Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

Articles in this section

How to Secure Your Network with Firewalla (Part 2): Control

Avatar
Firewalla Team
  • Updated
Follow

← PART 1: Visibility

→ PART 3: Protect

 

 

PART 2: Control

After gaining visibility to your network and devices, the next important step is to create "rules" or "policies" for your network. These "rules" are often specific to your environment and how you perceive risk. Ultimately, it is your network, and you make the rules to control it.  

 

 

Firewalla provides many ways to block, allow, and regulate traffic on your network. By controlling network traffic, you reduce the attack surface and risk exposure of your network.

 

Diagram of Work Network, IoT Network and Home Network

With Firewalla, you can:

  1. Block unwanted access with blocking rules
  2. Allow trusted networks with "allow" rules
  3. Block unrecognized or unused open ports
  4. Enable Family Mode for kids
  5. Isolate traffic with network segmentation
  6. Manage devices with Device Group
  7. Control traffic with routes
  8. Regulate traffic with Smart Queue
  9. Protect your privacy with Ad Block
  10. Control DNS traffic with DoH, Unbound, and DNS Rules
  11. Secure network access with Firewalla VPN
  12. Isolate new devices with New Device Quarantine

 

1. Block unwanted access with blocking rules

Blocking limits network access for one or more devices. Firewalla enables you to take action against unwanted network use through an array of blocking features, including:

1.1. Default Stateful Firewalls

1.2. Domain/IP/IP-Range Block Via the Rules Button

1.3. Block Via Alarms

1.4. Block Via Network Flows

1.5. Activity Category Block

1.6. Region Block (Geo-IP Filtering)

1.7. TLD Blocks

1.8. Application Block

 

1.1. Default Stateful Firewalls

If you are running your unit in router mode, Firewalla will by default insert a "stateful" firewall to block all ingress (from outside of your network to inside) traffic. Please do not delete or pause this rule.

Stateful Firewall Rule App Example

 

1.2. Domain/IP/IP-Range Block Via the Rules Button

You can block targets by using the "Rules" button. You can choose target(s) to allow/block based on one or a combination of the following items:

  • IP Address (and optional ports)
  • IP Address range (and optional ports)
  • Domain name (and optional ports)
  • Remote port (applies to any IP or Domain)
  • Region beta.jpg
  • Local Network (Gold and Purple running in Router mode only)
  • Internet (all internet sites)
  • Target Lists

Find out more about blocking capabilities here.

Rules1_Updated.png    Creating the target for a new rule to block a domain, IP, IP-range via the rules button    Place the matching component for a new rule to block a domain, IP, IP-range via the rules button

 

1.3. Block Via Alarms

Blocks can also be created from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen.  

The block button and the matching and on selections for blocking via alarms

 

1.4. Block Via Network Flows

While looking at your device's network flows, you can tap on its flow entries to get into the details screen. In the details screen, you can block flows (please note that not all flows can be blocked and your device may still maintain its functionality).

Highlighting the Work Air example in the Firewall App    Once the option is selected from the Work Air section this shows the details to route or block this network flow    Now that you have select the network and the block option you will now select the block button

 

1.5. Activity Category Block

For smart devices that function closer to a general-purpose computer, you should implement controls similar to those on your computers or smartphones. For example, if your kids are using the smart TV, you can use category blocking to ensure they don't access sites they're not supposed to. 

Firewall App Matching options to block activity by category      Rules option where you can add the category to block on a device within the network

 

1.6. Region Block (Geo-IP Filtering)

Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering. Geo filtering is only available on the Firewalla Blue Plus and above.

  • Most of the time, these blocks are for egress. (your network out). Ingress traffic should already be blocked by the default stateful firewall. 

Select a region (Geo-IP) that you would like to block

 

1.7. TLD Blocks (Top Level Domain)

In addition to blocking full domains like firewalla.com and *.firewalla.com, Firewalla also supports blocking top-level domains, such as *.country, *.stream, *.download, etc.

