The hard part was finding a cheap managed switch which does _not_ expose the management interface on every vlan. This is a specific product feature (wtf?) and often the only difference between two product lines.
Ended up with a netgear GS308T - the internet is full of rage at the device requiring you to log into netgear and register it, but I can confirm that I didn't have to do anything. I set it up with it connected directly to a laptop and have never signed up for a netgear account, though they may lock this down in the future. I was even able to upgrade the firmware. Would've preferred a model with ssh access but tp-link wasn't selling them at the time?
Wanted to be able to mix multiple ISPs together (but ended up only having one for now), which would've been 2+ USB NICs and not great for perf.
The other reason why I ended up here is because OpenWRT/etc support for wifi6 routers wasn't/isn't coming, and I want to be able to place my WAP in a different location than the router and main switch... so the WAP is a wifi6 thing running stock firmware but in "WAP mode" which turns everything off.
Anyway, works fine. Image your SD card when you're done configuring it. I need to go back and put it in read-only mode but haven't cared.
* The proprietary management interface listens to all VLANs no matter what.
* The VLAN separation is fake, multicast leaks freely across segments.
* The proprietary management protocol is obfuscated by a hard coded XOR string.
* Administrating the switch sends the admin password, "encrypted" only by the very same obfuscation.
* This most bizarre proprietary management protocol uses only broadcast for all communications, even though the switch has an IP assigned.
You do the math putting the above together... it's a mess bordering on genius, but there's more.
The switch will spew out various arcane, undocumented, non-IP protocols (probably providing more backdoors), including some Realtek proprietary protocol (0x8899), something used for HomePlug (0x893a) and TIPC (0x88ca), which sounds like the last thing you'd want a device of this caliber to use while searching for more friends to talk to.
God knows what this monstrosity of a firmware hides and its reasons. It's just what I remember by heart, I have not had it powered up for some time. Still, this is just the surface and it's already a tire fire, it must be chock full of vulnerabilities, bugs and design flaws. It's the managed Ethernet switch which neither provides correct management nor implements actual Ethernet switching.
However, in this particular setup/context, I think the risk of this is minimal, as the actual interface should be using a private-IP address on your home network.
I also want to be able to set up a DMZ'ed VLAN to hook up an old NUC to host something like a valheim/minecraft/whatever server if I wanted. So having the VLAN be safe was a goal for me.
Because the interface listens on a private IP address on your home network. And if you want to be able to talk to that IP address, you need some device that you control (as an attacker) connected to the switch, and be able to add an IP address in the same range as your home network and then attack the management interface?
The most likely scenario would indeed be the DMZ machine as a stepping-stone.
From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.
So if, e.g., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPI doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.
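Added example, not from the article or any commenter: an nftables ruleset for the Pi that does what the two comments above ask for. Exactly one admin host may open connections into the management VLAN, the DMZ and everything else are dropped before they reach it, and packets whose source address does not route back out the interface they arrived on (the spoofed-ICMP case) are dropped in both the input and forward paths. The interface names wan/lan/dmz/mgmt, the admin host 192.168.0.10 and the management subnet 192.168.99.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: nftables ruleset for a one-armed Pi router whose managed
# switch exposes its web UI on a dedicated management VLAN.
# Assumptions (not the article's real values): VLAN sub-interfaces are named
# wan, lan, dmz and mgmt; one admin host on the LAN may administer the switch.

ADMIN_HOST="192.168.0.10"     # assumption: the only machine allowed into mgmt
MGMT_NET="192.168.99.0/24"    # assumption: management VLAN subnet

render_nft() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # DHCP discovers come from 0.0.0.0, so accept them before the
        # reverse-path check rather than rely on the kernel's special case
        iifname { "lan", "dmz" } udp sport 68 udp dport 67 accept
        # strict reverse-path check: if the source address is not routed back
        # out the interface the packet came in on, it is spoofed; drop it
        fib saddr . iif oif missing drop
        # the Pi's own services (ssh, dns, ping), never from the WAN side
        iifname != "wan" tcp dport { 22, 53 } accept
        iifname != "wan" udp dport 53 accept
        iifname != "wan" icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        fib saddr . iif oif missing drop
        ct state established,related accept
        # only the admin host, and only from the LAN VLAN, may open
        # connections into the management VLAN
        iifname "lan" ip saddr $ADMIN_HOST oifname "mgmt" ip daddr $MGMT_NET accept
        # nothing else, DMZ included, ever reaches the switch's UI
        oifname "mgmt" counter drop
        # LAN and DMZ reach the Internet; LAN may reach the DMZ, not vice versa
        iifname { "lan", "dmz" } oifname "wan" accept
        iifname "lan" oifname "dmz" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
EOF
}

apply_nft() {
    # writes the ruleset and loads it atomically; needs root
    render_nft > /etc/nftables.conf
    nft -f /etc/nftables.conf
}

# Dry run by default; "sh router-nft.sh apply" loads the rules for real.
if [ "${1:-}" = "apply" ]; then apply_nft; else render_nft; fi
```

Check the syntax before loading it with `render_nft > /tmp/router.nft && sudo nft -c -f /tmp/router.nft`; `-c` parses and validates without touching the live ruleset. The `counter` on the final mgmt drop is there so `nft list ruleset` shows whether anything has been trying to get at the switch.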
I wouldn't have thought to do it with a Pi, though. Neat.
That BH presentation is 20 years old now, and almost completely Cisco specific. I would not make security decisions on such data alone.
This depends on the type and quality of the SD card, does it not? Also you can set up the Pi's OS to be read-only, so no writes to the SD card. This should extend the life of the SD card by quite a lot.
In regards to the suggestions for the better hardware, would you use an old laptop or desktop with a network card for the same purpose? It could act as a server as well, no need to get this hardware if you are going to just use it on a server you need anyway, unless you are using the hardware as a server.
Edit: I am posting too fast, but to the person under me, there are much stronger SBCs that are the same size, and with the fan requirements on the Pi4, it isn't as small as it was, nor is it as power efficient as other SBCs that would be much better. If using a server at home, having a router with custom firmware would save much more space (the Pi-hole project could be easily served with a hosts blocker and custom firmware), having a blade server with virtualization would save even more space in terms of computation if you are comfortable with virtualized computing, an old laptop isn't going to make a significant size difference, but if it does the Pi 4 still isn't the best hardware for the job.
That, and at least in the USA, it's really the only SBC most people can buy locally because Best Buy, Micro Center, and various other stores actually stock them.
Which Pi 4 model are you comparing it to? What defines "trash"? You can easily use an older laptop since everyone actually uses x86 and likely has spare hardware.
>you stick to the rpi because someone else has already done the heavy lifting.
I wouldn't buy hardware with no support, and x86 has the most support.
Why do local stores matter for SBCs? People don't really buy hardware at stores since Newegg, Arrow/Digikey/Mouser and Amazon exist. Online retail killed RadioShack, and is currently decimating local buying. Cyber Monday deals aren't excluding anyone when most people have Amazon Prime.
But you wouldn't see people posting about their successes doing this with an AtomicPi, Chuwi HeroBox, or the dozens of other inexpensive x86 machines that might be considered competitors because it's assumed one can install $RANDOM_OS and configure VLANs+routing with them.
OTOH, while the RPi's support is weak, they guarantee supplies for a fairly long time. Which actually makes them a reasonable choice for this kind of thing if you plan on designing it once, sticking it in a box somewhere and expect to be able to buy another in 5-8 years when it dies. Chuwi, like random Android vendors, churns their product lines every couple months with upgrades.
I used to think this way, but technology sometimes moves at such a breakneck speed that the old ways become outdated. I remember being excited for the Pi because it could play Quake 3 and had 1080p playback. https://www.raspberrypi.org/forums/viewtopic.php?t=18853 Now stuff like this exists. http://www.quakejs.com/ https://openarena.live/
On the one hand, the Pi 4 Model B is absolutely amazing and the support is outstanding.
On the other hand, for each role it can fulfil, there are probably much better options. As in: better price, performance, capabilities, and so on.
But in some sense, the Pi isn't about actual practical usability. Jeff Geerling has shown with his youtube channel how much fun can be had with them.
Without a purpose before an impulse purchase, it's usually stuck in the limbo of the paradox of choice.
I have a stack of 10 RPI4's in a case on my left, a lot smaller. Deadly quiet. That's 40 cores and 80GB of RAM. Not loud at all. Bought them for $75 each. I use them as physical hosts for a number of things.
I treat them the same. General compute. One cluster is more convenient than the other.
Article touches on but doesn't clearly explain the bandwidth impact of a 1-armed router: Every routed packet is traversing the same link twice (in+out), so usable aggregate bandwidth is halved.
If you're fortunate enough to have a symmetrical Internet connection > 500Mb/s that means you can't upload and download at the maximum rate simultaneously. If you run multiple VLANs that also means the cross-VLAN traffic is competing with Internet traffic for bandwidth on the router's interface.
A while back I made some potato-quality charts to illustrate because this comes up all the time when discussing Ubiquiti's MediaTek-based routers that are architected as a switch with an internal router-on-a-stick.
Depends on the modem, but since many of them are also routers you just set them up to do single-nat to a static IP corresponding to the "WAN" address of your pi and otherwise not act as a DHCP server at all. Otherwise you could also get a static IP from your ISP so nothing ever changes.
> Are you going to make every host on the LAN a static IP?
No, they get DHCP addresses from the pi.
> Ignoring the security implications.
I said it was possible, not that it was a good idea.
If your modem is doing NAT there's literally no reason for this setup. And it would cause even more issues because you'd have two DHCP servers on the same subnet offering up more than one IP. Even if you set the LAN side of the modem to disable DHCP and only offer a static address, you've still got both the "public" NAT address and "private" in the arp table of all of your hosts. You will absolutely run into issues.
>No, they get DHCP addresses from the pi.
If you have the modem spitting out DHCP addresses and the Pi spitting out DHCP addresses you cannot force your end hosts to grab them from one or the other, they get whichever responds first.
Unless you wanted more options than your crappy router/modem gives you.
> And it would cause even more issues because you'd have two DHCP servers on the same subnet offering up more than one IP.
No, I specifically said the modem would have to not act as a DHCP server at all, just turn it off.
> Even if you set the LAN side of the modem to disable DHCP and only offer a static address, you've still got both the "public" NAT address and "private" in the arp table of all of your hosts.
Incorrect on two counts. 1) ARP tables only store address translations for your subnet precisely because all addresses not on your subnet must be reached through a gateway. 2) there are only two addresses in the modem<->pi subnet because the pi is performing NAT/PAT for your "LAN" subnet.
> You will absolutely run into issues.
Maybe, it has been a while since I've done anything this silly, but as I recall from doing stuff like this in a lab I had no issues shoving as many subnets as I wanted to on the same network without VLANs.
> If you have the modem spitting out DHCP addresses and the PI spitting out DHCP addresses [...]
You don't. You disable DHCP on the modem.
As for the security implications, I agree. It surely is a crappy design for the network, but it can be done.
This. No point in creating a Pi4 Router solution of this type unless you really must.
You can do this right now with a CM4 attached to the Seeed Studio dual Ethernet carrier:
For $120ish I'm not sure you could beat the value prop of one of these boards with a used laptop. Supply is certainly an issue and was even before COVID. Waiting until 2022 sucks, but I'd argue they are by far the best overall option for a DIY whitebox router I've personally seen.
Yes, it's absolute overkill for any sort of hobbyist use, and it's not cheap. But it certainly has potential to be a networking powerhouse.
I'm not sure what the heat is like if you do gigabit NAT with them though :)
RK3568 has 2xGbe built-in, and the board has additionally a Wifi 6 chip (broadcom), seems like pretty ideal router platform to me. There are even some hints that it might have half-decent mainline support, but who knows really though..
Gatekeeping people because they never learned about or worked with the VLANs found in more expensive hardware is stupid. If you know your way around VLANs but don't know how to properly configure a firewall, you're much more of a danger to the outside world than the other way around.
I agree that there is some minimum skill level people should have before they hook stuff up to the public web (how to prevent being part of a botnet/DDoS amplification, how to block insecure/IoT management interfaces from the outside world, that stuff), but VLANs are an arbitrary and irrelevant thing to require people to know about.
> Gatekeeping people because they never learned about or worked with the VLANs found in more expensive hardware is stupid.
I'm not sure I agree with VLANs being limited to more expensive hardware. Like in the comments, there are some very cheap switches (£40 Netgear) that support it and tonnes of older managed switches on eBay for £10. I don't necessarily think that a price point is the gateway and didn't really mean to 'gatekeep' people.
> I agree that there is some minimum skill level people should have...
This was the point I was making, though maybe VLANs are not globally perceived this way. I had thought it was a fairly core concept that I'd considered would be part of this, but maybe it's due to personal experience. I'm absolutely sure there are tonnes of protocols that I don't know that others would feel the same way about, the other way around. But hey, without the comment and this discussion being had, I wouldn't know if others felt the same way :) And I appreciate you writing the final paragraph, even if you overall disagree :)
I think that even people who do have some interest in running their own firewall, may not be familiar with VLANs.
If someone is interested in weapons or guns, you wouldn't want them to try out their skills by putting them straight into a war zone.
If someone put a tutorial on a forum for gas engineers about how great and easy it is to redo the pipes in your house because you bought a blowtorch, there'd be concerns for the safety of them and the people/houses around them, surely.
> I think that even people who do have some interest in running their own firewall, may not be familiar with VLANs.
Even the all-in-one appliances/distros provide a lot of documentation on the topic.
In the past, even small 8-port managed switches were upward of $70+.
That may not be for everyone, it's more for tinkering. You can also run other things like VPN services, DNS, DHCP and all that shit, fully configured to your liking / needs.
Someone mentioned above, and so I ask: have you given banana-pi r1 with openwrt a try? Would that setup be simpler than the current one with VLAN and netplan?
Speaking of netplan: I didn't quite catch head or tail of it.
What does it do and why is it required (in the context of the setup).
dhcp4: no # only dhcp6 allowed?
# or, is dhcp now handled by wifi-ap?
link: enp2s0f0 # down-link?
- 220.127.116.11/24 # is this modem's public-ip subnet?
# or, could be anything?
gateway4: 18.104.22.168 # modem's public-ip?
link: enp2s0f0 # up-link?
- 192.168.0.1/24 # subnet for the internal network?
# what does dhcp for this one?
The managed-switch NATs traffic? Or, you mean to say that rpi4 does? Or, am I misunderstanding how all of this actually works?
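Added example, not from the article or any commenter, to answer the netplan questions above. netplan only describes the Pi's own interfaces: which VLAN sub-interfaces to create on the trunk port and which addresses and routes they carry. `dhcp4: no` simply means the Pi does not ask for an address on that interface (the LAN address is static), it says nothing about IPv6. netplan does not hand out DHCP leases and does not NAT; the DHCP server for the LAN is a separate daemon (dnsmasq or isc-dhcp-server) listening on the `lan` interface, and NAT is done by nftables/iptables on the Pi. The managed switch only carries tagged frames. The trunk name enp2s0f0 is taken from the comment; the VLAN IDs (2 for the modem side, 10 LAN, 20 DMZ, 99 switch management) and the 203.0.113.0/24 public-side addresses (an RFC 5737 placeholder range) are assumptions.

```shell
#!/bin/sh
# Added example: netplan and sysctl fragments for a one-armed Pi router.
# Assumptions (not the article's real values): trunk port enp2s0f0, VLAN 2
# toward the modem, 10 LAN, 20 DMZ, 99 switch management; 203.0.113.0/24 is
# a documentation placeholder for the public side.

TRUNK="enp2s0f0"
WAN_VID=2; LAN_VID=10; DMZ_VID=20; MGMT_VID=99
WAN_ADDR="203.0.113.2/24"; WAN_GW="203.0.113.1"

render_netplan() {
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    $TRUNK:
      dhcp4: no            # the untagged side of the trunk carries no IP at all
      dhcp6: no
  vlans:
    wan:                   # tagged VLAN toward the modem; static public-side address
      id: $WAN_VID
      link: $TRUNK
      addresses: [$WAN_ADDR]
      routes:
        - to: 0.0.0.0/0
          via: $WAN_GW
    lan:                   # the Pi is the default gateway here; dnsmasq serves DHCP on it
      id: $LAN_VID
      link: $TRUNK
      addresses: [192.168.0.1/24]
    dmz:                   # game server VLAN, firewalled off from lan and mgmt
      id: $DMZ_VID
      link: $TRUNK
      addresses: [192.168.20.1/24]
    mgmt:                  # the switch's web UI lives in this VLAN only
      id: $MGMT_VID
      link: $TRUNK
      addresses: [192.168.99.1/24]
EOF
}

render_sysctl() {
    # forwarding between the VLANs, plus the kernel's own strict reverse-path
    # filter so a packet with a spoofed source is dropped even if a firewall
    # rule is wrong
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

apply_config() {
    # needs root; netplan wants the file readable by root only
    render_netplan > /etc/netplan/01-onearm-router.yaml
    chmod 600 /etc/netplan/01-onearm-router.yaml
    render_sysctl > /etc/sysctl.d/90-router.conf
    sysctl --system > /dev/null
    # rolls the interface change back after 120 s unless you confirm, so a
    # typo on a one-armed router does not lock you out of it
    netplan try --timeout 120
}

# Dry run by default; "sh router-netplan.sh apply" writes and applies it.
if [ "${1:-}" = "apply" ]; then apply_config; else render_netplan; render_sysctl; fi
```

All four VLANs hang off the same physical port, which is the "one-armed" part: the Pi sees them as separate interfaces (wan, lan, dmz, mgmt) and routes between them, while the switch only needs that port configured as a tagged trunk carrying VLANs 2, 10, 20 and 99. Pair this with an nftables ruleset that masquerades out of `wan` and restricts who may reach `mgmt`; netplan itself enforces nothing.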
I’ve benchmarked both models with NAT and they will do 1G just fine.
It might be a useful part of a RPi LAMP server setup I suppose.
I feel like it's the other way around. A Pi 4 is cheaper and more performant than many (Most?) consumer grade routers. They'll do cake at gig if you set the clock speed to 2 GHz.
At $30 and with all accessories needed it's hard to beat the price and user-friendliness of a used router that supports openwrt out of the box.
I have many Raspberry Pi devices on my network, but at the end of the day I still use one of these because of their reliability.
Edit: can't reply but show the specs to the Pi4 model that you want me to compare, and I didn't know about the new fanless Pi4, but they are still not stronger than many other SBCs that exist, and don't have fast interfaces in comparison to other SBCs, the Pine rockchip SBC comes to mind as one that has great performance for cheaper prices.
> ...there are better spec SBC, lower price ones...
Show me another SBC that will do cake at gig, runs OpenWrt proper, and is cheaper than a Pi 4. :P
Which Pi4 model are you talking about, at which price?
(For this reason, OpenWRT implements software offloading which skips a lot of the Linux network stack, but is partially broken in the latest release)
A quick perusal of /r/openwrt will show that most power users suggest fanless X86 boxes instead of consumer gear to handle modern GB fiber connections at full use.
I dont stream anything on my LAN side at 4K(or even own a 4K capable TV)
So I suppose yes, a family of 5 with an influencer mom and 3 hard-gaming kids and a sports-addicted dad on a Sunday afternoon might overload a cheap router, but I bet anyone with hardware capable of capping out a WRT would probably already have a far more expensive top-of-the-line router and would literally "laugh" at a RPi and switch based non-wireless setup.
But yes I could see a few good reasons for setting up one of these, if for just a learning experiment.
What is adequate, what is a standard home setup and what is the consumer grade router you are using as a standard?