WiFi SSIDs on different VLANs

Taking a different direction here and trying out a more HowTo style post. I thought I’d do a quick write-up covering WiFi SSIDs on multiple VLANs, something that might be useful in a home setup, separating SSIDs better from one another. While I usually prefer the CLI, a lot of the devices mentioned here only (or mainly) use a web GUI for configuration management, so this posting will include a lot more screenshots than my usual postings. This posting won’t contain anything exciting for people who run and support networks professionally (mostly just a “so what options are available on SOHO hardware?”), and may even be overly simple and assume settings you wouldn’t do in a professional setup. But it is useful for homelab enthusiasts looking to build a more complex setup than “everything on the same VLAN/network” or trying to figure out “how do I use VLANs, give me an example”.

Ubiquiti and Netgear have some reasonable priced network gear that I’ve written about in the past that behave decent in home networks. For out little setup today we will have a WiFi access point with multiple SSIDs, two switches, and a firewall/router. We will be focusing on the configuration of the WiFi Access Point (UniFi AP) , the two Netgear switches (GS105Ev2 / GS108Ev3) and the Ubiquiti Router (Edgerouter X).

Our goal is to have two SSIDs on the access point, one for the “normal” devices (VLAN 1), and one for separate devices (VLAN 178). Since the router to VLAN 178 is on a different switch than the access point we also need to trunk both VLANs across the network. Another way of looking at it, is that we are expanding Subnet/VLAN 178 into our network (but limiting it to the WiFi Access points). 178 doesn’t hold any special meaning, you can use any VLAN number you want, just chose 178 because the subnet in this test setup was 10.0.178.0/24.

Here is a diagram of our test setup:

VLAN 1: The management and main client VLAN
VLAN 178: Subnet 178, 2nd WiFi network

Netgear 1

Port 1: Connection to Netgear 2
Port 5: Access Point

Netgear 2

Port 1: Connection to Netgear 1
Port 8: Edgerouter

Edgerouter

eth0: Connection to Subnet 178
eth1: Connection to Netgear 2

 

Wireless Configuration

In the UniFi controller go to Settings->Wireless Networks either create a new network or edit an existing one. If you go into the advanced options area, you will find the VLAN setting for that SSID. Activating the option and setting a value means the access point will tag all packets from that SSID to the specified VLAN number.

In the network overview below we see that packets from one network are tagged with VLAN 178, and packets from the other network are untagged (the switch configuration will take care of deciding which VLAN untagged packets are part of).

 

Netgear Configuration

The Netgear devices only have a VLAN 1 defined by default, so the first step will be to add VLAN 178 to both of them. Enable Advanced 802.1q (VLAN->802.1Q->Advanced->VLAN Configuration), enter the VLAN ID 178 in the box and click on “Add” at the top.

Now let’s move on to the VLAN Membership configuration. To switch settings, just click on the port and it will switch from tagged->untagged->none.

Netgear 1 device

For VLAN 1 we want port 1 to be (T)agged since it is the trunk to the next switch, and all other ports (U)ntagged since they will be dealing with untagged VLAN 1 traffic. The PVID will also be set to 1 for all ports.

For VLAN 178 we want port 1 to be (T)agged since it is the trunk to the next switch, port 5 (T)agged since it is the connection to the access point, and all other ports “none” since none of those ports are part of VLAN 178.

 

 

VLAN overview after changing all the settings:

 

For this scenario it is sane to leave the Port PVID configuration to PVID 1 on all ports. You could change a port to 178 if you are expecting untagged traffic on that port that needs to be in VLAN 178.

Netgear 2 device

Similar configuration as the first switch so I’ll skip the screenshots. Port 1 is the connection to the Netgear 1 device, port 8 is connected to the Edgerouter.

    • all ports PVID 1
    • VLAN 1 Tagged port 1 and 8, all other ports untagged
    • VLAN 178 Tagged port 1 and 8, all other ports none

 

Edgerouter Configuration:

Make sure the interface switch0 spans all ports you want to use VLANs on. Add the two VLANs 1 and 178. They should show up in the list as switch0.1 and switch0.178, and you can apply firewall rules to these interfaces to restrict traffic if you are doing any routing between the two networks.
We will want to tag everything from Subnet 178 as VLAN 178 on the interface connected to that network (eth0 in our setup), and allow VLAN 178 on the outgoing interface (eth1 in our setup). The Edgerouter doesn’t need us to specifically allow VLANs already set by the PVID, only additional VLANs need to be specified in the vid field.

 

Where to go from here?

You could put servers or virtual machines in their own subnet/VLAN and then use a firewall to restrict access between the different networks.

Adding more Access Points is straightforward, UniFi automatically applies the wireless configuration to all Access Points it manages, so all you need to do is take care of the switch port configuration.

