Firewalla Gold: Network Segmentation Use Cases

Comments

15 comments

  • Michael Bierman

    Is it possible to have unrecognized devices that join (wifi or ethernet) default to a certain segment? Having an example of that would be great.

  • Firewalla

    Not possible to a segment. But maybe possible to a group (to which you can add rules to govern these devices). The feature for adding new devices to a group is not yet done (6/10/2020); hopefully we get to it.

    Segments are physical, so it is hard to place devices. Groups are virtual, so it is a bit easier.

  • remotebloke

    How do I move devices to the new VLAN?

  • Michael Bierman

    @remotebloke this will depend on your setup. Here are three common examples.

    1. Start with Firewalla Gold in Router mode. Configure Firewalla so that a port is a VLAN. Go to the Firewalla app and Network Manager > Edit Create Network. Choose Local Network and select a port (just not port 4, which is your WAN). Choose Type VLAN. Enter a number for the VLAN ID; don't use "0", but say "22" will be fine. Whatever you plug in to that port will be on that VLAN. If this is a computer, that may (or may not) be useful, but it is the simplest use case. It is a good way to try it out. When you are done, the IP assigned to that computer should be in the IP range that you saw when you created the VLAN on Firewalla, not an IP in your LAN range. Nothing special has to be done to configure the computer if it is in DHCP mode.
    2. Follow the above, but instead of plugging a computer into that configured port on Firewalla, plug in a managed switch. Configure the switch so that the port connecting to Firewalla is a Trunk port (it carries the VLAN traffic and LAN traffic) to Firewalla. Check the instructions for configuring the switch with the manufacturer of the switch. Then set a different port on the switch to the same VLAN ID you just set up on Firewalla. This will mean anything you plug in to that port will be on that VLAN and be able to talk through the trunk to Firewalla and other devices on the VLAN. Now you can plug the switch into the port you set before on Firewalla. Any ports on the switch you don't configure will be on the LAN only.
    3. You can follow the directions above but connect a wifi AP instead of a switch. Note: if you are talking about a VLAN on wifi, your AP (Access Point) will have to support VLANs. Not all do. If your AP supports VLANs, configure the VLAN similar to what you did on the switch. If you plug the AP directly into Firewalla, configure that port to the VLAN. If you plug the AP into a switch, make sure it is a trunk (that is, it can carry traffic on both LAN and VLAN) as needed. For example, I have ui APs that have 3 wifi networks: 1 LAN and 2 different VLANs for IoT devices. Configure your AP according to the manufacturer instructions and connect that to Firewalla (or a switch) as a trunk. Any device that connects to the AP with a VLAN network will be given an IP address and be in that VLAN. If it connects to a LAN network then it will be on your LAN.

    I know that's a lot to take in if you have never done it. There are plenty of folks who can help if you ask specific questions. 

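The three steps above all rest on one mechanism: on a trunk, frames for the VLAN carry an 802.1Q tag while LAN frames stay untagged, and a switch access port (or an AP's VLAN SSID) strips the tag before the device sees it, which is why the computer needs no special configuration. The following Python example, added here and not part of the thread or of Firewalla's software, builds and parses tagged frames to make that visible; the MAC addresses, the VLAN IDs 22 and 30, and the sample frames are all constructed for the demonstration.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame. With vlan_id set, insert an 802.1Q tag
    (PCP 0, DEI 0) the way a VLAN-aware switch or AP does on a trunk."""
    header = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094; 0 and 4095 are reserved")
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame, native_name="LAN"):
    """Return (segment, ethertype, payload) for a frame seen on a trunk.
    A tagged frame belongs to 'VLAN <id>'; an untagged frame belongs to the
    native (untagged) network, which in the setup above is the LAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    segment = native_name if vlan_id is None else f"VLAN {vlan_id}"
    return segment, ethertype, frame[offset:]

def access_port_egress(frame, port_vlan):
    """Model a switch access port assigned to port_vlan: forward only frames
    tagged with that VLAN, handing them to the attached device untagged.
    Frames from other VLANs, or untagged LAN frames, are dropped (None)."""
    segment, _, _ = parse_frame(frame)
    if segment != f"VLAN {port_vlan}":
        return None
    return frame[:12] + frame[16:]   # remove the 4-byte tag; inner ethertype and payload follow

# Constructed sample traffic as it would appear on the Firewalla-facing trunk port.
PC_MAC, FW_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PAYLOAD = b"\x45\x00" + b"\x00" * 18           # placeholder IPv4 header bytes
SAMPLE_TRUNK = [
    build_frame(FW_MAC, PC_MAC, PAYLOAD),               # untagged -> LAN
    build_frame(FW_MAC, PC_MAC, PAYLOAD, vlan_id=22),   # tagged -> VLAN 22
    build_frame(FW_MAC, PC_MAC, PAYLOAD, vlan_id=30),   # tagged -> VLAN 30
]

def classify_trunk(frames):
    """Count frames per segment, as a VLAN-aware port would see them."""
    counts = {}
    for frame in frames:
        segment, _, _ = parse_frame(frame)
        counts[segment] = counts.get(segment, 0) + 1
    return counts

if __name__ == "__main__":
    print(classify_trunk(SAMPLE_TRUNK))
    for frame in SAMPLE_TRUNK:
        out = access_port_egress(frame, 22)
        print("access port VLAN 22:", "forwarded untagged" if out else "dropped")
```

The access-port model is the security-relevant part: a device on a port assigned to VLAN 22 receives only VLAN 22 frames, already untagged, and never sees LAN or VLAN 30 traffic, so the segmentation holds regardless of what the device itself is configured to do.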
  • remotebloke

    @michael thanks for the info - really useful in helping me understand. I was hoping to have an isolated network for IoT devices and security cameras. I don't think I'll be able to do that with my APs (Deco X90); there's no mention of VLAN SSID support. Unless I can do something with the guest network...

  • Vincenzo Corsaro

    Premise: I'm still experimenting with the countless functions offered by the Firewalla, and my network knowledge is of an average level, so I understand a little more than the average user who leaves everything on automatic, but obviously I don't understand overly complicated technical terms.

    1. I connected each of the 3 LAN networks of the Firewalla (1, 2, 3) to a switch, of which 1 and 3 are real switches, while network 2 is connected to the old router that will act as a switch and WiFi AP (obviously only for 2 network devices); this is in turn connected to another WiFi AP (which has a WiFi bridge, which then extends the home WiFi for me, so same WiFi SSID and same password). In your opinion, can this structure work? Or can it create incompatibilities or conflicts?
    (I attach a network map for better understanding)

    2. When I have finished making all the necessary configurations, I will have my main PC connected to the switch of network 2 and my two QNAP NAS connected to the switch of network 1. Even though they are on different networks, is it possible to make them communicate by giving them specific rules?

    I ask because I am having problems already now: they are both in network 1 and I cannot get them to communicate with each other, as I cannot access the NAS, and when I open the QNAP software (Qnap Finder) it gives me an error message saying that the devices are not in the same subnet. But how is it possible? They are both configured in DHCP and therefore have the same IP assignment class.

    At first I thought that perhaps in order to connect to each other (despite being on the same subnet) they needed an authorization from the Firewalla, and in fact I tried to create rules that would allow them to communicate, but the rules that can be set are only to block connections, maybe because they are open by default?

    It must be said, however, that I have not encountered this problem with devices other than the two NAS, nor with the video surveillance DVR, nor with the HP network printer.

    I ask you for help because I am a bit confused.

    network map

  • Michael Bierman

    @Vincenzo nice diagram! Forgive me, but I don’t know if I understand your goal(s).

    Assuming the simple case that this topology is trying to create a single network: are the switches managed or unmanaged? Are the APs in bridge mode, or is DHCP active?

    If a single network is the goal, then no other DHCP servers should be active and FWG should be in Router mode. You would let FWG set all these in the same IP range for this scenario.

    It looks like you are manually setting up different subnets intentionally? If that is needed, then you need to use Routes to allow FWG to route traffic between subnets as you wish, because by default traffic won’t be allowed. You can allow traffic in both directions, or from one subnet to another but not the other way around. For example, I have VLANs with IoT devices that I can see from my LAN, but they can’t access my LAN.

    However, if you are going to allow all traffic between two subnets, then why have separate subnets? I’m assuming you might want something like A <-> B but no traffic between A and C, for example? Anyway, Routes will allow you to connect traffic between subnets as you wish if they are really needed for whatever reason.

    Devices on the same subnet can’t be blocked from seeing each other.

    It doesn’t look like you are trying to set up VLANs, but if you are, you need managed switches, and then you configure them and FWG accordingly.

    I hope this helps. If not, feel free to ask more questions.

  • Vincenzo Corsaro

    So, actually I don't know if the choice of subnets is the best solution; after all, I'm still in the process of understanding. Let me explain better what the purpose of this segmentation is.

    Recently my old QNAP NAS was attacked by ransomware that made me lose all data. Let's leave aside the level of security my network had, because I had dangerous things activated like UPnP, for a long time I had not installed QNAP security updates, I did not back up, etc.

    Since then I have had to rebuild my entire home network; I took the opportunity to make the appropriate investments in security, including the Firewalla Gold, and I also bought a second QNAP NAS, in order to use the new one as the main one and the old one as a backup NAS.

    Here is the reason for the segmentation: to create watertight compartments inside my network in such a way as to prevent infection of the entire network, limiting it to the most dangerous devices, that is precisely the IoT devices, which, being always connected 24/7, are more at risk, among which the main QNAP NAS stands out.


    For this purpose I thought of fragmenting the network (making use of the functions of the FWG) as follows:

    Network 1: IoT
    (24/7 online devices, which represent a potential gateway for any malware that could infect the entire network, i.e. main QNAP NAS, HP network printer, video surveillance DVR, etc.)

    Network 2: Sandbox
    (Absolutely must-protect devices with the highest level of protection, almost as if they were protected by a Sandbox, QNAP backup NAS).

    Network 3: General
    (All other devices, PC, Tablet, Notebook, console, smartphone, Smart TV, etc.)

    P.S. Each of these networks has its own range of DHCP addresses


    To answer your questions:
    A) The Network 1 and 2 switches are unmanaged, while the Network 3 switch is my old Netgear modem/router, so I don't know how it should be considered, but I believe it is managed.

    B) The WiFi of the access points, I believe they are of the "bridge" type because they are all connected with an ethernet cable (as shown in the diagram), and they all have the same SSID and the same encryption keys, both for the 2.4 GHz network and for the 5 GHz network.


    At this point, however, there are some things I don't understand.

    1. Why, if my PC and both my NAS are on the same subnet, are they not reachable from the PC?

    "Unable to connect to the device. Check if the device and the computer are in the same subnet.
    Click OK to open the web browser and try to connect the device again or click Cancel to cancel"

    Obviously even if I try, the web page gives me the message:
    "Unable to reach this page
    192.168.x.x took too long to respond "


    2. To be able to back up the NAS, I will need a rule to be able to pass data from the main NAS (Network 1) to the backup NAS (Network 2), but I would need a rule that would filter out any malware if at that moment the primary NAS is under ransomware attack.

    I hope I have clarified my purposes and needs. Obviously I am ready for any kind of suggestion or clarification, also because, as I have already said, I am not an expert on the subject, so any advice will be welcome.


    Thanks again in advance 👍🏻

  • Michael Bierman

    Great. So network 1 is a mix. Presumably you want to allow access to the printer from other subnets, but the IoT stuff possibly not. Subnets allow this when FWG Routes are applied, but the printer is open to any attacks from other devices on the same subnet. Maybe that’s a small concern. That’s up to you. You will need to use FWG Routes to allow devices on other subnets to access the printer (but I don’t think the printer needs to talk to other devices. Possible exceptions are if the printer is also a scanner or the printer queue reports errors back to the computer when you print). Worst case, allow traffic to go both to and from the printer, but that also means malware on the printer could reach the PCs, making the subnet pointless. Note: if the printer supports AirPrint, it may not work with Routes. I have not tested this, but AirPrint wasn't designed to work across subnets, so something to watch for.

    Network 2: presumably you want access to the NAS from other segments, but you may want to keep any possible infection of the NAS from reaching other things. A Route can do this for you too.

    Sounds like Network 3 is unmanaged, but that is o.k. for your configuration.

    “B”: none of that is definitive about DHCP. Log in to the APs and make sure that DHCP is turned off. See https://help.firewalla.com/hc/en-us/articles/360048543713

    1. What are the addresses of the PC and of each NAS? You are right, they should be reachable. Also, be sure that you didn’t set a fixed IP on the NAS. Sometimes people do that.

    2. This is tricky unless you have a special appliance that detects and blocks malware traffic between subnets. Some NASes have virus protection. You can use those to quarantine malware and then only back up the safe files. You can obviously allow traffic one way only between them if that helps.

    As for the subnets, you may want to consider VLANs. Those allow you to layer isolated networks over the same cables, but your APs and switches will need to support VLANs to get the full benefit. This allows you to have fewer wires and mix devices on different VLANs within, say, the same room of the house. This takes a little more effort to set up, but means fewer wires crisscrossing your house and, in some ways, is simpler. Here’s a brief tutorial comparing them.

  • Michael Bierman

    Update on the printer issue… you might be able to limit the printer’s ability to communicate with devices on the other subnet. If something isn’t working (say scanning on the printer) allow access and try again. Then look at the flows and see if there is a specific port or other characteristic that you could allow rather than opening up the subnet to all traffic.

    Anyway, hope this helps.

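The advice above, to open access, look at the flows, and then allow only the specific port that was actually needed, is a small least-privilege procedure. The Python example below, added here rather than taken from the thread or from Firewalla, shows the analysis step over a constructed flow log: the printer address, the client subnet, the ports and every flow record are invented for the demonstration and are not in the shape of any real Firewalla export. It separates the inbound services clients actually used (candidates for narrow allow rules) from connections the printer opened itself (each of which a compromised printer could also use, so each deserves an explicit decision).

```python
from collections import Counter

# Constructed flow records: (source, destination, protocol, destination port).
PRINTER = "192.168.1.40"   # assumed printer address on the printer's subnet
SAMPLE_FLOWS = [
    ("192.168.3.10", PRINTER, "tcp", 9100),   # raw print jobs from PCs on the general subnet
    ("192.168.3.10", PRINTER, "tcp", 9100),
    ("192.168.3.11", PRINTER, "tcp", 9100),
    ("192.168.3.10", PRINTER, "tcp", 631),    # IPP printing
    ("192.168.3.12", PRINTER, "tcp", 631),
    ("192.168.3.10", PRINTER, "tcp", 80),     # someone opened the printer's web page
    (PRINTER, "192.168.3.10", "tcp", 54321),  # printer calling back to a PC (port is a constructed placeholder)
    (PRINTER, "203.0.113.7", "tcp", 443),     # printer reaching the internet (documentation address)
]

def summarize_flows(flows, device):
    """Split flows involving `device` into the inbound (client -> device) services
    actually used and the outbound connections the device itself opened."""
    inbound = Counter()
    outbound = []
    for src, dst, proto, dport in flows:
        if dst == device:
            inbound[(proto, dport)] += 1
        elif src == device:
            outbound.append((dst, proto, dport))
    return inbound, outbound

def propose_allow_rules(flows, device, client_subnet):
    """Turn the inbound summary into narrow allow rules, one per (proto, port)
    seen, most used first: the alternative to allowing the whole subnet to
    reach the device on every port."""
    inbound, _ = summarize_flows(flows, device)
    ordered = sorted(inbound.items(), key=lambda kv: (-kv[1], kv[0][1]))
    return [
        {"src": client_subnet, "dst": device, "proto": proto, "dport": dport, "seen": seen}
        for (proto, dport), seen in ordered
    ]

def review_outbound(flows, device, local_prefixes=("192.168.",)):
    """List connections the device initiated. Local ones (e.g. a scanner pushing
    to a PC) may justify a single allow rule; anything else can stay blocked."""
    _, outbound = summarize_flows(flows, device)
    return [
        {"dst": dst, "proto": proto, "dport": dport, "local": dst.startswith(local_prefixes)}
        for dst, proto, dport in outbound
    ]

if __name__ == "__main__":
    for rule in propose_allow_rules(SAMPLE_FLOWS, PRINTER, "192.168.3.0/24"):
        print("allow ", rule)
    for item in review_outbound(SAMPLE_FLOWS, PRINTER):
        print("review", item)
```

On the sample data the result is three inbound rules (tcp/9100, tcp/631, tcp/80) instead of an any-port route, and two printer-initiated connections flagged for review, one of them leaving the home network entirely.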
  • Michael Bierman

    So I experimented with my network some more. I moved the Brother MFC printer to a WVLAN which has client isolation, so it can’t see any other device on the subnet, and that VLAN can’t talk to my LAN or any other VLAN, but there is a rule allowing the LAN to talk to that VLAN. I can still print and scan from a device on the LAN, but the printer is about as isolated as I think is possible.

    I also moved a homekit-enabled device to the same VLAN and it is able to work with the rest of homekit.

    When my iOS device is on the VLAN, I can AirPlay to AppleTV, but strangely the AppleTV remote on iOS doesn’t seem to work. I can live with that. Here’s my network diagram in case it is of any help.


  • mobius strip

    This is really basic security of course but can you configure the Firewalla Gold to restrict inter-VLAN traffic to specific ports and protocols?

    i.e. Can you create a rule allowing traffic from a device on one VLAN to a device on another VLAN restricted to a specific port(s) and specific protocol(s) and deny all other traffic in another rule by default?

    I do this routinely on my main router, and this is sort of really basic, but I can set up a default traffic rule to reject all traffic between all VLANs (those that have inter-VLAN routing enabled in the first place), and then create exceptions to this policy by creating one-way traffic rules that have the ability to restrict to a certain port and protocol.

    So e.g. a rule can allow computer1 on VLAN 100 to reach computer2 on VLAN 200 through port 22 using the TCP protocol only (e.g. computer2 has an SSH server running on it).

    And the default rule ensures that computer2 cannot reach computer1 or anything else on VLAN 100. (These are non-stateful inter-VLAN firewall traffic rules as usual, of course.)

    The last I checked, and from what the Firewalla website shows in examples currently still, is that it looks like you can only specify ports in outgoing traffic rules associated with Internet/WAN. 

    And for LAN-to-LAN rules, the most granular level of control possible for the user configuring the app is limited to allowing all traffic from one specific device on one VLAN to another device on another VLAN on all ports and all protocols.

    Is this guide up to date?

    If this limitation is still the case, given that MAC addresses and ip addresses can be spoofed, I think it’s best to only allow traffic over specific ports for specific purposes….fitting in with the whole security concept of granting least privilege.

    I don’t have my Firewalla Gold in router mode right now so I can’t readily check again, but I’d appreciate it if someone can share if this limitation I encountered before when I was experimenting with the Firewalla Gold in router mode is still the case….

    Thanks!

    @Michael Bierman awesome diagram! what website or tool did you use to draw it?

  • Support Team

    @mobius

    I think you can achieve this by doing the following:

    • Create a blocking rule to block VLAN 100 from accessing VLAN 200
    • Create an allow rule to allow target 192.168.200.20:22 on device 192.168.100.10

    Note: assume computer 1 is 192.168.100.10 and computer 2 is 192.168.200.20. You can't specify protocol in rules yet, so both udp and tcp 22 will be allowed.

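To check what the block-plus-exception policy from the answer above actually permits, including the caveat that udp/22 is let through because rules carry no protocol field, here is a small policy evaluator in Python. It is an added illustration written for this thread, not Firewalla's rule engine: it assumes that a matching allow rule is a specific exception that wins over a broader block rule, it checks only the initiating direction of a connection (no connection tracking), and it adds a second block rule for the VLAN 200 to VLAN 100 direction, which the question above asks for but the answer does not spell out. The addresses are the ones given in the answer; the test connections are constructed.

```python
from ipaddress import ip_address, ip_network

# Rule fields: action, src, dst (networks), dport (None = any port).
# No protocol field: the rules cannot yet distinguish tcp from udp.
RULES = [
    # requested default posture: the two VLANs may not reach each other
    {"action": "block", "src": "192.168.100.0/24", "dst": "192.168.200.0/24", "dport": None},
    {"action": "block", "src": "192.168.200.0/24", "dst": "192.168.100.0/24", "dport": None},  # assumed reverse rule
    # exception: computer1 may reach computer2's SSH port (tcp and udp 22 alike)
    {"action": "allow", "src": "192.168.100.10/32", "dst": "192.168.200.20/32", "dport": 22},
]

def _matches(rule, src, dst, dport):
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"])
            and (rule["dport"] is None or rule["dport"] == dport))

def evaluate(rules, src, dst, proto, dport, default="allow"):
    """Decide a new connection: any matching allow wins, else any matching
    block, else the default (assumed 'allow' for local networks with no rule).
    `proto` is accepted but ignored, mirroring the limitation noted above."""
    matching = [r for r in rules if _matches(r, src, dst, dport)]
    if any(r["action"] == "allow" for r in matching):
        return "allow"
    if any(r["action"] == "block" for r in matching):
        return "block"
    return default

# Constructed connection attempts used to exercise the policy.
CASES = [
    ("192.168.100.10", "192.168.200.20", "tcp", 22),   # computer1 -> computer2 ssh: allowed
    ("192.168.100.10", "192.168.200.20", "udp", 22),   # also allowed: rules have no protocol field
    ("192.168.100.10", "192.168.200.20", "tcp", 80),   # other ports on computer2 stay blocked
    ("192.168.100.11", "192.168.200.20", "tcp", 22),   # other hosts on VLAN 100 stay blocked
    ("192.168.200.20", "192.168.100.10", "tcp", 22),   # reverse direction blocked by the assumed rule
]

def run_cases(rules=RULES, cases=CASES):
    """Return the verdict for each case, in order."""
    return [evaluate(rules, *case) for case in cases]

if __name__ == "__main__":
    for case, verdict in zip(CASES, run_cases()):
        print(f"{case[0]} -> {case[1]} {case[2]}/{case[3]}: {verdict}")
```

The second case is the one worth noticing: the exception is as narrow as the rule language allows, but until rules can name a protocol, "port 22" means udp/22 as well, so the exposure is slightly larger than the tcp-only rule the question asks for.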
  • mobius strip

    @Support Team
    That’s great! thanks for letting me know :)

  • Michael Bierman

    Thanks, @mobius. https://www.draw.io/index.html
