Firewalla supports multiple methods for segmenting networks or grouping devices together, and the type of segmentation chosen depends on your network design goals, hardware, and the level of control you want over isolation and routing.
When you first install your Firewalla, you’ll have a flat network. All devices on your Main LAN are ungrouped and can access other devices.
With Firewalla, you’ll be able to customize your network using different types of segmentation:
- Groups + VqLAN
- Port Segmentation
- VLAN Segmentation
- And a combination of the above!
For a quick overview, here are a few simple scenarios:
- Scenario 1: A flat network with groups
- Scenario 2: Port-segmented network
- Scenario 3: VLAN-segmented network
- Scenario 4: Port/VLAN Segmentation with Groups + VqLAN
- Advanced Segmentation + Microsegmentation
Scenario 1: A flat network with groups
The simplest way to begin segmenting your network is by using groups. You can have custom rules applied to each device in a group. On the Main LAN, you could create a group for personal devices, speakers, and kids.
This method doesn’t change how your network is physically connected. It simply gives you a way to manage and control devices as a set, regardless of the LAN, VLAN, or Wi-Fi they’re on.
Pros:
- Great for parental controls, monitoring IoT, and organizing your network
- Easiest segmentation method
- No rewiring or network change required
- Works across different network types (wired, wireless)
- Can span multiple port-based or VLAN segments
Cons:
- Devices are still in the same networks and can access other devices outside the group
- With groups, you can only isolate their WAN access (normal groups can’t control LAN access)
Learn more about device groups and users.
Isolating device groups on the LAN with VqLAN
If you’d like to block a group of devices from accessing another device within your LAN, you can enable VqLAN with the Firewalla AP7. This blocks all local communication to and from devices outside the group, and only allows internet access.
For example, enable VqLAN on your kids' devices and speakers to keep them isolated from your personal devices and other devices on your network.
Pros:
- Simple to implement – no need to reconfigure the network.
- Blocks all devices in the group from accessing other devices on the same network.
- Seamless integration with groups (for WAN control)
Cons:
- Requires all devices to be directly connected to Firewalla or the AP7.
- If any devices are connected to a switch, they can still communicate with each other internally through the switch, which may bypass VqLAN.
Learn more about VqLAN here.
Scenario 2: Port-segmented network
If you’d like to segment your network physically, you can use each port on Firewalla as a separate network.
Instead of having one Main LAN, connect your devices to different ports of the Firewalla box, and create a LAN network for each port. For example, you could connect your personal devices and speakers to Port 1 for your Office, and have the kids' devices and speakers on Port 2 for your Kids’ rooms.
To connect multiple devices to a single port, you can connect a switch (managed or unmanaged) or access point. You can also use multiple Firewalla ports in a single LAN.
Pros:
- Simple and intuitive setup
- Clear physical boundaries between networks
- Easy-to-use rules to manage traffic from both networks
Cons:
- You may need a separate Wi-Fi AP (or network switch) per network
- Devices moved into a different LAN will need new IP addresses
- Devices must be physically connected to the correct port to be moved to a different network.
Learn more about port-based segmentation use case examples here.
Isolating port segments
Assigning devices to different port-segmented networks doesn’t automatically block devices from accessing other networks. To isolate these segments, you’ll need to create rules to block traffic from & to all local networks. Learn more about segmenting your networks here.
Scenario 3: VLAN-segmented network
Instead of being limited by the number of Ethernet ports on your Firewalla box, you can create multiple VLANs on a single port to group your devices into separate virtual networks. For example, you could use Port 1 and virtually separate it into an Office VLAN and a Kids VLAN.
Additional hardware and configuration may be required to send devices to VLANs, such as a managed switch or VLAN-capable access point like the Firewalla AP7 (or both).
The Firewalla AP7 can assign devices to a specific VLAN by:
- Creating separate SSIDs (Wi-Fi Names) and passwords for each VLAN.
- Using a single SSID and creating personal keys for each VLAN.
Learn more about VLAN segmentation with AP7 here.
Pros:
- Scales easily and supports many networks on a single port
- Can use the same managed switch or access point for multiple VLANs
- Ideal for larger networks
Cons:
- Requires VLAN-capable switches or access points
- Complex to configure; proceed with caution if you're new to VLANs
- Additional hardware may be more expensive
- Devices moved into a VLAN will need new IP addresses
- Devices may need to be manually assigned to the correct VLAN (via port settings on a switch, or specific VLAN-assigned SSIDs on an AP)
- Some applications may require SSDP and mDNS Relay for using devices across segments.
Learn more about VLAN-based segmentation use case examples here.
Isolating VLAN segments
Similar to port-based segments, VLANs require additional rules to isolate inter-VLAN traffic (traffic to and from other VLANs). To isolate these segments, you’ll need to create rules to block traffic from & to all local networks. Learn more about segmenting your VLANs here.
Scenario 4: Port/VLAN Segmentation with Groups + VqLAN
It’s best to use multiple layers of security to protect your network. Groups (and Users) can be combined with port or VLAN segments to control WAN access.
For example, you can group your personal devices, speakers, and kids’ devices so that you can still control each group’s access to the internet while keeping devices on different networks.
For further microsegmentation, if you have the Firewalla AP7, you can enable VqLAN to prevent communication among groups, even across different networks.
Note:
- All devices in a VqLAN group should either be wired directly to the Firewalla box or AP7, or be wirelessly connected to the AP7.
- The AP7 LAN should span all the ports where the VqLAN group’s devices are connected.
- If devices in the same VqLAN span across Ports 1 and 2 of the Firewalla box, the AP7 LAN should include Ports 1 and 2 for VqLAN to work properly.
Learn more about VqLAN requirements here.
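Before changing any wiring or rules, it helps to write down which device pairs should still be able to talk under the scenario you picked. The Python below is an added example (not Firewalla's code) that encodes the reachability rules as the scenarios above describe them, including the switch-bypass caveat for VqLAN and the "segments don't isolate without block rules" caveat; the device fields, the sample topology, and the assumption that the AP7 LAN spans every port a VqLAN group uses are this example's own.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    segment: str                    # LAN or VLAN the device sits on (e.g. "office", "kids")
    group: Optional[str] = None     # Firewalla group, if any
    vqlan: bool = False             # group has VqLAN enabled (AP7 required)
    switch: Optional[str] = None    # None = wired directly to Firewalla/AP7 or on AP7 Wi-Fi


def can_reach(a: Device, b: Device, isolate_segments: bool) -> bool:
    """True if 'a' can initiate local traffic to 'b'.

    isolate_segments: True once rules blocking traffic to/from all other
    local networks exist; port/VLAN segments alone do not isolate.
    Assumes the AP7 LAN spans every port the VqLAN groups are connected to.
    """
    # Same segment, same switch: frames never pass Firewalla or the AP7,
    # so VqLAN cannot enforce anything between these two devices.
    if a.segment == b.segment and a.switch is not None and a.switch == b.switch:
        return True
    # VqLAN blocks local traffic to and from anything outside the member's group,
    # even across different networks.
    if (a.vqlan and a.group != b.group) or (b.vqlan and b.group != a.group):
        return False
    # Different LAN/VLAN: only explicit local-block rules stop the traffic.
    if a.segment != b.segment:
        return not isolate_segments
    return True


def reachability(devices: List[Device], isolate_segments: bool = False) -> Dict[Tuple[str, str], bool]:
    """Expected (src, dst) -> reachable map; use it as a checklist for ping/port tests."""
    return {(a.name, b.name): can_reach(a, b, isolate_segments)
            for a, b in permutations(devices, 2)}


def sample_network() -> List[Device]:
    """Constructed topology for illustration: an Office segment and a Kids segment."""
    return [
        Device("laptop", "office", group="personal"),
        Device("speaker", "office", group="speakers", vqlan=True),
        Device("tablet", "kids", group="kids", vqlan=True),
        Device("tv", "kids", group="kids", vqlan=True),
        Device("printer", "kids"),
        Device("cam1", "kids", group="cams", vqlan=True, switch="sw1"),
        Device("pc", "kids", switch="sw1"),   # same unmanaged switch as cam1
    ]
```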
Advanced Segmentation + Microsegmentation
If you want to take your network to the next level, you can combine port-based segmentation, VLANs, groups, and VqLAN to build a fully segmented and microsegmented network.
For more information, check out our dedicated articles for each feature:
For some best practices and examples, check out our Zero Trust articles:
- Firewalla Zero Trust Network Architecture
- Firewalla Zero Trust Best Practices and Examples
- Firewalla Zero Trust Network Architecture Example