Inexpensive Budget Switch: TP Link TL-SG108E HW Rev. 3.0 With VLANS & pfsense Review

Captions
In my YouTube comments someone had mentioned that TP-Link, maker of network equipment, made an inexpensive managed switch, and I thought, you know, I'll give it a try. So I just, you know, threw it in the Amazon cart, got it here, and said I'm curious about this. Now, if you're not familiar with TP-Link, they make a lot of, we'll call it, lesser-priced network equipment, but I've used it in the past and I've actually never had a problem with their equipment. Their switches have generally worked really well, but I've never tried any of their managed switches, so I thought, you know, why not order one.

Now this box, if you can't notice, is super shiny, and I'm carefully touching it because I didn't want fingerprints on it. We even made a joke that we would only touch it wearing gloves. Not sure why we have these, what look like mime gloves, here, but this switch has got such a shiny box, I'll put the gloves on real quick to touch it. It's just super reflective, and I don't know, I mean 10 out of 10 on super shiny box. But of course that's not what really matters; you really want to know, does it work well? Well, I haven't opened it yet. I think we took the outer plastic off and I managed to fingerprint it up, so let's open it up and see what's inside, and then we'll get to the software testing, that's, you know, the real part. But box-wise, 10 out of 10, definitely cool. I mean, I don't know why I say boxes; I rarely keep them unless I plan to resell things. So, uh, yeah, we can take the gloves off now. That was my, yeah, the super shiny and pretty box.

So this actually, say, kind of... have you got an instruction manual, one of those mini CDs? Hopefully I don't need that to install anything. The 5/8 port Gigabit Smart Switch: I'm assuming that's the manual for either the five or the eight; it comes in a couple varieties. The switch itself is a nice metal; it looks like it's got a Kensington lock and a mount over here, so we got that going for it. What else is in the box here? Now I do know they make a PoE version of this as well, so that's an option. So I like the fact that we have on the back here the screw hole mounts to mount it like on a flush mount, and we also have the screws here. I'm sorry, that's the screws, the feet here, so when you put it on the bottom it doesn't slide around, so you got some sticky feet. A little basic power adapter. Wow, that power brick is small, that is really tiny, but I guess it doesn't take a lot. It must be super efficient; this is only 9 volt at 0.6 amps. So yeah, wow, it doesn't take much to run it. That is an intriguingly small adapter for this.

But obviously let's take a look inside and see how it looks inside, and then we'll actually get to the software part. So only two screws here on the bottom and then it just slides apart. Here, you can't get much more basic on the inside: just a couple chips, a heatsink, it's completely passively cooled, not a lot in here, a little reset switch. So the reset switch is pretty easy to access right there, a nice little quick switch to master reset this. But yeah, not much inside. See, is that glued down good? Yeah, there's no wiggle on this, so they used glue; they didn't use just like a sticky pad that might fall off later. This seems really glued well to the board here. But yeah, not many circuits on here, so I like the simple design. So we can move on from that and actually get into the software. Does it route, does it actually manage the VLANs properly?

So now that I have the switch hooked up, I updated the firmware on it. The default IP address for this is 192.168.0.1. I have logged in and changed that; I think that's kind of a dumb IP address. It should be something, I don't know, let's say .20 at the end. The reason I say that is a lot of your networking, and I think some of the networking devices from TP-Link, come at a default IP address of 192.168.0.1, like your routing devices, so it would immediately conflict. So before plugging anything else into this, I plugged my laptop up, I set it static, because this doesn't assign any addresses, it does not have a DHCP server, and nor really should it, and set my IP to be in the same range, and changed the IP address. This is currently set to 192.168.1.2 and my pfSense box over here is 192.168.1.1.

And we're gonna walk through first the physical layer, how we got this set up, and I'll walk you through the software a little bit here. I have on the first port here the purple cable that goes into igb1 on the pfSense, so that is my LAN port and it's coming into port 1 on here, and it's going to matter because this is going to have VLANs coming over it. So that's really what we want to do, is test the VLANs. So this is kind of like a trunk port, which means all the trunks come in here; all the VLANs are gonna come in here no matter which ones we create. We're gonna create one for this demo so you get an idea of how the switch works and that it works, and we're going to talk about little issues with the switch. Port 2 is my laptop, and that is plugged in right now to the second port, right on my laptop. Now my laptop's going to get an IP address assignment based on port 2 being tied to the main LAN. We're going to leave ports 7 and 8 open at the moment, but we're going to move my laptop over there and I'll show you how to do an untagged port. Now we have another tagged port right here, which is port 4, and we have a UniFi plugged in there, because the goal is going to be to get the UniFi to pick up the two VLAN tags for both LAN and the second one, we call it crap LAN, and that's going to pull over to there. So we're gonna go through, this is the physical layer: we have only one cable coming out of the pfSense box, one physical cable going into port 1, and then we'll split out everything else to where it needs to go using VLANs and tagging on here. And we'll try to hop the VLAN too; that's part of the demo here, that is something the switch shouldn't let you do, and that's an important aspect and something we're going to talk about.

OK, we're going to start at the pfSense side so you can see what is feeding into this switch. So right here we have the VLANs, we have the VLAN IDs. Edit it real quick: I've covered other videos on how to do the VLANs in pfSense. So igb1, we have, tied to the LAN, a VLAN tag of 30, VLAN 30 for craptastic devices. Interfaces, Assignments: there's our LAN30, which is the craptastic VLAN for devices, once again, like I said, tied to igb1, the same as the LAN. It has an assignment of 192.168.30.1, and we're gonna go to Services, DHCP Server: so our LAN being the 192.168.1.1 and LAN30 is 192.168.30.1, and both of these are being pushed out of that purple cable and into the TP-Link. So that's all the configuration we really need to do on the pfSense side to have two separate LANs. And just so you know, in terms of the firewall rules, I do have the LAN and LAN30 allowed to talk to each other, so I have not set up a restriction between them; that's just for the demo of this, because I also want to show you that the VLAN tags come through and it assigns the proper DHCP ranges for them.

So we're gonna go over here into our switch. Now, this is the assignment I said, out of the box 192.168.0.1, and we changed it to 1.2. This is the TL-SG108E; it's got the hardware revision of 3.0 and the firmware is 2017-12-14. This is the latest firmware, and it's weird because it starts 2017; when you go to the website it says it was released in January of 2018. Maybe it was a release date, maybe it was just a weird numbering scheme they have, I don't know, but I did update it to the latest firmware. IP settings are pretty straightforward; it does support DHCP, but you may or may not want to do that, so here I have the IP address set, pretty straightforward there. User account: by default it's admin and admin, but you can change both the username and password, which is great. Because you may have noticed, the connection is not secure; that's because this doesn't support HTTPS. I found that to be interesting; it doesn't, for whatever reason, even have an option to switch to it, so definitely a concern there. Backup, restore, system reboot, save config on reboot.

And let's talk about how this switch works. Now this is common with a lot of your commercial switches: anything you change will apply, but may not apply on restart. There is a running config and the config on restart, and what that means is any time you make changes you want to go over here to save config. "Are you sure you want to save it?" Yes. "Config successfully saved." So even though you may change all these, they are running now, but if you lose power to this without having clicked that save, this system will lose those settings. And this has caused confusion before with some switches; I've run into this for people who I thought I had set up great, and had a power outage, and it all went wrong: "what did I do?" And I'm like, well, you probably didn't save the running config you had configured to work right. This also will save you from oopses: if you accidentally are plugged into a port and you tagged that port wrong so you can't access it anymore, then unpower it and power it back in, and as long as you didn't save that setting, it'll just reboot and have the last known working config. So save often; as you're doing things, and once you verify that thing you're doing is working, go ahead and save.

Switching, Port Settings: we'll go through this real quick. It does have options for status, duplex and flow control, so you can force things to certain settings on here, so config, actual, config, actual for the flow control. Supports IGMP snooping; if you know what it is, go ahead and read about it. I didn't want to test this because of time. But it does support LAG, which is cool, so it'll create up to two LAG groups. So that's link aggregation for ports; that's kind of novel, and what this will allow you to do (I'm not gonna actually apply it): you can aggregate ports together and, as long as you have something, and we're going to talk, like say FreeNAS does it, to be an example, that supports it, and actually so does pfSense, you can tie the ports together to act as one, almost like one physical port. And it's a good, it's a bandwidth enhancement. So I can only get a gigabit if I have a gigabit card, but if it has two ports on there I can take both of those gigabit ones, plug it into the LAG interface, lag them together, and now we have a two gigabit connection. And then if I have another computer whose ports LAG, I can tie that together and it has a two gig connection, or four gig if you have four ports enabled, and so on and so forth. So that is a supported feature in here, which is pretty cool; like I said, I didn't test it but I'm sure it works.

Monitoring, Port Statistics: so if there's bad packets transmitted, received, good packet, bad packet, so if there's any problems it does let you know. And it has a couple bad packets under receive because I was doing some testing with it. Port Mirroring: this is a popular feature if you want to just listen on a port, and what a port mirror is, is you take one port and you just say replicate all the data that goes to this port to this other port. Sometimes that's used when you're doing, like, monitoring, while you're using a tool like Wireshark to do packet sniffing and things like that; you want a mirror port so the same data comes over here, and maybe you want it for logging purposes and things like that.

Now this is weird, this I thought was an odd feature: this is Cable Test, and it doesn't just support cable testing, it supports, you know... I don't like moving things, so let me show you real quick. I took a screenshot of when I plugged in a hundred foot cable, well a 31 meter cable, thirty point five meters to be exact; it just rounds up the decimals. If you have an open-ended cable and you plug it in, it'll tell you the length of the cable. Odd feature, I think, for being inside of a switch. The fact that it has that... it seems to not understand the cable length if it's plugged in, though, so it only works when the cable is open-ended. So if you plug an open-ended cable in it will display the length of that cable. I didn't test exactly how accurate it is, but it measured my hundred foot one quite well; it measured it to be the hundred foot, or thirty point five meters for the rest of us who aren't inside the US. So that is an interesting feature that it does support, so you can see that, and it's showing right now cable fault distance of one and zero, so it'll let you know which ports are open, which ports are normal, as in in use. So, kind of novel.

Loop Prevention, and it's off by default. But loop prevention is spanning tree protocol, but they've just called it loop, and if you're not familiar with that, that means don't plug a loop into a network; look up spanning tree protocol. And now here's the VLANs. Now it supports a couple things: there's the MTU VLAN, which I'm not as familiar with; it creates its own VLANs. If you use port-based VLAN, you can just say segment these ports and these ports, so you can kind of divide it into a couple logical switches. It's got that, so if you don't have a managed... or a router like pfSense that supports VLANs, you can just create your own network segments with it, which is kind of neat. We're gonna use 802.1Q VLANs on here and show you how that works.

Last couple features it does: bandwidth control, so you can individually set the ingress and egress rates of each port, and it does support storm control as well, so kind of neat that it has that. And some real basic QoS; I didn't really test any of this, I don't know how great the QoS is going to be, but you can set some priorities in this, so neat that it has it.

So let's focus, though, because this is what a lot of people ask, is, you know, what's an inexpensive router for doing VLANs, and let's show how this works. This is a little bit weird I found to set up. So we have here VLAN ID 1; once you enable 802.1Q VLAN, enable it, it creates this one here and you can't do anything with it. VLAN tag 1 is the default VLAN on here; I've seen some people complaining about this. By the way, each one of these, if we switch over to like an MTU VLAN or a port-based VLAN, it disables the other options, so MTU, each one of these is exclusive, and port-based VLAN or 802.1Q VLAN, each one are exclusive and disable the others when you turn them on.

So if we go here to 1, and this is what I said about being a little weird, it's not as intuitive: we put the 1 here and it fills in, and you can now start messing with all the ports and changing things. So we're gonna leave the port 1 at default and we're going to put 30 here. Now when I type it in it pulls over what we had, so this is how this works, and like I said, this is maybe a little confusing. The tagged ports mean allow all the VLAN traffic to come through. So port 1 is plugged into our pfSense and that's where the VLAN traffic comes from, so we have to tag that port for 30 to work. We have port 2 and port 3; they're ignoring anything VLAN 30. I just, just for testing purposes I did that, you can change it. Port 4 is where we have the UniFi plugged in, so we want that to pull the tags and bring them over to here and send them out. Then we have port 7 and 8; now what we're gonna do with 7 and 8 is we want them part of the members, so it is a member, but it's an untagged member. What that means is we strip off the VLAN tag and forward over, so if I plug in my laptop, and we'll do this in the demo here, to port 7 or 8 untagged, my laptop will get an IP address, because it's going to come in here, it's going to have the tag of 30, and it's gonna get an IP address from port 7 or 8 of the 192.168.30 network, versus when I plug it in here, because everything else is a member of this network, the other ports will get that.

Now there's one more step to being able to do that, and also if you want to create a new port, let's say if we had another VLAN, you actually just type it in and hit Add and it shows up down here; kind of weird how that works. But to make the ports work you have to go over here then and assign a PVID setting. Now this is a port VLAN ID, and what we're doing here: these ports all have the default of 1, but we took ports 7 and 8 and assigned them 30, and with that, that is the final follow-through, so ports 7 and 8 will get a .30 address. So it's kind of weird, because I think this could be done in one menu but they've chosen to do it in two. So we're gonna go here, we put in 30; we have an untagged port up here because we want the tags removed, because we want physical devices plugged into those LAN ports, versus when you have a tagged one here, that's because we want both VLANs, the main VLAN, the main LAN, and then the VLAN 30, to be forwarded to the UniFi. So we have to have this one tagged, but these are the untagged ones, because if these are tagged that means they could switch back and forth to either. So you only want to plug in devices that are smart enough to delegate VLANs where they're supposed to go on a tagged port, and an untagged port is for dumb devices that are just going to get an IP address based on the VLAN tag. So there's our setup: port 7 at 30, port 8 at 30, so they're going to pull the 192.168.30 network. So pretty straightforward.

I have tested the UniFi; we'll pull that up real quick here just to show you the UniFi settings. So here's that UniFi plugged in; it's at 192.168.1.102. We're gonna go over here to Settings, Wireless Networks, here's our crap Wi-Fi, VLAN 30, and I've covered this before in other videos: you just create it, pull that same VLAN, and now the tagged port brings over all the VLANs. And I've tested this; it works perfectly fine, so if I connect to the crap Wi-Fi it gets that.

But this is where I found kind of a flaw in the switch. So we're gonna take my laptop and open up Terminal. So here's my adapter that's plugged into the network, and right here is my 192.168.1.100. Like I said, this is plugged into port 2 on this, so if we look at what port 2 is set at, port 2 carries all the traffic and gives me the 192.168.1. And then we're gonna go switch over to port 8 here, which should change my IP address to match the .30 network. And now we look and I've got a 30.100 address, so it does work. But that's only part of it; let's talk about VLAN hopping real quick. So the question is, and I'm not gonna do a full-blown attack, there's lots of different attacks you can read about, for brevity here we're just gonna show that normally I should not be able to get back to the other VLAN without a firewall rule that allows me to do so. And I do have a firewall rule enabled that does allow me to get back to the pfSense box, but I shouldn't be able to hop this VLAN to a different IP address. So by default I have, via DHCP, 192.168.30.100 from being plugged in there, but let's go ahead and change my static IP address settings. Now what I'm doing here is assigning my system 192.168.1.9, leaving it plugged into port 8, which is the .30 network. Now a smart switch should protect me from doing this, and let's check it out here. So I am at 192.168.1.9; I have forced my way onto the network, and this is what an attack vector is, to try different IP blocks. And then I'm gonna try and ping 192.168.1.1, so this will be going into port 8, out through port 1 where that's located, and I can't ping it. So good, I'm not jumping out of the VLAN. Now, like I said, I didn't try all kinds of different attack vectors; I'm not gonna think that this switch is gonna really hold up to any real scrutiny here. But I will point out this: I can ping the management interface, and I should not be able to do that. So it would appear, the management interface, I can only speculate without having a design spec of this, that the management interface is simply tied to the backplane as a virtual extra port on this and doesn't look through the VLAN rules before allowing me to get to it. So by simply forcing my computer to be the same address as whatever the management address range is, by putting myself in that same network, I'm able to get to it, and I can prove that here. So it does recognize me as a different IP address; it doesn't make me log in again, but I'm in. So that's kind of interesting to me, and I pointed this out to a security friend and he asked, well, how are you gonna threat mitigate this? I'm like, I'm gonna tell people not to put 30 to 39 dollar switches in their corporate network.

But if you want to get a switch that's affordable and will get VLANs started, or be able to do LAG and port mirroring, and especially if you're into digging into how networks work, it's a great thing to start playing with. I wish it had an SSH where I can get in behind the scenes and really start playing with it; I didn't find anything open. If I find anything later I'll update this, but so far I didn't find... I didn't spend a whole lot of time trying to hack it; maybe there's someone out there who did. If I do find that, I will do a follow-up video on it. But I would say this is not bad for the price if you're a home user and you want to start understanding how VLANs work and start experimenting with networks. Like I said, I'd recommend it; I would definitely think it's a great place to start. If you plan to use it for your own little storage network and use some LAG interfaces on there, I may do some testing with that later; I just don't have anything handy that I can take apart to do that with at the moment, but I'm sure it would be good for that as well. So like I said, maybe you want to do a failover, you need that kind of management and set the LAG on there; might be fun, it's a fun thing to play with. The price is very reasonable on this, but the security less so. If you have a good password on it, it probably still could be brute-forced, and like I said, it doesn't support any HTTPS; it's port 80, HTTP only, to get to it, so they don't even have a self-signed certificate in this thing. But hopefully this was helpful, and like I said, I don't think it's bad for the price, but it's certainly not an advanced piece of networking equipment, and certainly don't install this in your corporate network; it will probably cause some headache at some point down the road.

All right, thanks for watching. If you like this video go ahead and click the thumbs up, leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing feedback, or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and subscribe and hit the bell icon; that lets YouTube know that you're interested in notifications, hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, go ahead and hit LawrenceSystems.com and you can reach out to us for all the projects that we can do and help you with. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel other ways, we have a Patreon, we have affiliate links, you'll find them in the description; you'll also find recommendations to other affiliate links and things you can sign up for on LawrenceSystems.com. Once again, thanks for watching and I'll see you in the next video.
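Added example, not from the video or from TP-Link: a small Python model of the 802.1Q configuration walked through above (trunk on port 1, UniFi AP on port 4, untagged VLAN 30 with PVID 30 on ports 7 and 8), to make the ingress-classification and egress-stripping rules that the video calls "a little confusing" concrete, and to contrast a VLAN-aware management plane with the backplane behaviour the author speculates about. Removing ports 7 and 8 from VLAN 1 and the `vlan_aware` switch are assumptions of this model, not something the video shows.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

TAGGED, UNTAGGED = "tagged", "untagged"

@dataclass
class Frame:
    vid: Optional[int]      # None = no 802.1Q tag on the wire
    payload: str = ""

@dataclass
class Port:
    pvid: int = 1           # VLAN assigned to untagged ingress frames
    # vid -> TAGGED / UNTAGGED membership; factory default is VLAN 1 untagged
    members: Dict[int, str] = field(default_factory=lambda: {1: UNTAGGED})

def classify(port: Port, frame: Frame) -> Optional[int]:
    """Ingress: an untagged frame takes the port's PVID; a frame whose VLAN
    the port is not a member of is dropped (None)."""
    vid = frame.vid if frame.vid is not None else port.pvid
    return vid if vid in port.members else None

def egress(port: Port, vid: int, payload: str) -> Optional[Frame]:
    """Egress: only member ports receive the frame; untagged members have the
    tag stripped (for 'dumb' devices), tagged members keep it (trunk, AP)."""
    if vid not in port.members:
        return None
    return Frame(vid if port.members[vid] == TAGGED else None, payload)

def forward(switch: Dict[int, Port], in_port: int, frame: Frame) -> Dict[int, Frame]:
    """Flood a frame from in_port to every other eligible port.  No MAC
    learning: flooding is enough to reason about VLAN boundaries."""
    vid = classify(switch[in_port], frame)
    if vid is None:
        return {}
    out = {}
    for num, port in switch.items():
        if num != in_port:
            f = egress(port, vid, frame.payload)
            if f is not None:
                out[num] = f
    return out

def build_switch() -> Dict[int, Port]:
    """The video's configuration: trunk on 1, UniFi AP on 4, access ports 7/8.
    Assumption: 7 and 8 were also taken out of VLAN 1 (the video does not show
    VLAN 1's member list); leaving them in would leak VLAN 1 traffic to them."""
    sw = {n: Port() for n in range(1, 9)}
    sw[1].members[30] = TAGGED        # purple cable to pfSense igb1
    sw[4].members[30] = TAGGED        # AP carries LAN and VLAN 30 (crap LAN)
    for n in (7, 8):
        sw[n].members = {30: UNTAGGED}
        sw[n].pvid = 30
    return sw

def reachable_ports(switch, in_port, tagged_vid=None):
    """Ports a frame injected on in_port can reach (tagged_vid=None: untagged)."""
    return sorted(forward(switch, in_port, Frame(tagged_vid)))

def management_reachable(switch, in_port, mgmt_vid=1, vlan_aware=True):
    """Can a host on in_port reach the switch's own management IP?
    vlan_aware=True: reachable only from the management VLAN, as it should be.
    vlan_aware=False: the author's speculation that the management interface
    hangs off the backplane and ignores the VLAN rules (an assumption here)."""
    if not vlan_aware:
        return True
    return classify(switch[in_port], Frame(None)) == mgmt_vid

if __name__ == "__main__":
    sw = build_switch()
    # laptop on port 8: untagged in, tagged 30 out the trunk, never to port 2
    print(forward(sw, 8, Frame(None, "dhcp discover")))
    print(reachable_ports(sw, 8), reachable_ports(sw, 2))
    print(management_reachable(sw, 8), management_reachable(sw, 8, vlan_aware=False))
```

A host on port 8 that gives itself a 192.168.1.x address still only produces frames classified into VLAN 30, which is why the ping to 192.168.1.1 in the demo never crosses to a VLAN 1 port; the management plane is the one place where that boundary is not applied.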
Info
Channel: Lawrence Systems
Views: 309,600
Rating: 4.8555665 out of 5
Keywords: virtual lan (invention), virtual networks, easy smart switch, pfsense, vlans, cheap vlan, router, netgear, vlan, switch, server, inexpensive vlan, networking, unifi, vlans pfsense
Id: 5ohLAFHnOHg
Length: 24min 23sec (1463 seconds)
Published: Tue May 22 2018