Mixing wired/wireless on GREEN and BLUE

Hello,

I am designing a small network and I would like to know if what I am trying to achieve is possible with IPFire.

I would like to have three LANs:

  • GREEN with trusted devices: wired NAS, wired pihole, wireless laptop…
  • BLUE with untrusted devices: wireless Android phones that haven’t seen an update in three years, wired xbox, wireless guests…
  • ORANGE as a normal DMZ

From what I understand this breaks the IPFire convention of GREEN being trusted wired and BLUE being untrusted wireless. It looks like I could use MAC based VLANs but Google was not very helpful in finding compatible switches/access points.

Bonus question: I’d like to hosts virtual machines on my FreeNAS box that only has one interface. However FreeNAS seems to be able to put VLAN tags on traffic that comes from VMs. Can I use that to create an ORANGE network? If not I will use a USB to ethernet adapter for the VMs.

@cbrown I definitely plan to do that when being away but I’d like to not have to go through a VPN when I am physically at the office.

After researching a bit more, it seems that it could work with an AP broadcasting two SSIDs, each one mapping to a different VLAN. I could plug the AP to a managed switch, set the port to tagged/trunk and have a single interface in IPFire receiving data with a different tag for GREEN and BLUE.

The same would go for the FreeNAS box, one interface connected to the switch with VLAN tags for GREEN and ORANGE.

This link describes a similar concept.

Can someone more familiar with VLANs confirm? Does someone have a recommendation for a small switch and access point supporting these features? Thank you in advance.

You could make a hole in the firewall trough IP or Mac Addresses, which gives on explicit Mac/IP Address the complete access to green.
The thing is that its pretty easy to “hack” that:
https://linuxconfig.org/how-to-change-mac-address-using-macchanger-on-kali-linux

So if somebody knows that you made such exceptions, he could use it.

The safest way is to use VPN.

But I am not sure why you use such a complicated way. You could just connect a AP with Lan to green. Then every Devices which connects with it gets the IP and connection from Green.

And then you need another AP which is connected trough Lan with Blue. Both should have different SSIDs and different Passwords.
But yes, it is breaking somehow the concept.

Blockquote “https://wiki.ipfire.org/installation/step5” :
Green| … Private network, connected locally|
|Blue | WLAN … Wireless Network, A separate network for wireless clients|

Personally, I perceive these descriptions as being a little bit unfortunate,
because from a Firewall’s perspective, the main point in separating network areas
is a rating of trust, primarily.

My primary focus would be:
. . . Green| Private network, trusted clients, however connected
. . . Blue | Separated network for untrusted clients, however connected

and furthermore exploit the protection by

  • limiting access to known ethernet MACs of trusted HW only
    (should be a config option in every reliable AP),
  • even nail it to a fixed (green) IP,
  • do not publicly advertise your (green) SSID,
  • choose a sufficient Encryption Passphrase,
  • even temporarily de-activating access while the client is not in use.

Yes, with
. . . # macchanger -m v1:v2:v3:i1:i2:i3 eth0
an attacker could disguise himself under a different [ vendor | id ] ;
but:

  • he would furthermore have to know (at least one of) your approved MACs,
  • if your trusted device has already drawn its lease, this would result into a conflict.

Resume:
I wholeheartedly support Fabian’s recommendation “additional AP attached to Green”
for the demand described in @ Nicolas’ OP.

Yes, I scratched the whole MAC idea.

Instead I went with an AP (D-Link DAP-1665 B1) that allows to broadcast multiple SSIDs each in its own VLAN, which is pretty close to what you both recommend.