Setting up a new rule to create a top level domain block    Select the domain option from the matching step in the new rule    Place the domain name and then save to block the top level domain

 

1.8 Application Block

If you want to manage access to a certain app (such as YouTube, TikTok, Instagram, etc.), you can use Firewalla's Rules to limit what apps a device or a group of devices may use. To do this, create a new block rule and set the rule target to the app you'd like to block.

Firewalla allows you to set up a new rule by select the matching option and then app you want to block

 

2. Allow trusted networks with "allow" rules

For devices that are very purpose-specific and only need access to certain services, you can configure rules to only allow trusted connections to come through. For example, on your Nest Thermostat or Ring devices, you can block all internet access, but only allow access to ports required by Ring's services (IP addresses and ports). Learn more about allow/whitelist rules.

App allows you to view the rules for your Allow and Block access on your network

 

3. Block unrecognized or unused open ports

In Part 1, we discussed open ports and how they can be a security risk. Check open ports on your network (Home -> Open Ports). If you don't recognize any ports, or if any ports were opened intentionally but should not be open anymore, you should block them.

The Firewalla App example highlighting opened and blocked ports

 

4. Enable Family Mode for kids

Firewalla's Family Mode contains services that automatically filter out inappropriate content for families (porn and violent materials). It includes:

  • Family Protect, which blocks access to websites with offensive content
    • Native Family Protect, a new feature that gives you full control over what to block right on the Firewalla box
  • Safe Search, which filters search results
  • Social Hour, which limits social network use. If you have kids at home, enable Family Mode on all computers and smart devices (like Apple TV) that your kids might have access to. 

Family feature app example that showcases the options in the mode and rule

 

5. Isolate traffic with network segmentation

You can use network segmentation to create multiple local networks in your home, and dedicate one for IoT devices. This way you can isolate IoT device traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised.

Diagram showing Internet and network flows of allowed and blocked traffic

You can set up a network segment for your IoT devices by:

  • Creating a VLAN for your IoT devices
  • Creating a rule on the VLAN to block all outgoing traffic to other parts of your network

Select the Create Network option for your IoT devices  Choose the Local Network option for your IoT devices  Set up the specifics for this Local Network  Finish setting up your IoT network and rules

 

Network segmentation is very powerful. While it is impossible to separate traffic between devices on the same network segment, VLAN and port-based networks allow you to secure and separate devices that are less critical and possibly less rigorously tested. See Building Network Segments for a detailed article on this.

 

Network segmentation is only available on Firewalla Gold and Purple when running as your main router. Both support network segmentation through VLANs, and Gold supports up to 3 port-based LANs.

 

6. Manage devices with Device Group

A device group is a software-based segmentation. It is available on all products including Firewalla Blue Plus and Red. You can use Device Group to manage devices that share the same rules and policies. This can greatly simplify the daily management of devices and policies. Learn more about Device Group.

 

Here is an example of how you can use Device Group:

  • Create a device group for streaming devices
  • Add all your smart TVs, speakers, or set-top boxes to the group
  • Manage the group with consistent rules and policies across the whole network

Select streaming devices, manage the devices and controls for those devices

 

7. Control traffic with routes

In case you have multiple traffic terminations such as:

  • VPN Client (or many VPN clients) 
  • Secondary WAN
  • Site-to-Site VPN 

You can send any IoT device's network traffic to any of the destinations from above by using smart routing policies through Firewalla. Learn more about policy-based routing.

Select the routes option, add route selection and then save your new route

 

In the Firewalla 1.52 app release, you can also choose a Route Preference. For each route, you'll be given two options: 

  • Static: if the selected interface is not available, the traffic will be dropped. This is the default setting.
  • Preferred: if the selected interface is not available, allow traffic through an alternate route.

Please note that in order to "lock" traffic to a selected VPN, you also need to ensure the VPN's Internet Kill Switch is enabled. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.

