Network Segmentation
In a typical home or small business network, all devices can freely see and communicate with one another. However, not all devices are the same. With network segmentation, you can easily split your devices among different subnetworks to meet your performance and protection needs.
For example, you can use network segmentation to:
- Create a network just for kids or employees.
- Create a network for VPN work-from-home access.
- Isolate IoT devices into their own network.
Please note that this feature is only supported on Firewalla Gold products and Purple products.
Port-Based Segmentation
One way to segment your network is through port-based segmentation, which involves physically connecting a device, switch, or access point to the Ethernet ports on your Firewalla.
First, you'll need to set up a subnetwork on your Firewalla app. Go to your Firewalla box's main page, navigate to the Network Manager, tap Create Network, then tap Local Network. Give your new network a name, leave the type as LAN, select the port you intend to use, and set the IP range to be different from the primary network.
After your subnetwork is set up on the Firewalla app, you can start to wire your device(s). If you want to connect a single Ethernet device to your new network segment, your setup will look something like this:
If you want to connect a group of Ethernet devices to your new segment, you will need to use a switch. Your setup will look something like this:
And if you want to connect a group of Wi-Fi devices to your new subnetwork, you will need to use an access point. Your setup will look something like this:
VLAN-Based Segmentation
While port-based segmentation is limited by the number of physical Ethernet ports you have, VLANs (Virtual Local Area Networks) are another approach that lets you create network segments beyond your physical ports. Firewalla Gold does not have a limit on VLANs, but Purple is limited to 5.
Like port-based segmentation, you'll first need to set up your new VLAN on your Firewalla app. Navigate to your Network Manager, tap Create Network, and then tap Local Network. Give your new network a name, set its type as VLAN, set a VLAN ID, choose the LAN port, and then set the IP range. You should see your main LAN alongside your new VLAN(s) on your Network Manager page.
If you want to connect Ethernet devices to your new VLAN(s), you will need to use a managed switch. Follow your managed switch's instructions to create the VLANs on the switch. Your setup will look something like this:
If you want to connect Wi-Fi devices to your new VLAN(s), you will need to use an access point that supports VLANs. Follow your AP's instructions to create the VLANs on the AP. Your setup will look something like this:
What Can I Do After Segmenting My Network?
After your network is segmented, you can now apply rules and policies to each of your subnetworks. Subnetworks can fully see and talk to each other by default, so you may find it useful to restrict what parts of the local network they have access to by setting Block rules for traffic on other local networks.
You can also:
- Use the Smart Queue feature to prioritize traffic on certain segments.
- Use the route feature to specify how traffic moves over each segment.
Learn more about what you can do in our article on Creating a Better Network.
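The two things the article asks you to get right are the network definitions (a VLAN ID and an IP range that differs from every other segment) and the Block rules between local networks, since subnetworks can talk to each other by default. The script below is an added example, not Firewalla's code or app logic: it checks a segmentation plan for the mistakes the setup steps warn about (duplicate or out-of-range VLAN IDs, overlapping IP ranges, exceeding a per-box VLAN cap such as Purple's 5) and then answers "can this host reach that host?" under the default-allow behaviour plus explicit Block rules. The segment names, IP ranges and rules are constructed sample data; the rule model (one-directional unless marked both ways, intra-segment traffic always allowed, return traffic of an allowed connection not modelled) is an assumption about how to describe intent, not a description of Firewalla's rule engine.

```python
# Added example (not Firewalla's code): a checker for a segmentation plan.
# Validates VLAN IDs and IP ranges as the article tells you to set them up, then
# evaluates inter-segment reachability under default-allow plus Block rules.
# All names, ranges and rules below are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str                      # e.g. "192.168.10.0/24"
    vlan_id: Optional[int] = None  # None = untagged, port-based LAN


@dataclass(frozen=True)
class BlockRule:
    src: str                 # traffic originating in this segment is blocked ...
    dst: str                 # ... when destined for this segment
    both_ways: bool = False  # also block dst -> src


def validate_segments(segments, max_vlans=None):
    """Return a list of problem strings; an empty list means the plan is usable.
    max_vlans models a per-box VLAN cap (the article gives 5 for Purple)."""
    problems = []
    nets = []
    seen_vlan = {}
    for seg in segments:
        try:
            net = ipaddress.ip_network(seg.cidr, strict=True)
        except ValueError as exc:  # host bits set, bad prefix length, etc.
            problems.append(f"{seg.name}: invalid range {seg.cidr!r} ({exc})")
            continue
        nets.append((seg.name, net))
        if seg.vlan_id is not None:
            if not 1 <= seg.vlan_id <= 4094:  # usable 802.1Q tag range
                problems.append(f"{seg.name}: VLAN ID {seg.vlan_id} out of range 1-4094")
            elif seg.vlan_id in seen_vlan:
                problems.append(f"{seg.name}: VLAN ID {seg.vlan_id} already used by {seen_vlan[seg.vlan_id]}")
            else:
                seen_vlan[seg.vlan_id] = seg.name
    # Each segment needs its own IP range; overlapping ranges cannot be routed apart.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    if max_vlans is not None and len(seen_vlan) > max_vlans:
        problems.append(f"{len(seen_vlan)} VLANs defined, box supports at most {max_vlans}")
    return problems


def segment_of(segments, ip):
    """Return the segment whose range contains ip, or None if it is not local."""
    addr = ipaddress.ip_address(ip)
    for seg in segments:
        if addr in ipaddress.ip_network(seg.cidr, strict=False):
            return seg
    return None


def is_allowed(segments, rules, src_ip, dst_ip):
    """Decide whether a new connection from src_ip to dst_ip is permitted.
    Same segment: always allowed (the traffic never crosses the firewall).
    Different segments: allowed unless a Block rule covers that direction."""
    src, dst = segment_of(segments, src_ip), segment_of(segments, dst_ip)
    if src is None or dst is None:
        raise ValueError("both addresses must belong to a defined segment")
    if src == dst:
        return True
    for rule in rules:
        if (rule.src, rule.dst) == (src.name, dst.name):
            return False
        if rule.both_ways and (rule.src, rule.dst) == (dst.name, src.name):
            return False
    return True  # default: subnetworks can fully see and talk to each other


# Constructed sample plan: an untagged main LAN plus two VLANs.
SEGMENTS = [
    Segment("main", "192.168.1.0/24"),
    Segment("iot", "192.168.10.0/24", vlan_id=10),
    Segment("guest", "192.168.20.0/24", vlan_id=20),
]
# Intent: main may reach IoT to manage it; IoT and guest may not reach main;
# guest and IoT are isolated from each other in both directions.
RULES = [
    BlockRule("iot", "main"),
    BlockRule("guest", "main"),
    BlockRule("guest", "iot", both_ways=True),
]

if __name__ == "__main__":
    print("plan problems:", validate_segments(SEGMENTS, max_vlans=5) or "none")
    for s, d in [("192.168.1.10", "192.168.10.5"), ("192.168.10.5", "192.168.1.10"),
                 ("192.168.20.7", "192.168.10.5"), ("192.168.10.5", "192.168.10.9")]:
        print(f"{s} -> {d}: {'allowed' if is_allowed(SEGMENTS, RULES, s, d) else 'blocked'}")
```

Run it as-is to see the sample plan pass validation and the four reachability checks print allowed/blocked; to check your own plan, replace SEGMENTS and RULES with the networks and Block rules you configured in the app and pass max_vlans=5 on a Purple. Because the default is allow, any pair of segments you have not written a rule for will come back "allowed", which is exactly the gap the article suggests closing with Block rules.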
Network Segmentation vs. Device Groups
While they may seem similar at a glance, Firewalla’s Device Group feature is fundamentally different from network segmentation. Device groups simply allow you to apply rules to incoming and outgoing traffic on a custom set of devices. On the other hand, network segmentation lets you completely isolate LAN traffic and control how subnetworks communicate with each other.
This is part of our Firewalla Weekly Newsletter. You can sign up here https://firewalla.com/weekly.