Products Firewalla Gold Firewalla Purple Firewalla Blue Plus Firewalla Gold Plus

Articles in this section

Building Network Segments

Avatar
Client Support
  • Updated
Follow

What is Network Segmentation?

Network segmentation is the idea that you may want to separate some devices from others. Say you wanted to create networks like this:

block_local_network.jpg

Use cases for network segmentation include:

In any of these cases, you may want to separate some devices from the rest of your network to ensure that:

  • The devices aren't covertly capturing information that they should not be. In other words, you have concerns about the device itself.
  • If a device was compromised by some hacker, that can not be unwittingly used to launch an attack on your network.
  • Devices only have access to information and other devices that they need to have.

 

What is the difference between device Groups and Network Segmentation?

Firewalla’s Device groups allow you to apply Rules to any set of devices to control what they can or cannot access. These rules can only be applied to WAN facing (incoming and outgoing traffic).

  • Groups will not be able to isolate LAN traffic. 
  • Members in a group can be across different network segments

Network Segmentation:

  • Members can only be within a physical port or VLAN. (not defined as groups)
  • Rules can limit traffic between segments. 
  • Can be used to isolate devices on the LAN

Groups and Network segments can work nicely to control traffic.

 

Network Segmentation is supported on

 

Port-based Segmentation (Gold only)

The simplest way to secure a network is port-based segmentation. For the purpose of these examples, let's assume that you already have Firewalla configured with a single LAN which includes ports 1-3 the Network IP range is 192.168.0.1 with a subnet mask of 255.255.255.0.

 

Example 1: A Camera

For this example, we will assume that you have a security camera or baby monitor that may not be made by network security experts so you want to separate it from the rest of your network. This camera connects via ethernet and you have one or more open ports on Firewalla.

segment_example_1.jpg

  1. Connect the Camera to a port on Firewalla (Let's say Port 1, and Port 4 is your WAN connection).
  2. Go to the Firewalla Box main page > Network Manager > Create Network.


    Screen_Shot_2021-10-18_at_6.22.43_PM.png

    Give this Network a name.
    Leave the type as LAN.
    Select Port 1.
    Set the IP range to be different from the primary network. If you don't know what to pick, use Surprise Me.
    Save.

  3. If you are asked if you want to remove Port 1 from the existing LAN, Confirm. 
  4. Any device you plugin in now to Gold's Port 1 of will get an address in the range you selected.
  5. Now go to Firewalla Box main page > Devices and find the device you just plugged in and check that the IP address is 192.168.141.x range.
  6. In the same device screen, choose Rules. Make a rule that BLOCKS traffic from & to All Local Networks.

Now this device will have full access to the internet but will be unable to see (or be seen) by other devices on the rest of your network.

 

Example 2: IoT Ethernet Devices

Now let's say you have not one camera, but a dozen. But you don't have enough available ports on Firewalla Gold. No problem.

segment_example_2.jpg

 

You can get any switch (unmanaged is fine and less expensive than even the least expensive managed switch) and connect it into Gold's port 1 and then plugin all your cameras to that switch. Now all those cameras will be able to see each other, but not have access to your Trusted LAN.

 

Example 3: IoT Wi-Fi Devices

Now say instead of cameras with ethernet connections, you have a set of smart smoke alarms that are Wi-Fi-based. You would rather keep them on a separate network as a best practice. Instead of plugging in a switch as in Example 2, use a separate Wi-Fi AP just for the smoke alarms. Again they are now isolated from the rest of your network. Connect a different AP for Wi-Fi for all your other devices.

segment_example_3.jpg

You can repeat this process for each of the 3 ports on your Gold. You could have: 

  • One network for Trusted computers like your laptop where you do banking. 
  • One network for all IoT devices over Wi-Fi (or use the ports on your AP for IoT devices with ethernet).
  • One network for security cameras.

 

VLAN-based Segmentation (Gold/Purple)

Since the method above is limited to the number of physical ethernet ports you have on Gold, VLANs (Virtual Local Networks) is another approach that will let you do segmentation beyond the number of physical ports. When looking for compatible equipment, look for the most common VLAN standard, 802.1Q. Any switch or Wi-Fi AP that is 802.1Q compatible will work with Firewalla Gold or Purple.

VLANs take a bit more configuration upfront and the additional hardware may be slightly more expensive, but it may also require fewer switches and access points so it could end up being less expensive in total. VLANs are the only option for network segmentation on Purple since it only has one LAN port.

We are using Purple in the next few examples, but everything that follows works for Gold as well.

 

Example 4: VLAN Networks for Ethernet Devices

Now let's say we are using Firewalla Purple which has just one LAN port, but we want to create three separate networks: a camera, a computer, and a separate network for kids' Wi-Fi devices (phones, tablets, Chromebooks, etc). What we are going to do is connect Purple's LAN port to port 1 on a managed switch.

A managed switch lets us create as many VLANs (Virtual Local Networks) as we like. (Note Gold does not have a limit on VLANs, but Purple is limited to 5).

segment_example_4.jpg

 

  1. Go to the Firewalla Box Main page > Network Manager > Create Network > Local Network.
    Give the network a name.
    Set Type to VLAN.
    Set a VLAN ID.
    Choose the LAN port.
    You can use Surprise Me for the IP settings but commonly people use the second to last filed in IP address as shown. (Note, by convention the second to last range in the IP is usually the same as the VLAN ID. for example, 192.68.66.1 if the VLAN is 66.)
    Save.

