The pfSense Store

Author Topic: TP-Link Easy Smart Switch security question  (Read 677 times)

0 Members and 1 Guest are viewing this topic.

Offline whosmatt

  • Full Member
  • ***
  • Posts: 246
  • Karma: +20/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #15 on: January 03, 2017, 05:59:46 pm »
I've got 2 of the TL-SG108E and while they're basic in function, they are inexpensive and do work as intended.  They will indeed provide the level of security you're looking for, as long as you have the networking knowledge to do so. 
pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 8GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline warheat1990

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #16 on: January 03, 2017, 08:39:09 pm »
A TL-SG108E is something like 25 Euros which should be $30 max, double that for a TL-SG1016DE
Where do you find 1016DE for $60? Here 1016DE is about $125 but it's currently on sale on Amazon for $100, 108E is about $25-30.

Offline jahonix

  • Hero Member
  • *****
  • Posts: 1900
  • Karma: +88/-2
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #17 on: January 04, 2017, 02:54:17 am »
Where do you find 1016DE for $60?


I just looked here



but it seems that those are only TL-SG1016D, which is the unmanaged version.


The version in question isn't that much more expensive though:

That is including 19% VAT.


This isn't, that's dealer cost...
« Last Edit: January 04, 2017, 03:06:20 am by jahonix »
Chris

I'd tell you a joke about UDP, I'm just not sure you'd get it.

Offline n3by

  • Full Member
  • ***
  • Posts: 177
  • Karma: +20/-10
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #18 on: January 14, 2017, 03:17:36 pm »
Hi,
I just bought one TL-SG108E ( it is v2 with web management interface HTTP ) and price is ~30Euro.

PVID 1 it is default and can't be changed.

I defined 3 VLANS
101 for WIFI private
103 for WIFI guests
105 for LAN private

I wanted to use port 8 as Trunk & port 6 & 7 for AP:
port 8 from pfSense interface Tagged ( for VLAN 101 & 103 & 105 )
port 7 Tagged to AP1 CISCO 2602 ( for VLAN 101 & 103 ).
port 6 Tagged to AP2 CISCO 2602 ( for VLAN 101 & 103 ).
port 3-2-1 Untagged to LAN devices ( for VLAN 105 ).

It's working, but in this configuration watching with NTOPNG on each VLAN interface it reveal that all traffic, from other/all VLANs it is broadcasted / visible in every VLAN interface, not exactly what I wanted ... any ideas ?

Offline whosmatt

  • Full Member
  • ***
  • Posts: 246
  • Karma: +20/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #19 on: Yesterday at 04:22:20 am »

PVID 1 it is default and can't be changed.


Yes, it can.  I have a simple setup with two of the TL-SG108E (one of which is V1, the other V2) and I changed the PVID of all ports to my primary VLAN ID (not 1).  My primary VLAN is for my home LAN; the only other VLAN I have defined is for my guest network and that is provided entirely via wireless.  So I set the port for my Ubiquiti AP to tag that one, and the port for my ESXi box (which hosts pfSense) to tag both.  The tagged traffic is passed to the pfSense VM still tagged via a port group in ESXi with VLAN ID 4095 (which is ESXi's version of a trunk.  In other words, pass all traffic with tags intact).  I also have an uplink between the two switches, which tags both VLANS.  No problems here; everything works as expected and traffic is isolated.  It's not super intuitive if you've come from managing switches that have a Cisco-like CLI, but once you get it, it works.

I'm showing the web interface of the V2 switch here because I'm on my Mac and can only access the V1 switch with a Windows app (at least easily).

« Last Edit: Yesterday at 04:34:37 am by whosmatt »
pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 8GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline n3by

  • Full Member
  • ***
  • Posts: 177
  • Karma: +20/-10
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #20 on: Yesterday at 04:50:08 am »
For me it look like you can change PVID for any port, only if that port is member in that VLAN... if you can show the VLAN Configuration page we can see exactly what you set.

Offline whosmatt

  • Full Member
  • ***
  • Posts: 246
  • Karma: +20/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #21 on: Yesterday at 04:52:00 am »
For me it look like you can change PVID for any port, only if that port is member in that VLAN...
Then change the PVID to whatever VLAN you want that port to be a member of.

