
All About SUBNETTING your Networks! IPv6, IPv4, and VLAN Numbering Guide and OPNsense Demo

#SUBNETTING #Networks #IPv6 #IPv4 #VLAN

“apalrd’s adventures”

You’ve probably heard all about creating multiple VLANs, for things like your IoT network, guest wifi, and more. But do you know what a VLAN actually is, and what the difference is between a VLAN and a Subnet? Today I’m going to cover the numbering of subnets in your network, and how to set up…


15 Comments

  1. I would love to see a video on how you configure DNS for IPv6. DHCP mapping works great with IPv4 and Unbound, but unmanaged IPv6 means my clients arbitrarily pick an address. Does that mean clients are now responsible for their own DNS records?

  2. Please do a Zero Trust IoT show. With IoT devices now having the ability to have substantial internal memory with virtually no additional cost to manufacture. There is a risk that closed source firmware can have built-in hacking algorithms that perhaps only run rarely.

    What ways are there to prevent the device from using techniques such as probing the WiFi or network traffic, or using WiFi Direct or other network broadcast methods to directly access other IoT devices (presumably from the same or a similar manufacturer), in order for the IoT device to break out of its network jail, such as:

    A) Log a list of other IoT devices' MAC addresses and connection information.

    B) Watch for times when those connections drop off the network.

    C) Analyze the logged connection information to look for, for example, common passwords sent with basic auth (common for cameras) and common SSID passphrases (if WiFi Direct was able to get the info directly from a device, likely from the same or a related manufacturer).

    D) Use that information to break out of their network jail, call home, and provide their home with one or more backdoors into your network.

    Without a managed switch that applies VLAN IDs to the port, is the only way to be really, really sure with Ethernet-only IoT devices to have a tiny NAT device with firmware you control that the IoT device directly connects to, so that its connection to your network can't be masqueraded? I'd assume that after a small quantity of such NAT devices, it might be cheaper to just buy a managed switch that does the VLANs. But are there managed switches and routers that are fully, FULLY, open source (OPNsense is technically not fully open source since it relies on the BIOS of the machine it's running on, and that is not open source, so offshore BIOSes can be a vector)?

    Also, is there a WiFi way to do this, again with Zero Trust of the IoT device? Is there a device or set of devices that can be installed in your local internet that look for and report unusual WiFi activity (like monitoring the WiFi connection strength and triangulating the device's physical location in your home and reporting an attempt from a location that is not expected)?

  3. There is an IETF draft that IPv6 ULAs should be preferred over all IPv4 addresses. It is called "draft-ietf-6man-rfc6724-update-04".

    It makes sense in my home scenario, since I do not have a static IPv6 prefix. Yet most IPv6 configuration interfaces are not ready to use dynamic prefixes or variables or wildcards etc. Hence I often have to use ULAs for static configurations.

    This works very well with OPNsense, btw. You can assign a ULA as a virtual IP on LAN. Your devices assign themselves the same 64-bit suffix for all GUAs and ULAs, both through DHCPv6 and SLAAC. To make DHCPv6 prefix delegation work, you actually have to use ULAs or GUAs, because the ::xxxx:: wildcard notation only works for the DHCP scope itself, not for the prefix delegation.

  4. So, I chose to hand my prefixes out to my devices using prefix delegation on DHCPv6. On IPv4 I am not touching subnetting (the type you are talking about beginning at 22:00) because the switches are usually preconfigured as home switches with firewall etc. and hence always produce issues which lead to a big waste of time.

    I currently do not need VLANs, especially since my switches do not support it. (Those that support it are too few and lie on the shelf because they are power wasting PoE devices), yet I am considering it.

    Actually, I do not like to use VLANs for security, but only maybe for logical separation, because I do not want to move parts of my configuration to the switch. You need a MAC address registry to auto-select the ports, or you have to configure them manually. But then you must always plug each device into the same port. But now, MAC addresses can be spoofed. That'll lead to you needing RADIUS or even Kerberos. And then your managed switch doesn't support it, because it is only consumer grade. So yeah, VLANs are not an ideal thing for consumers in my point of view.

    A direct alternative to VLANs would be GRE tunneling and a more realistic alternative Wireguard tunneling. But try that on crappy IOT devices. Or try routing subnets through it. It should work, but I'm the only guy trying to use them. There is no documentation on building a home lab with VPNs instead of VLANs.

    One slightly annoying thing with VLANs on OPNsense is, btw, that for bridged ports, unlike the way it is with Proxmox, you have to add the VLAN to each PHY and then you have to create a bridge with each VLAN interface, hence you end up with a separate bridge for each VLAN. On Proxmox you can just add a VLAN to the bridge. Yet it all works fine, and that's all we need.

  5. Interesting videos as always, but I can assure you that not only fd00::/8 can be NATed; it's almost always the case in company networks. Look for NPTv6 and the NAT66 draft memo.
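NPTv6 as comment 5 refers to it (RFC 6296) is not a NAT44-style stateful translation but a stateless, checksum-neutral rewrite of the prefix: the first 48 bits are swapped and the 16-bit subnet word is adjusted so that every transport checksum computed over the IPv6 pseudo-header stays valid without the translator touching the payload. The following is an added example (not code from the video, from OPNsense or from RFC 6296 itself) that performs a /48-to-/48 mapping in both directions and checks the neutrality property; the fd12:3456:789a::/48 ULA and the 2001:db8:1234::/48 documentation prefix are constructed inputs.

```python
import ipaddress


def _words(addr: ipaddress.IPv6Address) -> list[int]:
    """Split a 128-bit address into its eight 16-bit words, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_complement_sum(words) -> int:
    """One's complement sum with end-around carry (RFC 1071 style), folded to 16 bits."""
    total = 0
    for w in words:
        total += w
        while total >> 16:
            total = (total & 0xFFFF) + (total >> 16)
    return total


def nptv6(addr, from_prefix, to_prefix) -> ipaddress.IPv6Address:
    """Rewrite the /48 of `addr` from `from_prefix` to `to_prefix` the way an
    RFC 6296 translator does: replace the prefix, then adjust word 3 (the subnet
    ID) so the one's complement sum over the whole address is unchanged. Since
    TCP, UDP and ICMPv6 checksums cover the addresses via the pseudo-header,
    an unchanged sum means those checksums need no rewriting."""
    addr = ipaddress.IPv6Address(str(addr))
    src = ipaddress.IPv6Network(str(from_prefix))
    dst = ipaddress.IPv6Network(str(to_prefix))
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 <-> /48 mappings only")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = _words(addr)
    if w[3] == 0xFFFF:
        # RFC 6296 reserves subnet ID 0xffff for /48 mappings; the translator drops it.
        raise ValueError("subnet ID 0xffff cannot be translated; drop the packet")
    src_sum = ones_complement_sum(_words(src.network_address)[:3])
    dst_sum = ones_complement_sum(_words(dst.network_address)[:3])
    # adjustment = sum(old prefix) - sum(new prefix); in one's complement
    # arithmetic subtraction is addition of the bitwise complement.
    adjustment = ones_complement_sum([src_sum, (~dst_sum) & 0xFFFF])
    new_word3 = ones_complement_sum([w[3], adjustment])
    if new_word3 == 0xFFFF:
        new_word3 = 0x0000   # 0xffff and 0x0000 are the same one's complement value
    new_words = _words(dst.network_address)[:3] + [new_word3] + w[4:]
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in new_words))


def checksum_neutral(a, b) -> bool:
    """True if both addresses contribute the same value to a pseudo-header checksum."""
    sa = ones_complement_sum(_words(ipaddress.IPv6Address(str(a))))
    sb = ones_complement_sum(_words(ipaddress.IPv6Address(str(b))))
    return (sa % 0xFFFF) == (sb % 0xFFFF)


if __name__ == "__main__":
    inside = ipaddress.IPv6Address("fd12:3456:789a:10::1")   # constructed inside host
    outside = nptv6(inside, "fd12:3456:789a::/48", "2001:db8:1234::/48")
    print(inside, "->", outside, "checksum neutral:", checksum_neutral(inside, outside))
    print(outside, "->", nptv6(outside, "2001:db8:1234::/48", "fd12:3456:789a::/48"))
```

Note what the output shows: the inside subnet 0x0010 does not survive as 0x0010 on the outside; it becomes whatever word keeps the sum constant. That is why, with NPTv6, the subnet IDs you chose for your ULAs are not the ones the rest of the internet sees, and why firewall rules on the WAN side must be written against the translated addresses.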

  6. Thanks! Being a retired network engineer, I found your video relevant and accurate. You also taught this old dog some new tricks. I've set up a Proxmox server and an OPNsense firewall. Used your videos as a guide and reference. Thanks again

  7. Hey love the content. I am curious what you think of the new Proxmox SDN feature? I am mostly wondering if it is possible to migrate my Ceph storage network over to SDN? If I recall, that is how I had set up VSAN in the past.
