Network security question for someone who knows :-)

I’ll admit up front to being a little afraid about network security. This is based not on paranoia but on the old adage that a little knowledge is a dangerous thing.

I have a little knowledge.

So, I have a Unifi USG which has two LAN ports. The second one can be configured as a separate VLAN.

Am I right in thinking that with a single rule in the firewall prohibiting VLAN 1 from talking to VLAN 2 they would be as isolated from each other as is possible without an ‘air gap’?

I’m thinking that this second VLAN could be used for a single server that I could open to the internet and could host things such as a Jitsi server.

That way my concerns could be reduced, knowing that anything ‘important’ like my HA server is protected.

Or am I being naive here?

Yes. Although the firewall rule should probably point in both directions, depending on what connectivity you need. But in general a VLAN can be seen as a separate physical LAN even though it shares the same physical medium to transport the data.

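As an added illustration of the point about rule direction (example code, not from this thread or from Ubiquiti): a small model of a stateful, first-match firewall between two VLANs, using constructed subnets and host addresses. It assumes the router forwards between its LANs by default and that an "allow established/related" check runs ahead of the drop rules, which is how the one-way rule leaves the exposed VLAN free to initiate connections into the trusted one.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample subnets: VLAN 1 holds the trusted hosts (e.g. the HA
# server), VLAN 2 holds the internet-exposed server. Illustrative only.
VLAN1 = ip_network("192.168.1.0/24")
VLAN2 = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "accept" or "drop"


def new_connection_allowed(rules, src, dst):
    """First matching rule wins; with no match the packet falls through to
    the assumed default, which routes freely between the two LANs."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action == "accept"
    return True


def packet_allowed(rules, conntrack, src, dst):
    """Stateful check: a packet travelling the reverse of an already admitted
    flow is passed (the 'established/related' behaviour); anything else is a
    new connection, must pass the rules, and is recorded if admitted."""
    if (dst, src) in conntrack:
        return True
    if new_connection_allowed(rules, src, dst):
        conntrack.add((src, dst))
        return True
    return False


# The single rule from the question, and the two-direction version.
ONE_WAY = [Rule(VLAN1, VLAN2, "drop")]
BOTH_WAYS = ONE_WAY + [Rule(VLAN2, VLAN1, "drop")]
# Variant that still lets the trusted side manage the exposed server:
# only connections initiated from VLAN 2 are dropped; replies still flow.
MANAGE_FROM_TRUSTED = [Rule(VLAN2, VLAN1, "drop")]

if __name__ == "__main__":
    ha, exposed = "192.168.1.10", "192.168.2.10"
    print("one-way rule, exposed -> HA:", new_connection_allowed(ONE_WAY, exposed, ha))
    print("both-way rules, exposed -> HA:", new_connection_allowed(BOTH_WAYS, exposed, ha))
```

With only the one-way rule the exposed host can still open connections to the HA server; the second rule closes that, and the stateful variant shows why the reverse rule does not break replies to sessions the trusted side starts.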

The two LAN ports on the USG are routed, not switched. If you did want to pass traffic between them at a later date, the performance is not great.


Can I infer from this then that I don’t even need to use the second port? Any VLAN provides the same level of separation?

Yes. On Wikipedia they say:

…creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.
