Zyxel GS1900 VLAN isolation

Discussion in 'Networking' started by aag, May 12, 2018.

  1. aag

    aag New Member

    Joined:
    Jun 4, 2016
    Messages:
    25
    Likes Received:
    2
    I have recently gotten fiber internet, and I was wondering whether I can get rid of the ISP's box and attach my fiber directly to the switch. Is it possible to isolate one of the ports of the Zyxel GS1900-24 to obtain the topology depicted here? The idea is to dedicate a fiber port and a cable port to the "DMZ", and attach the rest to the pfSense gateway. However, I do not know whether this is at all possible, and I have zero experience with VLANs.
    [Attached image: zyxel-switch.png]
    #1
    Last edited: May 12, 2018
  2. maze

    maze Active Member

    Joined:
    Apr 27, 2013
    Messages:
    451
    Likes Received:
    61
    Yes. Make a WAN VLAN, put that as untagged/PVID on the fiber port, then do the same on the port to your pfSense.
    #2
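    The port-level setting maze describes (a dedicated WAN VLAN, untagged with matching PVID on exactly two ports) is easy to get subtly wrong, most often by leaving the fiber port in the default VLAN 1 as well. The following is an added example, not code from this thread, from Zyxel or from pfSense: it models per-port VLAN membership and PVID the way an 802.1Q switch classifies and forwards frames, then checks that nothing can cross between the WAN ports and the LAN ports. The port names, the VLAN IDs (100 for WAN, 1 for the default LAN) and the 24-port layout are assumptions chosen to mirror the topology in the question.

```python
"""Model per-port VLAN settings on a small managed switch and check that the
WAN VLAN really isolates the ISP-facing fiber port from every LAN port.

Added example: not code from this thread, from Zyxel, or from pfSense. Port
names, the VLAN IDs (100 for WAN, 1 for the default LAN VLAN) and the 24-port
layout are assumed values chosen to mirror the topology the poster describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WAN_VLAN = 100   # assumed ID for the dedicated ISP/WAN VLAN
LAN_VLAN = 1     # default VLAN every port usually starts in


@dataclass
class Port:
    name: str
    pvid: int                                        # VLAN assigned to untagged ingress
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out 802.1Q-tagged

    @property
    def members(self) -> Set[int]:
        return self.untagged | self.tagged


def reachable_vlans(src: Port, dst: Port) -> Set[int]:
    """VLAN IDs on which a frame entering src can be forwarded out of dst.

    Untagged frames are classified into src.pvid; tagged frames are accepted
    only for VLANs src is a member of (ingress filtering on). A frame then
    egresses dst only if dst is a member of that VLAN.
    """
    if src is dst:
        return set()
    accepted_on_ingress = src.members | {src.pvid}
    return accepted_on_ingress & dst.members


def check_isolation(ports: Dict[str, Port], wan_names: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (wan_port, lan_port, vlan) triples where traffic could cross the boundary."""
    violations = []
    for wan in sorted(wan_names):
        for name, port in ports.items():
            if name in wan_names:
                continue
            leaks = reachable_vlans(ports[wan], port) | reachable_vlans(port, ports[wan])
            violations.extend((wan, name, vid) for vid in sorted(leaks))
    return violations


def build_switch() -> Dict[str, Port]:
    """Intended configuration: fiber + pfSense WAN port alone on VLAN 100."""
    ports = {
        "fiber": Port("fiber", pvid=WAN_VLAN, untagged={WAN_VLAN}),
        "pfsense_wan": Port("pfsense_wan", pvid=WAN_VLAN, untagged={WAN_VLAN}),
    }
    for i in range(1, 23):                       # remaining 22 ports stay on the LAN VLAN
        ports[f"lan{i}"] = Port(f"lan{i}", pvid=LAN_VLAN, untagged={LAN_VLAN})
    return ports


def build_misconfigured_switch() -> Dict[str, Port]:
    """Same, but the fiber port was never removed from the default VLAN 1 membership."""
    ports = build_switch()
    ports["fiber"].untagged.add(LAN_VLAN)
    return ports


if __name__ == "__main__":
    wan = {"fiber", "pfsense_wan"}
    print("intended config violations:", check_isolation(build_switch(), wan))
    bad = check_isolation(build_misconfigured_switch(), wan)
    print(f"misconfigured: {len(bad)} leaks, first: {bad[0]}")
```

    The intended configuration yields no violations, while the variant that keeps the fiber port in VLAN 1 reports a leak against every LAN port in both directions. Transcribing the switch's actual VLAN table into `build_switch()` before committing it is a cheap way to confirm the two ISP-facing ports share nothing with the rest of the switch.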
  3. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    765
    Likes Received:
    570
    If you're talking about using the fiber coming directly from your ISP, I sincerely doubt this is going to work, for several reasons.

    Depending on where you live, it's most likely a GPON provider and not active Ethernet to each home, in which case you'll need GPON optics and a switch/router with a port intended for GPON optics. You'll need to match the wavelength their GPON equipment is using and the wavelength density (e.g. how many individual customer wavelengths on one pair of fiber); these are split up into "classes" if I remember right, e.g. class B+ GPON optics are 1480-1500nm transmit, 1260-1360nm receive.

    GPON also does stuff like use time slots allocated by the OLT (headend) to dictate when the client (you) can transmit, TDMA for broadcast traffic, etc.; your device would need to understand all this (and if it's not a device intended for GPON use, it won't). The TL;DR is that GPON is not Ethernet. It would be the equivalent of sticking Fibre Channel optics in your Ethernet switch and hoping it can talk to Fibre Channel equipment.

    Mikrotik supposedly makes an SFP that handles all this conversion inside the SFP and presents as a normal plain Ethernet SFP to the switch, but I haven't seen any reports of it actually working with other FTTH providers (the headend OLT would have to be OK provisioning a dumb Ethernet switch), and it also only works with Mikrotik devices. Obviously, if it's an active Ethernet provider none of this applies; however, that's quite rare given it's a couple of orders of magnitude more expensive to deploy active vs GPON.

    Second, and the real killer (regardless of whether it's active or GPON): I would really hope their raw fiber isn't just handing off unrestricted and unencrypted access to their network. Generally, at the very least, it will not do anything until it sees a successful authentication via 802.1X (this is what their box does, along with provisioning things like network and access settings). Even if your switch supports 802.1X, you would have to somehow extract the private cert they use for authentication from their box. Some older/cheaper providers might still be using PPPoE instead of 802.1X, but that's pretty rare these days. Third, it's also probably looking for the MAC address of that box, at least I would hope; however, compared to everything else, cloning a MAC is the least of your worries :p
    #3
    Last edited: May 12, 2018
  4. aag

    aag New Member

    Joined:
    Jun 4, 2016
    Messages:
    25
    Likes Received:
    2
    Thank you for your exhaustive and competent explanation. I have read posts in the provider's forum (Swisscom) claiming that they have accomplished this. However, you never know; it would be nice to achieve certainty before going on to buy the equipment!
    #4
  5. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    765
    Likes Received:
    570
    They must not be using any form of authentication or encryption (which is quite scary! Anyone could jump on their fiber). Good news for you, though :)
    #5
  6. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    331
    Likes Received:
    109
    As a security-minded person, I would not recommend doing this, even if it might work.

    Typically, switches are not intended to be put directly on the internet.
    An example of this would be that they broadcast stuff like firmware versions using LLDP (etc.) and have management services on layer 2 (thanks for that, Mikrotik). Of course you can disable most (if not all) of this, but you have to know to look for it.

    A bigger issue is whether the manufacturer can be trusted to make "secure" software.
    I have (but don't use anymore) a GS1900-24E (which is probably more or less identical software-wise to what you have), and last I checked you can't even replace the TLS certificate, which means you can probably decrypt the HTTPS traffic between your PC and the web interface if you carve the TLS certificate from the firmware binary.
    While this does not matter directly for your issue, it does give a good indication of what level of security to expect from the device.

    In comparison, your pfSense firewall is designed for this exact use case, and will by design not expose too much by default.
    I don't know what device you are using, but if possible you could install a fiber NIC.
    #6
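    RTM's first concern is that a switch facing the ISP keeps advertising itself over LLDP. A quick way to see exactly what yours says on the wire is to decode the LLDPDU it emits. The following is an added example, not code from this thread or from any vendor: it builds a constructed LLDP frame (the MAC addresses, system name and firmware string are made up for the example so it runs offline) and decodes the TLVs that any device on the same segment would receive. To audit a real switch, replace the sample frame with bytes captured on the port facing it.

```python
"""Decode the TLVs of an LLDP frame to see what a switch advertises on the wire.

Added example; not code from the thread or from any switch vendor. The sample
frame below is constructed for this example (addresses, system name and the
firmware string are invented), so the script runs offline. Feed parse_lldp()
the raw bytes of a captured 0x88CC frame to audit a real device.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge LLDP group address
TLV_NAMES = {
    0: "End", 1: "ChassisID", 2: "PortID", 3: "TTL", 4: "PortDescription",
    5: "SystemName", 6: "SystemDescription", 7: "SystemCapabilities",
    8: "ManagementAddress",
}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header is 16 bits: 7-bit type followed by 9-bit length."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame() -> bytes:
    """Constructed Ethernet frame carrying a minimal LLDPDU (not a real capture)."""
    src = bytes.fromhex("020000000001")          # constructed, locally administered MAC
    tlvs = (
        build_tlv(1, b"\x04" + src)                          # chassis ID, subtype 4 = MAC
        + build_tlv(2, b"\x05" + b"1")                       # port ID, subtype 5 = ifname
        + build_tlv(3, struct.pack("!H", 120))               # TTL in seconds
        + build_tlv(5, b"example-switch")                    # constructed system name
        + build_tlv(6, b"Example 24-port switch, firmware V0.00(EXAMPLE)")  # constructed
        + build_tlv(0, b"")                                  # end of LLDPDU
    )
    return LLDP_MULTICAST + src + struct.pack("!H", LLDP_ETHERTYPE) + tlvs


def parse_lldp(frame: bytes):
    """Return a list of (tlv_name, raw_value) pairs from an Ethernet II LLDP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = []
    off = 14
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        off += 2 + length
        if tlv_type == 0:                       # End-of-LLDPDU terminates parsing
            break
        tlvs.append((TLV_NAMES.get(tlv_type, f"type{tlv_type}"), value))
    return tlvs


def advertised_strings(frame: bytes) -> dict:
    """The human-readable fields every neighbour on the segment learns from this switch."""
    return {
        name: value.decode("ascii", "replace")
        for name, value in parse_lldp(frame)
        if name in ("PortDescription", "SystemName", "SystemDescription")
    }


if __name__ == "__main__":
    for key, text in advertised_strings(build_sample_frame()).items():
        print(f"{key}: {text}")
```

    The SystemDescription TLV is where model and firmware strings usually land; if the decoded output on a port you intend to face the ISP contains anything you would not publish, that is the LLDP transmission to disable on that port before connecting it.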