Odroid HC1

I finally got my new Odroid SBC and have migrated all the services from my Odriud XU4 over to the new HC1. The HC1 is based on the XU4 but drops multimedia interfaces like the HDMI port and instead adds a SATA connector and the black aluminium case fits a 2.5″ hard drive. The case is stackable and acts as a passive cooling heat sink. Since the HC1 is based on the XU4, software that runs on a XU4 will run on a HC1 without any fiddling.

It doesn’t have an eMMC connector, but you can assign the /  partition to the hard drive/SSD, only the /boot  partition needs to be on the SD Card.

Selfhosting email, and sending email to Microsoft.

About once a year one of my outgoing email servers will magically pop up on Microsofts blacklist of email servers. The exact status in SNDS is “Blocked due to user complaints or other evidence of spamming“, which is a bit ironic since the weekly volume of emails that go to Microsoft controlled domains seldom is higher than 5 and they are all personal emails.
The error message the MTA recieves is “550 5.7.1 Unfortunately, messages from [xxx.xxx.xxx.xxx] weren’t sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.” in case anyone ends up here via google.

I’m not going to bitch and moan or attempt to guess why the server ends up on the list since it isn’t something I can influence
 (just submit a support request and wait), instead I’ll post some tips and pointers to useful tools you should be using:

SPFSender Policy Framework
Specify which IPs are allowed too send mail for your domains, also determine what should happen with mail that is recieved from unauthorized IPs.

DKIMDomainKeys Identified Mail
Outgoing mail servers for a domain can sign the emails and thereby allow recipients to verify that the email really came from a valid mail server and is not from a spoofed sender.

DMARCDomain-based Message Authentication, Reporting & Conformance
DMARC allows you to specify policies for domains or subdomains in regards to “what should happen if an email fails DKIM or SPF” and where/if to send reports for Emails recieved by other mail servers.

SNDSSmart Network Data Service
Allows you to monitor the IPs of your mailservers as viewed by the Outlook.com system.

JMRPJunk Email Reporting Program
Forwards the full message with headers of any email marked as “junk” or “phishing”  by Outlook.com users

MX Toolbox
MXtoolbox is a great website for testing your mail server settings, they also have a free_monitoring service for one IP,  so you can get alerted if your IP shows up on a Blacklist.

Last but not least I use the following small script to monitor the status of my servers according to Microsoft. I call the script via a daily cronjob, and if a server is blacklisted, it sends an alert. Go to Automated Data Access first to generate an API key.

And if all else fails and your IP does end up blacklisted in SNDS, you can go here to submit a ticket to get back off (although I’d suggest checking your mail server logs and the status of the IP on other RBLs first, just to make sure).

http://go.microsoft.com/fwlink/?LinkID=614866

 

Odroid XU4 case

It’s been quiet here lately. I moved back to Germany and have taken on new responsibilities at work. We are slowly getting settled in, although i still have to get the network at the new apartment up and running the way I want it. I expect to post here more often once I have more time for side projects.

Odroid Xu4

One thing I recently acquired and really like, is a new case for my Odroid XU4.
The small 5v Noctua fan fits very nicely in it and is virtually silent, together with the large heatsink it stays cool enough and seldom has to throttle the CPU.
I prefer the odroid over a raspberry pi for “small server” tasks since it has a Gbit interface (that isn’t¬†shared on the USB bus) and supports eMMC modules (no one enjoys waiting on I/O).

A short list of cheap but useful network devices to have handy.

Here is a snort list of useful, off the shelf, network devices that sell for around $50. Not necessarily stuff that you would want use long-term in production, but more for the one-off projects or for troubleshooting. 

First off is a 5-Port Gigabit switch from Netgear (the GS105Ev2).
It is interesting because it supports port mirroring and only costs about $35. That’s a really good price. It obviously isn’t going to replace a real network tap and you will lose traffic if the upstream plus downstream you are copying are together more than 1Gbit of traffic (but that’s a problem you always have when mirroring ports 1:1). It is dirt cheap, fanless and small enough to throw in a bag, can’t go wrong with this one. Need a temporary tap to monitor traffic? Just pop it inline and you are good to go.

 

If you are more of a DIY kind of person, I’d suggest the ESPRESSObin.
It sells for about $50 and is a single board computer with Gigabit network interfaces and a SATA interface. It is based on ARM architecture and runs Linux.
Since it has multiple Gbit interfaces and you can hook a HDD up to it you have a wide array of possibilities you could use it for. A lot of network traffic monitoring situations come to mind, where you would want to keep copies of the traffic in question for later analysis.

 

Another little useful device is the EdgeRouter X from Ubiquiti.
As the name suggests it’s a router and sells for about $55 The nice thing about this device is that it runs Linux (or more specifically a fork of Vyatta), so you can dig into it to get it to do things not available on the GUI.
5 Gbit ports, RIP and OSPF routing protocols, usual SOHO features like Firewall, VPN, QoS. Behaves a lot like a switch with some routing functionality. Unfortunately I couldn’t get port mirroring to work reliably but aside from that it’s still an impressive little router.