In a typical home or small business, every device shares the same network. This means that each device can freely see and communicate with every other device. However, not all devices are the same. For example, you may want to isolate IoT devices to reduce the risk of a security breach, or apply an extra level of protection to guest devices. With network segmentation, you can split your devices among different networks to meet your performance and protection needs.
This article will cover the basics of network segmentation and how you can set it up.
- What Is Network Segmentation?
- What Is The Difference Between Device Groups And Network Segmentation?
- Tutorial: Port-Based Segmentation (Gold only)
- Tutorial: VLAN-Based Segmentation (Gold & Purple)
- What Can I Do After Segmenting My Network?
- Helpful Links
Network Segmentation is only available on the Firewalla Gold and Firewalla Purple.
What Is Network Segmentation?
Network segmentation divides your network into partitions that can be used to give you better security and network performance. For example, you can split your main local network into 3 subnetworks: Network A, Network B, and Network C.
Separating some devices from the rest of your network ensures that they aren't covertly capturing information and only have access to the data and devices they need to function. Additionally, if a device on a subnetwork is compromised, your other network segments will remain safe.
Use cases for network segmentation include:
- Creating a network for kids or employees with their own rules and policies.
- Creating a network for work-from-home access with VPN client enabled.
- Creating a secure guest network in order to apply high-level protection to your guests.
- Isolating IoT devices into their own network to prevent unnecessary communication.
What Is The Difference Between Device Groups And Network Segmentation?
While they may seem similar at a glance, Firewalla’s Device Group feature is fundamentally different from network segmentation. Device groups simply allow you to apply rules to a custom set of devices. These rules can only be applied to incoming and/or outgoing traffic, which means that groups can't isolate LAN traffic as network segmentation can. Additionally, network segmentation gives you the option to limit subnetwork members from communicating outside of their own physical port or VLAN.
Members in a device group can belong to different network segments. Using groups and network segments together works nicely to control traffic.
Port-Based Segmentation (Gold only)
One way to create a network segment is through port-based segmentation, which involves physically connecting a device to the Ethernet ports on your Firewalla.
For the purpose of these examples, let's assume that you already have Firewalla configured with a single LAN that includes ports 1-3, with a network IP range of 192.168.0.1 and a subnet mask of 255.255.255.0.
Example 1: A Single Ethernet Device
Say you have a security camera or baby monitor that you want to separate from the rest of your network. This camera connects via Ethernet.
- Connect the Camera to a port on Firewalla. Let's say Port 1.
- Go to the Firewalla Box main page > Network Manager > Create Network.
- Give the network a name.
- Leave the type as LAN.
- Select Port 1.
- Set the IP range to be different from the primary network. If you don't know what to pick, use Surprise Me.
- Save.
- If you are asked if you want to remove Port 1 from the existing LAN, tap Confirm.
- Now go to your box's main page and tap Devices. Find your camera and check that the IP address is in the range you set for your new network segment.
- In the same device screen, choose Rules. Make a rule that BLOCKS Traffic from & to All Local Networks. Now, devices on your new network segment will have full access to the Internet but will be unable to see (or be seen) by other devices on the rest of your network.
Example 2: A Group of Ethernet Devices
Now let's say you have not one camera but a dozen. You still want to place them on a separate network segment, but you don't have enough ports on Firewalla Gold. No problem.
You can get any switch (unmanaged or managed) and connect it to Port 1, then plug in all your cameras to that switch. Follow the same steps to set up a network segment as if you were just configuring a segment for a single camera. Now, all your cameras will be able to see and talk to each other but not have access to your trusted main LAN.
Example 3: Wi-Fi Devices
Now say instead of cameras with Ethernet connections, you have a set of Wi-Fi-based smart smoke alarms that you'd like to keep on a separate network as a best practice. Instead of plugging in a switch as in Example 2, use a separate Wi-Fi access point (AP) just for the smoke alarms to isolate them from the rest of your network. Then, follow the steps from Example 1 to set up a network segment. Connect a different AP for your main LAN's Wi-Fi.
You can repeat this process for each of the 3 ports on your Gold. This means you could have:
- One network for trusted computers like your personal laptop and phone.
- One network for all your IoT devices over Wi-Fi (or, if your AP has available ports, you can connect your IoT devices with Ethernet).
- One network for security cameras.
VLAN-Based Segmentation (Gold or Purple only)
Port-based segmentation is limited by the number of physical Ethernet ports on your Gold. VLANs (Virtual Local Area Networks) are another approach that lets you segment beyond the number of physical ports. VLANs take a bit more configuration up front, and the additional hardware may be slightly more expensive. When looking for compatible equipment, look for the most common VLAN standard, 802.1Q. Any switch or Wi-Fi AP that is 802.1Q compatible will work with Firewalla Gold or Purple.
VLANs are the only option for network segmentation on Purple since it only has one LAN port. We will use Purple in the next few examples, but everything that follows works for Gold as well. Note that Gold does not have a limit on VLANs, but Purple is limited to 5.
Example 4: Ethernet Devices
Let's say we are using a Purple to create three separate networks: one for your home, one for a camera, and another for your kids' Wi-Fi devices. To do that, we can connect Purple's LAN port to Port 1 on a managed switch.
A managed switch lets us create several VLANs (Virtual Local Area Networks).
- Go to the Firewalla Box Main page > Network Manager > Create Network > Local Network.
- Give the network a name (for example, "Cameras" or "Kids").
- Set Type to VLAN.
- Set a VLAN ID.
- Choose the LAN port.
- You can use Surprise Me for the IP settings, but by convention, the third octet of the IP range is usually set to the VLAN ID. For example, a network's IP range is typically 192.168.66.xx if the VLAN ID is 66.
- Save.
- Repeat these steps once more so that you have a total of 3 local networks (your original LAN plus two VLANs).
- You will now see your original LAN and your new VLANs. Note that the port icons for all 3 networks are blue to indicate they share the LAN port. The LAN port on Purple is now a "trunk" port because it carries traffic for three LANs on the same port. You'll also notice that your main LAN has no VLAN ID. Any device connected to Firewalla that isn't tagged with a VLAN ID will be on the main LAN network.
- Now follow your managed switch's instructions to create the VLANs on the switch. See the section below on setting up VLANs with a switch for a specific example.
- Set the port connected to Firewalla as a trunk port (also known as a tagged port).
- Set port 2 on the switch to VLAN ID 66 and connect your camera to that port.
- Set port 3 on your switch to the third VLAN ID 77, and connect your kids' devices.
- You can now set any rules you'd like for each of your new VLANs. To do this, navigate to your box's main page > Devices > Networks > The VLAN you'd like to manage > Rules.
Now, all the traffic for your networks will flow from your Purple's LAN port to the switch, where it'll then be directed to the appropriate switch port.
Example 5: Wi-Fi Devices
Now let's say we have a bunch of Wi-Fi cameras that we want to put on a VLAN separated from the rest of our network. Instead of having a separate AP for the cameras, we can get a WVLAN (wireless VLAN) AP which can broadcast multiple SSIDs, one for each VLAN.
- Follow steps 1 and 2 from Example 4 to create your VLANs in Firewalla.
- Connect Firewalla to an AP with WVLAN support.
- Follow the instructions for your AP to set up the VLANs. Read the section below on setting up VLANs with an AP to learn more.
- Once the VLANs are defined, assign each SSID to a particular VLAN.
- Have devices join the correct SSID to assign them to the correct VLAN.
Setting up VLANs with a Switch
If you're using a managed switch for your VLANs, you will need to create the VLANs on your switch as well and then map them to the appropriate VLAN ID. Here's an example of how you might do this using a Netgear managed switch.
After creating a VLAN on your Firewalla (see steps 1 and 2 from Example 4 above), you will need to define which ports belong to which VLAN. For example, in the screenshot below, there are two VLANs defined. VLAN 1 includes all ports except 2, and VLAN 10 includes just ports 1 and 2. Port 1 will be a "trunk," meaning it is a member of all VLANs.
Then, you'll need to specify which ports are tagged and which aren't for each VLAN. In the image below, ports 3-8 are untagged, meaning that any device that gets plugged in that doesn't provide VLAN tagging will by default be part of VLAN 1. Port 1 is also a member of VLAN 1, but device traffic must be tagged. Port 2 is blank because it is only a member of VLAN 10.
In VLAN 10, we tag port 1 but we can leave port 2 untagged.
Finally, you'll need to specify the PVID for each port. Untagged traffic defaults to the PVID. In this example, ports 3-8 will default to VLAN ID 1, but ports 1 and 2 will default to VLAN 10.
See this Netgear article for more detail. Other switches will work similarly.
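To make the trunk, tagged, untagged and PVID terms from Example 4 and the switch section above concrete, here is an added example (not Firewalla's or Netgear's code) that models how an 802.1Q switch classifies and forwards frames. The switch layout is the one described above: port 1 is the trunk to Firewalla and a tagged member of VLAN 1 and VLAN 10, port 2 is an untagged (access) member of VLAN 10 with PVID 10, and ports 3-8 are untagged members of VLAN 1 with PVID 1. Frame contents and MAC addresses are constructed for the demonstration; broadcast/unknown-unicast flooding is modelled, MAC learning is not.

```python
"""Model of 802.1Q frame handling on a small managed switch (added example)."""
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF  # VLAN ID is the low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, vlan_id, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


class Port:
    """A switch port: PVID for untagged ingress, plus tagged/untagged memberships."""

    def __init__(self, pvid, tagged=(), untagged=()):
        self.pvid = pvid
        self.tagged = frozenset(tagged)
        self.untagged = frozenset(untagged)

    @property
    def members(self):
        return self.tagged | self.untagged


# Constructed switch configuration matching the article's screenshot description.
SWITCH = {
    1: Port(pvid=10, tagged={1, 10}),              # trunk to Firewalla, tagged for both VLANs
    2: Port(pvid=10, untagged={10}),               # camera port, VLAN 10 only
    **{p: Port(pvid=1, untagged={1}) for p in range(3, 9)},  # ordinary LAN ports
}


def classify(ingress_port, frame):
    """Return the VLAN a frame is assigned to on ingress, or None if it is dropped."""
    _, _, vid, _, _ = parse_frame(frame)
    port = SWITCH[ingress_port]
    if vid is None:          # untagged frame: falls into the port's PVID
        vid = port.pvid
    # A tag for a VLAN the port is not a member of is discarded (ingress filtering).
    return vid if vid in port.members else None


def forward(ingress_port, frame):
    """Flood a frame to every other member port of its VLAN.

    Returns {egress_port: frame_as_transmitted}; tagged members get the frame
    with an 802.1Q tag, untagged members get it with the tag stripped.
    """
    vid = classify(ingress_port, frame)
    if vid is None:
        return {}
    dst, src, _, etype, payload = parse_frame(frame)
    out = {}
    for p, port in SWITCH.items():
        if p == ingress_port or vid not in port.members:
            continue
        tag = vid if vid in port.tagged else None
        out[p] = build_frame(dst, src, etype, payload, vlan_id=tag)
    return out


if __name__ == "__main__":
    bcast = b"\xff" * 6
    cam = bytes.fromhex("020000000002")
    arp = build_frame(bcast, cam, 0x0806, b"constructed arp payload")
    for port, sent in forward(2, arp).items():
        print(f"camera broadcast leaves port {port} with VLAN {parse_frame(sent)[2]}")
```

Running it shows that an untagged broadcast from the camera on port 2 leaves only on the trunk, tagged VLAN 10, so it never reaches ports 3-8; a frame tagged VLAN 10 arriving from Firewalla on the trunk is delivered to port 2 with the tag removed; and a frame carrying a VLAN ID the trunk is not a member of is dropped, which is why the VLAN must exist on both Firewalla and the switch.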
Setting up VLANs with an AP
If you're using an AP for your VLANs, you will need to configure it so that your VLANs map to their different SSIDs. Here's an example of how you might do this using a TP-Link EAP225.
After creating a VLAN on your Firewalla (see steps 1 and 2 from Example 4 above), you'll need to log into your TP-Link AP using the IP address assigned to your AP by your Firewalla. Once you've logged in, use the TP-Link web interface to map your VLANs to the appropriate SSIDs.
In the image below, the Cameras network is mapped to VLAN 66, and the Kid's network is mapped to VLAN 77.
What Can I Do After Segmenting My Network?
After your network is segmented, you can now apply rules and policies to each of your subnetworks. Subnetworks can fully see and talk to each other by default, so you may find it useful to restrict what parts of the local network they have access to by setting Block rules for traffic on other local networks.
You can also:
- Use the Smart Queue feature to prioritize traffic on certain segments.
- Use the route feature to specify how traffic moves over each segment.
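The default-allow behaviour between subnetworks, and the effect of a "Block traffic from & to All Local Networks" rule on one segment, can be checked on paper before you commit to a rule set. The following added example (not Firewalla's code) models three segments with addresses that follow the convention used in the examples above (the main LAN, VLAN 66 for cameras, VLAN 77 for kids), applies a local-networks block rule to the camera segment, and evaluates sample flows; it also checks that no two segment ranges overlap, the mistake the "set a different IP range" step is there to prevent. The segment names, ranges and flow addresses are constructed for the example, and the rule semantics are the simplified reading of the article (same-segment traffic is not a routed flow, local-to-Internet traffic is unaffected, and a local-block rule applies in both directions).

```python
"""Evaluate inter-segment flows against a local-networks block rule (added example)."""
import ipaddress
from itertools import combinations

# Constructed segments following the "third octet = VLAN ID" convention.
SEGMENTS = {
    "Main LAN": ipaddress.ip_network("192.168.0.0/24"),
    "Cameras (VLAN 66)": ipaddress.ip_network("192.168.66.0/24"),
    "Kids (VLAN 77)": ipaddress.ip_network("192.168.77.0/24"),
}

# Segments carrying a "Block traffic from & to All Local Networks" rule.
LOCAL_BLOCK = {"Cameras (VLAN 66)"}


def segment_of(ip, segments=SEGMENTS):
    """Name of the segment containing ip, or None for Internet/unknown addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip, dst_ip, segments=SEGMENTS, local_block=LOCAL_BLOCK):
    """Return (allowed, reason) for a flow that originates on a local segment."""
    src_seg, dst_seg = segment_of(src_ip, segments), segment_of(dst_ip, segments)
    if src_seg is None:
        raise ValueError("only flows originating on a local segment are modelled")
    if dst_seg is None:
        return True, "local -> Internet: a local-networks block rule does not cover it"
    if src_seg == dst_seg:
        return True, "same segment: not a routed flow, so inter-segment rules do not apply"
    for seg in (src_seg, dst_seg):
        if seg in local_block:
            return False, f"blocked by the local-networks rule on {seg}"
    return True, "different segments with no block rule: allowed by default"


def overlapping_segments(segments=SEGMENTS):
    """Return pairs of segment names whose IP ranges overlap (should be empty)."""
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(segments.items(), 2)
        if net_a.overlaps(net_b)
    ]


if __name__ == "__main__":
    print("overlaps:", overlapping_segments())
    for src, dst in [
        ("192.168.66.10", "203.0.113.5"),    # camera -> Internet
        ("192.168.66.10", "192.168.0.20"),   # camera -> laptop on main LAN
        ("192.168.0.20", "192.168.66.10"),   # laptop -> camera
        ("192.168.0.20", "192.168.77.5"),    # laptop -> kids' tablet
    ]:
        allowed, why = flow_allowed(src, dst)
        print(f"{src} -> {dst}: {'ALLOW' if allowed else 'BLOCK'} ({why})")
```

The last sample flow is the one worth noticing: with no rule on the main LAN or the kids' segment, a laptop on the main LAN can still reach the kids' devices and vice versa, which is the default-allow behaviour the paragraph above describes. Segmenting alone separates broadcast domains; the block rules are what enforce isolation.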
Learn more about what you can do in our article on Creating a Better Network.
Helpful Links
- Firewalla Network Segmentation Use Cases
- How to block a device from accessing other devices in the same LAN network?
- Network Segmentation
- Firewalla Gold: When my network is segmented, will I be able to use AirPlay and Chromecast across networks?
- Working from Home Smarter & More Secure
- Firewalla Tutorial: Network Segmentation Example with VLAN
- Manage Rules
Comments
1 comment
I've been trying to set up a VLAN on my Netgear 48 port managed switch, but Netgear's terminology just perplexes me.
So, I have a WAP that I have set up with 3 SSIDs. Right now, all set to VLAN 0, which I think means untagged. I'd like to set one of the SSIDs to tag VLAN 20 and then have the Firewalla make a subnet for that VLAN. Those two steps I've been able to do. What I've NOT been able to do is get the Netgear switch to pass the VLAN tags along.
With my WAP attached to Port 44 on the Netgear Switch, how do I set up the switch?
I don't believe I want to set the PVID on 44 because I don't want the untagged traffic (from the other SSIDs) to get tagged. Correct? OR am I required to set a PVID on that port, in which case I probably need to set the other two SSIDs to have a VLAN tag and then create another VLAN network on the Firewalla for them?
And then what do I do for VLAN membership? Set 44 to be tagged and all the other ports untagged?
Or am I just getting it all completely wrong?