VPNs, firewalls and VLANs for Home Automation – Part 3: Setting up the VLAN

Introduction

So far we have setup pfSense and connected up our WAP to it. This has formed the basics of our home network.

However it would be good if we could use multiple access points each running on their own network, but sharing the pfSense router, firewall and WAN. We also need to consider locking down the network to improve security.

In this post we will expand our network further to incorporate these items by:

  • Configuring VLANs in both pfSense and our VLAN compatible switch
  • Move our existing WAP to a VLAN.
  • Leave our LAN as Ethernet only with no AP attached

To start with we will do a little digging into how switches work to provide some context for when we later setup the VLANs.

Switches

A switch is a hardware tool (located at the Data Link Layer on the OSI-7 layer model) which is responsible for routing packets from one machine to another. A switch relies on knowledge of the networked machines MAC addresses.

Typically a hardware unit will consist of multiple Ethernet ports that devices can be plugged into. Our setup so far relies on using the WAP connected to a single Ethernet port to assign IP addresses to machines on the network. Once a machines has connected to the switch via the WAP, a record of its MAC/IP combo is stored on the pfSense appliance.

Switches were a replacement to what are known as Hubs (found at Layer 1 of OSI-7 Layer model). A Hub broadcasts messages out the whole network and any device connected to the Hub can read the packets. If a NIC was placed into promiscuous mode, then sniffing the packets and viewing the data was possible. A switch on the other hand only routes traffic to the target machine.

Of course this also mean your network speed is affected by the speed of the switch! A faster switch with the right Ethernet cable and newer NICs for the devices running on the network, improves overall speed.

If you cast your mind back to an earlier post you will remember we discussed the ARP protocol. One issue some switch configurations are susceptible to is what is known as ARP and IP spoofing.

Each machine on the network will keep a copy of the IP/MAC combo in their ARP cache. An attacker can therefore use its own copy of the ARP cache to try and eavesdrop on communications between machines.

The way this works is to send out a Gratuitous ARP message to the machines on the network and replace the portion of the MAC mapping, with the MAC of the attacker. The attackers machine then sits in the middle (man-in-the-middle) eavesdrops on incoming messages, and then forwards them on to the other party.

If you are interested in trying this out yourself then take a look at the dsniff tool.

At the switch level there is another issue we need to be aware of – MAC flooding.

The switch as you will remember contains a table mapping MAC’s to IPs. We can see this mapping in pfSense under the Diagnostics > ARP Table link.

A MAC flooding attack attempts to overwhelm the switch so that no new MAC/IP pairs can be generated (a DoS attack), or worst the switch reverts into acting like a hub, thus allowing eavesdropping.

Thankfully aspects of the 802.11 protocol defend against MAC flooding.  When a device associates with a WAP it is MAC-based.  Therefore the WAP bridges traffic coming only to/from known MACs.

Therefore if a MAC flooding attack is directed from a wireless device to the network, any 802.11 frames with a random MAC address in the source not associated with the WAP are discarded.

So now we have a little understanding of how switches work and some of the security considerations, let’s look at VLAN compatible switches.

VLAN Switches

For this portion of the post I will be referring to a Dell PowerConnect 2808 VLAN compatible switch. The 2800 series switches start at around $129.00 USD. If you are using a different device, then modify the instructions below as applicable.

VLAN stands for Virtual LAN. As it’s name may suggest, the concept behind it is to take one set of hardware i.e. ‘n’ machines and one switch and create multiple LANs from this. Each LAN being its own subnet. The traffic on each of these LANs is then tagged so we know which VLAN it belongs to.

pfSense allows us to configure VLAN interfaces and then assign DHCP servers to each of them. We therefore can use our VLAN switch as a method for connecting multiple AP’s (or wired devices) and let the configuration of the IP range etc. be handled by pfSense.

Configuring VLANs in pfSense

Our first task is going to be to move our WAP off the LAN interface on pfSense. Going forward we would like the LAN to only be accessible for devices connected directly to the switch.

We therefore need to come up with an IP range for WAP to use, since it will no longer using 192.168.1.0/24.