Here's my tagging config for my V2 switch.  Port 1 is the trunk between the two switches.  Port 4 is connected to my Ubiquiti AP.  Bear in mind I have another V1 switch connected to this one, so you're not seeing the whole picture:

« Last Edit: Yesterday at 04:57:59 am by whosmatt »
pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 8GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.

Offline n3by

  • Full Member
  • ***
  • Posts: 177
  • Karma: +20/-10
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #22 on: Yesterday at 05:27:26 am »
Exactly how I anticipated I already tested this model of config and for my config will not solve that all traffic is mirrored on all VLANs.

Now when you have time have a look with NTOPNG in every VLAN interface you defined and let us know if you see all tagged traffic from all VLAN.

For example in your VLAN 11 you will see all traffic from 44, for me this is not normal to be seen there.

In my test all traffic from all clients on LAN, WIFI can be seen also on GUESTS... etc.

Offline whosmatt

  • Full Member
  • ***
  • Posts: 246
  • Karma: +20/-0
    • View Profile
Re: TP-Link Easy Smart Switch security question
« Reply #23 on: Yesterday at 02:00:57 pm »
The only thing I can see wrong with your config is that some of your ports are still set to PVID 1.

I'm coming from a world where I manage Dell Powerconnect switches.  In Dell CLI parlance (and I think Cisco is similar), there are two main switchport modes, access, and trunk.  Setting a switchport to access with the command "switchport access vlan 44" tells the switch to tag any incoming traffic on that port with VLAN 44, and to send any traffic on VLAN 44 out of that port, removing the tag in the process.  In reality it's a bit more than that, since it is, after all, a switch, and learns MAC addresses, thereby avoiding sending all VLAN 44 traffic over all VLAN 44 ports.  But let's ignore that for now.

So, to mirror that behavior on the TP-LINK switch, you need to set the port as an untagged member in VLAN 44, but you also need to set the PVID to 44.  The reason for this, as I understand it, is that the untagged setting tells the switch to send VLAN44 out of the port, but it doesn't tell it what to do with incoming untagged traffic.  That's what the PVID setting does.  For a port with PVID 44, any incoming traffic that's not already tagged with a VLAN ID will get tagged with 44.  (someone correct me if I'm wrong on this, please).

The other mode on the Dell switch is trunk.  This is used in a situation where we want to send traffic with VLAN tags intact, so that the device on the other end can handle the VLANs.  That device could be anything:  a pfsense router with multiple VLAN interfaces, another switch, whatever.  In that case, we set the port with "switchport trunk allowed vlan add 44" and "switchport trunk allowed vlan add 11".  (I'm using my own VLAN IDs here, obviously).  So, that works in the case where all the traffic on the port is tagged.  But what if we want to handle untagged traffic on a trunk port as well?  In that case, we also set "switchport trunk native vlan 15" and then any untagged ingress traffic will get VLAN ID 15. [EDIT:  and egress traffic for VLAN 15 would be sent over the port as well, untagged.]  That's roughly equivalent to the PVID setting on the TP-LINK switch.  That comes in handy in the case of a device like the Ubiquiti AP, where the management network is untagged, but the SSIDs handle tagged traffic in different VLANs than the management network.

To mirror the trunk allowed setting on the TP-LINK switch, you just need to set the port as a tagged member of whichever VLANs you want to trunk.  The PVID will still be in place, and will handle any untagged traffic coming into the port, if there is any.   The PVID setting comes in handy again for devices like the Ubiquiti AP.  My own has its management interface in VLAN44 and also serves an SSID in that VLAN.  So the port it's connected to is untagged 44 and PVID 44.  But it also serves an SSID in VLAN 11, so the port is also set to tag VLAN 11.  That's port 4 in the screenshots I've posted.


I've checked with ntopng and also with tcpdump and I don't see any untoward traffic on any of my interfaces.

« Last Edit: Yesterday at 09:01:55 pm by whosmatt »
pfSense on ESXi 6.5. 2 v cores, 512MB RAM, 8GB disk.  Host is MSI AM1I, Athlon 5350, 8GB DDR3, 60GB SSD, 320GB HDD, HP NC360T NIC.