This article explains how to microsegment your Wi-Fi and covers common microsegmentation use cases.
- Basics of Microsegmentation
- Using VqLAN to Microsegment the Network
- Using VLAN to Segment the Network
- FAQs
Other helpful resources for the Firewalla AP7:
- Building a Zero Trust Network with Firewalla
- Getting Started with Firewalla Access Point 7
- Firewalla Access Point 7 Installation Guide
- Firewalla Access Point 7 Troubleshooting Guide
- AP7 Community Page & Discussion Forum
1. Basics of Microsegmentation
If you are already using "Groups" or "Users" to manage devices, all you need to do is go to groups (or users) and turn on VqLAN. (With VqLAN on, your group/user will now be segmented from the rest of your devices).
- Use groups (or users) to identify the devices that need to be microsegmented. These devices will need to be on the same network.
- When VqLAN is on, the devices within the group/user can only talk to each other and to the internet. They will not be able to reach other devices on the same network (LAN), or devices on other LAN network segments you created.
- You can further enhance this microsegment by turning on device isolation. This will isolate devices within the same group from talking to each other.
Group Membership
Static Group (or Users) Membership
For devices already part of your network, you can statically assign devices to groups, such as "IoT Group" or "Ring Group".
You can learn more about Device Groups and Users here.
Dynamic Groups (or Users) Membership
For any "new" devices, with the addition of the Firewalla AP7, you can now dynamically assign devices to a group:
- Turn on VqLAN + Device Isolation on the "Quarantine Group".
- Each SSID (Wi-Fi name) you create can be pointed to a group/User.
- Alternatively, keep a single SSID, create a personal key on it, and point that key to a group/User.
2. Using VqLAN to Microsegment the Network
VqLAN (virtual quarantine LAN) is Firewalla’s implementation of Layer 2 network microsegmentation. It functions somewhat like VLAN but within the same network. VqLAN is simple to set up and it doesn’t have issues working with multiple VLANs. It can operate within an existing VLAN or your main network without changing IP addresses. Microsegmentation using VqLAN complements segmentation done through ports or VLAN.
Example 1: A Simple Guest Network
Firewalla AP7 easily sets up a guest network at home. It creates a new SSID for guests, automatically assigns guest devices to the guest group, and microsegments guest traffic to protect your personal devices.
Here’s how to create a simple guest network:
- Create a Guest Group & Apply VqLAN, Device Isolation, and Rules
- Create Guest SSID
- Map SSID to Guest Group
1.1. Create a Guest Group & Apply VqLAN, Device Isolation, and Rules
On the box’s main page, tap Devices > Create Group to create a guest group. From the group detail page, scroll down and enable VqLAN. Once VqLAN is enabled, Device Isolation will appear and can be turned on.
- VqLAN will block all traffic to and from devices outside the group. Devices within the group can still talk to each other.
- Device Isolation will prevent each device in the group from communicating with other devices, including devices within the same group.
- Both features only apply to devices connected to Firewalla Access Points.
Add custom rules to the Guest group. For example, block all porn sites and all gambling sites.
1.2. Create Guest SSID
Create the Guest Wi-Fi. Set the Wi-Fi Name (SSID) to “Guest,” set a password, and select the main LAN for the network.
1.3. Map SSID to Guest Group
Go to the Guest Wi-Fi page. Tap Edit in the top right corner to change the User/Group to the Guest group.
New devices connected to the Guest SSID will now be automatically assigned to the Guest group and have rules applied to them.
Example 2: Manage IoT (Using Multiple SSIDs)
Firewalla AP7 supports multiple SSIDs, so each SSID + password combination can dynamically assign devices to a group (such as IoT devices) or to a user (such as a kid).
Here’s how to manage IoT with multiple SSIDs:
- Create IoT Groups & Apply VqLAN and Device Isolation
- Create SSIDs for Each IoT Group
- Map SSIDs to Groups
2.1. Create IoT Groups & Apply VqLAN and Device Isolation
On the box’s main page, tap Devices > Create Group to create separate IoT groups, named “IoT1” and “IoT2”.
For both groups, scroll down from the group detail page and enable VqLAN to prevent traffic to and from devices outside the IoT group. Once VqLAN is enabled, you may turn on Device Isolation if your devices do not need to communicate with each other.
2.2. Create SSIDs for Each IoT Group
Create a separate Wi-Fi for each IoT group (box’s main page > Wi-Fi > Create Wi-Fi).
For example, we’ll set the Wi-Fi Name (SSID) to “SSID_IoT1”, set a password, and select the main LAN for the network. Repeat this process to create “SSID_IoT2” for the second IoT group.
2.3. Map SSIDs to Groups
Navigate to the SSID_IoT1 Wi-Fi page. Tap Edit in the top right corner, change the User/Group to the IoT1 group, and save. Repeat this process on SSID_IoT2 to map it to the IoT2 group.
Now, each IoT group has its own Wi-Fi to connect to. When IoT devices connect to the SSID, they will be automatically mapped to the configured group with the rules applied.
Example 3: Managing Kids (Using Personal Keys)
Firewalla AP7 can create a new SSID for kids, microsegmented with personal keys. Each kid uses their key as the SSID password to connect devices to Wi-Fi, automatically mapping devices to their User profiles.
Here’s how to manage kids with personal keys:
3.1. Create Kid Users & Apply Parental Controls
If you already have User profiles created for each kid and have parental controls applied, you may skip this step.
On the box’s main page, tap Users > Create User. Create Kid1 from scratch or from an existing group, and save. Repeat this process to create Kid2. Learn more about creating users here.
Then, turn on Family Protect (box’s main page > Family > Family Protect). Choose Kid1 and Kid2 as the Users to apply it to and save. Learn more about Family Protect here.
3.2. Create Kids SSID
If you already have an existing SSID created, you may skip this step.
Create a new Wi-Fi for the kids (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID) to “kidsgroup,” set a password, and select the main LAN for the network.
3.3. Create Personal Keys for Each Kid
Navigate to the kids’ Wi-Fi page or the SSID you’d like to microsegment. Tap Add Microsegment to set a personal key and map it to User Kid1. Using a different personal key, add another microsegment for Kid2. Tap Save in the top right corner to save the microsegments.
Note: Microsegments with personal keys are only available on SSIDs with WPA2 security, and the 6 GHz band is not supported. If your security type is not WPA2, the app will ask you to change the security type, and 6 GHz will not be available on that SSID.
Any devices that connect to the kidsgroup SSID with a personal key will be automatically mapped to the configured User, so you’ll always know which device belongs to whom.
3. Using VLAN to Segment the Network
Unlike VqLAN, VLAN segments the network at Layer 3, with each VLAN using a different network address space. You can learn more about VLAN and port-based segmentation in this article.
With the Firewalla AP7, you have these two features:
- SSID to VLAN mapping. Any device that connects using a given SSID is placed on the mapped VLAN network.
- SSID + Personal Key to VLAN mapping. (This feature is experimental.)
Example 1: A Simple Guest Network
Firewalla AP7 makes it simple to create a Guest VLAN. It can create a Guest Wi-Fi and automatically map devices to the VLAN, without complex steps to reconfigure your existing network.
Here’s how to create a simple guest network using VLAN:
- Create Guest VLAN and Apply Rules
- Create Guest SSID and Map to VLAN
- (Optional) Create Guest Group and Enable Device Isolation
1.1. Create Guest VLAN and Apply Rules
If you already have a Guest VLAN created and applied rules to the VLAN, you may skip this step.
On your box’s main page, navigate to Network > Create Network > Local Network. Create a VLAN network named “Guest VLAN” with VLAN ID 1003. Select the Ethernet Port to which the AP7 is connected on the Firewalla box. In this case, our AP7 is connected to our Firewalla Gold’s Port 2.
On your box’s main page, tap Rules > Add Rule to add custom rules to the Guest VLAN. For example, block traffic to all local networks on the Guest VLAN.
1.2. Create Guest SSID and Map to VLAN
Create the new Guest Wi-Fi (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID) and password. Select the Guest VLAN created in Step 1.1 for the network, then tap Create.
Alternatively, edit an existing SSID and select the Guest VLAN for the network.
Now, when a device connects to the Guest’s Wi-Fi, it will automatically be placed on the Guest VLAN with custom rules applied, separate from your main LAN.
1.3. (Optional) Create Guest Group and Enable Device Isolation
Automatic network-based isolation will be supported in a future Firewalla AP7 software release.
As a workaround to implement this, you will need to create a group for the VLAN, enable VqLAN and Device Isolation for the group, and set it as the User/Group on the SSID (like VqLAN Example 1).
For example, we’ll set the User/Group on the Guest Wi-Fi to the Guest group.
When devices connect to the Guest Wi-Fi, they will be mapped to the Guest VLAN and the Guest VLAN group with Device Isolation applied.
Example 2: Dynamic VLAN (IoT VLANs)
Note: Dynamic VLAN is experimental.
Dynamic VLAN can help simplify IoT device management. Firewalla AP7 can create multiple microsegments with personal keys and map them to each VLAN, all within the same SSID.
Here’s how to create Dynamic VLANs for separate IoT networks:
2.1. Create IoT VLANs and Apply Rules
If you already have multiple VLANs created and custom rules applied, you may skip this step.
Create the new IoT VLANs (box’s main page > Network > Create Network > Local Network).
Name the first network “IoT,” set the type to VLAN, and use VLAN ID 1004. Repeat this process for another VLAN called IoT2 with VLAN ID 1005. Ensure the Ethernet Port is set to the port the AP7 is connected to on the Firewalla box.
Some IoT devices might require different access rules within your network. Custom rules can be added to each IoT VLAN (box’s main page > Rules > Add Rule). Learn more about Network Segmentation use cases here.
2.2. Create IoT SSID
Create a new SSID (box’s main page > Wi-Fi > Create Wi-Fi). Set the Wi-Fi Name (SSID), set a password, and select the main network.
2.3. Create Personal Keys for Each IoT VLAN
Navigate to the IoT Wi-Fi page. Tap Add Microsegment to set up a personal key. Under the new personal key, tap Network and select the IoT VLAN. Then, add another microsegment, create a different personal key, and select the IoT2 VLAN for the network. Tap Save in the top right corner.
Now, when IoT devices are connected to the Wi-Fi using their specific personal keys, they are automatically mapped to the respective VLAN and have VLAN-specific rules applied to them.
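To make the reachability rules from section 1.1 (VqLAN, Device Isolation, and the "AP-connected devices only" caveat) and the assignment rules from sections 2 and 3 (SSID password and personal keys mapping a device to a group and/or VLAN) concrete, here is a small policy model. It is an added example written for this article, not Firewalla code, and the behaviour of the real AP7 and box is not derived from it; the class names, SSID passwords, personal keys and device names are constructed, and inter-network traffic is assumed to be allowed unless a box rule blocks it in that direction. It is useful for writing down what you expect a configuration to permit before you test it on the network.

```python
"""Toy model of the microsegmentation semantics described in this article.

Added example (not Firewalla code). Names, keys and rules are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Microsegment:
    """What a personal key maps to; None means inherit from the SSID."""
    group: str | None = None     # User/Group assignment (section 2, Example 3)
    network: str | None = None   # Dynamic VLAN assignment (section 3, Example 2)


@dataclass(frozen=True)
class Ssid:
    name: str
    password: str                # shared SSID password
    network: str                 # network selected when the Wi-Fi was created
    group: str | None = None     # User/Group set on the Wi-Fi page
    personal_keys: dict[str, Microsegment] = field(default_factory=dict)


@dataclass(frozen=True)
class GroupPolicy:
    vqlan: bool = False
    device_isolation: bool = False   # only offered once VqLAN is on


@dataclass(frozen=True)
class Device:
    name: str
    network: str
    group: str | None = None
    via_ap7: bool = True         # VqLAN/isolation only act behind a Firewalla AP


INTERNET = Device("internet", network="WAN", via_ap7=False)


def connect(ssid: Ssid, key: str, name: str) -> Device | None:
    """Resolve the group and network a joining device lands in.

    The shared password yields the SSID's own group/network; a personal key
    overrides either with its microsegment. An unknown key fails to join.
    """
    if key == ssid.password:
        return Device(name, ssid.network, ssid.group)
    seg = ssid.personal_keys.get(key)
    if seg is None:
        return None
    return Device(name, seg.network or ssid.network, seg.group or ssid.group)


def _policy(dev: Device, policies: dict[str, GroupPolicy]) -> GroupPolicy:
    """Policy as enforced: nothing applies to wired / non-AP7 devices (1.1)."""
    if not dev.via_ap7 or dev.group is None:
        return GroupPolicy()
    return policies.get(dev.group, GroupPolicy())


def can_reach(src: Device, dst: Device, policies: dict[str, GroupPolicy],
              blocked_routes: frozenset = frozenset()) -> bool:
    """Can src open a connection to dst?

    Different networks are routed by the box, so only its directional
    inter-network rules apply (assumed allow-by-default). Within one network
    VqLAN blocks traffic to and from devices outside the group, and Device
    Isolation blocks traffic to every other device, in either direction.
    """
    if src.network != dst.network:
        return (src.network, dst.network) not in blocked_routes
    for this, other in ((src, dst), (dst, src)):
        pol = _policy(this, policies)
        if pol.device_isolation or (pol.vqlan and this.group != other.group):
            return False
    return True


def example_scenario() -> dict:
    """Configuration mirroring the article's examples (constructed values)."""
    policies = {
        "Guest": GroupPolicy(vqlan=True, device_isolation=True),  # section 3, Ex. 1 workaround
        "IoT1": GroupPolicy(vqlan=True),                            # section 2, Ex. 2
    }
    guest_wifi = Ssid("Guest", "guest-pass", network="Guest VLAN", group="Guest")
    iot1_wifi = Ssid("SSID_IoT1", "iot1-pass", network="LAN", group="IoT1")
    iot_wifi = Ssid("IoT", "iot-pass", network="LAN", personal_keys={
        "key-iot1": Microsegment(network="IoT VLAN"),    # VLAN ID 1004
        "key-iot2": Microsegment(network="IoT2 VLAN"),   # VLAN ID 1005
    })
    # Rule from section 3, Example 1: block Guest VLAN -> all local networks.
    blocked = frozenset({("Guest VLAN", n) for n in ("LAN", "IoT VLAN", "IoT2 VLAN")})
    laptop = Device("laptop", "LAN")                       # personal device, behind AP7
    printer = Device("printer", "LAN", via_ap7=False)      # wired to a switch
    g1 = connect(guest_wifi, "guest-pass", "guest-phone-1")
    g2 = connect(guest_wifi, "guest-pass", "guest-phone-2")
    cam1 = connect(iot1_wifi, "iot1-pass", "cam1")
    cam2 = connect(iot1_wifi, "iot1-pass", "cam2")
    plug = connect(iot_wifi, "key-iot1", "plug")
    bulb = connect(iot_wifi, "key-iot2", "bulb")
    return {
        "guest->guest": can_reach(g1, g2, policies, blocked),        # isolation
        "guest->laptop": can_reach(g1, laptop, policies, blocked),   # VLAN rule
        "guest->internet": can_reach(g1, INTERNET, policies, blocked),
        "cam1->cam2": can_reach(cam1, cam2, policies, blocked),      # same group
        "cam1->laptop": can_reach(cam1, laptop, policies, blocked),  # VqLAN
        "laptop->cam1": can_reach(laptop, cam1, policies, blocked),  # VqLAN, reverse
        "cam1->printer": can_reach(cam1, printer, policies, blocked),
        "plug_network": plug.network,
        "bulb_network": bulb.network,
        "wrong_key_rejected": connect(iot_wifi, "wrong-key", "x") is None,
    }


if __name__ == "__main__":
    for check, result in example_scenario().items():
        print(f"{check:20} {result}")
```

The scenario encodes the defaults this article states: VqLAN blocks in both directions, Device Isolation also blocks members of the same group, a wired printer is still unreachable from a VqLAN device because the policy is enforced on the AP7-connected side, and a personal key can move a device to a different VLAN without touching its SSID.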
4. FAQs
When to Use VLAN-based Segmentation?
- You want more complex rules between your device groups, such as controlling devices and ports.
- You already have multiple networks, and you fully understand that network discovery (via SSDP or IGMP) may be difficult across VLAN segments.
- Your devices are connected to switches from different vendors, and the devices needing control are not all under the AP7.
When to Use VqLAN-based Microsegmentation?
- You don’t want to re-design the network and change device IP addresses.
- You have a single flat network.
- Devices needing control are all managed by the AP7.
- Your LAN device policy is simple, including practices such as:
  - Grouping devices together
  - Isolating devices
- You don't want to mess with SSDP or IGMP reflections.
When should multiple SSIDs be used to assign devices to groups dynamically, versus personal keys?
If you plan to use a few SSIDs (4 or 5) in your network and/or need to use WPA3, using multiple SSIDs is a good solution.
If you need to map to many groups and don't care about WPA3, a personal key is much more scalable. (Since the personal key feature is fairly new, if you only have a few dynamic groups, use multiple SSIDs first.)
Can I use WPA3 security on SSIDs with microsegments?
If you can create multiple SSIDs to dynamically manage group (microsegment) membership, you can use any WPAx; there is no restriction. See the Manage IoT example (using multiple SSIDs) in section 2 for a way to do this.
If you need to dynamically manage group (microsegment) membership using the same SSID and personal keys, then only WPA2 is supported.
If you do not need to dynamically manage group (microsegment) membership, and you already know your devices, you can use any WPAx.
Comments
3 comments
Since VqLAN comes at the loss of the 6GHz band, maybe create a comparative VqLAN vs VLAN table, pros and cons of each, what you can and cannot do one vs the other.
Other than the option to leave MAC randomization turned on, I do not yet see a clear advantage to use VqLAN vs VLAN.
It’s not VqLAN that makes you lose 6 GHz; it’s the personal key, with which you also lose WPA3. But this is due to the specifications, not a Firewalla issue; Ubiquiti and other vendors are the same from what I can tell when googling.
VqLAN is good if you do not want to bother with a VLAN, allowing some to keep the network flat and simple.
@Andy is correct. VqLAN is a group access control function, and Personal Key is a group assignment function (people log in using personal ID x, assign to the guest group, or guest VLAN).
If you don't want to lose the 6 GHz band, using a separate SSID will do the same.