Onemix app across vlans
2023/12/26 at 8:26 pm #117828 Ash (Participant)
Hi,
At our church I have a corporate staff wifi vlan and a production wifi vlan.
I have a few users who normally connect to corporate wifi network and require onemix app when they play in the band. I have been getting them to switch to the production wifi. This works fine, but sometimes they forget to switch between wifi networks.
At present I have blocked intervlan routing between corporate and production vlans.
Is it possible for the onemix app to work between the corporate and production vlans?
If so, should I allow intervlan routing based on target IP of the mix rack?
And which ports should I also ensure are routed?
Thank you.
Ash
2023/12/27 at 12:59 pm #117847 Scott (Participant)
If you put an allow-all rule for the IP of the mixrack into your corporate VLAN’s firewall rules, it should be able to work. You could further limit this to only the protocols/ports needed by onemix, but you would need to find out what those are.
2023/12/27 at 1:46 pm #117848 Brian (Participant)
Obviously this is a “networking” question and the answer lies completely in the device (firewall/router or layer3 switch) that manages your VLAN setup.
As Scott mentioned, it could be as simple as creating an open “Allow All” rule to the Mixrack’s IP address, but I’m not sure that is the preferred way of handling it. I guess if you have a secure login for all “users” in the DLive system then it wouldn’t be so bad. But the problem with the open “Allow All” rule is that you are literally giving everyone access to the MixRack. 99.999% of the time, it is probably fine, but you can’t put it past some curious attendee who might think it “cool” to connect to the system.
The most secure way to handle it is to create a group (“alias” group) that includes the reserved/static IP addresses of all your musicians’ mobile devices. You can limit the “Allow All” rule to this particular group and therefore prevent any random attendee from being able to connect to the system.
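Brian's group-restricted rule next to the open rule it replaces, sketched as an nftables forward chain. This is an added example, not part of any post in the thread: the interface names, addresses and set name are constructed placeholders, and because the thread does not list the ports OneMix uses, the rule permits all protocols to the MixRack as Brian describes.

```nftables
# Constructed placeholders (assumptions, not values from the thread)
define CORP_IF = "vlan20"        # corporate staff wifi VLAN interface
define PROD_IF = "vlan30"        # production wifi VLAN interface
define MIXRACK = 10.30.0.10      # reserved/static address of the MixRack

table inet intervlan {
    # The "alias group": reserved addresses of the musicians' devices
    set onemix_devices {
        type ipv4_addr
        elements = { 10.20.0.51, 10.20.0.52, 10.20.0.53 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for flows that were allowed below
        ct state established,related accept

        # Open variant (any corporate client can reach the MixRack):
        #   iifname $CORP_IF oifname $PROD_IF ip daddr $MIXRACK accept

        # Restricted variant: only the listed devices, only to the MixRack
        iifname $CORP_IF oifname $PROD_IF ip saddr @onemix_devices ip daddr $MIXRACK accept

        # Everything else between the two VLANs stays blocked, logged for review
        iifname $CORP_IF oifname $PROD_IF log prefix "corp->prod drop: " drop
        iifname $PROD_IF oifname $CORP_IF log prefix "prod->corp drop: " drop
    }
}
```

Source-address matching only holds while those devices keep their reserved addresses, and the drop log shows which other flows are being refused.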
2023/12/28 at 10:00 am #117876 Ash (Participant)
Thank you Brian & Scott.
I’ll probably go with an allowed group of IP addresses for the iPads in the routing firewall rules.
I should have clarified that my query was more for any known issues from the DLive/onemix working across vlans.
Thanks
2024/01/21 at 3:18 pm #118640 Chris (Participant)
Security nerd here. More than likely, the reason it was set up this way was for security purposes. To prevent cross contamination between networks. Allowing a group of IPs to traverse those networks goes against the model. I’m sure that there are multiple protocols and potentially multicast protocols and ports that will need to be allowed. Anyone with access to those IPs will be allowed full access to BOTH networks. Hopefully all traffic on either network is solely traffic for employees and staff only but just know that if either network gets compromised, they both will. Just food for thought. Not looking for a debate as some could reply with, “what’s the big deal?”, but those folks have probably never fallen victim to an attack. Convenience is the enemy of security.
IMHO, switching networks is the best option.