Let’s start by plugging out laptop/PC directly into the  pfSense appliance, as the WiFI will shortly stop working. You can also power down the WAP for the moment.

We are going to use the range 192.168.3.0/24 for our new VLAN.

Let’s start by navigating to Interfaces > (assign)

On the screen that pops up select the VLANs option. You’ll now be presented with a list of VLANs which currently will probably be none.

Select the Add button from the bottom right.

The VLAN Configuration screen will now be presented. On this screen we can create our new VLAN and tag it.

From the Parent interface drop-down, select the LAN option.

Below this you will see the VLAN Tag input field

VLAN Tag

Set this value to an integer between 1 and 4094. I like to use a value derived from the subnet. So if the subnet is 192.168.3.0/24 I use the tag 3. Do not enter the value 1 however. This will become apparent why later.

You can ignore VLAN Priority for now. If you wish to add a Description now is your chance. For example “HomeAutomation”.

Return back to the Interface Assignments screen under Interfaces. This will be updated with an Available network ports drop-down. Listed here you will see your VLAN.

Select it and click the green Add button. Once added you will see it has a name similar to ‘Opt7’

Next navigate to the Interfaces drop-down. Your new VLAN interface with the Opt7 (or whatever was auto generated) will now appear.

Select this option to go to the interfaces configuration.

Interface config

We have now going to select the Enable interface checkbox.

Following this change the Opt7 value to something more intuitive e.g. HomeAutomation.

The IPv4 Configuration Type should be changed to Static IPv4.

Our final task is to scroll down the screen to the Static IPv4 Configuration.

Change the value of IPv4 Address to 192.168.3.1 and ensure the ‘/’ value is set at 24.

Save these values.

Now navigate to the Interfaces > Interface Assignments screen. Here you should see the new Interface HomeAutomation (or whatever you called it) and the Network port should be similar to: VLAN 3 on igb1 – lan (HomeAutomation) .

We now have an Interface setup for our VLAN. This will work over our LAN connection allowing us to run a virtual LAN with the 192.168.3.0 subnet.

Currently our WAP is setup however to use 192.168.1.0/24 so we will need to change this.

First let’s get the DHCP server running on the VLAN interface.

Navigate to Services > DHCP Server from the list of available interfaces, select the one corresponding to your VLAN e.g. HomeAutomation.

When this screen loads you will see some General Options.

Here you will need to do the following:

  1. Check the Enable checkbox
  2. Select the Range e.g. 192.168.3.60 to 192.168.3.199

Save these changes.

Now we are finally ready to update that static mapping we created before for our AP.

So navigate to Status > DHCP leases.

Next edit the Static mapping you added for the WAP. Change the IP address to a new one in the new subnet 192.168.3.0/24.

Make a note of the IP address you selected, as we now need to update the WAP.

Save the changes.

You can now unplug the laptop from the pfSense appliance, unplug the WAP from the LAN port and power up the WAP again.

Once it is up, login to the web interface and change the IP address for the AP to the one you selected above.

So we now have a VLAN configured on pfSense and the WAP configured with an IP address for the new VLAN. That leaves us with our final task – setting up the VLAN switch so we can plug our WAP back in.

Configuring the VLAN switch

Our final task is going to be to configure the VLAN switch. As mentioned for this I have selected a Dell PowerConnect 2808, so you will need to tweak the following instructions to your specific switch.

First we are going to plug the VLAN switch from LAN port 1 into the Ethernet port where the WAP was originally, then power up the VLAN switch. Also plug your laptop/PC into one of the other free ports on the pfSense appliance.

Once it has booted up, the LAN DHCP server will assign it an IP address in the 192.168.1.0/24 subnet. You can check on the DHCP leases screen in pfSense to find out what was assigned to it.

Navigate to the web console for your switch and log in. Remember after you login to change the username and password from the default values to something more secure.

Once logged in we need to configure a VLAN for our HomeAutomation interface.

Within the GUI located the VLAN configuration screen. In the Dell PowerConnect this is:

Switch > VLAN > VLAN Membership

Under this screen we can select an existing VLAN or configure a new one. By default you should need a VLAN tagged with 1 available. This acts as a the Trunk, that all traffic is sent over and is the configuration associated with the Ethernet port (1), you plugged the pfSense appliance into.