Setting up your route preference with static or preferred and finish setting up the route

 

8. Regulate traffic with Smart Queue

If you worry about your IoT devices consuming too much bandwidth, you can easily apply policies to limit traffic by either device or destination. Learn more about Firewalla Smart Queue.

IMG_3971.PNG    Add Smart Queue rule in the Firewalla app    Set up the target, device and other options for your smart queue

 

9. Protect your privacy with Ad Block

Ad Block is Firewalla's built-in ad blocker. It does more than just block ads-- it also protects your privacy by preventing ads from tracking your online behaviors. This is especially useful for smart devices that have general access to the internet but do not provide users with privacy settings or controls. Ad Block now also has Strict Mode, which blocks ads more aggressively, in addition to Default Mode. Turn on Ad Block on All Devices so your whole network is ad-free. Find out more about Ad Block.

Setting up the Ad Block feature    Turn the Ad Block option on within the Firewalla app    Choose the Default or Strict options and then save to complete the Ad Block set up

 

10. Control DNS traffic with DoH, Unbound, and DNS Rules

DNS over HTTPS (DoH) sends DNS requests encrypted over HTTPS, as opposed to the traditional DNS that sends the request in plain text over HTTP. It prevents third parties from spying on what websites, domains, and services your devices are accessing. By turning on DoH in Firewalla, all devices in your network will be protected, especially IoT devices that otherwise have no ability to configure this type of service. 

Select the DNS Service option    Choose the DNS service options within the Firewalla app    Select the Server options for the new server connection

 

In addition to DoH, Firewalla supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver that helps increase your online privacy and security and is installed locally on the Firewalla box. Unbound prevents a single public DNS server from having all your DNS records. For an extra layer of protection, you can also send your Unbound DNS requests over VPN instead of your ISP by enabling Unbound over VPN.Choose the control options and if it DNS over HTTPS or unbound for the DNS Service

With the Firewalla 1.52 app release, we've also introduced adding Custom DNS Entry Rules via the app. We used to have a guide on how to customize your DNS via the command line, but we brought this feature to the app UI to make it easier to manage. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.

Add custom DNS rules as need for your new DNS Service

 

11. Secure network access with Firewalla VPN

Firewalla has a built-in VPN client that makes it easy and free to tunnel all your home network traffic, including IoT traffic, through a VPN.

 

Site to Site VPN:

If you have multiple homes, you can use Site to Site VPN to connect your networks together over encrypted links. You can securely access shared devices such as file servers, printers, and video cameras bi-directionally between the sites.

Diagram of a Site to Site VPN connection between a Subsidiary and Headquarter network

 

3rd Party VPN:

If you are using a third-party VPN server to shield your data from your ISP or government, you can enable the Firewalla VPN Client and connect to the VPN Server. This will allow all your IoT devices to easily use the same VPN service.

Diagram of 3rd Party VPN connection between a Home network and 3rd-party VPN server

 

Firewalla has a built-in VPN Server as well. When you are traveling or using public Wi-Fi, you can connect back to the VPN Server at home and securely access your home devices, such as security cameras and home automation controllers.

This method is far more secure than using simple port forwarding on your router. The extra encryption both hides your traffic and provides authentication at the network layer at the same time.

Firewalla App highlighting four active VPN connections, VPN server specifics and details for each VPN connection

 

12. Isolate new devices with New Device Quarantine

You can enable New Device Quarantine in Firewalla to immediately place unrecognized devices into a separate Quarantine Group if they join your network. This way, you can have full visibility of unfamiliar devices and set special rules to control their access. You can release a device from the Quarantine Group whenever you want.

Select the new device quarantine, activate the new device quarantine option and apply to select networks

 

To learn more about how Firewalla protects your data from breaches and attacks, continue reading in Part 3: Protect.

 

→ PART 3: Protect

 

Related articles

Comments

0 comments

Please sign in to leave a comment.