation where we want to send traffic with VLAN tags intact, so that the device on the other end can handle the VLANs.  That device could be anything:  a pfsense router with multiple VLAN interfaces, another switch, whatever.  In that case, we set the port with "switchport trunk allowed vlan add 44" and "switchport trunk allowed vlan add 11".  (I'm using my own VLAN IDs here, obviously).  So, that works in the case where all the traffic on the port is tagged.  But what if we want to handle untagged traffic on a trunk port as well?  In that case, we also set "switchport trunk native vlan 15" and then any untagged ingress traffic will get VLAN ID 15. [EDIT:  and egress traffic for VLAN 15 would be sent over the port as well, untagged.]  That's roughly equivalent to the PVID setting on the TP-LINK switch.  That comes in handy in the case of a device like the Ubiquiti AP, where the management network is untagged, but the SSIDs handle tagged traffic in different VLANs than the management network.

To mirror the trunk allowed setting on the TP-LINK switch, you just need to set the port as a tagged member of whichever VLANs you want to trunk.  The PVID will still be in place, and will handle any untagged traffic coming into the port, if there is any.   The PVID setting comes in handy again for devices like the Ubiquiti AP.  My own has its management interface in VLAN44 and also serves an SSID in that VLAN.  So the port it's connected to is untagged 44 and PVID 44.  But it also serves an SSID in VLAN 11, so the port is also set to tag VLAN 11.  That's port 4 in the screenshots I've posted.


I've checked with ntopng and also with tcpdump and I don't see any untoward traffic on any of my interfaces.

« Last Edit: January 15, 2017, 09:01:55 pm by whosmatt »
home:  pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 16GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11885
  • Karma: +461/-15
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #24 on: January 17, 2017, 07:11:07 pm »
@n3by Are you sure ntopng is not listening on the parent interface in pfSense?

Even if the switch were leaking traffic from VLANs you don't have 103 or 101 untagged or set as PVID anywhere so it's hard to believe that traffic could end up on those?

Steve

Offline ecfx

  • Full Member
  • ***
  • Posts: 221
  • Karma: +28/-11
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #25 on: January 18, 2017, 03:22:49 am »
I was really surprised and I double checked, also on history traffic log:
As you can see all VLAN 101-103-105 had the same high traffic spike ( one week ago ) but on VL103 = Guest I don't had / have any client.

At the moment I am using SG-108E only as L3 switch for LAN.
Next day I disabled VL105 and moved back to separate network interface ( this is why in history log now is showed as opt2 instead of VL105 ).
I moved back on another separate network interface VL101 & VL103 managed only by pfSense ( and a no-managed switch as trunk to connect the APs to pfSense ) so no more problems with unwanted traffic on VLANs.

Offline CanYaHearMeNow4

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #26 on: January 19, 2017, 08:39:35 pm »
I want to restate what's being said here because I believe that these TP-Link "Easy Smart Switches" do indeed have a fundamental flaw with their VLAN implementation. I hope this can serve as a warning for future prospective buyers.

I am a networking professional and I have been using pfSense appliances in my personal network for years. Power consumption is something that I'm trying to minimize as of late, so I wanted to purchase a low power switch that supported VLANs so that I could implement a "pfSense on a stick" style network with a slightly older low power Intel NUC that only has one 1gbps port. It was to be a fairly simple deployment with one "access port" on a VLAN designated for the "WAN" (external network, VLAN99), several "access ports" designated for the "LAN" (internal network, VLAN10) and one "trunk" port which would trunk these two networks into the pfSense appliance.

Flaw #1: The first flaw with this switch is that you have no control over the management interface with regard to VLANs. On a Cisco switch, there is the concept of an "Interface VLAN" where you can select what VLAN you wish to attach a layer-three interface. Not only do these TP-Link switches switch lack that functionality, they instead allow access to their management IP interface from all ports on the switch regardless of the VLAN or PVID configured.

Here is how to test this: For anyone who has this switch configured with multiple VLANs, plug a computer into any port on the switch and hard-code your IP to be in the same subnet as the switches management IP and ping the switch. I am able to access the management IP of the switch from any port regardless of changes made to the "802.1Q VLAN Configuration" tab or the "802.1Q PVID Setting" tab. This is a huge security issue in router on a stick deployment such as the one outlined above

When I noticed this behavior, I quickly pulled out my old WireShark PC and the results were simply baffling:

Flaw #2: Any broadcast received on a port whose PVID is set to VLAN1 will be flooded out of all ports regardless of the VLAN or PVID settings. Easy enough, just don't use VLAN1 right? This was verified by injecting ARP requests into port 8 and monitoring every other port with WireShark (see photos which contain my configuration settings).

