Firewalla Tutorial: Network Segmentation Example with VLAN

Comments

21 comments

  • Rolando Nispiros

    I just picked up the TP-Link EAP225, which I am enjoying playing around with.  There is one feature I'd really like to use but for the life of me can't figure out.  When I enable VLANs in the EAP225 it locks me out of the admin interface and clients cannot connect to the device.  The only way for me to get back in is to do a factory reset.

    Setup - Step 1

    • The EAP225 is connected to my Firewalla Gold firewall port 2
    • In the Firewalla Gold I created a physical LAN on port 2, starting with IP 192.168.x.x.
    • In the EAP225 I created 3 SSIDs:
      • IOT Data in the 2.4GHz
      • IOT Media in the 5GHz
      • A hidden guest SSID in the 5GHz (using the wireless portal)
      • None of the SSIDs are using any advanced settings, radio, load balance, etc.

    VLAN - Step 2

    • In the EAP225 I tested using the following VLAN IDs (based on instructions from this article above)
      • IOT Data = VLAN ID 33 (only used for my IOT devices that only work on the 2.4GHz channel)
      • IOT Media = VLAN ID 44 (only used for IOT devices that can work on the 5GHz channel)
    • In the Firewalla Gold I configured VLANs also on port 2
      • VLAN 33 named IOT Data
      • VLAN 44 named IOT Media

    Testing - Step 3

    • When I hit save and try to test everything out I see the EAP225 is online, but refusing connections.

    Any advice?  Is there some sort of VLAN number convention I should be using instead of 33 or 44? I basically want to keep my IOT devices separated from my main LAN by using VLAN. In my Firewalla, I have a rule so that the EAP225 does not communicate with the main LAN, but if I could do it with the EAP as well, then I know this feature is working as intended.

    0
  • Rolando Nispiros

    Any advice?

    0
  • Firewalla

    Did you ever create a default VLAN (no VLAN ID) segment on port 2? Many managed switches use the default to activate the management interface.

    0
  • Rolando Nispiros

    I only created a new LAN on port 2 called 'TP-Link LAN', then two VLANs called 'IOT Data' with VLAN 33 and 'IOT Media' with VLAN 44.  So I should create another VLAN with no VLAN ID?

    I notice in the TP-Link EAP225 admin control panel there is a Management VLAN option.  Should I enable that?  If so, what VLAN ID should I use?

    0
  • Rolando Nispiros

    Sorry for my lack of VLAN technology, but is there something I need to do to trunk / tag port 2 on the FWG to the LAN / VLANs I created? If so, how?

    0
  • mobius strip

    @Rolando Nispiros

    I’ll see if I can try to help you here…

    I’m pretty sure you have a few options for a solution. 

    Need more info:

    1.) What hardware version of the TP-Link EAP225 AP do you have? V3? (To make sure I’m looking at the right manual)

    2.) Does your Firewalla Gold show that it has assigned an IP address to the AP? Does the FWG show that it has assigned the AP an IP address both before and after you can no longer access the AP’s admin interface/GUI?

    3.) How are you accessing its admin interface? By this I mean:

    • a.) Are you managing the AP using a web browser? If so, what URL are you using, an IP address, or something with a domain name like logintomytplinkap.com ?   (To keep things as simple as possible, I would not use the TP-Link phone apps or the AP controller management software for larger)
    • b.) How are you physically connecting to the AP’s web admin interface? I.e., are you connecting to it directly over Wi-Fi? Or is your computer’s Ethernet port plugged into another Ethernet port on your FWG? Or is your computer’s Ethernet port plugged into a second Ethernet port on the AP itself, if the AP has multiple Ethernet ports?

    4.) Did you configure the AP to operate in “Standalone mode” as indicated in the manual?

    5.) Is the AP’s DHCP server enabled or disabled?


    There should be a few possible solutions, depending on:

    I.) the design of the AP: if VLANs are created in the AP’s interface, does it still allow its admin management web interface on an untagged LAN? It seems from the tutorial on this webpage that the answer is yes.  Otherwise, your only option is to enable Management VLAN (If you do this, a common recommendation is to change it from the universal default of VLAN ID 1 to something else for security). At first glance here, I think you can access it both with or without enabling a management VLAN.

    II.) How you want to physically connect to it:

    • If you want to be able to access it through your FWG (e.g. another LAN port, and/or if you want to be able to configure the AP remotely through your FWG’s VPN server).
    • Or if you want to access it via Wi-Fi from your computer when you are at home.
    0
  • Rolando Nispiros

    Thanks for taking the time to help.  Really appreciate it.  In regards to your questions:

    1.) What hardware version of the TP-Link EAP225 AP do you have? V3? (To make sure I’m looking at the right manual)

    Yes I have V3k with this build - V3_5.0.5 Build 20210604

    2.) Does your Firewalla Gold show that it has assigned an IP address to the AP? Does the FWG show that it has assigned the AP an IP address both before and after you can no longer access the AP’s admin interface/GUI?

    Yes, the FWG does assign an IP address to the AP, which I use to log on to the admin web interface.  After I enable the VLAN everything basically freezes/I cannot log on to the admin web interface anymore/it refuses connections.

    3.) How are you accessing its admin interface?

    Via the IP address assigned by FWG - 192.168.181.96/index.html.  But after I enable the VLANs to the SSIDs in the AP, the web interface freezes/locks me out.

    I am not using an ethernet cable connected to the FWG to get to the AP.  I am / was connecting to the AP via wireless.

    As noted above, the AP is connected in Port 2 configured as a LAN in FWG.  Also in Port 2 I configured 2 VLANs for the AP in FWG. Per the instructions here I created the VLANs in the AP, then created the VLANs in FWG.  It's after this my connection is frozen/refused connection.  

    Is this the recommended sequence in your opinion?  How do I tag/trunk the FWG VLAN port to match the AP?  I just don't see any other obvious mapping between the two devices, or maybe I am supposed to use a specific naming convention other than the VLAN ID?

    I did not check the box in the AP for Management VLAN.  Maybe I should enable it, use a different VLAN number other than 1, then try again?

    0
  • mobius strip

    @Rolando
    Here’s one possible solution:

    If you are configuring your AP through a web browser and you are connecting to it directly over Wi-Fi, the simplest thing you should be able to do is:

    • Reset AP to factory defaults and connect the AP via Ethernet to your FWG’s Ethernet port 2
    • Turn off Wi-Fi on your phone and use the Firewalla app to connect to your FWG from your cell phone. Reserve the TP-Link AP’s IP address in the DHCP section, e.g. 192.168.1.101. Also make sure that the network type is Type: LAN as shown in the screenshot in this tutorial.
    • On your computer, connect to a factory default SSID of your TP-Link AP. Open web browser and in the URL field type the IP address you reserved for the AP on your FWG…e.g. 192.168.1.101 (and not by typing gotomytplinkap.com or whatever the instructions manual offers)
    • Before creating your two SSIDs that you assign your VLAN IDs 33 and 44: change the name of the Wi-Fi SSID you just connected to, to e.g. “RolandoUntagged”. This SSID will be exclusively dedicated to untagged traffic (so leave the VLAN ID field blank for this SSID). Connect to this SSID each time you want to configure your AP.
    • Save your changes
    • Now create your two SSIDs that you assign your VLAN IDs 33 and 44

    Try this and let us know whether or not you are able to get it working this way.


    In case you’re curious, another method you should be able to use for additional security, which is slightly more complicated, is this: enable the Management VLAN ID (change it from the default of 1 to anything else, like 22), create a management SSID exclusively for managing your AP, and tag it with VLAN ID 22. You’ll first need to create this VLAN 22 and assign it to port 2 with a new corresponding IP range on your FWG (e.g. 192.168.22.1), and reserve the AP’s IP (or create a static IP in the AP’s admin interface), e.g. 192.168.22.101.

    But try the simpler way first, and let us know.

    0
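The tagging model behind the procedure above (one untagged SSID for management, two SSIDs tagged 33 and 44, all arriving on FWG port 2), as an added illustration that is not code from the thread, Firewalla or TP-Link. It builds the 802.1Q frames an AP emits for each SSID, parses them back the way a trunk port does, and checks the VID range that answers the "VLAN number convention" question in the first comment: any value from 1 to 4094 works, 0 and 4095 are reserved. The MAC addresses, payloads and the segment names are constructed for the example.

```python
"""802.1Q tagging on one trunk port: added illustration, not Firewalla or TP-Link code.

Models the thread's plan: the AP's 'IOT Data' SSID tags frames with VID 33,
'IOT Media' with VID 44, and the management SSID sends untagged frames.  The
router side (FWG port 2) accepts exactly those: untagged + 33 + 44.
MAC addresses and payloads below are constructed for the example.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100         # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094  # 0 = "priority tag only", 4095 = reserved by 802.1Q

# Segments configured on the trunk port; None stands for untagged traffic.
PORT2_SEGMENTS = {None: "TP-Link LAN (untagged, management)", 33: "IOT Data", 44: "IOT Media"}


def valid_vid(vid: int) -> bool:
    """True for a usable VLAN ID; 33 and 44 are as good as any other value in range."""
    return VID_MIN <= vid <= VID_MAX


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with a vid, a 4-byte 802.1Q tag is inserted after the MACs."""
    header = _mac(dst) + _mac(src)
    if vid is None:                                   # untagged: MACs, EtherType, payload
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not valid_vid(vid):
        raise ValueError(f"VID {vid} is outside {VID_MIN}..{VID_MAX}")
    tci = ((pcp & 0x7) << 13) | vid                   # PCP(3 bits) | DEI(1 bit, zero) | VID(12 bits)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src, VLAN id (None if untagged), PCP, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 means "priority tagged, no VLAN"; a port treats it like untagged.
    return {"dst": dst, "src": src, "vid": vid or None, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}


def classify(frame: bytes) -> str:
    """Name the segment the router assigns a frame to, or DROP for a VID not on the port."""
    vid = parse_frame(frame)["vid"]
    return PORT2_SEGMENTS.get(vid, f"DROP (VID {vid} not configured on port 2)")


if __name__ == "__main__":
    bcast, ap = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"     # constructed addresses
    for name, vid in (("management SSID", None), ("IOT Data", 33), ("IOT Media", 44), ("stray VID", 99)):
        frame = build_frame(bcast, ap, b"\x45" + b"\x00" * 19, vid=vid)
        print(f"{name:15s} -> {len(frame)} bytes, {classify(frame)}")
```

The same model explains why a switch placed between the AP and the FWG has to be configured too (the later EAP-610 question): every hop must pass VIDs 33 and 44 tagged and carry the management traffic untagged, and a port that does not list a VID discards frames carrying it exactly as `classify` does for VID 99.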
  • Rolando Nispiros

    Awesome, thank you for the tips, I will definitely give this a try after everyone is asleep or this weekend.  Ah so that what it means for untagged traffic, sorry I'm such a VLAN noob.  This new option gives me hope.

    1
  • mobius strip

    @Rolando 

    I forgot to mention you can try just enabling the Management VLAN ID and setting it to the same VLAN ID as you set on one of your two SSIDs that you assigned VLAN IDs to, and manage your AP when connected to that SSID with your computer…but then everything else connected to that network, e.g. on the ‘IOT Data’ network, will be able to see everything you’re doing while you’re configuring your AP, including what username and password you enter in order to log in to it, because the management interface is http and not https.

    So a compromised IOT device automatically scanning for administrative traffic of networking devices can intercept all this, which is a risk I assumed you did not want to take.

    For security I think it’s a lot better to have a separate network for administering networking devices (whether it’s for untagged traffic or if you create one with a dedicated VLAN and set the management VLAN ID for that), so that’s why I recommended you have a separate SSID for that purpose instead of simply enabling management VLAN for one of your IOT networks.

    0
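The exposure described in the comment above, as an added illustration that is not code from the thread, Firewalla or TP-Link: a passive capture on the shared segment is modelled as records that already carry the decoded VLAN id, and a small scanner recovers the cleartext HTTP admin login from them, rating it HIGH when it crossed an IoT VLAN and INFO when it stayed on a dedicated management VLAN. Only VIDs 33/44, the AP address 192.168.181.96 and the suggested 192.168.22.x range come from the thread; the other addresses, the form field names and the password are constructed.

```python
"""Why a management VLAN shared with an IoT SSID leaks the admin login: added
illustration, not code from the thread, Firewalla or TP-Link.

The AP's admin UI is plain HTTP, so any host that can see the management
VLAN's traffic (a compromised IoT device sniffing its own segment, for
instance) can read the credentials.  A capture is modelled as records that
already carry the decoded VLAN id; the scanner pulls logins out of HTTP
Basic headers and login forms and rates each by the VLAN it crossed.
Addresses, form field names and the password are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

IOT_VLANS = {33, 44}                                   # VIDs from the thread
ADMIN_TARGETS = {"192.168.181.96", "192.168.22.101"}   # AP admin addresses from the thread
USER_FIELDS = ("username", "user", "login")            # constructed; embedded UIs vary
PASS_FIELDS = ("password", "pass", "passwd")
_REQUEST_LINE = re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Record:
    vlan_id: Optional[int]   # None = untagged
    src: str
    dst: str
    payload: bytes           # reassembled TCP payload of one HTTP request


@dataclass
class Finding:
    vlan_id: Optional[int]
    target: str
    username: str
    password: str
    method: str              # "basic" or "form"
    severity: str            # HIGH when IoT clients share the VLAN, else INFO


def extract_credentials(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (user, password, method) if the payload is an HTTP request carrying a login."""
    if not _REQUEST_LINE.match(payload):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        value = value.strip()
        if name.strip().lower() == b"authorization" and value[:6].lower() == b"basic ":
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
            except ValueError:                         # binascii.Error is a ValueError
                return None
            user, _, password = decoded.partition(":")
            return user, password, "basic"
    if body:
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        password = next((form[k][0] for k in PASS_FIELDS if k in form), None)
        if user is not None and password is not None:
            return user, password, "form"
    return None


def scan(records: List[Record]) -> List[Finding]:
    """Flag every admin login seen on the wire; the VLAN decides who else could see it."""
    findings = []
    for rec in records:
        if rec.dst not in ADMIN_TARGETS:
            continue
        creds = extract_credentials(rec.payload)
        if creds is None:
            continue
        user, password, method = creds
        severity = "HIGH" if rec.vlan_id in IOT_VLANS else "INFO"
        findings.append(Finding(rec.vlan_id, rec.dst, user, password, method, severity))
    return findings


# Constructed capture, as a mirror of the trunk port would deliver it.
SAMPLE_CAPTURE = [
    # A thermostat reporting to its vendor: not an admin target, ignored.
    Record(33, "192.168.33.50", "203.0.113.10",
           b"GET /api/telemetry HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Management VLAN set to 33: the admin logs in over the 'IOT Data' SSID and every IoT client can read it.
    Record(33, "192.168.33.20", "192.168.181.96",
           b"POST /login HTTP/1.1\r\nHost: 192.168.181.96\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=admin&password=Hunter2%21"),
    # Dedicated management VLAN 22: still cleartext, but only the admin segment carries it.
    Record(22, "192.168.22.5", "192.168.22.101",
           b"GET /index.html HTTP/1.1\r\nHost: 192.168.22.101\r\nAuthorization: Basic "
           + base64.b64encode(b"admin:Hunter2!") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        vlan = "untagged" if f.vlan_id is None else f"VLAN {f.vlan_id}"
        print(f"[{f.severity}] {vlan}: {f.method} login to {f.target} as {f.username!r} (password recovered)")
```

The severity rule is the whole point: the login is recoverable in both captures, so the dedicated management VLAN does not fix cleartext HTTP, it only shrinks the set of hosts that can observe it to the ones you chose to put there.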
  • Rolando Nispiros

    Understood, thank you.  Yes I want to isolate IOT data, but will keep this in mind.

    0
  • mobius strip

    "sorry I'm such a VLAN noob.  This new option gives me hope."

    No worries! We all start learning somewhere :) 

    0
  • Rolando Nispiros

    Yes for sure! I'm a learn as you go person.

    1
  • Rolando Nispiros

    @mobius strip - thank you for helping me and for the recommendations!  It all worked.  I think creating a separate SSID not on a VLAN / not tagged did the trick for me.  I was able to get into the web admin console without any problems and I can see from the client list that the IOT devices have picked up their new IPs.  Can't thank you enough!

    1
  • mobius strip

    @Rolando Nispiros
    That’s great! I’m glad to know that you have a successfully working solution :)

    0
  • Rolando Nispiros

    Yes, really enjoying my setup now, thank you!

    0
  • Justin Sharp

    Question - I just purchased FW Gold. I intend to use EAP-610 (TpLink) with VLAN tagging on the various SSIDs I configure for my IoT devices.  The 610 has PoE.  I intend to connect the 610 to a TPLink PoE switch (which supports VLAN tagging as well), and connect that to the FW Gold.

    Since the Gold seems to require port-driven tagging, do I also need to tag the port that has the switch, or will the frames from the 610 automatically be recognized as their respective VLANs and thereby segmented by the rules I create in the Gold?  Any suggestions or guidance is greatly appreciated.

    0
  • Derly M Gutierrez Iii

    I created a few VLANs under LAN 1.  How do I assign devices to those VLANs to practice micro-segmentation?  For example, I have an entertainment VLAN and a PC VLAN - I do not want the nodes within those VLANs to communicate with each other.

    0
  • Paul Smedley

    Awesome, now to work out how to determine/set a blank with an Asus router in AP mode :)

    0
  • Steve

    Your comparison sheet shows a difference in the feature set between the Purple and the Gold. What will I miss here if I go to the Purple?

    0
  • Don Gilfillan-Jones

    I have a Gold. If I create a VLAN on port 3 can I configure it without a quarantine group? I have a multi-tenant office space and am setting up one office with groups, rules, and a quarantine to prevent access, but the other tenant will be open. I am separating them via separate switches, but using one modem and one Firewalla Gold.

    0