This article will explain how to microsegment your Wi-Fi and common microsegmentation use cases.
- Basics of Microsegmentation
- Using VqLAN to Microsegment the Network
- Using VLAN to Segment the Network
- FAQs
Other helpful resources for the Firewalla AP7:
- Firewalla Zero Trust Network Architecture
- Getting Started with Firewalla Access Point 7
- Firewalla Access Point 7 Installation Guide
- Firewalla Access Point 7 Troubleshooting Guide
- AP7 Community Page & Discussion Forum
1. Basics of Microsegmentation
If you are already using "Groups" or "Users" to manage devices, all you need to do is go to groups (or users) and turn on VqLAN. (With VqLAN on, your group/user will now be segmented from the rest of your devices).
- Use groups (or users) to identify the devices that need to be microsegmented. These devices will need to be on the same network.
- When VqLAN is on, your devices within the group/user can only talk to themselves and the internet. They will not be able to access devices within the same network (LAN), or other LAN network segments you created.
- You can further enhance this microsegment by turning on device isolation. This will isolate devices within the same group from talking to each other.
Group Membership
Static Group (or Users) Membership
For devices already part of your network, you can statically assign devices to groups, such as "IoT Group" or "Ring Group".
You can learn more about Device Groups and Users here.
Dynamic Groups (or Users) Membership
For any "new" devices, with the Firewalla AP7 you can now dynamically assign devices to a group:
- Turn on VqLAN + Device Isolation on the "Quarantine Group"
- With each SSID (Wi-Fi name) created, you can point them to a group/User.
- You can use the same SSID and use a personal key and point them to a group/User.
2. Using VqLAN to Microsegment the Network
VqLAN (virtual quarantine LAN) is Firewalla’s implementation of Layer 2 network microsegmentation. It functions somewhat like VLAN but within the same network. VqLAN is simple to set up and it doesn’t have issues working with multiple VLANs. It can operate within an existing VLAN or your main network without changing IP addresses. Microsegmentation using VqLAN complements segmentation done through ports or VLAN.
Example 1: A Simple Guest Network
Firewalla AP7 easily sets up a guest network at home. It creates a new SSID for guests, automatically assigns guest devices to the guest group, and microsegments guest traffic to protect your personal devices.
Here’s how to create a simple guest network:
- Create a Guest Group & Apply VqLAN, Device Isolation, and Rules
- Create Guest SSID
- Map SSID to Guest Group
1.1. Create a Guest Group & Apply VqLAN, Device Isolation, and Rules
On the box’s main page, tap Devices > Create Group to create a guest group. From the group detail page, scroll down and enable VqLAN. Once VqLAN is enabled, Device Isolation will appear and can be turned on.
- VqLAN will block all traffic to and from devices outside the group. Devices within the group can still talk to each other.
- Device Isolation will prevent each device in the group from communicating with other devices, including devices within the same group.
- Both features only apply to devices connected to Firewalla Access Points.
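To make the three rules above concrete, here is an added Python model (not Firewalla's code) of which LAN flows VqLAN and Device Isolation permit; the group names, the `on_ap` flag and the `INTERNET` sentinel are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional, Union

INTERNET = "internet"  # constructed sentinel: the path VqLAN never blocks


@dataclass(frozen=True)
class Device:
    name: str
    group: Optional[str]  # Firewalla group/user the device belongs to, or None
    on_ap: bool           # True only if connected through a Firewalla AP7


@dataclass(frozen=True)
class GroupPolicy:
    vqlan: bool = False
    isolation: bool = False  # Device Isolation is only offered once VqLAN is on

    def __post_init__(self) -> None:
        if self.isolation and not self.vqlan:
            raise ValueError("Device Isolation requires VqLAN to be enabled")


def allowed(src: Device, dst: Union[Device, str],
            policies: dict) -> bool:
    """True if src may send LAN traffic to dst under the page's VqLAN rules.

    dst is either a Device or the INTERNET sentinel.
    """
    if dst == INTERNET:
        return True  # VqLAN only segments the LAN side, internet stays reachable
    # Enforcement happens at the AP: a group member that is wired (or behind
    # a third-party AP) is outside the enforcement point, so its policy is
    # not applied to flows it takes part in.
    for dev in (src, dst):
        if not dev.on_ap or dev.group is None:
            continue
        pol = policies.get(dev.group, GroupPolicy())
        if pol.vqlan and src.group != dst.group:
            return False  # blocks traffic to AND from devices outside the group
        if pol.isolation:
            return False  # no device-to-device traffic, even inside the group
    return True  # plain LAN behaviour: no VqLAN policy applies to either side
```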
Add custom rules to the Guest group. For example, block all porn sites and all gambling sites.
1.2. Create Guest SSID
Create the Guest Wi-Fi. Set the Wi-Fi Name (SSID) to “Guest,” set a password, and select the main LAN for the network.
1.3. Map SSID to Guest Group
Go to the Guest Wi-Fi page. Tap Edit in the top right corner to change the User/Group to the Guest group.
New devices connected to the Guest SSID will now be automatically assigned to the Guest group and have rules applied to them.
Example 2: Manage IoT (Using Multiple SSIDs)
Firewalla AP7 can support multiple SSIDs, allowing each SSID + password to dynamically assign devices to groups like IoT devices or users such as kids.
Here’s how to manage IoT with multiple SSIDs:
- Create IoT Groups & Apply VqLAN and Device Isolation
- Create SSIDs for Each IoT Group
- Map SSIDs to Groups
2.1. Create IoT Groups & Apply VqLAN and Device Isolation
On the box’s main page, tap Devices > Create Group to create separate IoT groups, named “IoT1” and “IoT2”.
For both groups, scroll down from the group detail page and enable VqLAN to prevent traffic to and from devices outside the IoT group. Once VqLAN is enabled, you may turn on Device Isolation if your devices do not need to communicate with each other.
2.2. Create SSIDs for Each IoT Group
Create a separate Wi-Fi for each IoT group (box’s main page > Wi-Fi > Create Wi-Fi).
For example, we’ll set the Wi-Fi Name (SSID) to “SSID_IoT1”, set a password, and select the main LAN for the network. Repeat this process to create “SSID_IoT2” for the second group of IoT.
2.3. Map SSIDs to Groups
Navigate to the SSID_IoT1 Wi-Fi page. Tap Edit in the top right corner, change the User/Group to the IoT1 group, and save. Repeat this process on SSID_IoT2 to map it to the IoT2 group.
Now, each IoT group has its own Wi-Fi to connect to. When IoT devices connect to the SSID, they will be automatically mapped to the configured group with the rules applied.
Example 3: Managing Kids (Using Personal Keys)
Firewalla AP7 can create a new SSID for kids, microsegmented with personal keys. Each kid uses their key as the SSID password to connect devices to Wi-Fi, automatically mapping devices to their User profiles.
Here’s how to manage kids with personal keys:
3.1. Create Kid Users & Apply Parental Controls
If you already have User profiles created for each kid and have parental controls applied, you may skip this step.
On the box’s main page, tap on Users > Create User. Create Kid1 from scratch or an existing group, and save. Repeat this process to create Kid2. Learn more about creating users here.
Then, turn on Family Protect (box’s main page > Family > Family Protect). Choose Kid1 and Kid2 as the Users to apply it to and save. Learn more about Family Protect here.
3.2. Create Kids SSID
If you already have an existing SSID created, you may skip this step.
Create a new Wi-Fi for the kids (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID) to “kidsgroup,” set a password, and select the main LAN for the network.
3.3. Create Personal Keys for Each Kid
Navigate to the kids’ Wi-Fi page or the SSID you’d like to microsegment. Tap Add Additional Microsegment to set a personal key and map it to User Kid1. Using a different personal key, add another additional microsegment for Kid2. Tap Save in the top right corner to save the microsegments.
Note: additional microsegments with personal keys will disable the 6 GHz band and are not supported on WPA3 security types.
Any devices that connect to the kidsgroup SSID with a personal key will be automatically mapped to the configured User, so you’ll always know which device belongs to whom.
Note: iOS devices may share Wi-Fi settings across devices using the same iCloud account. This can cause personal key-based microsegmentation to behave unexpectedly. Learn more here.
3. Using VLAN to Segment the Network
Unlike VqLAN, VLAN can segment networks at layer 3 using a different network address space. You can learn more about VLAN and port-based segmentation in this article.
With the Firewalla AP7, you will have these two features:
- SSID to VLAN mapping. Any device that connects using a given SSID will be placed on the VLAN network mapped to it.
- SSID + Personal Key to VLAN mapping. (This feature is experimental)
Example 1: A Simple Guest Network
Firewalla AP7 makes it simple to create a Guest VLAN. It can create a Guest Wi-Fi and automatically map devices to the VLAN, without complex steps to reconfigure your existing network.
Here’s how to create a simple guest network using VLAN:
- Create Guest VLAN and Apply Rules
- Create Guest SSID and Map to VLAN
- (Optional) Create Guest Group and Enable Device Isolation
1.1. Create Guest VLAN and Apply Rules
If you already have a Guest VLAN created and applied rules to the VLAN, you may skip this step.
On your box’s main page, navigate to Network > Create Network > Local Network. Create a VLAN network named “Guest VLAN” with VLAN ID 1003.
Select the same ports that your AP7 LAN is configured to. In this case, our AP7 is connected to Port 1 of our Firewalla Gold, but the LAN is configured for both Ports 1 and 2, so our Guest VLAN must also be configured for Ports 1 and 2.
On your box’s main page, tap Rules > Add Rule to add custom rules to the Guest VLAN. For example, block traffic to all local networks on the Guest VLAN.
1.2. Create Guest SSID and Map to VLAN
Create the new Guest Wi-Fi (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID) and password. Select the Guest VLAN created in Step 1 for the network, then tap Create.
Alternatively, edit an existing SSID and select the Guest VLAN for the network.
Now, when a device connects to the Guest’s Wi-Fi, it will automatically be placed on the Guest VLAN with custom rules applied, separate from your main LAN.
1.3. (Optional) Create Guest Group and Enable Device Isolation
Automatic network-based isolation will be supported in a future Firewalla AP7 software release.
As a workaround to implement this, you will need to create a group for the VLAN, enable VqLAN and Device Isolation for the group, and set it as the User/Group on the SSID (like VqLAN Example 1).
For example, we’ll assign a Guest group for the User/Group on the Guest Wi-Fi.
When devices connect to the Guest Wi-Fi, they will be mapped to the Guest VLAN and the Guest VLAN group with Device Isolation applied.
Example 2: Dynamic VLAN (IoT VLANs)
Note: Dynamic VLAN is experimental.
Dynamic VLAN can help simplify IoT device management. Firewalla AP7 can create multiple microsegments with personal keys and map them to each VLAN, all within the same SSID.
Here’s how to create Dynamic VLANs for separate IoT networks:
2.1. Create IoT VLANs and Apply Rules
If you already have multiple VLANs created and custom rules applied, you may skip this step.
Create the new IoT VLANs (box’s main page > Network > Create Network > Local Network).
Name the first network “IoT,” set the type to VLAN, and use VLAN ID 1004. Make sure to select the same ports as the AP7 LAN. For example, if our AP7 LAN is configured for Ports 1 and 2, the IoT VLAN must be configured the same way.
Repeat this process for another VLAN called "IoT2" with VLAN ID 1005.
Some IoT devices might require different access rules within your network. Custom rules can be added to each IoT VLAN (box’s main page > Rules > Add Rule). Learn more about Network Segmentation use cases here.
2.2. Create IoT SSID
Create a new SSID (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID), set a password, and select the main network.
2.3. Create Personal Keys for Each IoT VLAN
Navigate to the IoT Wi-Fi page. Tap Add Additional Microsegment to set up a personal key. Under the new personal key, tap Network and select the IoT VLAN. Then, add another microsegment, create a different personal key, and select the IoT2 VLAN for the network. Tap Save in the top right corner.
Now, when IoT devices are connected to the Wi-Fi using their specific personal keys, they are automatically mapped to the respective VLAN and have VLAN-specific rules applied to them.
4. FAQs
When should multiple SSIDs be used to assign devices to groups dynamically, versus using personal keys?
If you plan to use a few SSIDs (4 or 5) in your network and/or need to use WPA3, using multiple SSIDs is a good solution.
If you need to map to many groups and don't care about WPA3, personal keys are much more scalable. (Since personal keys are fairly new, if you only have a few dynamic groups, use multiple SSIDs first.)
Can I use WPA3 security on SSIDs with microsegments?
If you can create multiple SSIDs to dynamically manage group (microsegment) membership, you can use any WPAx; there is no restriction. Check out Example 3 (Managing IoT) for a way to do this.
If you need to dynamically manage a group (microsegment) membership using the same SSID and personal keys, then only WPA2 is supported.
If you do not need to dynamically manage a group (microsegment) membership, and you know your devices already, you can use any WPAx.
Why are my iOS devices in the wrong group/user/network?
iCloud Keychain may sync Wi-Fi credentials (SSID and password) across other iOS devices using the same iCloud account.
If you have multiple devices using the same iCloud account, but would like to assign them to different microsegments using personal keys, we recommend turning off iCloud Keychain. This ensures Wi-Fi info is stored locally on each device and prevents incorrect group/user/network assignments.
Comments
Since VqLAN comes at the loss of the 6GHz band, maybe create a comparative VqLAN vs VLAN table, pros and cons of each, what you can and cannot do one vs the other.
Other than the option to leave MAC randomization turned on, I do not yet see a clear advantage to use VqLAN vs VLAN.
It’s not VqLAN that makes you lose 6 GHz, it’s personal key, with which you also lose WPA3, but this is due to the specifications, not a Firewalla issue; Ubiquiti and other vendors are the same from what I can tell when googling.
vqlan is good if you do not want to bother with a VLAN allowing some to keep the network flat and simple.
@Andy is correct. VqLAN is a group access control function, and Personal Key is a group assignment function (people log in using personal ID x, assign to the guest group, or guest VLAN).
If you don't want to lose the 6ghz, using a separate SSID will do the same.
I’ve noticed all Apple Watches (family and overnight guests) will revert their MAC randomization settings from ‘Off’ to ‘Fixed’ whenever the watch loses full charge. This is super annoying as it throws it into my quarantine group. I like the fact that Personal Key negates the need to key off the MAC. Since the watches only support WiFi 4 (802.11n), losing 6 GHz for these watch devices (and phones) is not a big issue. Just want to confirm that I can create a separate ‘Mobile Device’ SSID, apply personal keys to it (non-6 GHz) and connect my iPhones and Apple Watches to it, but also create another SSID for my work laptop and gaming consoles that *does* have 6 GHz support. Is that correct?
@sean, you can create SSID + password, (you really don't need personal keys), and have your watch just use that SSID instead.
If you do want to use personal key, you can surely create a 2.4ghz SSID + personal key, it will work
I have the same issues with my iPhones and Apple Watches. For each SSID, I have set phones to Private WiFi Off. They are frequently landing in quarantine when returning home or switching SSIDs. Annoying, but trying to see if there is a pattern. Apologies, but glad to hear I wasn’t the only one. Not using personal keys.
@firewalla. Question: if I don't use pass keys but instead just use a separate “mobile” SSID, that only works if I apply a group policy of rules against the “mobile” SSID and don't try to apply device-level rules to the watches, since Firewalla will not be able to distinguish them individually as their MACs keep rotating. Is that correct?
@DanM I only see this behavior with the WatchOS. Reading some forums, it appears the firmware has an issue with mesh networks that have multiple WAPs (with different MACs) advertising the same SSID. I have heard limited success resolving this via removing stored SSID passwords in the icloud “keychain” and forgetting the SSID on all apple devices that use your apple account, but apparently this requires a Mac to do.
@SiegX, yes you can use the normal SSID/password to microsegment; in this case, all MAC-randomized devices will get into the group that you can then apply policies to as needed. I personally use this on my kids: all of their devices are in one bucket, so it really doesn't matter what the MAC is.
@SiegeX, thank you. I will look into this.