The Dell switch comes preconfigured with the VLAN tagged as 1 and will not allow you to edit any of the details here. This configuration is needed in order for the switch to communicate with a router etc. once plugged in.

VLAN default

Use the Add button to load up the screen for configuring a new VLAN.

Add VLAN

Let’s enter the tag value we set in pfSense for the VLAN ID. I recommended using 3 earlier, but this can whichever value you chose.

For the name enter HomeAutomation, or whatever you decided upon when setting up the VLAN interface.

You can leave the final value as is and click the Apply Changes button.

Back on the VLAN Membership screen select the Show VLAN drop-down and select VLAN 3 (or whatever you chose).

You’ll see a small table now appear which is called Ports.

Clicking on a square will insert a character (this is on the Dell machine, other switches will have a different interface).

Select the square for port 3 (this is where we will plug the WAP into) and click it until a U appears. Port 1 should show a T, if it doesn’t click it until a T appears.

On other models of switches you will need set port 1 as the Trunk where the tagged data passes over, and associate the physical Ethernet port you will plug your WAP into with the VLAN.

Save/Apply these changes.

Our final task is going to be to update the Port settings. On the Dell PowerConnect 2808 switch these settings can be reached via Switch > VLAN > Port Settings.

Select the relevant Ethernet port, in our case 3. Make sure the PVID is tagged as 3 and finally make sure the Frame Type is Admit All.

Save these changes.

Our VLAN switched is now configured so that Ethernet port 3 can be used for the WAP and all traffic running over it through the Dell switch to pfSense will be on VLAN 3 with IP addresses assigned from 192.168.3.0/24 subnet.

Let’s now power everything down.

Hook the WAP to Ethernet port 3 on the VLAN switch. Next make sure that the VLAN switch Ethernet port 1 is connected to the LAN on the pfSense appliance.

Now let’s start everything up.

Once booted, connect your laptop/PC to the WiFi SSID and bingo you should now have an Internet connection.

If you log into pfSense and check the DHCP leases – your laptop/PC should appear in the list.

Next Steps – Add another WAP

To add a second WAP and VLAN to your network, repeat the steps above and this time use a VLAN tag of 4 (or other acceptable value from the range). Associate this VLAN with the 192.168.4.0/24 subnet and assign the WAP a static IP from this subnet.

You absolutely must assign a different VLAN tag and subnet for this to work. If you encounter problems with VLAN not working with the second WAP ensure that:

  1. DHCP is disabled on the WAP and configured correctly for your new AP in pfSense
  2. The VLAN is configured in pfSense
  3. The Interface is configured correctly in pfSense
  4. That the DHCP server is running on the new Interface with a different subnet to the other interfaces
  5. That the VLAN is configured correctly in the Dell switch
  6. That the port in the Dell switch is set with the correct tag
  7. That the device is connected to the correct Ethernet port

 Summary

In this post we hooked up our VLAN compatible switch. In addition to this, we connected up our existing WAP and saw how we could add a second one by following the steps for configuring the first.

We now have a home network with:

  • pfSense firewall appliance
  • A Dell (or similar) VLAN switch
  • Two wireless access points

In the next post we will look at the WAPs in a little more detail and discuss security.

 

A hiatus

Everyone,

The blog has been on a hiatus for the best part of a year. This has allowed me to concentrate on wrapping up my current degree and finish up my fourth Raspberry Pi book.

Internet Of Things @ Home will be re-launched this spring with a new look, new feel and a lot more articles.

Watch this space for more details.

2nd edition of Raspberry Pi Home Automation with Arduino

Everyone,

I’m glad to announce that a second edition of Raspberry Pi Home Automation with Arduino is being planned for release next year.

There will be a major overhaul of some chapters. Based upon the excellent feedback I received you can expect to see:

1.) More home automation projects

2.) Inclusion of projects using the Arduino Uno shield

3.) A look at the Arduino YUN

4.) Revised content on the Raspberry Pi 

5.) An update to the code based upon Cooking Hacks latest ArduPi library 

Keep your eyes on this space for updates on progress!

