Firewalla Tutorial: Microsegmentation and Segmentation with AP7


9 comments

  • MGJ

    Since VqLAN comes at the loss of the 6 GHz band, maybe create a comparative VqLAN vs VLAN table: pros and cons of each, and what you can and cannot do on one vs the other.

    Other than the option to leave MAC randomization turned on, I do not yet see a clear advantage to use VqLAN vs VLAN.

    0
  • Andy

    It’s not VqLAN that makes you lose 6 GHz, it’s Personal Key, with which you also lose WPA3; but this is due to the specifications, not a Firewalla issue. Ubiquiti and other vendors are the same from what I can tell when googling.
    VqLAN is good if you do not want to bother with a VLAN, allowing some to keep the network flat and simple.

    0
  • Firewalla

    @Andy is correct. VqLAN is a group access control function, and Personal Key is a group assignment function (people log in using personal ID x and are assigned to the guest group, or guest VLAN).

    If you don't want to lose the 6 GHz band, using a separate SSID will do the same.

    0
  • Sean Donner

    I’ve noticed all Apple Watches (family and overnight guests) will revert their MAC randomization settings from ‘Off’ to ‘Fixed’ whenever the watch loses full charge. This is super annoying as it throws it into my quarantine group. I like the fact that Personal Key negates the need to key off the MAC. Since the watches only support Wi-Fi 4 (802.11n), losing 6 GHz for these watch devices (and phones) is not a big issue. Just want to confirm that I can create a separate ‘Mobile Device’ SSID, apply Personal Keys to it (non-6 GHz) and connect my iPhones and Apple Watches to it, but also create another SSID for my work laptop and gaming consoles that *does* have 6 GHz support. Is that correct?

    0
  • Firewalla

    @Sean, you can create an SSID + password (you really don't need Personal Keys) and have your watch just use that SSID instead.

    If you do want to use Personal Key, you can surely create a 2.4 GHz SSID + Personal Key; it will work.

    0
  • DanM

    I have the same issues with my iPhones and Apple Watches. For each SSID, I have set the phones to Private Wi-Fi Off. They are frequently landing in quarantine when returning home or switching SSIDs. Annoying, but trying to see if there is a pattern. Apologies, but glad to hear I wasn’t the only one. Not using Personal Keys.

    0
  • SiegeX

    @Firewalla. Question: if I don't use Personal Keys but instead just use a separate “mobile” SSID, that only works if I apply a group policy of rules against the “mobile” SSID and don't try to apply device-level rules to the watches, since Firewalla will not be able to distinguish them individually as their MACs keep rotating. Is that correct?

    @DanM I only see this behavior with watchOS. Reading some forums, it appears the firmware has an issue with mesh networks that have multiple WAPs (with different MACs) advertising the same SSID. I have heard of limited success resolving this via removing stored SSID passwords in the iCloud “Keychain” and forgetting the SSID on all Apple devices that use your Apple account, but apparently this requires a Mac to do.

    0
  • Firewalla

    @SiegeX, yes, you can use the normal SSID/password to microsegment. In this case, all MAC-randomized devices will go into the group, to which you can then apply policies as needed. I personally use this for my kids: all of their devices are in one bucket, so it really doesn't matter what the MAC is.

    0
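The point of SiegeX's question and Firewalla's answer, as an added example (Python, constructed for this page; it is not Firewalla code and does not use any Firewalla API): a policy keyed on which device group a client belongs to keeps working when the client's MAC rotates only if group membership is derived from the SSID it joined, not from a curated MAC table. The SSID names, group names, MACs and rule sets below are all made up. The `is_locally_administered` check is an added practitioner hint, not something the thread mentions: randomized (private) Wi-Fi addresses set the IEEE locally-administered bit in the first octet, so it is a cheap way to spot the clients that will keep falling out of a MAC-keyed policy.

```python
from dataclasses import dataclass

QUARANTINE = "quarantine"  # hypothetical default group for unknown clients (constructed)


@dataclass(frozen=True)
class Client:
    mac: str   # MAC as seen by the AP at association time
    ssid: str  # SSID the client associated to


def is_locally_administered(mac: str) -> bool:
    """True when the U/L (locally-administered) bit of the first octet is set.

    Randomized/private addresses used by Apple, Android and Windows set this
    bit; burned-in vendor MACs normally do not. Useful for spotting clients
    whose address is going to rotate.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def group_by_mac(client: Client, mac_groups: dict[str, str]) -> str:
    """Device-level assignment: look the MAC up in a table you curated once."""
    return mac_groups.get(client.mac.lower(), QUARANTINE)


def group_by_ssid(client: Client, ssid_groups: dict[str, str]) -> str:
    """Group-level assignment: the SSID the device joined decides the group."""
    return ssid_groups.get(client.ssid, QUARANTINE)


def allowed(group: str, dest: str, rules: dict[str, set[str]]) -> bool:
    """Default-deny: a destination is reachable only if the group lists it."""
    return dest in rules.get(group, set())


# Constructed sample data (hypothetical names and addresses)
MAC_GROUPS = {"a4:83:e7:12:34:56": "mobile"}  # the watch's burned-in MAC, enrolled by hand
SSID_GROUPS = {"home-mobile": "mobile", "home-main": "trusted"}
RULES = {
    "trusted": {"internet", "lan"},
    "mobile": {"internet"},        # phones/watches: internet only, no LAN access
    QUARANTINE: set(),             # unknown clients get nothing
}


def evaluate(client: Client, dest: str) -> dict[str, bool]:
    """Decide one flow under both assignment strategies, side by side."""
    return {
        "by_mac": allowed(group_by_mac(client, MAC_GROUPS), dest, RULES),
        "by_ssid": allowed(group_by_ssid(client, SSID_GROUPS), dest, RULES),
    }


def demo() -> dict:
    """Same watch on two days: day 2 it returns with a private (randomized) MAC."""
    watch_day1 = Client("a4:83:e7:12:34:56", "home-mobile")
    watch_day2 = Client("da:2b:7c:0f:9e:11", "home-mobile")  # U/L bit set -> randomized
    return {
        "day1": evaluate(watch_day1, "internet"),
        "day2": evaluate(watch_day2, "internet"),
        "day2_lan": evaluate(watch_day2, "lan"),
        "day2_randomized": is_locally_administered(watch_day2.mac),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On day 2 the MAC-keyed lookup no longer recognizes the watch and it lands in `quarantine` (the behavior Sean and DanM describe), while the SSID-keyed lookup still places it in `mobile` and the same internet-only rule applies. The `day2_lan` entry shows the group rule still restricting the watch under the SSID strategy; that is the trade-off SiegeX names: you get a stable group policy, but not per-device rules for a client whose MAC you cannot pin down.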
  • DanM

    @SiegeX, thank you. I will look into this.

    0