Ooh, would it be similar on other Linux distros/Unixes? I’m trying to decide between Debian, VyOS, Alpine and OpenBSD for my main firewall. All of them have strengths but I think it’ll be between VyOS and OpenBSD for me.

True, a commodity all-in-one-box running OpenWRT, or an SBC that supports it would work perfectly, except maybe for a lack of ports

Thank you. Now I just need to learn to do all of this on Linux/BSD lol

Ah, I see. Thanks

Sorry, I’m not sure what you mean by “ARP bridges L1 and L2”. I’ll have to read more about this. Other than that, I understand what you said.

Thank you so much for the explanation. I followed everything but:

Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.

I couldn’t really understand what you meant here. Did you mean VLAN 32 in the last line?

Thanks, but isn’t ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch

I see, I was completely off-track lol. But isn’t this really for a setup where each computer is connected to an individual port of the switch? I.E. this won’t work if to one port of an L3 switch one were to attach a dumb 5 port switch and plug 4 computers in

Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff

Thank you for the great comment.

This line cleared it up for me:

802.1q aware switch and gateway to use VLANs effectively.

It is indeed as you say. VLANs on a trunk port wouldn’t really work for security either. This is making me reconsider my entire networking infrastructure since when I started I wasn’t very invested in such things. Thanks for giving me material to think about

I see. I didn’t know about this. I have saved your comment, I’ll come back to this in a bit

Thank you for the comment.

My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of “if they’re in your network you have other problems to worry about” is valid, and I’m working on it.

I’m educating myself about Lynis, AuditD and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I’ve recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.

Yes, I do realise that the dumb switch has an OS. And you raise a good point. I’m starting to feel uneasy with my existing netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.

I’d like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.

Thanks again for the comment and I’d like to hear any suggestions you have.

Ah, is that something like sticky ports?

Indeed, I would like to run a switch with a FOSS OS, and I don’t see any viable way of doing that. Unfortunate, but whitebox router + switch it is then

Hmm, I haven’t heard of that before. Could you explain?

Could you elaborate why the question of trust invalidates using just subnets?

Thanks, but to make that work I would need a managed switch running a proprietary OS can I cannot trust. If there was a switch running a FOSS OS then I would use that

Thanks, yes I realised that OpenWRT devices can do this

I use testing, prod and stale. Stale is simply one version behind prod in case I see something in prod I need to roll back

I’d either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can’t control and don’t know what it’s doing underneath.

Ah, sucks