by dormando 1718 days ago
Did this earlier in the year with an rpi4 and a netgear managed switch. It can route 780mbit down/up (nftables)! Can probably get closer to 900mbit with some overclocking, and reduce latency slightly by pinning the rpi's clock but haven't really cared to.

The hard part was finding a cheap managed switch which does _not_ expose the management interface on every vlan. This is a specific product feature (wtf?) and often the only difference between two product lines.

Ended up with a netgear GS308T - the internet is full of rage at the device requiring you to log into netgear and register it, but I can confirm that I didn't have to do anything. I set it up with it connected directly to a laptop and have never signed up for a netgear account, though they may lock this down in the future. I was even able to upgrade the firmware. Would've preferred a model with ssh access but tp-link wasn't selling them at the time?

Wanted to be able to mix multiple ISPs together (but ended up only having one for now), which would've been 2+ USB NICs and not great for perf.

The other reason why I ended up here is because OpenWRT/etc support for wifi6 routers wasn't/isn't coming, and I want to be able to place my WAP in a different location than the router and main switch... so the WAP is a wifi6 thing running stock firmware but in "WAP mode" which turns everything off.

Anyway, works fine. Image your SD card when you're done configuring it. I need to go back and put it in read-only mode but haven't cared.


Indeed, the TL-SG105E/TL-SG108E is cheap because it's trash.

* The proprietary management interface listens to all VLANs no matter what.

* The VLAN separation is fake, multicast leaks freely across segments.

* The proprietary management protocol is obfuscated by a hard coded XOR string.

* Administrating the switch sends the admin password, "encrypted" only by the very same obfuscation.

* This most bizarre proprietary management protocol uses only broadcast for all communications, even though the switch has an IP assigned.

You do the math putting the above together... it's a mess bordering on genius, but there's more.

The switch will spew out various arcane, undocumented (and probably backdoor-providing) non-IP protocols, including some Realtek proprietary protocol (0x8899), something used for HomePlug (0x893a) and TIPC (0x88ca), which sounds like the last thing you'd want a device of this caliber to use while searching for more friends to talk to.

God knows what this monstrosity of a firmware hides and its reasons. It's just what I remember by heart, I have not had it powered up for some time. Still, this is just the surface and it's already a tire fire, it must be chock full of vulnerabilities, bugs and design flaws. It's the managed Ethernet switch which doesn't fulfill correct management nor implements actual Ethernet switching.

Great... I just re-did my whole network with these.
Any other models you'd recommend that are more sane?
I have no idea, for all I know this could be better than other cheap switches, though I really hope not. The quality of home networking equipment and IoT in general is extremely low.
Regarding the management interface being exposed on every interface: I think this might be true for the TP-LINK device I linked in my article.

However, in this particular setup/context, I think the risk of this is minimal, as the actual interface should be using a private-IP address on your home network.

Hope that works :) I have this set up to an AT&T fiber gateway trashcan in pass-thru mode, so technically the RPI's vlan port has a public IP address. Otherwise I couldn't get upnp/etc to work when I wanted to.

I also want to be able to set up a DMZ'ed VLAN to hook up an old NUC to host something like a valheim/minecraft/whatever server if I wanted. So having the VLAN be safe was a goal for me.

Frankly, the more I think about it, the more I fail to see an actual way to attack the management interface.

Because the interface listens on a private IP-address on your home network. And if you want to be able to talk to that IP-address, you need some device that you control (as an attacker) connected to the switch, and be able to add an IP-address in the same range as your home network and then attack the management interface?

The most likely scenario would indeed be the DMZ machine as a stepping-stone.

It's not really realistic, you're right. For my own goals it's "defense in depth" - just because I can't think of a scenario now doesn't mean it's impossible to do. Access also makes it easier to accidentally configure it in a way that is in fact easy to blow up.

From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.

So if, i.e., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPI doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.
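An nftables ruleset for the setup described in the first comment (a Pi with one NIC behind a VLAN-aware managed switch, routing between a WAN VLAN, a LAN, a DMZ for the game server and a management VLAN that only the Pi may touch), which also covers the spoofed-packet worry in the comment above. This is an added example, not dormando's configuration and not anything from the linked article; the interface names (`eth0.10` etc.), VLAN IDs, subnets, the DMZ host address and the forwarded UDP ports are all assumptions to be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): router-on-a-stick ruleset for a Pi
# whose single NIC carries four 802.1Q VLANs from the managed switch.
# Interface names, VLAN IDs, subnets, the DMZ host and the forwarded ports
# are assumptions; adjust them to your own layout.
flush ruleset

define wan  = "eth0.10"     # ISP gateway in pass-through mode; the public address lands here
define lan  = "eth0.20"     # trusted clients
define dmz  = "eth0.30"     # game-server box; must never reach LAN or management
define mgmt = "eth0.99"     # only the switch's management IP lives here

define lan_net    = 192.168.20.0/24
define dmz_net    = 192.168.30.0/24
define mgmt_net   = 192.168.99.0/24
define dmz_host   = 192.168.30.10     # assumed address of the DMZ server
define game_ports = { 2456-2457 }     # assumed UDP ports; adjust for the game

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept

        # Reverse-path check: drop any packet whose source address is not
        # routed via the interface it arrived on. A packet from the WAN (or
        # the DMZ) carrying a LAN or management-VLAN source dies here, so a
        # spoofed "reply" can never be steered at the management VLAN.
        fib saddr . iif oif missing drop
        # belt and braces: the private ranges are never valid sources on the WAN
        iifname $wan ip saddr { $lan_net, $dmz_net, $mgmt_net } drop

        ct state invalid drop
        ct state established,related accept

        # ICMP the Pi has to answer to keep path-MTU discovery and pings working
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # DHCP offers on the WAN may arrive as broadcast and never match conntrack
        iifname $wan udp sport 67 udp dport 68 accept

        # LAN may use every service the Pi runs; the DMZ only DNS and DHCP
        iifname $lan accept
        iifname $dmz udp dport { 53, 67 } accept
        iifname $dmz tcp dport 53 accept

        # The management VLAN never gets to open anything towards the Pi.
        # Sessions to the switch's web UI are started from the Pi itself
        # (e.g. over an ssh port-forward), so their replies already match
        # the established,related rule above.
        iifname $mgmt drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        fib saddr . iif oif missing drop
        ct state invalid drop
        ct state established,related accept

        # Nothing is ever routed into the management VLAN, from any side.
        oifname $mgmt drop

        iifname $lan oifname { $wan, $dmz } accept
        iifname $dmz oifname $wan accept
        # DMZ -> LAN is left to the drop policy on purpose

        # Only the DNAT'ed game ports may enter the DMZ from the internet
        iifname $wan oifname $dmz ip daddr $dmz_host udp dport $game_ports accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $wan udp dport $game_ports dnat to $dmz_host
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan masquerade
    }
}
```

Syntax-check with `nft -c -f /etc/nftables.conf` and apply with `nft -f`; the `eth0.N` VLAN sub-interfaces and `net.ipv4.ip_forward=1` have to be in place first. The `fib saddr . iif oif missing` rule is the nftables form of the kernel's reverse-path filter and is what answers the spoofed-ICMP scenario: a packet arriving on the WAN or DMZ interface with a 192.168.99.x source is dropped before any rule that could accept it. To see what the switch itself puts on the trunk, `tcpdump -e -nn -i eth0` shows the VLAN tag and EtherType of every frame, which is how claims like the ones above about 0x8899 or broadcast-only management traffic can be checked on your own hardware.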

The only way I could see is if there is a malicious device on the WAN side (as in, actually on the same network as the WAN interface) that is configured on the same subnet as the internal network and it communicates with the management interface over the WAN VLAN - but very unlikely (and it would probably have to be an untrustworthy ISP, which sounds like a problem in itself :) ).
AFAIK the TP-Link in your article only runs a DHCP client on VLAN 1 to get an IP address. It is not addressable on other VLANs.
I did this as well on a small laptop. I had trouble reaching gigE speeds (with cake qos). Took a bit of learning and careful configuration of the managed switch beforehand, otherwise it worked fine.
I cannot over-exaggerate how good the GS308T is for this... such good features for a low-cost, low-power, small 8-port device :) :) :)
fwiw when I bought it, it was on sale for ~$50 too. couldn't find a 2.5g switch that I liked in my price range, so went cheap as possible and will swap it when a 2.5g hits all my requirements :)