Concept and Use Cases
Network Segmentation divides your network into physical or logical partitions with dynamic and static policies/rules. These subnetworks can be used to give you better security and in some cases help you to speed up the network. Network Segmentation is only available on the Firewalla Gold and Firewalla Purple.
Use cases for network segmentation include:
- Create a network segment for kids or employees with their own rules and policies. You can limit access to the internet, filter activities, and more.
- Isolate critical devices into their own network. For instance, only permit devices like security cameras to talk within their own network.
- Create a secure guest network, in order to apply high-level protection to your guests, and manage their activities in real-time.
Note: you will need a managed switch or AP that supports VLAN-SSID mapping to implement VLAN.
We will demonstrate with an example of how you can use network segmentation and VLAN features in the Firewalla Gold to create a really powerful guest network. We will be using a TPLink EAP225 as the WiFi Access Point (Amazon $60). The EAP225 is also VLAN aware and can create a mapping between SSID and VLAN ID.
When this access point is connected to the Firewalla Gold, it will be running in bridge mode, leaving all layer 3 (IP layer/routing/filtering) functions to the Firewalla. This will conserve CPU on the Access Point to focus more to provide better wifi.
1. Configure a physical LAN
Connect the TP-Link AP to port 3 on Firewalla Gold, tap on the "Network Manager" button, and configure a 10.0.1.x network from the Firewalla app:
After configuration, make sure you tap on "save" to commit the changes to your router.
2. Create a VLAN
Here, we will configure a couple of VLAN's via SSID mapping in TPLink EAP225. Login to the TPLink AP and configure VLAN to SSID mappings as the following.
Note: Please use the IP address of assigned by Firewalla to log in to the Access Point. If you are using a router that has been configured into bridge mode or AP mode, the previous IP address of the router may not work.
Here the main network is mapped to VLAN 33 and the guest network is mapped to VLAN 44.
- VLAN 33: SSID TPLINK5
- VLAN 44: SSID TPLINK5-GUEST
3. Create a guest network over VLAN
Now, let's go back to Firewalla App and tap on Network Manager. Using the Network Manager, we will create a VLAN 44 on port 3. (You can do the same for VLAN 33)
4. Apply policies to the guest network
After the guest network is created, you can apply features or rules just to this segment. For example, you can enable Family mode on the guest network. On the home screen, tap on Family Mode, and apply family mode only to TP-Link Guest 3.44.
Or you can tap on the rules button to create a rule like this one. Block the guest talking to any local networks ... but do allow devices from local networks to talk to devices inside the guest network.
After all of the above setup is completed, you can simply join your device to TPLINK-Guest SSID and it will be put in the guest network TP-Link GUEST 3.44.