This guide will walk you through an example of how to set up your Firewalla AP7 with VLANs and a managed switch. (Some parts of this article also work for non-Firewalla AP7 devices)
Using VLANs for network segmentation lets you split your devices across separate networks, so that a compromised or untrusted device (a guest laptop, an IoT gadget) only reaches what the rules between those networks allow. A VLAN setup can be complex for novice users.
- Before making changes, please ensure you are comfortable with VLANs. (If you do not know what a managed switch is, it may be easier to use VqLAN instead.)
- A managed switch is not required to assign devices to different VLANs using AP7 Wi-Fi. You can also use an unmanaged switch or no switch at all, and VLANs will still work the same. See our unmanaged switch and no switch configuration here.
- With Firewalla + Firewalla AP7, we provide a simpler way to microsegment your devices. For example, VqLAN can block communication between different groups, without requiring VLANs or switches. Learn more about VqLAN here.
A few important facts:
- Firewalla and Firewalla AP7 ports are all trunk (tagged) ports; they must be connected to a trunk (tagged) port on the switch.
- A default VLAN (untagged VLAN, or VLAN 1) is required on the AP7’s uplink port for management traffic. This is how the AP7 connects to your Firewalla box for configuration and control.
In this article, we will be going through examples of how to configure the Firewalla AP7, Firewalla box, and a third-party managed switch (Ubiquiti, NETGEAR, MikroTik).
- STEP 1: Design the Wi-Fi network
- STEP 2: Configure the managed switch
- STEP 3: Install and configure the Firewalla AP7
- FAQs
STEP 1: Design the Wi-Fi network
In our example, we have the following network configured:
- Firewalla LAN configured to Ports 1, 2, and 3
- Guest VLAN configured to Ports 1, 2, and 3 with VLAN ID 1003
- IoT VLAN configured to Ports 1, 2, and 3 with VLAN ID 168
- Computers VLAN configured to Port 1 with VLAN ID 97
For our tutorial, our managed switch has the following connections:
- Switch port 1 is connected to Port 1 of our Firewalla box.
- Switch port 8 will connect to the Firewalla AP7.
In this case, the Firewalla LAN can be used as the default VLAN for management traffic. Wi-Fi can be created on the Firewalla LAN, Guest VLAN, and IoT VLAN, as they share the same set of ports as the management LAN.
Note that the Computers VLAN is configured on Port 1 only, not on the same set of ports as the Firewalla LAN, so it is not available for creating Wi-Fi.
Now, let’s set up the switch.
STEP 2: Configure the managed switch
If you don't have a managed switch, there is no additional hardware configuration needed. Simply plug in the AP7 directly to the Firewalla Box or to an unmanaged switch to begin segmenting with VLANs.
If you do have a managed switch, the ports connected to the Firewalla Box and the AP7s must be trunk ports carrying all LAN and VLAN traffic, with the default VLAN untagged (native) on those ports so the AP7 can reach the Firewalla box for management.
We have a few examples using different switch vendors:
Ubiquiti UniFi
If you need help setting up VLANs with Ubiquiti UniFi, please consult their full guide: https://help.ui.com/hc/en-us/articles/9761080275607-Creating-Virtual-Networks-VLANs
On a UniFi switch, we created the Guest and IoT VLANs and set the VLAN IDs to 1003 and 168, like in Firewalla. The default VLAN already has VLAN ID 1.
Then, we selected Port 1 and Port 8 on the UniFi switch’s Port Manager and set the “Tagged VLAN Management” to Allow All. Ensure that the Native VLAN/Network is set to the default VLAN. If we were to add another AP7 to the same switch on a different port, we would configure that port the same way.
If you only want specific VLANs to reach the AP7, list their VLAN IDs instead of allowing all. Carrying only the VLANs the AP7 actually serves is the least-privilege choice: a device plugged into that switch port cannot reach VLANs that are not on it. Whichever you choose, the native/default VLAN must stay on the port for management.
NETGEAR
If you need help setting up VLANs with NETGEAR, please consult their full guide: https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch
On a NETGEAR switch, create the IoT and Guest VLAN, setting the same VLAN ID as in Firewalla. The default VLAN should have VLAN ID 1.
Each VLAN will need to specify the port membership. In our switch, we tagged Ports 1 and 8 for the IoT VLAN and Guest VLAN. The default VLAN remains untagged.
Note that if we added another AP7 to the same switch on a different port, we would need to tag that additional port for each VLAN ID.
Under VLAN Status, the native VLAN (default), IoT VLAN, and Guest VLAN should have Ports 1 and 8 as Member Ports.
Similarly, the port configuration should reflect the same settings, with the PVID as the default (untagged) VLAN.
MikroTik
If you need help setting up VLANs with MikroTik, please consult their full guide: https://help.mikrotik.com/docs/spaces/ROS/pages/88014957/VLAN
On a MikroTik switch, we created a new bridge, AP7bridge, and added Ports 1 and 8 to it. If another AP7 is added to a different port on the switch, we would add that port to the AP7bridge as well.
Set PVID 1 on the bridge and on Ports 1 and 8, so that untagged traffic is placed in the default VLAN (VLAN 1). Add the port and VLAN entries first, then enable VLAN Filtering on the AP7bridge; enabling filtering before the VLAN table is complete can cut off your own access to the switch.
Then, create the default VLAN, IoT VLAN, and Guest VLAN in the bridge VLAN table. The default VLAN should be untagged, and the IoT and Guest VLANs should be tagged for Ports 1 and 8. If we added another AP7 to the same switch, we would tag that port as well.
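The MikroTik steps above, written out as RouterOS 7 terminal commands. This is an added example, not Firewalla's or MikroTik's own configuration; it assumes a RouterOS 7 device on which ether1 and ether8 correspond to the tutorial's switch Ports 1 and 8, and reuses the bridge name AP7bridge and the VLAN IDs 168 and 1003 from the text.

```routeros
# Added example, not from the Firewalla guide. Assumes RouterOS 7, ether1 = switch
# Port 1 (to Firewalla Port 1), ether8 = switch Port 8 (to the AP7).

# 1. Create the bridge with VLAN filtering still OFF, so nothing is enforced
#    until the port and VLAN entries below exist. pvid=1 makes the bridge's own
#    management traffic untagged in VLAN 1.
/interface bridge add name=AP7bridge vlan-filtering=no pvid=1

# 2. Trunk ports. pvid=1 on each port puts untagged frames (AP7 management)
#    into the default VLAN; tagged frames keep their own VLAN ID.
/interface bridge port add bridge=AP7bridge interface=ether1 pvid=1
/interface bridge port add bridge=AP7bridge interface=ether8 pvid=1
# A second AP7 on, say, ether7 would get an identical line:
# /interface bridge port add bridge=AP7bridge interface=ether7 pvid=1

# 3. VLAN table. VLAN 1 is already added dynamically as untagged via the PVIDs;
#    the explicit entry just documents it. IoT (168) and Guest (1003) are tagged
#    on every trunk port, matching the IDs configured on the Firewalla box.
/interface bridge vlan add bridge=AP7bridge vlan-ids=1 untagged=AP7bridge,ether1,ether8
/interface bridge vlan add bridge=AP7bridge vlan-ids=168 tagged=ether1,ether8
/interface bridge vlan add bridge=AP7bridge vlan-ids=1003 tagged=ether1,ether8

# 4. Only now turn filtering on.
/interface bridge set AP7bridge vlan-filtering=yes

# 5. Check: every trunk port should be listed in each VLAN row, and each port's
#    pvid should be 1.
/interface bridge vlan print
/interface bridge port print
```

Run this from a terminal session in Safe Mode (Ctrl+X) so that if a mistake drops your management session the changes are rolled back automatically. The order matters: bridge, ports, VLAN table, and only then vlan-filtering=yes.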
Unmanaged Switch & No Switch
An unmanaged switch will work with the AP7 with VLANs configured, provided it forwards 802.1Q-tagged frames unchanged on every port. Most current unmanaged switches do, but some strip tags or drop tagged frames. If you are unsure, test it before relying on it: give a laptop on each side of the switch a VLAN sub-interface with the same VLAN ID (for example 168) and an address in the same subnet, and confirm they can ping each other through the switch.
You can also connect the Firewalla AP7 directly to a Firewalla port, and VLANs should also work.
STEP 3: Install and configure the Firewalla AP7
Now that the switch is configured, we can install and configure the Firewalla AP7. We connected our AP7 to Port 8 of our managed switch and paired the AP7 with the Firewalla box (for pairing instructions, see our AP7 Installation Guide here). On the Wi-Fi creation page, we can now create Wi-Fi using the Firewalla LAN, Guest VLAN, and IoT VLAN.
FAQs
Can I use an unmanaged switch instead?
Yes. If you only plan to segment Wi-Fi devices, an unmanaged switch works fine. Keep in mind that an unmanaged switch enforces nothing: every port carries every VLAN, so any wired device plugged into it can tag its own frames with any VLAN ID and join that VLAN, and can see whatever traffic the switch floods. Port-level enforcement for wired devices requires a managed switch. You can still segment your network using VqLAN or VLAN without any additional switch configuration.
- Make sure your switch is truly a "dumb switch," meaning it simply passes tagged VLAN frames through unchanged.