Firewalla: Network Segmentation Use Cases

  • Michael Bierman

    Is it possible to have unrecognized devices that join (wifi or ethernet) default to a certain segment? Having an example of that would be great.

  • Firewalla

    Not possible to a segment. But maybe possible to a group (you can add rules to the group to govern these devices). The "add new devices to a group" feature is not yet done (6/10/2020); hopefully we get to it.

    Segments are physical, so it is hard to place devices. Groups are virtual, so it is a bit easier.

  • remotebloke

    How do I move devices to the new VLAN?

  • Michael Bierman

    @remotebloke this will depend on your setup. Here are three common examples.

    1. Start with Firewalla Gold in Router mode. Configure Firewalla so that a port is a VLAN. Go to the Firewalla app and Network Manager > Edit > Create Network. Choose Local Network and select a port (just not port 4, which is your WAN). Choose Type VLAN. Enter a number for the VLAN ID; don't use "0", but say "22" will be fine. Whatever you plug in to that port will be on that VLAN. If this is a computer, that may (or may not) be useful, but it is the simplest use case. It is a good way to try it out. When you are done, the IP assigned to that computer should be in the IP range that you saw when you created the VLAN on Firewalla, not an IP in your LAN range. Nothing special has to be done to configure the computer if it is in DHCP mode.
    2. Follow the above, but instead of plugging a computer in to that configured port on Firewalla, plug in a managed switch. Configure the switch so that the port connecting to Firewalla is a Trunk port (it carries the VLAN traffic and LAN traffic) to Firewalla. Check the instructions for configuring the switch with the manufacturer of the switch. Then set a different port on the switch to the same VLAN ID you just set up on Firewalla. This will mean anything you plug in to that port will be on that VLAN and be able to talk through the trunk to Firewalla and other devices on the VLAN. Now you can plug the switch in to the port you set before on Firewalla. Any ports on the switch you don't configure will be on the LAN only.
    3. You can follow the directions above but connect a wifi AP instead of a switch. Note: if you are talking about a VLAN on wifi, your AP (Access Point) will have to support VLANs. Not all do. If your AP supports VLANs, configure the VLAN similar to what you did on the switch. If you plug the AP directly into Firewalla, configure that port to the VLAN. If you plug the AP into a switch, make sure it is a trunk (that is, it can carry traffic on both LAN and VLAN) as needed. For example, I have UI APs that have 3 wifi networks: 1 LAN and 2 different VLANs for IoT devices. Configure your AP according to the manufacturer instructions and connect that to Firewalla (or a switch) as a trunk. Any device that connects to the AP with a VLAN network will be given an IP address and be in that VLAN. If it connects to a LAN network then it will be on your LAN.

    I know that's a lot to take in if you have never done it. There are plenty of folks who can help if you ask specific questions. 

  • remotebloke

    @michael thanks for the info - really useful in helping me understand. I was hoping to have an isolated network for IoT devices and security cameras. I don't think I'll be able to do that with my APs (Deco X90); there's no mention of VLAN SSID support. Unless I can do something with the guest network...

  • Vincenzo Corsaro

    Premise: I'm still experimenting with the countless functions offered by the Firewalla, and my network knowledge is of an average level, so I understand a little more than the average user who leaves everything on automatic, but obviously I don't understand overly complicated technical terms.

    1. I connected each of the 3 LAN networks of the Firewalla (1, 2, 3) to a switch, of which 1 and 3 are real switches, while network 2 is connected to the old router that will act as a switch and WiFi AP (obviously only for network 2 devices); this is in turn connected to another WiFi AP (which has a WiFi bridge that extends the home WiFi, so same WiFi SSID and same password). In your opinion, can this structure work? Or can it create incompatibilities or conflicts?
    (I attach a network map for better understanding.)

    2. When I have finished making all the necessary configurations, I will have to put my main PC on the switch of network 2 and my two QNAP NAS on the switch of network 1. Even if they are in different networks, is it possible to make them communicate by giving them specific rules?

    I ask because I am having problems already, now that they are both in network 1: I cannot get them to communicate with each other, as I cannot access the NAS, and when I open the QNAP software (Qnap Finder) it sends me an error message telling me that the devices are not in the same subnet. But how is that possible? They are both configured in DHCP and therefore have the same IP address range.

    At first I thought that perhaps, in order to connect to each other (despite being on the same subnet), they needed an authorization from the Firewalla, and in fact I tried to create rules that would allow them to communicate, but the rules that can be set are only to block connections, maybe because they are open by default?

    It must be said, however, that I have not encountered this problem with any devices other than the two NAS, nor with the video surveillance DVR, nor with the HP network printer.

    I ask you for help because I am a bit confused.

    (network map image attached)

  • Michael Bierman

    @Vincenzo nice diagram! Forgive me, but I don’t know if I understand your goal(s).

    Assuming the simple case that this topology is trying to create a single network: are the switches managed or unmanaged? Are the APs in bridge mode, or is DHCP active?

    If a single network is the goal, then no other DHCP servers should be active and FWG should be in Router mode. You would let FWG set all these in the same IP range for this scenario.

    It looks like you are manually setting up different subnets intentionally? If that is needed, then you need to use Routes to allow FWG to route traffic between subnets as you wish because by default traffic won’t be allowed. You can allow traffic in both directions or from one subnet to another but not the other way around. For example I have VLANs with IoT devices that I can see from my LAN but they can’t access my LAN. 

    However, if you are going to allow all traffic between two subnets then why have separate subnets? I’m assuming you might want something like A <-> B but no traffic between A and C for example? Anyway, Routes will allow you to connect traffic between subnets as you wish if they are really needed for whatever reason.

    Devices on the same subnet can’t be blocked from seeing each other.

    It doesn’t look like you are trying to set up VLANs but if you are, you need managed switches and then you configure them and FWG accordingly.

    I hope this helps. If not, feel free to ask more questions.

  • Vincenzo Corsaro

    So, actually I don't know if the choice of subnets is the best solution; after all, I'm still in the process of understanding. Let me explain better what the purpose of this segmentation is.

    Recently my old QNAP NAS was attacked by ransomware that made me lose all data. Let's leave aside the level of security my network had, because I had dangerous things activated like UPnP, for a long time I had not installed QNAP security updates, I did not back up, etc.

    Since then I have had to rebuild my entire home network. I took the opportunity to make the appropriate investments in security, including the Firewalla Gold, and I also bought a second QNAP NAS, in order to use the new one as the main one and the old one as a backup NAS.

    Hence the reason for the segmentation: to create watertight compartments inside my network in such a way as to prevent infection of the entire network, limiting it to the most dangerous devices, that is, precisely the IoT devices, which being always connected 24/7 are at greater risk, among which the main QNAP NAS stands out.


    For this purpose I thought of fragmenting the network (making use of the functions of the FWG) as follows:

    Network 1: IoT
    (24/7 online devices, which represent a potential gateway for any malware that could infect the entire network, i.e. main QNAP NAS, HP network printer, video surveillance DVR, etc.)

    Network 2: Sandbox
    (Absolutely must-protect devices with the highest level of protection, almost as if they were protected by a Sandbox, QNAP backup NAS).

    Network 3: General
    (All other devices, PC, Tablet, Notebook, console, smartphone, Smart TV, etc.)

    P.S. Each of these networks has its own range of DHCP addresses


    To answer your questions:
    A) The network 1 and 2 switches are unmanaged, while the network 3 switch is my old Netgear modem/router, so I don't know how it should be considered, but I believe it is managed.

    B) I believe the WiFi access points are of the "bridge" type, because they are all connected with an ethernet cable (as shown in the diagram), and they all have the same SSID and the same encryption keys, for both the 2.4 GHz network and the 5 GHz network.


    At this point, however, there are some things I don't understand.

    1. If my PC and both my NAS are on the same subnet, why are they not reachable from the PC?

    "Unable to connect to the device. Check if the device and the computer are in the same subnet.
    Click OK to open the web browser and try to connect the device again or click Cancel to cancel"

    Obviously even if I try, the web page gives me the message:
    "Unable to reach this page
    192.168.x.x took too long to respond "


    2. To be able to back up the NAS, I will need a rule to be able to pass data from the main NAS (Network 1) to the backup NAS (Network 2), but I would need a rule that would filter out any malware if at that moment the primary NAS is under ransomware attack.

    I hope I have clarified my purposes and needs, obviously I am ready for any kind of suggestion or clarification, also because as I have already said I am not an expert on the subject, so any advice will be welcome.


    Thanks again in advance 👍🏻

  • Michael Bierman

    Great. So network 1 is a mix. Presumably you want to allow access to the printer from other subnets, but the IoT stuff possibly not. Subnets allow this when FWG Routes are applied, but the printer is open to any attacks from other devices on the same subnet. Maybe that’s a small concern. That’s up to you. You will need to use FWG Routes to allow devices on other subnets to access the printer (but I don’t think the printer needs to talk to other devices. Possible exceptions are if the printer is also a scanner, or the printer queue reports errors back to the computer when you print). Worst case, allow traffic to go both to and from the printer, but that also means malware on the printer could reach the PCs, making the subnet pointless. Note: if the printer supports AirPrint, it may not work with Routes. I have not tested this, but AirPrint wasn't designed to work across subnets, so something to watch for.

    network 2: presumably you want access to the NAS from other segments but you may want to keep any possible infection of the NAS from reaching other things. A Route can do this for you too.

    Sounds like Network 3 is unmanaged, but that is o.k. for your configuration.

    “B” none of that is definitive about DHCP. Log in to the APs and make sure that DHCP is turned off. See https://help.firewalla.com/hc/en-us/articles/360048543713

    1. What are the PC and NAS addresses of each? You are right, they should be reachable. Also, be sure that you didn’t set a fixed IP on the NAS. Sometimes people do that.

    2. This is tricky, unless you have a special appliance that detects and blocks malware traffic between subnets. Some NASs have virus protection. You can use those to quarantine malware and then only back up the safe files. You can obviously allow traffic one way only between them if that helps.

    As for the subnets, you may want to consider VLANs. Those allow you to layer isolated networks over the same cables, but your APs and switches will need to support VLANs to get the full benefit. This allows you to have fewer wires and mix devices on different VLANs within, say, the same room of the house. This takes a little more effort to set up but means fewer wires crisscrossing your house and, in some ways, is simpler. Here’s a brief tutorial comparing them.

  • Michael Bierman

    Update on the printer issue… you might be able to limit the printer’s ability to communicate with devices on the other subnet. If something isn’t working (say scanning on the printer) allow access and try again. Then look at the flows and see if there is a specific port or other characteristic that you could allow rather than opening up the subnet to all traffic.

    Anyway, hope this helps.

  • Michael Bierman

    So I experimented with my network some more. I moved the Brother MFC printer to a WVLAN which has client isolation, so it can’t see any other device on the subnet, and that VLAN can’t talk to my LAN or any other VLAN, but there is a rule allowing the LAN to talk to that VLAN. I can still print and scan from a device on the LAN, but the printer is about as isolated as I think is possible.

    I also moved a homekit-enabled device to the same VLAN and it is able to work with the rest of homekit.

    When my iOS device is on the VLAN, I can AirPlay to AppleTV, but strangely the AppleTV remote on iOS doesn’t seem to work. I can live with that. Here’s my network diagram in case it is of any help.


  • mobius strip

    This is really basic security of course but can you configure the Firewalla Gold to restrict inter-VLAN traffic to specific ports and protocols?

    i.e. Can you create a rule allowing traffic from a device on one VLAN to a device on another VLAN, restricted to specific port(s) and specific protocol(s), and deny all other traffic in another rule by default?

    I do this routinely on my main router, and this is sort of really basic, but I can set up a default traffic rule to reject all traffic between all VLANs (those that have inter-VLAN routing enabled in the first place), and then create exceptions to this policy by creating one-way traffic rules that have the ability to restrict to a certain port and protocol.

    So e.g. a rule can allow computer1 on VLAN 100 to reach computer2 on VLAN 200 through port 22 using the TCP protocol only (e.g. computer 2 has an SSH server running on it).

    And the default rule ensures that computer 2 cannot reach computer1 or anything else on VLAN 100. (These are non-stateful inter-VLAN firewall traffic rules as usual, of course, as well.)

    The last I checked, and from what the Firewalla website still shows in examples currently, it looks like you can only specify ports in outgoing traffic rules associated with Internet/WAN.

    And for LAN-to-LAN rules, the most granular level of control possible for the user configuring the app is limited to allowing all traffic from one specific device on one VLAN to another device on another VLAN on all ports and all protocols.

    Is this guide up to date?

    If this limitation is still the case, given that MAC addresses and ip addresses can be spoofed, I think it’s best to only allow traffic over specific ports for specific purposes….fitting in with the whole security concept of granting least privilege.

    I don’t have my Firewalla Gold in router mode right now so I can’t readily check again, but I’d appreciate it if someone can share if this limitation I encountered before when I was experimenting with the Firewalla Gold in router mode is still the case….

    Thanks!

    @Michael Bierman awesome diagram! What website or tool did you use to draw it?

  • Support Team

    @mobius

    I think you can achieve this by doing the following:

    • Create a blocking rule to block VLAN 100 from accessing VLAN 200
    • Create an allow rule to allow target 192.168.200.20:22 on device 192.168.100.10

    Note: assume computer 1 is 192.168.100.10 and computer 2 is 192.168.200.20. You can't specify the protocol in rules yet, so both UDP and TCP 22 will be allowed.

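    A small model of the block-plus-allow pair described in the reply above, as an added example (not Firewalla's own code or rule engine). It assumes the addresses the reply assumes (computer1 = 192.168.100.10 on VLAN 100, computer2 = 192.168.200.20 on VLAN 200, both /24), that a device-level allow is honoured ahead of a network-level block, and that a rule with no protocol field matches both TCP and UDP; the flows it checks are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Addressing assumed in the thread: computer1 on VLAN 100, computer2 on VLAN 200.
VLAN100 = ip_network("192.168.100.0/24")
VLAN200 = ip_network("192.168.200.0/24")
COMPUTER1 = ip_network("192.168.100.10/32")
COMPUTER2 = ip_network("192.168.200.20/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    src: IPv4Network             # a /24 for a whole VLAN, a /32 for one device
    dst: IPv4Network
    dport: Optional[int] = None  # None = any port. There is no protocol field,
                                 # so a port rule covers both TCP and UDP.

    def matches(self, f: Flow) -> bool:
        # Rules identify hosts by address only, which is the caveat raised
        # in the thread: whatever carries the matching address on the VLAN matches.
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


# The two rules from the reply.
RULES = [
    Rule("block", VLAN100, VLAN200),                # VLAN 100 may not reach VLAN 200 ...
    Rule("allow", COMPUTER1, COMPUTER2, dport=22),  # ... except computer1 -> computer2:22
]


def decide(flow: Flow, rules=RULES, default: str = "block") -> str:
    """Return "allow" or "block" for one flow.

    Assumption (not verified against Firewalla): a device-level allow is
    honoured ahead of a network-level block, so allows are checked first.
    A flow matching no rule gets `default`.
    """
    for action in ("allow", "block"):
        for r in rules:
            if r.action == action and r.matches(flow):
                return action
    return default


def simulate(rules=RULES):
    """Constructed sample flows, keyed by (src, dst, dport, proto) -> verdict."""
    samples = [
        Flow("192.168.100.10", "192.168.200.20", 22, "tcp"),   # the intended SSH path
        Flow("192.168.100.10", "192.168.200.20", 22, "udp"),   # also allowed: no protocol field
        Flow("192.168.100.10", "192.168.200.20", 443, "tcp"),  # other ports stay blocked
        Flow("192.168.100.11", "192.168.200.20", 22, "tcp"),   # another VLAN 100 host: blocked
        Flow("192.168.200.20", "192.168.100.10", 22, "tcp"),   # reverse direction: no rule, default
    ]
    return {(f.src, f.dst, f.dport, f.proto): decide(f, rules) for f in samples}


if __name__ == "__main__":
    for (src, dst, dport, proto), verdict in simulate().items():
        print(f"{src} -> {dst}:{dport}/{proto}: {verdict}")
```

    The reverse-direction flow only ends up blocked because of the default; the two listed rules say nothing about VLAN 200 to VLAN 100, so a deny-by-default between VLANs (or a second block rule) is what closes that direction.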
  • mobius strip

    @Support Team
    That’s great! Thanks for letting me know :)

  • Michael Bierman

    Thanks, @mobius. https://www.draw.io/index.html

  • MattT

    Thanks for these great articles. Considering purchasing one of your products.

    I’m interested in how / whether network segmentation works in combination with a standard home router, e.g. Orbi RBK50, where:
    1. The majority of IoT gadgets connect via Wi-Fi
    2. We only have access to setting up a main Wi-Fi network and a guest Wi-Fi network (ie I can’t set up any new SSIDs)

    Is it possible to set up a secure segmented IoT network in this scenario?

    Do VLANs work in this scenario if the router allows VLAN tags? Or is it a requirement to have Wi-Fi hardware that supports the ability to set up multiple SSIDs for full segmentation?

    Thanks

  • Michael Bierman

    Hi MattT, I don't have an Orbi myself, but the question comes down to its capabilities. If it doesn't support wireless VLANs (WVLANs), then the wifi will either be on a Firewalla LAN or VLAN segment and all wifi devices would be on the same segment. You could set the wifi on one VLAN and your ethernet devices on another if you want to. But if you want to segment your wireless devices into different VLANs, you have to confirm that the Orbis have WVLANs, and from a quick look at their manual I don't think they do (but I could be wrong).

    I have Unifi APs which support WVLAN so each SSID can be tagged with a specific VLAN so I have one for my nest devices, one for other IoT devices, etc. 

    Generally your guest wifi will provide pretty good isolation from the rest of the network so you are good there. 

  • MattT

    Hi Michael,
    Really appreciate your prompt reply. 

    Correct, the Orbi only seems to have VLAN tagging for the WAN.

    So... apart from replacing some good hardware with some very good hardware e.g. the Unifi APs....  Are you suggesting the next best thing to do is to set up IoT type devices on the guest network?

    And if I do this... won't I just have problems using them? e.g. Phone won't connect to IoT device unless I switch the phone onto the Guest network as it won't be able to see them.  That then seems to defeat the point of having them on an isolated network.

    Or can I:
    1) Put IoT on guest network
    2) Use Gold to segment that guest network by SSID
    3) Allow for some clever rules between main wifi network and guest wifi network to allow access to phone across both networks

    Am I getting lost here or going in the right direction?

    (Alternative? Just put Blue+ on local network, everything on same wifi and manage things as best I can from there?)

  • Michael Bierman

    @MattT There are some less expensive WVLAN alternatives that have been mentioned on the forums. https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN .

    If you decide unifi is what you want, you can run the Unifi controller in docker (on Firewalla, a NAS, rpi, or a computer) so you don’t have to buy a UDM at all and the Unifi APs were not crazy expensive by themselves compared to other mid to high end alternatives.

    You are right, the disadvantage of using a guest wifi is you can’t route some traffic (e.g. mDNS for homekit or chromecast) between the primary LAN and the guest network where you can with VLANs. Some IoT devices really don’t need LAN access and so Guest might work just fine. It depends on your needs.

    Firewalla usually can’t relay traffic between vanilla guest wifi and the LAN because on a typical router they block the traffic. That’s the purpose of the guest network to isolate the LAN. You need WVLAN which sounds like different wifi in this case.

    Another alternative is to set up a separate wifi network for IoT on a different IP range and allow traffic between the network segments, but then you have more APs lying around, so it is a little less elegant.

    Blue+ is very nice. You can’t do as much with it as with Gold, for sure. So this comes down to what you want to achieve and budget. I started with firewalla Blue (Blue Plus didn’t exist) and I wanted to separate my IoT devices because I was aware my cameras had been attacked. So I really wanted to separate them from everything else.

  • MattT

    @Michael thank you so much that’s enormously helpful 👍 had been going round in circles trying to think things through and also have something to help protect the kids as they grow up.

    Complicated by a large brick 100-year-old house that can’t be easily wired for use with APs, and electrics that don’t like powerline connectors (although I haven’t tried new ones), so I have been relying on Orbi wireless backhaul to get Wi-Fi around, which to be fair is very reliable.

    Was looking at the Dream Machine but was a bit concerned the firewall etc was a bit limited vs firewalla which looks more comprehensive.

    Thanks again for all your help.