Flaw #3: Traffic sourced from the switch's management IP address is flooded out of all ports regardless of the destination MAC address or the VLAN or PVID settings. This was verified by opening a browser and pointing it to the switches web based management while connected to a port set to PVID of VLAN 10. This resulted in WireShark showing a flood of HTTP traffic sourced from the MAC address of the switch egressing a port whose PVID and untagged VLAN setting was set to VLAN99 or VLAN1.

I purchased two of these TP-Link switches over the past few weeks. The first was the 8 port model: TL-SG108E 2.0, which I promptly returned upon the discovery of this "flaw". The second was model: TL-SG1024DE 2.0 which was on sale for the ridiculously low price of 35$ after mail-in rebate at Amazon. Both exhibited the same behavior.

I guess that why they always say: caveat emptor!

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14299
  • Karma: +1331/-194
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #27 on: January 20, 2017, 06:59:14 am »
Why do you not remove the ports from vlan 1.. Clearly from your shot showing that you have multiple untagged ports on a port then yeah if you send broadcast traffic on vlan 1, and the port is a member of vlan 1 it should see that traffic..

If your saying there is no way to remove a port from untagged 1 then sure that would be an issue, but looks like you can do it on the screen you posted above - you just didn't do it.. Not talking about delete vlan 1, talking about taking port out of the vlan vs it being a member of 2 in an untagged state.

"which was on sale for the ridiculously low price of 35$ after mail-in rebate at Amazon"

Really.. That is not what I show, I show that the rebate is $30.. So puts the price at 80$  If there was a mistake and you got the switch for $30 sweet for you!!  But I am guessing more same sort of info that didn't get right either ;) Just Sayin...

I don't have one of the tplink to test with, but I have a netgear that is same sort of price point.. Dirt Cheap - and "smart" to the point it does vlans but not much else.  Same thing you can not delete vlan 1 on the device.  But you can for sure remove a port from being untagged in more than one vlan and can change its pvid..

It doesn't protect you from stupid configurations.. See last pic where I put port 2 in vlan 1 and vlan 20 as untagged.

« Last Edit: January 20, 2017, 07:16:48 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline ecfx

  • Full Member
  • ***
  • Posts: 221
  • Karma: +28/-11
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #28 on: January 20, 2017, 08:16:43 am »
On first top row, Delete box with VLAN 1 and ports 1-8 it is disabled.

It looks like always all switch ports are part of VLAN 1, even you assign them to other VLAN.

From my test in ALL configuration even you assign to the switch an management IP in another class; out of all your LAN / VLAN sub-net,
all port and clients connected to switch are allowed to access that management switch IP, without restriction.

All you have to do is to change client IP in the same sub-net as switch IP, TPLink sw management utility will always display switch IP so is no need to scan for all IP range.
Because it is HTTP and management traffic is broadcasted on all ports it is easy to access/sniff the configuration account.

This Chinese switch looks like a perfect Trojan horse.

p.s
in V2 ASIC is RTL8367c... maybe later a custom firmware will be ported.

Offline CanYaHearMeNow4

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #29 on: January 20, 2017, 09:46:32 am »
Yeah, as n3by says, you can't check that box or edit VLAN1 in any way. I even tried to edit the the HTML code surrounding that checkbox with Chrome's Development console to no avail.

Really.. That is not what I show, I show that the rebate is $30.. So puts the price at 80$  If there was a mistake and you got the switch for $30 sweet for you!!  But I am guessing more same sort of info that didn't get right either ;) Just Sayin...

It must have been some sort of price mistake and it popped up on a deal site (https://slickdeals.net/f/9686276) for $35. I figured even with this "VLAN flaw" it would still work well as a "dumb" switch for a network contained to a single broadcast domain at that price.

in V2 ASIC is RTL8367c... maybe later a custom firmware will be ported.

I was going to look into this somewhat. Not necessary "custom" firmware, but I had hopes that there may be a way to port the Netgear firmware over (assuming they use the same or similar hardware).

Does anybody think we have any recourse with TP-Link support to get a new firmware released? In this day and age where some of the largest ever DDoS attacks are sourced from IP camera DVRs and other embedded devices, one would think that a company would make it a priority to resolve security issues of this nature.