This is an older article about Firewalla's network segmentation feature. For the latest information about what Firewalla can show you about your network, please read our article on Building Network Segments.
Not all internet devices are the same, and treating them differently can increase the security and performance of your network. With network segmentation, you can create several networks at home or work instead of one big flat network, and each network can be governed by its own rules. This is just like adding rooms and doors (with locks) in the real world.
Use cases for network segmentation include:
- Creating a network for kids or employees with their own rules and policies. You can limit access to the Internet, filter content, monitor activity, and more.
- Creating a network for work-from-home access with VPN client enabled.
- Creating a secure guest network to apply high-level protection to your guests and manage their activities in real time.
- Isolating IoT devices into their own network to prevent unnecessary communication.
If you want to learn the details of how to implement network segmentation, please see our article on Building Network Segments. Network Segmentation is only available on the Firewalla Gold and Firewalla Purple.
Kids' or Employees' Network
At home, you can create a network segment for kids with parental control rules and features. Depending on the situation, you can configure it to be able to access other networks or restrict it from accessing other devices and resources.
If you use Firewalla in your office network, you can create a network to manage employees' network access. You can apply rules and features based on company policies. You can also monitor the network segment as a whole, including alarms and settings.
VPN Network for Working from Home
Firewalla's built-in VPN client makes it convenient to work remotely through a VPN. In this case, you can create a network with a VPN connection configured and only include devices that you need to use for work. This way your work communication is always protected and will not interfere with your other devices' activity.
Secure Guest Network
You can also use network segmentation to create a secure guest network. You can apply features or rules just to your guest network segment, such as porn block or Family Protect. You can also block guest devices from talking to any local networks while allowing devices from local networks to talk to devices inside the guest network.
With New Device Quarantine turned on, all new devices joining the network will be automatically placed into a Quarantine Group, and an alarm will be generated. You can turn this feature on for specific networks to help you build a super-secure guest network segment for home and work.
IoT Network
For devices that only need access to specific services, such as some IoT devices, you can isolate their traffic from the rest of the network. This reduces your risk exposure in case your IoT devices get compromised. Once you set up an IoT network, you can restrict access by setting rules to:
- Block Traffic from & to the Internet.
- Block Traffic from & to all local networks.
- Allow access to ports required by specific services (IP addresses and ports).
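The three rules above only give the intended result when the narrow service allows are matched before the broad blocks. The following is an added example, not Firewalla's code or rule engine: a small first-match evaluator that models an IoT segment with those three rules and runs a handful of constructed flows through it. The segment addresses (192.168.1.0/24 General, 192.168.2.0/24 Sandbox, 192.168.3.0/24 IoT), the printer, DVR and cloud endpoint, and the "allow if nothing matches" default are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed segment layout for this example (not the page's addresses).
LOCAL_NETWORKS = {
    "General": ipaddress.ip_network("192.168.1.0/24"),
    "Sandbox": ipaddress.ip_network("192.168.2.0/24"),
    "IoT": ipaddress.ip_network("192.168.3.0/24"),
}
IOT_NET = LOCAL_NETWORKS["IoT"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    peer: Optional[str] = None       # host/CIDR of the non-IoT end, "local", "internet", or None for any
    dport: Optional[int] = None
    proto: Optional[str] = None
    direction: Optional[str] = None  # "out" (IoT initiates), "in" (peer initiates), None for both


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS.values())


def peer_of(flow: Flow) -> Tuple[Optional[str], Optional[str]]:
    """Return (peer address, direction) for a flow that crosses the IoT boundary."""
    src_iot = ipaddress.ip_address(flow.src) in IOT_NET
    dst_iot = ipaddress.ip_address(flow.dst) in IOT_NET
    if src_iot and not dst_iot:
        return flow.dst, "out"
    if dst_iot and not src_iot:
        return flow.src, "in"
    return None, None  # stays inside IoT, or never touches it


def rule_matches(rule: Rule, peer: str, direction: str, flow: Flow) -> bool:
    if rule.direction is not None and rule.direction != direction:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.peer is None:
        return True
    if rule.peer == "local":
        return is_local(peer)
    if rule.peer == "internet":
        return not is_local(peer)
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.peer, strict=False)


# Rules for the IoT segment, evaluated top to bottom; the first match wins.
# The narrow service allows sit above the broad blocks on purpose.
IOT_RULES = [
    Rule("allow", peer="192.168.1.20/32", dport=9100, proto="tcp", direction="out"),  # constructed: IoT device prints to General
    Rule("allow", peer="203.0.113.10/32", dport=443, proto="tcp", direction="out"),   # constructed: the one cloud endpoint it needs
    Rule("allow", peer="192.168.1.0/24", dport=554, proto="tcp", direction="in"),     # constructed: PCs on General view the DVR's RTSP
    Rule("block", peer="local"),      # Block traffic from & to all local networks
    Rule("block", peer="internet"),   # Block traffic from & to the Internet
]


def evaluate(flow: Flow, rules=IOT_RULES) -> str:
    peer, direction = peer_of(flow)
    if peer is None:
        return "not-governed"  # intra-segment traffic is not what these rules are for
    for rule in rules:
        if rule_matches(rule, peer, direction, flow):
            return rule.action
    return "allow"  # assumed default when nothing matches; the two blocks above cover every peer


def demo() -> dict:
    flows = {
        "print job":      Flow("192.168.3.50", "192.168.1.20", 9100, "tcp"),
        "cloud sync":     Flow("192.168.3.50", "203.0.113.10", 443, "tcp"),
        "smb to General": Flow("192.168.3.50", "192.168.1.20", 445, "tcp"),
        "ssh to Sandbox": Flow("192.168.3.50", "192.168.2.10", 22, "tcp"),
        "other internet": Flow("192.168.3.50", "198.51.100.77", 80, "tcp"),
        "pc views dvr":   Flow("192.168.1.5", "192.168.3.60", 554, "tcp"),
        "pc to dvr http": Flow("192.168.1.5", "192.168.3.60", 80, "tcp"),
        "dvr to camera":  Flow("192.168.3.60", "192.168.3.61", 554, "tcp"),
    }
    return {name: evaluate(flow) for name, flow in flows.items()}


def ordering_matters() -> Tuple[str, str]:
    """Same rules with the blocks first: the print allow is never reached."""
    job = Flow("192.168.3.50", "192.168.1.20", 9100, "tcp")
    return evaluate(job), evaluate(job, rules=list(reversed(IOT_RULES)))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
    print("ordering:", ordering_matters())
```

Two points the run makes visible: a compromised IoT device can still reach the printer port and its cloud endpoint but nothing else on any local network or the Internet, and reversing the rule order silently turns the print allow into a block, which is the usual reason a "working" isolation rule set breaks a device.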
Read our article on Building Network Segments for a full tutorial on how you can create and manage subnetworks.
Is it possible to have unrecognized devices that join (wifi or ethernet) default to a certain segment? Having an example of that would be great.
Not possible to a segment. But maybe possible to a group (you can add rules to the group to govern these devices). The feature for adding new devices to a group is not yet done (6/10/2020); hopefully we get to it.
Segments are physical, so it is hard to place devices. Groups are virtual, so it is a bit easier.
How do I move devices to the new VLAN?
@remotebloke this will depend on your setup. Here are three common examples.
I know that's a lot to take in if you have never done it. There are plenty of folks who can help if you ask specific questions.
@michael thanks for the info - really useful in helping me understand. I was hoping to have an isolated network for IoT devices and security cameras. I don't think I'll be able to do that with APs (Deco X90); there's no mention of VLAN SSID support. Unless I can do something with the guest network...
Premise: I'm still experimenting with the countless functions offered by the Firewalla, and my network knowledge is of an average level, so I understand a little more than the average user who leaves everything on automatic, but obviously I don't understand overly complicated technical terms.
1. I connected each of the 3 LAN networks of the Firewalla (1, 2, 3) to a switch, of which 1 and 3 are real switches, while network 2 is connected to the old router that will act as a switch and WiFi AP (obviously only for 2 network devices); this is in turn connected to another WiFi AP (which has a WiFi bridge that then extends the home WiFi to me, so same WiFi SSID and same password). In your opinion, can this structure work? Or can it create incompatibilities or conflicts?
(I attach network map for better understanding)
2. When I have finished making all the necessary configurations, I will have my main PC connected to the switch of network 2 and my two QNAP NAS connected to the switch of network 1. Even though they are in different networks, is it possible to make them communicate by giving them specific rules?
I ask because I am already having problems now that they are both in network 1: I cannot get them to communicate with each other, as I cannot access the NAS, and when I open the QNAP software (Qnap Finder) it sends me an error message telling me that the devices are not in the same subnet. But how is that possible? They are both configured with DHCP and therefore have the same IP assignment class.
At first I thought that perhaps, in order to connect to each other (despite being on the same subnet), they needed an authorization from the Firewalla, and in fact I tried to create rules that would allow them to communicate, but the rules that can be set are only to block connections, maybe because they are open by default?
It must be said, however, that I have not encountered this problem with devices other than the two NAS, nor with the video surveillance DVR, nor with the HP network printer.
I ask you for help because I am a bit confused.
@Vincenzo nice diagram! Forgive me, but I don’t know if I understand your goal(s).
Assuming the simple case that this topology is trying to create a single network: are the switches managed or unmanaged? Are the APs in bridge mode, or is DHCP active?
If a single network is the goal, then no other DHCP servers should be active and FWG should be in Router mode. You would let FWG set all these in the same IP range for this scenario.
It looks like you are manually setting up different subnets intentionally? If that is needed, then you need to use Routes to allow FWG to route traffic between subnets as you wish because by default traffic won’t be allowed. You can allow traffic in both directions or from one subnet to another but not the other way around. For example I have VLANs with IoT devices that I can see from my LAN but they can’t access my LAN.
However, if you are going to allow all traffic between two subnets then why have separate subnets? I’m assuming you might want something like A <-> B but no traffic between A and C for example? Anyway, Routes will allow you to connect traffic between subnets as you wish if they are really needed for whatever reason.
Devices on the same subnet can’t be blocked from seeing each other.
It doesn’t look like you are trying to set up VLANs but if you are, you need managed switches and then you configure them and FWG accordingly.
I hope this helps. If not, feel free to ask more questions.
So, actually I don't know if the choice of subnets is the best solution; after all, I'm still in the process of understanding. I'll explain better what the purpose of this segmentation is.
Recently my old QNAP NAS was attacked by ransomware that made me lose all my data. Let's leave out the level of security my network had, because I had dangerous things activated like UPnP, for a long time I had not installed QNAP security updates, I did not back up, etc.
Since then I have had to rebuild my entire home network, and I took the opportunity to make the appropriate investments in security, including the Firewalla Gold. I also bought a second QNAP NAS, in order to use the new one as the main one and the old one as a backup NAS.
Hence the reason for the segmentation: to create watertight compartments inside my network so as to prevent the infection of the entire network, limiting it to the most dangerous devices, that is precisely the IoT devices, which, being always connected 24/7, are at greater risk, and among which the QNAP main NAS stands out.
For this purpose I thought of fragmenting the network (making use of the functions of the FWG) as follows:
Network 1: IoT
(24/7 online devices, which represent a potential gateway for any malware that could infect the entire network, i.e. main QNAP NAS, HP network printer, video surveillance DVR, etc.)
Network 2: Sandbox
(Absolutely must-protect devices with the highest level of protection, almost as if they were protected by a Sandbox, QNAP backup NAS).
Network 3: General
(All other devices, PC, Tablet, Notebook, console, smartphone, Smart TV, etc.)
P.S. Each of these networks has its own range of DHCP addresses
To answer your questions:
A) Network 1 and 2 switches are unmanaged, while the Network 3 switch is my old Netgear modem/router, so I don't know how it should be considered, but I believe it is managed.
B) The WiFi of the access points, I believe, is of the "bridge" type because they are all connected with an ethernet cable (as shown in the diagram), and they all have the same SSID and the same encryption keys, both for the 2.4 GHz network and for the 5 GHz network.
At this point, however, there are some things I don't understand.
1. Why, if my PC and both my NAS are on the same subnet, are they not reachable from the PC?
"Unable to connect to the device. Check if the device and the computer are in the same subnet.
Click OK to open the web browser and try to connect the device again or click Cancel to cancel"
Obviously even if I try, the web page gives me the message:
"Unable to reach this page
192.168.x.x took too long to respond "
2. To be able to back up the NAS, I will need a rule to be able to pass data from the main NAS (Network 1) to the backup NAS (Network 2), but I would need a rule that would filter out any malware if at that moment the primary NAS is under ransomware attack.
I hope I have clarified my purposes and needs, obviously I am ready for any kind of suggestion or clarification, also because as I have already said I am not an expert on the subject, so any advice will be welcome.
Thanks again in advance 👍🏻
Great. So network 1 is a mix. Presumably you want to allow access to the printer from other subnets, but the IoT stuff possibly not. Subnets allow this when FWG Routes are applied, but the printer is open to any attacks from other devices on the same subnet. Maybe that’s a small concern. That’s up to you. You will need to use FWG Routes to allow devices on other subnets to access the printer (but I don’t think the printer needs to talk to other devices. Possible exceptions are if the printer is also a scanner or the printer queue reports errors back to the computer when you print. Worst case, allow traffic to go both to and from the printer, but that also means malware on the printer could reach the PCs, making the subnet pointless). Note if the printer supports AirPrint it may not work with Routes. I have not tested this, but AirPrint wasn't designed to work across subnets, so something to watch for.
network 2: presumably you want access to the NAS from other segments but you may want to keep any possible infection of the NAS from reaching other things. A Route can do this for you too.
Sounds like Network 3 is unmanaged, but that is o.k. for your configuration.
“B”: none of that is definitive about DHCP. Log in to the APs and make sure that DHCP is turned off. See https://help.firewalla.com/hc/en-us/articles/360048543713
1. What are the PC and NAS addresses of each? You are right, they should be reachable. Also, be sure that you didn’t set a fixed IP on the NAS. Sometimes people do that.
2. This is tricky, unless you have a special appliance that detects and blocks malware traffic between subnets. Some NASes have virus protection. You can use those to quarantine malware and then only back up the safe files. You can obviously allow traffic one way only between them if that helps.
As for the subnets, you may want to consider VLANs. Those allow you to layer isolated networks over the same cables, but your APs and switches will need to support VLANs to get the full benefit. This allows you to have fewer wires and mix devices on different VLANs within, say, the same room of the house. This takes a little more effort to set up but means fewer wires crisscrossing your house and, in some ways, is simpler. Here’s a brief tutorial comparing them.
Update on the printer issue… you might be able to limit the printer’s ability to communicate with devices on the other subnet. If something isn’t working (say scanning on the printer) allow access and try again. Then look at the flows and see if there is a specific port or other characteristic that you could allow rather than opening up the subnet to all traffic.
anyway, hope this helps.
So I experimented with my network some more. I moved the Brother MFC printer to a WVLAN which has client isolation, so it can’t see any other device on the subnet, and that VLAN can’t talk to my LAN or any other VLAN, but there is a rule allowing the LAN to talk to that VLAN. I can still print and scan from a device on the LAN, but the printer is about as isolated as I think is possible.
I also moved a homekit-enabled device to the same VLAN and it is able to work with the rest of homekit.
When my iOS device is on the VLAN, I can AirPlay to AppleTV, but strangely the AppleTV remote on iOS doesn’t seem to work. I can live with that. Here’s my network diagram in case it is of any help.
This is really basic security of course but can you configure the Firewalla Gold to restrict inter-VLAN traffic to specific ports and protocols?
i.e. Can you create a rule allowing traffic from a device on one VLAN to a device on another VLAN restricted to a specific port(s) and specific protocol(s) and deny all other traffic in another rule by default?
I do this routinely on my main router, and this is sort of really basic, but I can set up a default traffic rule to reject all traffic between all VLANs (those that have inter-VLAN routing enabled in the first place), and then create exceptions to this policy by creating one-way traffic rules that have the ability to restrict to a certain port and protocol.
So e.g. a rule can allow computer1 on VLAN 100 to reach computer2 on VLAN 200 through port 22 using the TCP protocol only (e.g. computer2 has an SSH server running on it).
And the default rule ensures that computer2 cannot reach computer1 or anything else on VLAN 100. (These are non-stateful firewall inter-VLAN traffic rules as usual, of course, as well.)
The last I checked, and from what the Firewalla website shows in examples currently still, is that it looks like you can only specify ports in outgoing traffic rules associated with Internet/WAN.
And for LAN-to-LAN rules, the most granular level of control possible for the user configuring the app is limited to allowing all traffic from one specific device on one VLAN to another device on another VLAN on all ports and all protocols.
Is this guide up to date?
If this limitation is still the case, given that MAC addresses and IP addresses can be spoofed, I think it’s best to only allow traffic over specific ports for specific purposes, fitting in with the whole security concept of granting least privilege.
I don’t have my Firewalla Gold in router mode right now so I can’t readily check again, but I’d appreciate it if someone can share if this limitation I encountered before when I was experimenting with the Firewalla Gold in router mode is still the case….
@Michael Bierman awesome diagram! what website or tool did you use to draw it?
I think you can achieve that by doing this:
Note: assume computer 1 is 192.168.100.10 and computer 2 is 192.168.200.20. You can't specify protocol in rules yet, so both udp and tcp 22 will be allowed.
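The exchange above asks for the least-privilege shape of an inter-VLAN rule: default deny between VLANs, one allow from computer1 to computer2 on port 22, and no path back the other way. As an added example (not Firewalla's code, and not a claim about how Firewalla evaluates rules), the block below models that policy with a connection table so that replies to an allowed SSH session pass while anything computer2 initiates toward VLAN 100 is dropped. It uses the addresses assumed in the post (192.168.100.10 and 192.168.200.20); the rule's optional protocol field reproduces the point that, with no protocol in the rule, UDP 22 is admitted alongside TCP 22.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

COMPUTER1 = "192.168.100.10"   # VLAN 100, per the post's assumption
COMPUTER2 = "192.168.200.20"   # VLAN 200, per the post's assumption


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class AllowRule:
    src: str                     # host or CIDR allowed to initiate
    dst: str                     # host or CIDR it may reach
    dport: int
    proto: Optional[str] = None  # None models "no protocol field": tcp and udp both match


def rule_allows(rules: List[AllowRule], pkt: Packet) -> bool:
    """Stateless check: does any allow rule match this packet exactly as written?"""
    for r in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst, strict=False)
                and r.dport == pkt.dport
                and (r.proto is None or r.proto == pkt.proto)):
            return True
    return False


class StatefulInterVlanFirewall:
    """Default deny between VLANs. Allow rules admit new connections in one
    direction only; the connection table admits the replies to those."""

    def __init__(self, rules: List[AllowRule]):
        self.rules = rules
        self.conntrack: Set[Tuple[str, int, str, int, str]] = set()

    def handle(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.conntrack or reverse in self.conntrack:
            return "allow (established)"
        if rule_allows(self.rules, pkt):
            self.conntrack.add(forward)  # remember the initiator so its replies get through
            return "allow (new)"
        return "deny (default)"


def demo(protocol_in_rule: bool) -> dict:
    rule = AllowRule(COMPUTER1, COMPUTER2, 22, proto="tcp" if protocol_in_rule else None)
    fw = StatefulInterVlanFirewall([rule])
    # Constructed packets: one legitimate SSH session plus several things that must not pass.
    ssh_syn = Packet(COMPUTER1, 51000, COMPUTER2, 22, "tcp")
    ssh_reply = Packet(COMPUTER2, 22, COMPUTER1, 51000, "tcp")
    udp_22 = Packet(COMPUTER1, 51001, COMPUTER2, 22, "udp")
    c2_probe = Packet(COMPUTER2, 40000, COMPUTER1, 22, "tcp")
    fake_reply = Packet(COMPUTER2, 22, COMPUTER1, 51999, "tcp")  # no session ever used port 51999
    http = Packet(COMPUTER1, 51002, COMPUTER2, 80, "tcp")
    return {
        "ssh c1 -> c2": fw.handle(ssh_syn),
        "ssh reply c2 -> c1": fw.handle(ssh_reply),
        "ssh reply, stateless check": "allow" if rule_allows([rule], ssh_reply) else "deny",
        "udp 22 c1 -> c2": fw.handle(udp_22),
        "c2 initiates to c1:22": fw.handle(c2_probe),
        "c2 fakes a reply": fw.handle(fake_reply),
        "c1 -> c2 port 80": fw.handle(http),
    }


if __name__ == "__main__":
    for label, verdicts in (("no protocol field", demo(False)), ("tcp in rule", demo(True))):
        print(label)
        for name, verdict in verdicts.items():
            print(f"  {name:28s} {verdict}")
```

The "stateless check" line shows why a purely stateless rule set needs a second, reverse rule for replies, which in turn widens what computer2 may send; a stateful evaluator keeps the reverse direction closed except for traffic that belongs to a session computer1 opened.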
That’s great! thanks for letting me know :)
Thanks, @mobius. https://www.draw.io/index.html
Thanks for these great articles. Considering purchasing one of your products.
I’m interested in how / whether network segmentation works in combination with a standard home router, e.g. Orbi RBK50, where:
1. The majority of IoT gadgets connect via Wi-Fi
2. We only have access to setting up a main Wi-Fi network and a guest Wi-Fi network (i.e. I can’t set up any new SSIDs)
Is it possible to set up a secure segmented IoT network in this scenario?
Do VLANs work in this scenario if the router allows VLAN tags? Or is it a requirement to have Wi-Fi hardware that supports the ability to set up multiple SSIDs for full segmentation?
Hi MattT, I don't have an Orbi myself, but the question comes down to its capabilities. If it doesn't support wireless VLANs (WVLANs) then the Wifi will either be on a Firewalla LAN or VLAN segment and all wifi devices would be on the same segment. You could set the wifi on one VLAN and your ethernet devices on another if you want to. But if you want to segment your wireless devices into different VLANs you have to confirm that the Orbis have WVLANs, and from a quick look at their manual I don't think they do (but I could be wrong).
I have Unifi APs which support WVLAN so each SSID can be tagged with a specific VLAN so I have one for my nest devices, one for other IoT devices, etc.
Generally your guest wifi will provide pretty good isolation from the rest of the network so you are good there.
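"Each SSID can be tagged with a specific VLAN" means the AP inserts an 802.1Q tag into every frame from that SSID before sending it down the trunk, and the router reads the 12-bit VLAN ID from that tag to decide which segment the frame belongs to. The following is an added example, not code from Firewalla or Unifi: it builds tagged and untagged Ethernet frames, parses the 802.1Q tag, and maps the VID to a segment. The SSID-to-VID table, the segment names, the MAC addresses and the choice of VLAN 1 as the native (untagged) VLAN are all constructed for the example; the tag layout and the reserved meanings of VID 0 and 4095 follow the standard.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
VID_PRIORITY_ONLY = 0   # tag carries priority bits but no VLAN membership
VID_RESERVED = 0xFFF    # 4095 is reserved and must not be used

# Constructed for this example: what the AP tags each SSID with, and which
# router-side segment each VID is supposed to land on.
SSID_TO_VID = {"Home": 1, "Nest": 10, "IoT": 20, "Guest": 30}
VID_TO_SEGMENT = {1: "LAN", 10: "nest-vlan", 20: "iot-vlan", 30: "guest-vlan"}
NATIVE_VID = 1  # assumption: untagged frames on the trunk belong to VLAN 1


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Construct an Ethernet II frame, optionally 802.1Q-tagged (test input only)."""
    header = dst_mac + src_mac
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0xFFF)   # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addressing, tag fields (if present), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0xFFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def segment_for(frame: bytes) -> str:
    """Decide which segment a frame arriving on the AP trunk belongs to, or drop it."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid == VID_PRIORITY_ONLY:
        vid = NATIVE_VID
    if vid == VID_RESERVED:
        return "drop (reserved VID)"
    return VID_TO_SEGMENT.get(vid, "drop (VID not mapped)")


def ap_frame(ssid: str, payload: bytes = b"\x45\x00") -> bytes:
    """Mimic an AP that tags a client's frame by the SSID it joined (constructed MACs)."""
    client = bytes.fromhex("0a1b2c3d4e5f")
    gateway = bytes.fromhex("0a1b2c000001")
    return build_frame(gateway, client, 0x0800, payload, vid=SSID_TO_VID[ssid])


def demo() -> dict:
    client = bytes.fromhex("0a1b2c3d4e5f")
    broadcast = b"\xff" * 6
    return {
        "IoT ssid": segment_for(ap_frame("IoT")),
        "Guest ssid": segment_for(ap_frame("Guest")),
        "untagged arp": segment_for(build_frame(broadcast, client, 0x0806, b"\x00\x01")),
        "unmapped vid 99": segment_for(build_frame(broadcast, client, 0x0800, b"", vid=99)),
    }


if __name__ == "__main__":
    for name, segment in demo().items():
        print(f"{name:16s} -> {segment}")
    print(parse_frame(ap_frame("IoT")))
```

An AP without WVLAN support emits every wireless client's frames untagged, so all of them fall into the native VLAN case above regardless of SSID; that is the limitation the thread is circling around. The "unmapped VID" branch is also worth keeping in a real configuration: a tag the router has no segment for should be dropped rather than defaulted onto the LAN.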
Really appreciate your prompt reply.
Correct, the Orbi only seems to have VLAN tagging for the WAN.
So... apart from replacing some good hardware with some very good hardware e.g. the Unifi APs.... Are you suggesting the next best thing to do is to set up IoT type devices on the guest network?
And if I do this... won't I just have problems using them? e.g. Phone won't connect to IoT device unless I switch the phone onto the Guest network as it won't be able to see them. That then seems to defeat the point of having them on an isolated network.
Or can I:
1) Put IoT on guest network
2) Use Gold to segment that guest network by SSID
3) Allow for some clever rules between main wifi network and guest wifi network to allow access to phone across both networks
Am I getting lost here or going in the right direction?
(Alternative? Just put Blue+ on local network, everything on same wifi and manage things as best I can from there?)
@MattT There are some less expensive WVLAN alternatives that have been mentioned on the forums. https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN
If you decide unifi is what you want, you can run the Unifi controller in docker (on Firewalla, a NAS, rpi, or a computer) so you don’t have to buy a UDM at all and the Unifi APs were not crazy expensive by themselves compared to other mid to high end alternatives.
You are right, the disadvantage of using a guest wifi is you can’t route some traffic (e.g. mDNS for homekit or chromecast) between the primary LAN and the guest network where you can with VLANs. Some IoT devices really don’t need LAN access and so Guest might work just fine. It depends on your needs.
Firewalla usually can’t relay traffic between vanilla guest wifi and the LAN because on a typical router they block the traffic. That’s the purpose of the guest network to isolate the LAN. You need WVLAN which sounds like different wifi in this case.
Another alternative is to set up a separate wifi network for IoT on a different IP range and allow traffic between the network segments, but then you have more APs lying around, so it is a little less elegant.
Blue+ is very nice. You can’t do as much with it as with Gold, for sure. So this comes down to what you want to achieve and budget. I started with Firewalla Blue (Blue Plus didn’t exist) and I wanted to separate my IoT devices because I was aware my cameras had been attacked. So I really wanted to separate them from everything else.
@Michael thank you so much that’s enormously helpful 👍 had been going round in circles trying to think things through and also have something to help protect the kids as they grow up.
Complicated by a large brick 100-year-old house that can’t be easily wired for use with APs and electrics that don’t like powerline connectors (although I haven’t tried new ones), so I have been relying on Orbi wireless backhaul to get Wi-Fi around, which to be fair is very reliable.
Was looking at the Dream Machine but was a bit concerned the firewall etc was a bit limited vs firewalla which looks more comprehensive.
Thanks again for all your help.