VqLAN (virtual quarantine LAN) is Firewalla’s implementation of Layer 2 network microsegmentation. Functioning similarly to a VLAN, VqLAN provides isolation while operating within the same network. It’s also much easier to configure and integrates seamlessly with multiple VLANs.
Unlike traditional segmentation methods, VqLAN can be deployed within an existing VLAN or your main network without requiring IP address changes. By complementing VLAN and port-based segmentation, VqLAN strengthens network microsegmentation, offering a more flexible and efficient approach to network security.
VqLAN is NOT VLAN
VqLAN is a segmentation technology based on Layer 2 (Data Link Layer) access control lists, enabling more flexible and granular network isolation. For example, within a VqLAN group, devices A, B, and C can communicate with each other and access the internet while being restricted from interacting with devices outside the group.
Unlike VLANs, VqLAN operates without altering IP addresses or creating a separate broadcast domain. Device grouping is managed seamlessly through the Firewalla app, which tracks membership without modifying network configurations.
VqLAN:
- Segmentation via "access control lists". For example, block device A from talking to B but not C.
- Broadcast domain: VqLAN does not create a separate broadcast domain, so device discovery stays simple and easy regardless of which VqLAN group a device is in.
- Only usable when all devices are managed by Firewalla.
- Perfect for small home and business networks.
VLAN:
- Segmentation via 802.1Q data link (VLAN tag) headers.
- A separate broadcast domain is created using 802.1Q tagging and requires its own IP subnet to be created.
- You must use mDNS reflection for IoT device discovery (which may not always work).
- Works across multiple network switches and APs.
- Perfect for larger networks across many different switches and APs from different vendors.
Why VqLAN is simpler
VqLAN grouping is done via the Firewalla app, so there's no need to create a separate network or change your devices' IP addresses. To turn on VqLAN, navigate to the group and turn it on. Since VqLAN doesn't create its own broadcast domain the way a VLAN does, you don't need to run mDNS forwarding to make IoT devices discoverable.
- VqLAN will not restrict broadcast and multicast traffic between VqLAN segments.
VqLAN inside a VLAN
Since VqLAN does not require changing address space, it can coexist within a VLAN. You can create a VLAN and then create VqLAN device groups within that network to control device access.
VqLAN Requirements
- A Firewalla Access Point 7 unit is required.
- VqLAN can be enabled on Device Groups and Users.
- To fully utilize VqLAN, all devices in the Group or User must be connected to the Firewalla AP7. Any device that is not connected to an AP7 gets no benefit from VqLAN. Learn more about wired devices and VqLAN here.
- All devices in the VqLAN group must be on the same network.
Enable VqLAN
To turn on VqLAN, go to a Device Group or User page on the Firewalla app and toggle it on.
After VqLAN is enabled, devices that are part of the group and connected to the Firewalla AP7 will be microsegmented. They can talk to other devices within their group but not to devices outside it, unless the traffic is multicast or broadcast.
Assign devices to a VqLAN Microsegment
Devices can be assigned to a VqLAN microsegment either statically or dynamically.
Assign a device statically to a microsegment by simply adding the device to the group with VqLAN enabled.
Assign any device dynamically to a microsegment by:
- Enabling VqLAN on a Group
- Mapping an SSID to the VqLAN-enabled group.
- Or, if you already have an SSID and want to share it with the new group, you can map the SSID + unique personal key to the VqLAN-enabled group.
You can see more examples of microsegmentation with AP7 here.
Device Isolation
With Device Isolation, devices can be blocked from communicating with each other completely and only allowed internet access.
When VqLAN is enabled, you can turn on Device Isolation for an entire group to prevent local traffic between devices. This is especially useful for guest networks, where you don’t want guest devices interacting.
You can also enable Device Isolation on devices connected to the Firewalla AP7. This blocks all local traffic to and from that device – great for IoT devices that only need internet access but shouldn’t interact with anything else on your network.
Allowed Devices
Allowed Devices act as an exception to the VqLAN and Device Isolation settings.
On any device, group, or user with VqLAN or Device Isolation, you can use Allowed Devices to select specific devices, groups, or users and allow bidirectional traffic.
For example, if VqLAN is enabled on your IoT group to block all inbound and outbound traffic, but you need to access a printer within the group to print files from your laptop, you can go to the printer’s device detail page, scroll down to Allowed Devices, and add your laptop to the list.
Firewalla will then allow bidirectional traffic between the printer and your laptop while keeping all other traffic blocked.
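The following Python is an added example, not Firewalla's code: it models the decision rules described on this page (VqLAN group membership, the broadcast/multicast exemption, Device Isolation on a group or a single device, and the bidirectional Allowed Devices exception) for one local frame. The device names, MAC addresses, and the `decide`/`verdict` functions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def is_group_address(mac: str) -> bool:
    # Broadcast (ff:ff:...) and multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass
class Device:
    mac: str
    group: Optional[str] = None                 # Firewalla group the device belongs to, if any
    isolated: bool = False                      # per-device Device Isolation
    allowed: set = field(default_factory=set)   # Allowed Devices exception list (MACs)

@dataclass
class Group:
    vqlan: bool = False       # VqLAN toggled on for the group
    isolation: bool = False   # Device Isolation for the whole group (needs vqlan)

def decide(src_mac: str, dst_mac: str, devices: dict, groups: dict) -> str:
    """Return 'allow' or 'block' for a local frame, following the rules on this page."""
    if is_group_address(dst_mac):
        return "allow"                          # VqLAN never restricts broadcast/multicast
    src, dst = devices[src_mac], devices.get(dst_mac)
    if dst is None:
        return "allow"                          # not a managed LAN device (e.g. the gateway)
    if dst_mac in src.allowed or src_mac in dst.allowed:
        return "allow"                          # Allowed Devices: bidirectional exception
    for a, b in ((src, dst), (dst, src)):       # restrictions apply in both directions
        if a.isolated:
            return "block"                      # isolated device: no local traffic at all
        g = groups.get(a.group)
        if g is not None and g.vqlan and (g.isolation or b.group != a.group):
            return "block"                      # outside the microsegment, or group isolation
    return "allow"

# Constructed sample: IoT group (VqLAN), a laptop outside it, a printer allowing the laptop,
# a guest group (VqLAN + Device Isolation) and an isolated camera with no group.
GROUPS = {"iot": Group(vqlan=True), "guest": Group(vqlan=True, isolation=True)}
DEVICES = {d.mac: d for d in [
    Device("aa:00:00:00:00:01", "iot"),                                   # smart bulb
    Device("aa:00:00:00:00:02", "iot", allowed={"aa:00:00:00:00:10"}),    # printer
    Device("aa:00:00:00:00:10"),                                          # laptop
    Device("aa:00:00:00:00:20", "guest"),
    Device("aa:00:00:00:00:21", "guest"),
    Device("aa:00:00:00:00:30", isolated=True),                           # camera
]}

def verdict(src: str, dst: str) -> str:
    return decide(src, dst, DEVICES, GROUPS)
```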
FAQs
- When to use VLAN-based Segmentation?
- When to use VqLAN-based Microsegmentation?
- Can I use VqLAN with wired devices?
- When to use VqLAN, Device Isolation, or both?
- What if I have a smart home hub (HomeKit, Home Assistant, Google Home, etc.)?
When to use VLAN-based Segmentation?
- You want more complex rules between your device groups, such as controlling devices and ports.
- You already have multiple networks and understand that device discovery (via SSDP or IGMP) across VLAN segments can be difficult.
- Your devices are connected to switches from different vendors, and devices needing control are not all under the AP7.
When to use VqLAN-based Microsegmentation?
- You don’t want to re-design the network and change device IP addresses.
- You have a single flat network.
- Devices needing control are all managed by the AP7.
- Your LAN device policy is simple, such as grouping or isolating devices.
- You don't want to mess with SSDP or IGMP reflections.
Can I use VqLAN with wired devices?
Yes, but it depends on the network topology. For wired devices, the traffic must flow through either the Firewalla box or AP7.
- VqLAN does NOT work if wired devices are connected to a switch that links them directly to each other.
- In this case, the switch forwards the traffic between the wired devices internally, so the Firewalla box or AP7 never sees it and cannot block it.
- For example, assume a1 and a2 are wireless devices and d1 and d2 are wired devices:
  Box -> AP -> a1
            -> a2
            -> switch -> d1
                      -> d2
  VqLAN will NOT work if a1, a2, and d1 are in a VqLAN group, because d1 and d2 can still communicate through the switch without passing through the Firewalla box or AP7.
- VqLAN works when wired devices are connected:
  - Directly to the AP7
    Box -> AP1 -> a1
        -> AP2 -> a2
  - Directly to the Firewalla box
    Box -> d1
        -> d2
  - To a switch that is connected directly to the AP7, as long as there are no other devices on that switch that are not part of the VqLAN group.
    Box -> AP1 -> switch -> d1
        -> AP2 -> switch -> d2
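As an added example (not Firewalla's code), this Python encodes the wired-device rule above as a topology check: for every pair of a VqLAN group member and a device outside the group, the first node their frames meet at must be the Firewalla box or an AP7, not a plain switch. The node names, the `parent`/`kind` representation and the `vqlan_gaps` function are constructed for illustration; member-to-member pairs are skipped because VqLAN allows that traffic anyway.

```python
ENFORCING = {"box", "ap7"}   # nodes where Firewalla applies VqLAN; "switch" is unmanaged

def ancestors(node, parent):
    """Path from node up to the root (the Firewalla box), node itself included."""
    path = [node]
    while parent[node] is not None:
        node = parent[node]
        path.append(node)
    return path

def meeting_point(a, b, parent):
    """First node where frames between a and b meet (lowest common ancestor)."""
    up_a = ancestors(a, parent)
    for n in ancestors(b, parent):
        if n in up_a:
            return n
    raise ValueError("devices are not connected to the same tree")

def vqlan_gaps(parent, kind, group):
    """List (member, outsider, node) triples where traffic between a group member and a
    device outside the group is forwarded by a plain switch and never reaches the box or AP7."""
    devices = [n for n, k in kind.items() if k == "device"]
    gaps = []
    for m in devices:
        for o in devices:
            if m in group and o not in group:
                node = meeting_point(m, o, parent)
                if kind[node] not in ENFORCING:
                    gaps.append((m, o, node))
    return gaps

# Constructed topology from the failing example: Box -> AP -> a1, a2, switch -> d1, d2
PARENT = {"box": None, "ap": "box", "a1": "ap", "a2": "ap",
          "sw": "ap", "d1": "sw", "d2": "sw"}
KIND = {"box": "box", "ap": "ap7", "a1": "device", "a2": "device",
        "sw": "switch", "d1": "device", "d2": "device"}

def check_failing_example():
    # a1, a2 and d1 in the group; d2 shares the switch with d1 -> the switch bypasses VqLAN
    return vqlan_gaps(PARENT, KIND, {"a1", "a2", "d1"})

def check_working_example():
    # Box -> AP1 -> switch1 -> d1 ; Box -> AP2 -> switch2 -> d2 ; only group members on each switch
    parent = {"box": None, "ap1": "box", "ap2": "box", "sw1": "ap1", "sw2": "ap2",
              "d1": "sw1", "d2": "sw2"}
    kind = {"box": "box", "ap1": "ap7", "ap2": "ap7", "sw1": "switch", "sw2": "switch",
            "d1": "device", "d2": "device"}
    return vqlan_gaps(parent, kind, {"d1", "d2"})
```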
When to use VqLAN, Device Isolation, or both?
For groups:
- VqLAN only: For groups of devices that need to talk with each other and access the internet.
  - A group of smart devices like lights, plugs, thermostats, speakers, and a home hub (Apple Home Hub, Home Assistant, Google Home, etc.) that need local communication.
  - Kids' devices may communicate with each other and access the internet but not other devices.
- VqLAN + Device Isolation: For groups where each device only needs internet access and no local communication.
  - A group of smart cameras, switches, and lights that connect only to cloud services with no home hub.
  - A guest group where devices can access the internet but are blocked from local communication.
For individual devices:
- Device Isolation: For individual devices that only need internet access and don't need to communicate locally. Device Isolation cannot be enabled on a group without enabling VqLAN first.
  - A smart camera that only uploads footage to the cloud, with no local access needed.
  - A smart air filter that is controlled only through the cloud.
What if I have a smart home hub (HomeKit, Home Assistant, Google Home, etc.)?
Many smart home hubs need local communication with smart devices. We recommend grouping all smart devices and the home hub in a VqLAN.
For added security, place all smart devices in a separate VqLAN with Device Isolation enabled. Then, use the Allowed Devices feature to allow only the home hub to communicate with them.
Comments
11 comments
@Firewalla, I am wondering whether I can use Port Isolation on a managed switch with Firewalla Microsegmentation. On paper, it seems like Port Isolation mode on other manufacturers' managed switches can be used to achieve full Firewalla Microsegmentation. For example, Cisco's Port Isolation means all traffic through a particular port is forwarded through the switch to an upstream router or intermediate switch, which in turn can also have Port Isolation. So, none of the downstream traffic is switched between Port Isolation device ports, leaving Firewalla to handle switching/routing. In essence, a switch with Port Isolation enabled basically expands a Firewalla port to many other ports.
Port Isolation is easy to configure. Just mark each switch port as Isolated except the upstream port.
For example, let’s take a simple 5 port switch which is located several rooms from the Firewalla with 4 devices on it and Ethernet back to the Firewalla. In Port Isolation mode, the 4 devices cannot talk to each other through the switch. They can only talk to the Firewalla which may or may not switch/route traffic between the 4 devices depending on the Microsegmentation configuration. (Netgear calls this Protected Ports on their 5 port GS305EP.)
We can then use managed switches near our Firewalla router to extend the number of ports, or remotely with a small managed switch as in the example, so we only have to run one Ethernet cable for multiple remote devices in a room.
From the description of the feature it is not entirely clear whether VqLAN can be enabled independently of having an AP7 or not (for wired devices, resp. for traffic flowing through Firewalla). From the fact that I don’t see the options in the (Beta) App in Groups, I take that an AP7 is probably mandatory for the feature to become visible. Which is obviously a shame since even with other AP‘s and wired (isolated) devices this feature makes tremendous sense.
VqLAN is a Firewalla invention, so it is really not possible to have it running on non-Firewalla products.
Yes, but you state that traffic that flows through the Firewalla from "wired devices" can be micro-segmented. Which means if a mechanism like port isolation on a switch or some other form of routing all traffic upstream to Firewalla exists, I should in principle and according to this documentation be able to use micro segmentation "for wired devices"?!
VqLAN is a layer 2 or LAN function. So, if all of your devices are connected to the Firewalla directly (no switches / APs in the middle), then yes, it is possible to make it work. But this is not practical. (If devices are not connecting to the Firewalla directly, and via a non-Firewalla AP for example, Firewalla cannot control / manage traffic internal to the non-Firewalla AP.)
Thanks. Which then leads me back to my original question: can this be enabled if I don’t have an AP7 in my network at all - as I can’t see the option in my Firewalla App (Beta/Early Access Gold Pro).
Edit: I now see the requirement for AP7 on this page. Must have missed it beforehand. Apologies and thanks.
I respectfully disagree with @Firewalla. Isolated Port configuration on a switch will force all device traffic upstream, preventing any device-to-device traffic. Thus if the managed switch with Isolated Port functionality is hooked up to the Firewalla router (or to another switch with Isolated Port configuration which is in turn hooked up to the Firewalla router), then the Firewalla will see ALL traffic and can manage it. (Isolated is Cisco terminology. Netgear uses Protected Port terminology.)
I second the request for VqLAN functionality to be enabled in Firewalla routers!!! Please.
Are you talking about having Firewalla directly control these switches and push the policies down? It may not be possible; even if possible, having your Firewalla adapt to different devices is not going to be cheap. (Some of these devices are not that programmable.)
Also, VqLAN can be a group, so "isolation" or "port isolation" really doesn't work that well since they limit device-to-device communication, whereas VqLAN allows members in the group to talk.
I appreciate your response. To clarify, I'm not suggesting that Firewalla starts controlling third party network hardware like Switches or AP. I'm just suggesting that VqLAN functionality could be enabled on the Firewalla router itself for wired traffic that already flows through it (independent of the presence of an AP7 in the network).
When switches with port isolation are configured properly, they force all traffic upstream to the router. The Firewalla would see this traffic at Layer 2 and could apply the same microsegmentation rules as the AP7.
(To a certain extent, a feature like "local flows" faces the same problem: "local flows" and traffic can only be analysed properly if all traffic flows through the Firewalla, and by enabling this feature, you already confirmed that apparently, you trust your users to be able to use it properly in more complex network environments.)
No, I am not suggesting that Firewalla configure a Cisco, Netgear or other managed switch with Port Isolation/Protection. While that would be nice to do on our behalf, it is simple and straightforward for us to configure a switch with N ports to have N-1 of those ports with Port Isolation/Protect enabled, leaving the final port for the upstream connection to a Firewalla router port. Of course you can also daisy chain these switches too. This will cause all device traffic to be delivered to the Firewalla router.
The Firewalla router has all of the VqLAN rules and would decide whether or not to forward a packet from one device to another device. If the packet is to be forwarded, it will go out the appropriate Firewalla port, just like a packet arriving from the WAN, to the destination device.
In many ways, this is similar to a Firewalla router that has enough physical ports to connect every device in your house. Of course, this requires more CPU processing in the Firewalla router than offloading to a switch. But lots of us have enough CPU (I have a Gold Plus with a 1Gb WAN). And if not, we can always upgrade to the Gold Pro!
Even when Firewalla introduces an N-port switch, this will be useful. For example, I have 5 port switches in a lot of rooms. I don't want to replace them with much more expensive Firewalla switches. And I don't want to run more Ethernet cables back to a central Firewalla switch. I do want the Firewalla switch to be smart enough so that we can plug in our switches configured with Port Isolation/Protection and have the Firewalla switch handle all LAN to LAN traffic internally without passing any of it back to the Firewalla router unless it is going to another LAN port on the Firewalla router.
Not a networking expert, but this sounds like a very logical approach to tunnel through a network from an endpoint switch (commingled inputs) and deliver the data intact to the FW router. Just like being a home run to the router. It would be fantastic if a solution could be enabled to accomplish this option.