Since switching to FTTP I've had some noticeable issues with data rate quality (latency, throughput), as I talked about in my previous blog post. A good network connection benefits from:
Bypassing various components has allowed me to zero in on the pile of networking gear at the core of my network as a potential contributor to lag spikes and the lack of consistent, high-quality data transfer. Removing this equipment has the potential to simplify the configuration, allow consistent packet delivery with minimal packet loss, and deliver a cost saving (more on that in a moment).
The USG is also end of life and something of a legacy product in the Unifi line. Having to disable many of the security features within the device to gain acceptable throughput, as I wrote about in my previous blog post, raises the question of why it is needed at all.
With that in mind, I decided to set about implementing a comprehensive 802.1Q-based network with 802.1P support, with the aim of removing a lot of the equipment in the chain between end devices and the Vodafone FTTP infrastructure. This has been on my to-do list for some time.
In the mix I have a Unifi Access Point, still in support, that I’m keen to retain solely for its ability to beam WiFi over a relatively large distance due to its design.
It’s fairly common in enterprise environments to use VLANs, and some organisations I’ve seen have very elaborate VLAN designs in their network infrastructure. They are the most common method of achieving network segmentation.
This image (Source: Cisco) shows a typical enterprise VLAN deployment.
In the above diagram, each floor in the building supports three VLANs, and these are applied by the three managed switches feeding into a single router.
The first benefit of using a VLAN is performance. By default a switched network is one flat broadcast domain: every broadcast (ARP, DHCP discovery, mDNS and the like) reaches every host. In larger networks this becomes a measurable cost, as each device can and usually does at some point talk to every other. A VLAN splits the network into smaller broadcast domains, so that chatter stays within the group that needs it, which leads to higher levels of performance.
The second benefit is a reasonable dose of security (though not perfect). The separate broadcast domains are a by-product of the primary property of VLANs: logical network segmentation. Each VLAN is treated as a separate logical network, and that governs how frames are forwarded: a switch only forwards a frame out of ports that are members of the frame's VLAN. There are limitations and known attacks against VLAN networks, such as double tagging, where a host on a trunk's native (untagged) VLAN sends a frame carrying two 802.1Q tags; the first switch strips the outer tag as native and the next hop honours the inner one, so the frame lands in a VLAN the host was never a member of. The usual mitigation is to give trunks a native VLAN that no host uses (or to carry the native VLAN tagged) and never to use VLAN 1 for anything. So the security benefit is not absolute, and for sensitive networks VLANs alone are insufficient; further measures are usually required (encryption, firewalls, separate routing instances/VRFs, and so on). The fundamental factor in effective VLAN security is, rather obviously, the correctness of the implementation, since every VLAN shares the same physical infrastructure.
By logically splitting up the network it becomes possible to apply access and security policies (controls) that target those segments. Sensitive data held in one VLAN is, to an extent, separated from the rest of the network and can only be reached under defined rules.
The other benefits of VLANs are cost reduction (they avoid the need for separate physical infrastructure) and ease of management. This is a boon for a home, as cable running is tiresome and in some cases hazardous. There are operational benefits too: you can, for instance, take a VLAN out of service in software fairly easily, where the only alternative would be physically disconnecting devices.
A side effect of eliminating a lot of infrastructure is that I can also remove the Vodafone router, which has a not insignificant power draw of around 14 watts. The quoted power draw of the USG is 40 watts, so eliminating both devices saves 55 watts or so. That is around 1.32 kWh or about 38 pence a day (£138 a year). The amortised hardware replacement cost is another saving, probably about £100 a year (£238 total). Using BEIS emission factors, 1.32 kWh a day equates to 0.273 kg of CO2e per day, just shy of 100 kg a year, or roughly the contents of fifty 2 kg CO2 fire extinguishers. This all counts these days.
The idea is to consolidate all of the VLAN functionality on a Draytek router, supplemented by a group of managed switches with 802.1Q support.
"Documentation is a love letter to yourself in the future", as the saying attributed to Damian Conway goes. A VLAN deployment requires effective documentation, particularly with Draytek's management model, where there are multiple dimensions to manage (LANs, VLAN tags, port membership, inter-LAN routing, firewall objects) that quickly grow in complexity even for a simple network.
A good VLAN plan is beneficial, containing for instance:
Plus:
Although simple, the above was a really useful exercise for keeping track of VLAN expansion and build-out.
If you're relying on VLANs for logical segmentation, human error (a port placed in the wrong VLAN, a trunk left carrying every VLAN) is the biggest risk factor leading to a security vulnerability, so documentation matters a lot.
The VLAN laydown I opted for was more or less along the following lines:
The first port of call is the Unifi Access Point. Fortunately, this device can emit 802.1Q-tagged frames, and the configuration changes are fairly easy: first define the new VLANs in the LAN definition section, then map each SSID to the corresponding VLAN. All straightforward. The AP presents the tagged frames on its uplink port, which therefore needs to be a port that carries those VLANs tagged.
The only tricky part is that I moved the Unifi Controller to its own dedicated VLAN, which breaks the Layer 2 discovery the Unifi AP and controller use to find each other for adoption, patching and configuration management. This required a manual "inform host" setting on the AP so it could reach the controller over IP. (A DHCP option 43 entry or a DNS record named unifi pointing at the controller achieves the same without a per-AP setting; either way the firewall has to permit the AP's VLAN to reach the controller VLAN on the inform port, TCP 8080 by default.)
The functionality in this product line is remarkable and Draytek offers an abundance of features, though the units are not cheap, and more advanced firewalls and routers from mainstream vendors can achieve a lot more. Deploying the VLAN design into the Draytek was fairly easy. The UI was not the easiest to navigate, but in all honesty I've yet to come across a networking product that has anything like an intuitive UX.
The first step is to enable support for additional LANs under LAN Setup. The addressing scheme can be changed for each of these, and it may need adjusting if there are pre-existing statically addressed devices. Generally I start DHCP leases at the mid-point of the range so the lower part can be used for static addresses.
Once the LANs are enabled, the VLAN configuration screen assigns each VLAN to the relevant ports, tagged or untagged. This is the key security decision, since port membership determines whether a port will pass traffic for that VLAN at all. Documentation is crucial here. As a general principle, a port should carry a single VLAN, untagged, only if the sole devices behind it belong to that group (e.g. an unmanaged switch of IoT devices), and it should carry multiple VLANs, tagged, only if an 802.1Q-capable managed switch, access point or router sits on the end of it. An untagged-plus-tagged mix is a trunk, and anything plugged into it that ignores tags lands in the untagged VLAN.
Whereas the Unifi equipment allows routing between VLANs by default (not that impressive), the Draytek blocks inter-VLAN routing by default to maintain segmentation of the network (much better).
To allow inter-VLAN routing a manual adjustment is needed: enable routing between the specific pair of LANs in the Draytek management interface. This has to be supplemented by firewall rules, because once routing is enabled between two segments all traffic between them flows unless rules say otherwise.
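Because the plan is what prevents the port-membership and routing mistakes described above, it is worth checking it mechanically before typing it into the router. The following is an added example written for this post, not the blog author's tooling and not anything DrayTek provides. It takes a VLAN plan (IDs, subnets, per-port untagged/tagged membership, whether an 802.1Q device sits behind each port, and a default-deny list of allowed inter-VLAN routes) and flags duplicate or reserved IDs, overlapping subnets, tagged VLANs on ports with no 802.1Q device, a trunk whose native VLAN is also an access VLAN (the double-tagging precondition mentioned earlier), and any route that touches a VLAN meant to be isolated. The sample plan, with its VLAN IDs, names, subnets, port names and routes, is entirely constructed and is not the author's actual layout.

```python
"""VLAN plan consistency checks (added illustration; not the blog's tooling nor a
DrayTek feature). The plan at the bottom is constructed; every ID, name, subnet,
port and route in it is an assumption."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str                      # CIDR of the VLAN's IP range


@dataclass(frozen=True)
class Port:
    name: str
    untagged: Optional[int] = None   # native VLAN, at most one per port
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag
    trunk_device: bool = False       # an 802.1Q-aware switch/AP/router is on the end


def check_plan(vlans: list[Vlan], ports: list[Port],
               allowed_routes: Iterable[tuple[int, int]],
               isolated: Iterable[int] = ()) -> list[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    by_vid: dict[int, Vlan] = {}

    # 1. IDs must be unique, and VLAN 1 is best avoided because it is the
    #    default native VLAN on most switches.
    for v in vlans:
        if v.vid == 1:
            problems.append(f"VLAN 1 ({v.name}): default native VLAN, choose another ID")
        if v.vid in by_vid:
            problems.append(f"VLAN {v.vid}: ID used twice ({by_vid[v.vid].name}, {v.name})")
        by_vid[v.vid] = v

    # 2. Subnets must be proper network addresses and must not overlap.
    nets = []
    for v in vlans:
        try:
            nets.append((v, ipaddress.ip_network(v.subnet, strict=True)))
        except ValueError as exc:
            problems.append(f"VLAN {v.vid} ({v.name}): bad subnet {v.subnet!r}: {exc}")
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"VLAN {va.vid} and VLAN {vb.vid}: {na} and {nb} overlap")

    # 3. Port membership. Access VLANs are the ones hosts connect to untagged.
    access_vlans = {p.untagged for p in ports if not p.trunk_device and p.untagged is not None}
    for p in ports:
        carried = set(p.tagged) | ({p.untagged} if p.untagged is not None else set())
        for vid in sorted(carried):
            if vid not in by_vid:
                problems.append(f"port {p.name}: references undefined VLAN {vid}")
        if p.tagged and not p.trunk_device:
            problems.append(f"port {p.name}: tagged VLANs {sorted(p.tagged)} but no 802.1Q device on the end")
        # A trunk whose native VLAN is also an access VLAN is the double-tagging
        # precondition: the first switch pops the native tag, the next hop honours the inner one.
        if p.trunk_device and p.untagged in access_vlans:
            problems.append(f"port {p.name}: native VLAN {p.untagged} is also an access VLAN "
                            "(double-tagging precondition); use an unused native VLAN")

    # 4. Inter-VLAN policy is default deny: only listed pairs are routed, and an
    #    isolated VLAN must appear in no pair at all.
    routes = list(allowed_routes)
    for vid in isolated:
        for src, dst in routes:
            if vid in (src, dst):
                problems.append(f"VLAN {vid} is meant to be isolated but route {src}->{dst} involves it")
    return problems


# Constructed plan in the spirit of the post; all values are assumptions.
VLANS = [
    Vlan(10, "management", "192.168.10.0/24"),
    Vlan(20, "gaming", "192.168.20.0/24"),
    Vlan(30, "iot", "192.168.30.0/24"),
    Vlan(40, "controller", "192.168.40.0/24"),
    Vlan(99, "trunk-native", "192.168.99.0/24"),   # parking VLAN, no hosts live here
]
PORTS = [
    Port("P1-ap", untagged=10, tagged=frozenset({20, 30}), trunk_device=True),
    Port("P2-switch", untagged=99, tagged=frozenset({10, 40}), trunk_device=True),
    Port("P3-iot-hub", untagged=30),     # unmanaged switch carrying IoT devices only
    Port("P4-console", untagged=20),
]
ROUTES = {(10, 40)}   # management may reach the controller VLAN (AP inform traffic)
ISOLATED = (30,)

if __name__ == "__main__":
    print("\n".join(check_plan(VLANS, PORTS, ROUTES, ISOLATED) or ["plan is consistent"]))
```

Run it after every change to the plan; an empty result is the only acceptable answer before the VLAN page on the router is touched. The plan is the documentation, and these checks cover the parts of that documentation a human tends to get wrong.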
On Quality of Service, I put in place some traffic prioritisation on specific networks to achieve the intended performance profile (particularly for the gaming network, and pushing IoT to the bottom). The data rate for the IoT network was heavily curtailed to 5kbps in both directions to guard against data exfiltration. I decided against an elaborate QoS setup, since an FTTP line is, more or less, overprovisioned relative to my usage, which makes QoS less critical.
The Draytek supports 802.1P frame prioritisation, which gives a basic level of QoS without IP header processing (it works at the Ethernet frame level, via the 3-bit PCP field in the 802.1Q tag). Notably, the Draytek prioritisation scheme is the reverse of 802.1P, with 0 being the highest priority. I also made use of the full range of priority values (8 in total) and put some thought into the boundary conditions in an attempt to cater for different queue implementations: the 802.1Q recommended mapping ranks PCP 1 (background) below PCP 0 (best effort), and switches with fewer than eight queues collapse adjacent values. I'm unsure whether that really matters, as the priority lives in the VLAN tag and so is lost the moment a frame leaves a tagged link, and it's unlikely Vodafone honour these after the ONT (FTTP modem).
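To make the 802.1P field and the double-tagging caveat from earlier concrete, here is an added example (mine, not code from the blog author or from DrayTek) that builds and parses 802.1Q-tagged Ethernet frames in Python. It encodes the Tag Control Information (3-bit PCP, 1-bit DEI, 12-bit VID), mirrors a Draytek UI priority level onto a PCP value on the assumption that the scale is exactly reversed as observed above, orders the eight levels by the IEEE 802.1Q recommended traffic classes (where PCP 1 ranks below PCP 0), and shows what happens to a double-tagged frame when a switch pops only the outer tag. The MAC addresses and payload are constructed.

```python
"""802.1Q tag encoding, the 802.1p PCP field and double tagging, modelled in Python.
Added example, not code from the blog or from DrayTek. The Draytek-to-PCP mapping
is an assumption based on the post's observation that the UI numbers 0 as highest."""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100   # EtherType announcing that a VLAN tag follows

# IEEE 802.1Q Annex I recommended traffic types, lowest to highest service:
# PCP 1 (background) sits *below* PCP 0 (best effort).
PCP_SERVICE_ORDER = [1, 0, 2, 3, 4, 5, 6, 7]
PCP_RANK = {pcp: rank for rank, pcp in enumerate(PCP_SERVICE_ORDER)}


def encode_tci(pcp: int, vid: int, dei: int = 0) -> int:
    """Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("pcp 0-7, dei 0/1, vid 0-4095")
    return (pcp << 13) | (dei << 12) | vid


def decode_tci(tci: int) -> tuple[int, int, int]:
    """Inverse of encode_tci: (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def draytek_to_pcp(level: int) -> int:
    """Assumed mirror of the UI scale (0 = highest) onto PCP (7 = highest)."""
    if not 0 <= level <= 7:
        raise ValueError("level 0-7")
    return 7 - level


def draytek_levels_in_service_order() -> list[int]:
    """UI levels ordered by how the standard 802.1Q class mapping would serve them.
    Levels 6 and 7 come out swapped because PCP 1 ranks below PCP 0."""
    return sorted(range(8), key=lambda lvl: -PCP_RANK[draytek_to_pcp(lvl)])


def build_frame(dst: bytes, src: bytes, payload: bytes,
                tags: list[tuple[int, int]], ethertype: int = 0x0800) -> bytes:
    """tags is a list of (pcp, vid), outermost first; two entries make a Q-in-Q frame."""
    hdr = dst + src
    for pcp, vid in tags:
        hdr += struct.pack("!HH", TPID_8021Q, encode_tci(pcp, vid))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [(pcp, dei, vid), ...], ethertype, payload)."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(decode_tci(struct.unpack("!H", frame[off + 2:off + 4])[0]))
        off += 4
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return dst, src, tags, struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does when it forwards a frame untagged because its VLAN is the
    link's native VLAN: pop the first tag only, inspecting nothing beyond it."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def double_tag_demo(native_vid: int = 99, target_vid: int = 30) -> list[int]:
    """A host on the trunk's native VLAN sends outer tag = native VID, inner = target.
    The first switch pops the native tag; the next hop sees only the target VLAN."""
    attacker = bytes.fromhex("020000000001")   # constructed locally administered MAC
    frame = build_frame(b"\xff" * 6, attacker, b"payload", [(0, native_vid), (0, target_vid)])
    after_first_hop = strip_outer_tag(frame)
    return [vid for _, _, vid in parse_frame(after_first_hop)[2]]


if __name__ == "__main__":
    print(hex(encode_tci(5, 20)), draytek_levels_in_service_order(), double_tag_demo())
```

The service-order function returns Draytek levels 6 and 7 swapped under the standard class mapping, which is the kind of boundary condition worth knowing about even if nothing beyond the ONT honours the tag. strip_outer_tag models the mechanism rather than any particular switch: some switches drop tagged frames arriving on access ports, and carrying the native VLAN tagged on a trunk removes the precondition entirely.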
I was able to leave the Draytek's hardware acceleration set to AUTO, but I did apply Draytek's recommendations on disabling other features to ensure it actually took effect.
Most of the network defence settings could remain enabled.
I defined IP Objects representing the specific LANs used in the VLAN configuration, which allowed me to apply traffic policies elsewhere in the Draytek configuration.
In the bandwidth limits section of the Draytek configuration, I set the default per-user limit to the line's maximum TX/RX speed, then used the IP Objects in the Limitation List to define specific TX/RX limits per VLAN.
Finally I did a spring clean of the Draytek's functionality to remove any unnecessary services, including the VPN server.
So how did it all turn out? Overhauling the network design and implementing it took about 15 hours. A fair bit of that went into ironing out performance issues, and the Draytek needed reconfiguration to reach an acceptable level of performance approaching the FTTP line speed.
There are a few 'gotchas' in the Draytek configuration that can drastically reduce network performance, including leaving functions such as real-time traffic monitoring enabled.
Performance via the Unifi AP is good: 450Mbps down and 110Mbps up for a modern smartphone, and the 802.1P QoS seems to work adequately.
Most of the Draytek range supports a relatively low number of LANs, 8 in the vast majority of cases. Even for a home network this used up the entire quota, which is a bit of a limitation for any SME application.
July 10, 2024