 

 

A brief introduction to BreakfastSerial

Introduction

In my post on Y-Hack I touched upon a Python based technology called BreakfastSerial. Some of you Arduino fans out there may already be familiar with it, but for those who are not I have provided  short guide below.

BreakfastSerial is a Python based library that allows you to write Python code that can be run on the Ardunio.

The technology

The library runs on top of a technology called Firmata.

Firmata is a generic protocol for communicating with Microcontrollers from software running on a host computer.

You can read more about the Arduino implementation of Firmata at the Arduino.cc website:

http://arduino.cc/en/Reference/Firmata

BreakfastSerial works by allowing you to interact with Firmata loaded onto your Arduino by writing Python code.

You simply upload Firmata to your Arduino board, and then can start writing Python applications that use it.

We will look at an example next.

Setting up Firmata

In this post I will only be covering the steps for the older boards such as the Uno. There is a separate post in the works for the YUN. I will also be assuming you are using a Linux like environment (Ubuntu, Mac terminal window, Cygwin etc.)

To start with you will need to open up the Arduino IDE sketch pad, if you haven’t download it already you can find it at:

http://arduino.cc/en/Main/Software

Note, that depending on your Arduino model (e.g. Uno versus YUN) there are different versions of the IDE.

Once you have the IDE installed, you can find the Firmata software under:

File -> Examples -> Firmata -> StandardFirmata

Next connect your board up to your computers USB port and upload the sketch.

Once uploaded you can then move onto the testing out BreakfastSerial.

Installing BreakfastSerial

Open a terminal window on your machine and using pip grab the latest version of BreakfastSerial from PyPi
pip install BreakfastSerial
I tend to work in a virtual environment when using Python. If you wish to do the same, you can create a virtual environment as follows
virtualenv --system-site-packages Ardunio
This will create a new directory called Arduino with a Python virtual environment in. From within this, you can activate it using
./bin/activate

If you don’t have virtualenv on your machine you can grab it using pip:

pip install virtualenv

Next we can create a test project using Python. Before we do this though, take an LED and attach it to digital Pin 13 and Ground on your Arduino – yes you guessed it we are going to make the LED blink.

Once you have your hardware hooked up, create a new Python file called blink.py for example:

vim blink.py

Inside this file we are going to add the following code:
from BreakfastSerial import Arduino, Led
Here we are importing Arduino and Led from the BreakfastSerial library.

Next let’s add the following code:
board = Arduino()
pin = 13
led = Led(board, pin)

This sets up a variable board with an instantiation of Arduino and a
pin variable set to 13 (where you attached your LED). Finally the
led variable is declared with a copy of Led(), which we pass board
and pin to as arguments.

Once you have added the above, we can include the final piece of code that creates the blinking action:
led.blink(200)
the above is pretty self explanatory. The led is switched on, we wait two seconds and then it is switch off.

Save the file and exit.

We can now test our application. From the command line run:

python blink.py

You should now see your LED blink.

And that’s all there is too it really.

There are a host of examples you can try located on the BreakfastSerial site:

https://github.com/theycallmeswift/BreakfastSerial/tree/master/examples

have fun!

 

Site re-design

Just a quick update.

Things are been quiet on the blog posting front as I am working on a re-design of the blog layout and theme.

The site has grown and the topics are starting to reach beyond just heating systems. Therefore the blog name will be changing to Internet Of Things @ Home.

You will still be able to reach the site through the old URL and Intelligent Heating will form a subsection of the new larger site.

We also have a new URL to match the new name iothome.org which will come online soon!

Keep your eyes peeled for the update soon.

Quick update

Just a quick update:

Open home automation book

Marco from Open Home Automation net has sent me a copy of his new book to review. You can check his book out here:

http://openhomeautomation.net/home-automation-arduino/

Hadoop on the Raspberry Pi

I’ve set up a multi-node implementation of Hadoop using Raspberry Pi’s. More on this in coming posts.

Arduino YÚN

Arduino are releasing an exciting new board soon check it out on their website:

http://arduino.cc/en/Main/ArduinoYUN