I recently got a decent switch so I decided to setup a VLAN to separate the Wifi traffic from the rest of my network. I setup all packets coming to the port connected to the Access Point to join VLAN 10, which only allows access to the router port. All good, all wireless devices now cannot access the rest of my network.

Then I remembered, my printer is wireless. So I setup a MAC VLAN which gives my printer VLAN 1 when seen. This lets my whole network see the printer.

But both the VLAN ID and the MAC address are ethernet level information. This means that any Wifi client could possibly spoof the MAC address, and gain access to the rest of the network. Are MAC VLANs not intended to be used this way or I am missing something?

  • @flux
    link
    34 years ago

    They are intended to be used that way.

    But sometimes switches or routers have bugs.

    I have this one managed switch connected to a wifi access point with vlan 100 and to the central switch via a trunk port (all vlans). Normal lan activity is in vlan 10. I have configured that the management interface of the switch is only accessible over vlan 10, but the vlans 10 and 100 are bridged to each other in my router. Basically, this means lan and wlan seem like one network, except all traffic between them can be inspected in the router.

    Well, it turns out I cannot access the management interface over wifi. This should work because the management traffic arrives via vlan 10 to the managed switch (even if originated from the vlan 100 wifi ap). But it fails because (my theory) it also sees that the same mac is in another port with vlan 100. Quite a curious failure mode.

    At least this time it erred on the cautious side.

    • @donOP
      link
      24 years ago

      Interesting. Sounds like there is a race condition happening in assigning a VLAN ID to that MAC. Or it could simply be that this particular router gives precedence over specific VLAN traffic when trying to resolve conflicts.

      • @flux
        link
        14 years ago

        Btw, as you do note, your use case may not still be reliable, if you cannot enforce MAC-client mapping.

        For a secure setup I suggest you set up another WiFi SSID for only the printer and other similar class devices. You can then put that complete WiFi network to its own VLAN and configure other rules as you wish. Your WiFi AP should support multiple SSIDs and distinct VLANs for them and then your WiFi AP would be connected via a trunk link (or possibly a hybrid one).

        • @donOP
          link
          14 years ago

          Yeah, my AP is not so advanced so until I get a new one which has that capability I’ll just plug my printer to the wired network for now. Good tip to keep in mind though.