How do you access a vlan from a computer that's not part of the vlan?

In a same way you access one LAN from another. You need something that will route packets between them. Either router, managed switch, computer with multiple NICs connected to both and configured for routing, etc.
 
Google Gemini provided a pretty decent response based on your exact question:

There are a couple of ways to access a VLAN from a computer that's not part of the VLAN, but it depends on your network setup and desired level of access:

Using a Router:

The most common and secure way is by using a router. The router acts as a Layer 3 device, meaning it can route traffic between different networks, including VLANs. You'll need a router configured to route between the VLAN you're on and the target VLAN. This allows your computer to send and receive traffic to/from devices in the other VLAN.

Using VLAN Trunking and Software Configuration:

For advanced users, if your network equipment supports it, you can configure a switch port for VLAN trunking (also known as a trunk port). This port can carry traffic for multiple VLANs. You'll then need to configure your computer's network interface card (NIC) to handle VLAN tagging. This creates virtual interfaces for each VLAN you want to access.

Important Considerations:

  • Security: Bypassing VLAN segmentation can be a security risk. Make sure you understand the security implications before allowing access between VLANs.
  • Technical Expertise: Configuring VLAN trunking and software interfaces requires technical knowledge of networking and your specific equipment.

Alternatives (Use with Caution):

  • VPN: In some cases, a VPN can be used to create a secure tunnel to a device on another VLAN. However, this typically requires specific server-side configuration and may not be suitable for all scenarios.

Remember: VLANs are designed to isolate network traffic. Only connect VLANs if you have a specific need and understand the security implications.
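To make concrete what "VLAN tagging" on a trunk port means at the frame level, here is an added example that is not part of the thread or of Gemini's answer: it parses the 802.1Q tag out of a raw Ethernet frame and decides which VLAN a frame belongs to on a trunk port. The MAC addresses, the payload stub, VLAN ID 10 and native VLAN 1 are constructed sample values; `build_tagged_frame` exists only to produce that sample input.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# TPIDs that announce a VLAN tag sitting in the EtherType position of the header.
TPID_8021Q = 0x8100   # customer tag (C-tag) of a plain 802.1Q frame
TPID_8021AD = 0x88A8  # service tag (S-tag) of a QinQ / 802.1ad frame


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan_ids: List[int] = field(default_factory=list)  # outermost tag first; empty if untagged
    priority: Optional[int] = None                     # 802.1p PCP bits of the outermost tag
    ethertype: int = 0                                 # EtherType of the encapsulated payload
    payload: bytes = b""


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Decode an Ethernet II frame, peeling off any stacked 802.1Q / 802.1ad tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    parsed = ParsedFrame(_fmt_mac(frame[0:6]), _fmt_mac(frame[6:12]))
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vid = tci & 0x0FFF                 # low 12 bits: VLAN identifier
        if vid == 0x0FFF:
            raise ValueError("VID 4095 is reserved and must not appear on the wire")
        if parsed.priority is None:
            parsed.priority = tci >> 13    # top 3 bits: priority code point
        if vid != 0:                       # VID 0 is a priority-only tag, no VLAN membership
            parsed.vlan_ids.append(vid)
        offset += 4
    parsed.ethertype = ethertype
    parsed.payload = frame[offset:]
    return parsed


def vlan_for_frame(parsed: ParsedFrame, native_vid: int) -> int:
    """On a trunk port, untagged (or priority-only) frames belong to the port's native VLAN."""
    return parsed.vlan_ids[0] if parsed.vlan_ids else native_vid


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Construct a single-tagged 802.1Q frame (used here only to build sample input)."""
    if not (0 <= vid <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0..4094 and PCP 0..7")
    return dst + src + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype) + payload


# Constructed sample values: broadcast destination, a locally administered source MAC,
# an IPv4 header stub (contents irrelevant here), VLAN 10 on a trunk whose native VLAN is 1.
BROADCAST = b"\xff" * 6
SAMPLE_SRC = bytes.fromhex("0200deadbeef")
IPV4_STUB = b"\x45\x00\x00\x14" + b"\x00" * 16
NATIVE_VLAN = 1

if __name__ == "__main__":
    tagged = build_tagged_frame(BROADCAST, SAMPLE_SRC, 10, 3, 0x0800, IPV4_STUB)
    untagged = BROADCAST + SAMPLE_SRC + bytes([0x08, 0x06]) + b"\x00" * 28  # untagged ARP
    for name, frame in (("tagged", tagged), ("untagged", untagged)):
        p = parse_frame(frame)
        print(f"{name}: tags={p.vlan_ids} pcp={p.priority} ethertype=0x{p.ethertype:04x} "
              f"-> VLAN {vlan_for_frame(p, NATIVE_VLAN)}")
```

The point a trunk-port user should take from this: a frame that arrives without a tag is not "in no VLAN", it lands in the port's native VLAN, which is why native-VLAN choice matters as much as the tagged sub-interfaces you create on the NIC.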
 
Thank you C&P for future reference.

Ultimately I'd like to learn how to isolate a VLAN from the internet but allow it to access the LAN. I have this sort of set up for my IP cams using a second NIC and a separate subnet for the cams. I can do this very easily in Windows, but for some reason Linux will not allow this.
 
So all the cams connect through the second NIC on your PC? You could just use iptables in Linux.
 
I always think of vlans in terms of physical lans--makes it easier to think through the logic.

If I have physically isolated a lan from another lan and I want traffic to flow between the two lans, then why did I separate the two lans to begin with? This is a common problem with people learning with vlans where they have like 5 different vlans and then have intervlan routes between all of them, thereby pretty much negating any use of having the vlans in the first place.

For your use case, I think you're doing it right--completely separate physical air-gapped network for those ww3 spybots that you can access from a particular system via a nic that puts that system on that same lan. No way for the cameras to really get out unless they want to break into your system or your system has some sort of bridging enabled between the two lans.

Now, a lot of times you can also isolate Internet access with creative routing. You simply don't route IPs above say 30 out to the Internet. So then you can still have a flat lan and still get the blocking you want at the router level vs the lan or vlan level. Functionally the same, but technically not as secure since it's all on the same lan.
 

Yes sir. Controlling which device has access to the Internet and which do not and blocking devices from accessing local resources yet allowing them Internet access are the two holy grails of networking for me. I hope to learn and understand both before I leave this Earthly plane.
 
I can do these both very easily with an enterprise firewall since these are normal features for the enterprise. Enterprise firewalls are very cheap used.
 

Last one I looked at required a boatload of subscriptions to get the goodies. Was totally turned off by it. Maybe I'll take another look.

Can you recommend one?
 
Some brands require this for basic functions, but most don't so you get a lot of routing power and flexibility over anything consumer even in bone stock form.
 
Just looked at a Watchbox M300 on eBay. 75w power consumption was a turnoff. :(
I actually use one of these at a site--uses nowhere near that much power even with 2x wans and over 100 devices on the lan. Plus, implementing blocking per ip or subnet or whatever you want is gui easy. It's actually what I used to implement blocks for all our nas units that I only want to see the lan.
 

Thanks. Just ordered one. What the heck, it was cheap.
 
Controlling which device has access to the Internet and which do not and blocking devices from accessing local resources yet allowing them Internet access are the two holy grails of networking for me.
I'm not familiar with WatchGuard. But generally the way I do something like this would be to make firewall rules for the network range / VLAN that just:
  1. Allow port 53 to DNS address
  2. Block all traffic to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  3. Allow all
The order of these rules allows devices to get working DNS and access the Internet, but blocks them from doing anything locally. It's always nice blocking the total RFC 1918 ranges, because if you change your LAN IP scheme or add more VLANs or whatever, you don't have to go back and modify your rule, which you would if you had only blocked the subnet you started with.
 
Yeah they are solid bang for buck. I've even been tempted to pick up a spare or two since our original M200 hardware is on the fritz. I've got some spare parts to fix it, but haven't had the time.

Just keep all the ports closed (like you would for any consumer router) and it should be fine. It also can do ipsec vpn tunnels and multi-wan right out of the box, so there's that too.
 
When I was first messing with the old Fortigate 60C that I have, I couldn't get anything to reach the outside. Until I realized that unlike consumer 'all open' defaults, this is 'all closed'.
 
Last one I looked at required a boat load of subscriptions to get the goodies. was totally turned off by it. maybe I'll take another look.

Can you recommend one?
PFSense on an old i3/i5 SFF with built in video and use the PCIe slot to throw in a 4 port intel NIC or something, done, all the enterprise features you need, tie that in with a used Brocade ICX switch off ebay even and do your VLANs and rules on the switch instead.
 
Rule order
1. Block all outbound
2. Allow DNS only to your DNS servers (whether AD or your perimeter device) - then set your perimeter device to use secured DNS out to cloudflare or another external DNS provider (screw you ISP!)
3. Allow lists for traffic required from sources you want to allow.
4. Apply across VLANs as needed to control inter-VLAN access.


#3 is not hard when it is your own network; you will see the requests and what is trying to go out, your standard http/https - allow those and then some apps and whatever special ports they want.

Done.
 
And most everything is over http nowadays, so unless you're using some legacy stuff like telnet or ftp, you won't see many other ports being used.
 
Exactly, and doing a default "block all" outbound and locking down DNS can stop many exploits dead in their tracks! Tie it in with geo based rules to help a little more (not as much as these days malicious actors have services all around the world) you set yourself up pretty good for some solid security.

It is how I found out my Wyze cameras I had bought years ago when they came out were trying to reach out to servers in China on ports not listed on Wyze's own site on what it required... of course their support stopped responding when I kept asking about it and why...
 
Generally speaking on most firewalling devices once a packet is dropped the firewall is done with it. There is no additional processing. You generally start by denying traffic to known malicious destinations and/or geographies then drop specific traffic ordered by volume highest to lowest. Once that is done you begin permitting traffic again preferably by volume highest to lowest. There is zero reason to try to match a traffic pattern that matches 1% of your volume to 99% of your traffic flow. At the end you drop and log all unpermitted traffic. Most real firewalls will do this automatically with an implicit rule that may or may not log. It is best to do this with an explicit rule. As previously stated it would be ideal to redirect all internal clients to an internal DNS server that is hopefully doing some filtering and only that server to use outbound DNS preferably over 853/DoT. Nothing else is permitted to use external DNS and every effort is made to block all known DoH servers.
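The rule lists in this thread (allow DNS, block RFC 1918, allow all; block all outbound with an allow list; and the earlier wish to let the camera subnet reach the LAN but never the Internet) all depend on the first-match ordering the post above describes. The following is an added example, not code from the thread or from any firewall vendor: it models a first-match policy evaluator and encodes those three policies as rule lists, ending each restrictive one with the explicit logged drop the post recommends. The resolver address 192.168.1.1 and the test destinations (203.0.113.x is a documentation range) are constructed values, and the evaluator is a teaching model of the semantics, not a WatchGuard, Fortigate or pfSense configuration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
RFC1918 = [Net(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY: List[Net] = []                      # an empty destination list matches every address
INTERNAL_DNS = Net("192.168.1.1/32")     # constructed: the LAN resolver clients may talk to


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "drop"
    dst: List[Net] = field(default_factory=list)  # destination networks; [] = any
    proto: Optional[str] = None                   # "tcp", "udp" or None for any
    dport: Optional[int] = None                   # destination port or None for any
    log: bool = False

    def matches(self, ip: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
        if self.dst and not any(ip in n for n in self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], dst_ip: str, proto: str, dport: int,
             log: Optional[list] = None) -> Tuple[str, str]:
    """First match wins: the first matching rule decides and no later rule is consulted."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip, proto, dport):
            if rule.log and log is not None:
                log.append(f"{rule.action.upper()} {proto}/{dport} -> {dst_ip} by '{rule.name}'")
            return rule.action, rule.name
    return "drop", "implicit-deny"   # the unlogged catch-all most firewalls apply silently


def internet_only_policy(dns_first: bool = True) -> List[Rule]:
    """IoT/guest: reach the internal resolver and the Internet, nothing else on the LAN.
    dns_first=False reproduces the ordering mistake that breaks DNS."""
    dns = Rule("dns", "allow", [INTERNAL_DNS], "udp", 53)
    block_lan = Rule("no-rfc1918", "drop", list(RFC1918), log=True)
    allow_all = Rule("internet", "allow", ANY)
    return [dns, block_lan, allow_all] if dns_first else [block_lan, dns, allow_all]


def lan_only_policy() -> List[Rule]:
    """Cameras: may reach the LAN, never the Internet; the final drop is explicit and logged."""
    return [Rule("lan", "allow", list(RFC1918)),
            Rule("default-drop", "drop", ANY, log=True)]


def default_deny_policy() -> List[Rule]:
    """Block all outbound, then allow-list DNS to the resolver plus HTTP/HTTPS, then log drops."""
    return [Rule("dns", "allow", [INTERNAL_DNS], "udp", 53),
            Rule("http", "allow", ANY, "tcp", 80),
            Rule("https", "allow", ANY, "tcp", 443),
            Rule("default-drop", "drop", ANY, log=True)]


if __name__ == "__main__":
    # Constructed test flows: resolver lookup, SMB to a LAN host, HTTPS to a public host,
    # and public DNS that bypasses the internal resolver.
    flows = [("192.168.1.1", "udp", 53), ("192.168.1.20", "tcp", 445),
             ("203.0.113.10", "tcp", 443), ("203.0.113.53", "udp", 53)]
    for title, policy in (("internet-only", internet_only_policy()),
                          ("internet-only, wrong order", internet_only_policy(dns_first=False)),
                          ("lan-only cameras", lan_only_policy()),
                          ("default-deny allow-list", default_deny_policy())):
        log: list = []
        print(title)
        for ip, proto, port in flows:
            print(f"  {proto}/{port} -> {ip}: {evaluate(policy, ip, proto, port, log)}")
        for line in log:
            print("  LOG", line)
```

Running it shows the two lessons in one place: with the RFC 1918 block placed ahead of the DNS allow, lookups to the internal resolver die on the block rule, and with an explicit logged drop at the end of the camera and default-deny policies, the public-DNS flow that bypasses the resolver shows up in the log instead of vanishing into the implicit deny.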
 