  2. You will now see your original LAN and your VLAN. Note that both LAN and Cameras are blue to indicate they share the LAN port. The LAN port on Purple is now a "trunk" port because it carries traffic for two LANs on the same port.
    Screen_Shot_2021-10-18_at_6.28.33_PM.png

  3. Repeat the steps above for the other VLANs you want to set up.
    Note LAN has no VLAN ID. Any device connected to Firewalla that isn't tagged with a VLAN will be on the LAN network. In most cases, the managed switch is going to tag the VLAN traffic for you. We will set that up next.
  4. Now follow your managed switch's instructions to create the VLANs on the switch. Different switches will do this slightly differently.
  5. Set the port connected to Firewalla, port 1, as a Trunk port (or some call it tagged port). That includes the default LAN, VLAN ID 66, and VLAN 77. You can see an example of this in this article under the AP/Switch configuration instructions.
  6. Now set port 2 on the switch to VLAN ID 66 and connect the Camera device to that port. 
  7. Then configure port 3 on your switch to the third VLAN ID 77, and connect your kid's computer. 
  8. You can now go to Firewalla Box main page > Devices > Networks > Cameras > Rules. Now you can set any rules you like for the devices on this VLAN relative to the other networks you have defined. See Firewalla: Network Segmentation Use Cases for more examples of rules you can set.

Now all the traffic for all the networks will flow from the LAN of Purple on the same, cable to the switch and then be directed to the appropriate switch port. 

 

 

Example 5: VLAN Networks for Wi-Fi Devices

segment_example_5.jpg

Now let's say we have a bunch of Wi-Fi cameras that we want to put on a VLAN separated from the rest of our network. Instead of having a separate AP for the cameras, we can get a WVLAN (wireless VLAN) capable AP which can broadcast multiple SSIDs: one for each VLAN.

  1. Follow steps 1 and 2 from Example 4 to create your VLANs in Firewalla.
  2. Connect Firewalla to an AP with WVLAN support.
  3. Follow the instructions for your AP to associate the VLANs. 
  4. Once the VLANs are defined, assign each SSID to a particular VLAN. 
  5. Have devices join the correct SSID and they will be assigned to the correct VLAN.

Example: VLAN with TP-LINK

Here's an example using a TP-Link EAP225. 

  1. Create a VLAN.

    Here, we will configure a couple of VLAN's via SSID mapping in TPLink EAP225. Login to the TPLink AP and configure VLAN to SSID mappings as the following.

    Note: Please use the IP address assigned by Firewalla to log in to the Access Point. If you are using a router that has been configured into bridge mode or AP mode, the previous IP address of the router may not work.

Here the main network is mapped to VLAN 33 and the guest network is mapped to VLAN 44.

  • VLAN 66: SSID Cameras
  • VLAN 77: SSID Kid's Wi-Fi 

TPLink.png

Example: VLAN with Netgear

Most routers allow you to set the default VLAN ID (sometimes called PVID) for each port. For example, in the following example, there are two VLANs defined. VLAN 1 includes all ports except 2 and VLAN 10 includes ports 1 and 2. This is going to allow port 2 will be dedicated to VLAN 10, ports 3-8 will be dedicated to VLAN 1 and port 1 will be a "trunk" connected to Firewalla carrying both VLANs. The trunk must be a member of both VLANs.

mceclip0.png

In this scenario, port 2 cannot be a member of VLAN 1 tagged or untagged. It is only a member of VLAN 10 just as ports 3-8 are only members of VLAN 1. 

In VLAN 1, ports 3-8 are untagged meaning that any device plugged in that doesn't itself provide VLAN tagging will be part of VLAN 1. This is because of the PVID described later. Port 1 is also a member of VLAN 1 but must be Tagged.

mceclip4.png

In VLAN 10, ports 1 and 2 have a PVID of 10 meaning the default traffic for these ports is VLAN 10. Again, we Tag port 1 but we can leave port 2 untagged.

mceclip5.png

See how the PVID is defined below. Again, this means that untagged traffic defaults to the PVID for each port. In this example, ports 3-8 will default to VLAN ID 1 but ports 1 and 2 will default to VLAN 10.

mceclip3.png

See this Netgear article for more detail. Other switches will work similarly. 

 

After Segmentation

After your network is segmented, you can now treat each of them differently.

  • Use the Firewalla Rules feature to apply different policies to each segment. Or prevent segments from talking to each other.
  • Use the Smart Queue feature to prioritize traffic on the segment. 
  • Use the route feature to route traffic based on the segment. 

Learn more about Creating a Better Network.

 

Screen_Shot_2021-10-20_at_12.00.54_PM.png

 

Related Links

Articles from our customers

Other articles

Related articles

Comments

1 comment

Sort by Date Votes
  • Avatar
    Arlo Miller

    I've been trying to setup a VLAN on my Netgear 48 port managed switch, but Netgear's terminology just perplexes me. 

    So, I have a WAP that I have setup with 3 SSIDs.  Right now, all set to VLAN 0, which I think means untagged.  I'd like to set one of the SSID's to tag VLAN 20 and then have the Firewalla make a subnet for that VLAN.  Those two steps I've been able to do.  What i've NOT been able to do is get the Netgear switch to pass the VLAN tags along. 

    With my WAP attached to Port 44 on the Netgear Switch, how do I setup the switch? 

    I don't believe I want to set the PVID on 44 because I don't want the untagged traffic (from the other SSIDS) to get tagged.  Correct?  OR am I required to set a PVID on that port, in which case I probably need to set the other two SSIDs to have a VLAN tag and then create a another VLAN network on the Firewalla for them?

    And then what do I do for VLAN membership?  Set 44 to be tagged and all the other ports untagged?

    Or am I just getting it all completely wrong?

    0
    Comment actions Permalink

Please sign in to leave a comment.