- What is Network Segmentation?
- What is the Difference between device Groups and Network Segmentation
- Port-based Segmentation (Gold only)
- VLAN based Segmentation (Gold & Purple)
What is Network Segmentation?
Network segmentation is the idea that you may want to separate some devices from others. Say you wanted to create networks like this:
Use cases for network segmentation include:
- Create a network for kids or employees with their own rules and policies. You can limit access to the internet, filter activities, monitor, and more.
- Create a network for work-from-home access with VPN client enabled.
- Create a secure guest network, in order to apply high-level protection to your guests, and manage their activities in real-time.
- Quarantine new devices on any network into one group, with preset rules to block them from accessing the Internet or any certain sites.
- Isolate IoT devices into their own network. For instance, only permit devices like security cameras to talk within their own network.
In any of these cases, you may want to separate some devices from the rest of your network to ensure that:
- The devices aren't covertly capturing information that they should not be. In other words, you have concerns about the device itself.
- If a device was compromised by some hacker, that can not be unwittingly used to launch an attack on your network.
- Devices only have access to information and other devices that they need to have.
What is the difference between device Groups and Network Segmentation?
Firewalla’s Device groups allow you to apply Rules to any set of devices to control what they can or cannot access. These rules can only be applied to WAN facing (incoming and outgoing traffic).
- Groups will not be able to isolate LAN traffic.
- Members in a group can be across different network segments
- Members can only be within a physical port or VLAN. (not defined as groups)
- Rules can limit traffic between segments.
- Can be used to isolate devices on the LAN
Groups and Network segments can work nicely to control traffic.
Network Segmentation is supported on
Port-based Segmentation (Gold only)
The simplest way to secure a network is port-based segmentation. For the purpose of these examples, let's assume that you already have Firewalla configured with a single LAN which includes ports 1-3 the Network IP range is 192.168.0.1 with a subnet mask of 255.255.255.0.
Example 1: A Camera
For this example, we will assume that you have a security camera or baby monitor that may not be made by network security experts so you want to separate it from the rest of your network. This camera connects via ethernet and you have one or more open ports on Firewalla.
- Connect the Camera to a port on Firewalla (Let's say Port 1, and Port 4 is your WAN connection).
- Go to the Firewalla Box main page > Network Manager > Create Network.
Give this Network a name.
Leave the type as LAN.
Select Port 1.
Set the IP range to be different from the primary network. If you don't know what to pick, use Surprise Me.
- If you are asked if you want to remove Port 1 from the existing LAN, Confirm.
- Any device you plugin in now to Gold's Port 1 of will get an address in the range you selected.
- Now go to Firewalla Box main page > Devices and find the device you just plugged in and check that the IP address is 192.168.141.x range.
- In the same device screen, choose Rules. Make a rule that BLOCKS traffic from & to All Local Networks.
Now this device will have full access to the internet but will be unable to see (or be seen) by other devices on the rest of your network.
Example 2: IoT Ethernet Devices
Now let's say you have not one camera, but a dozen. But you don't have enough available ports on Firewalla Gold. No problem.
You can get any switch (unmanaged is fine and less expensive than even the least expensive managed switch) and connect it into Gold's port 1 and then plugin all your cameras to that switch. Now all those cameras will be able to see each other, but not have access to your Trusted LAN.
Example 3: IoT Wi-Fi Devices
Now say instead of cameras with ethernet connections, you have a set of smart smoke alarms that are Wi-Fi-based. You would rather keep them on a separate network as a best practice. Instead of plugging in a switch as in Example 2, use a separate Wi-Fi AP just for the smoke alarms. Again they are now isolated from the rest of your network. Connect a different AP for Wi-Fi for all your other devices.
You can repeat this process for each of the 3 ports on your Gold. You could have:
- One network for Trusted computers like your laptop where you do banking.
- One network for all IoT devices over Wi-Fi (or use the ports on your AP for IoT devices with ethernet).
- One network for security cameras.
VLAN-based Segmentation (Gold/Purple)
Since the method above is limited to the number of physical ethernet ports you have on Gold, VLANs (Virtual Local Networks) is another approach that will let you do segmentation beyond the number of physical ports. When looking for compatible equipment, look for the most common VLAN standard, 802.1Q. Any switch or Wi-Fi AP that is 802.1Q compatible will work with Firewalla Gold or Purple.
VLANs take a bit more configuration upfront and the additional hardware may be slightly more expensive, but it may also require fewer switches and access points so it could end up being less expensive in total. VLANs are the only option for network segmentation on Purple since it only has one LAN port.
We are using Purple in the next few examples, but everything that follows works for Gold as well.
Example 4: VLAN Networks for Ethernet Devices
Now let's say we are using Firewalla Purple which has just one LAN port, but we want to create three separate networks: a camera, a computer, and a separate network for kids' Wi-Fi devices (phones, tablets, Chromebooks, etc). What we are going to do is connect Purple's LAN port to port 1 on a managed switch.
A managed switch lets us create as many VLANs (Virtual Local Networks) as we like. (Note Gold does not have a limit on VLANs, but Purple is limited to 5).
- Go to the Firewalla Box Main page > Network Manager > Create Network > Local Network.
Give the network a name.
Set Type to VLAN.
Set a VLAN ID.
Choose the LAN port.
You can use Surprise Me for the IP settings but commonly people use the second to last filed in IP address as shown. (Note, by convention the second to last range in the IP is usually the same as the VLAN ID. for example, 22.214.171.124 if the VLAN is 66.)
- You will now see your original LAN and your VLAN. Note that both LAN and Cameras are blue to indicate they share the LAN port. The LAN port on Purple is now a "trunk" port because it carries traffic for two LANs on the same port.
- Repeat the steps above for the other VLANs you want to set up.
Note LAN has no VLAN ID. Any device connected to Firewalla that isn't tagged with a VLAN will be on the LAN network. In most cases, the managed switch is going to tag the VLAN traffic for you. We will set that up next.
- Now follow your managed switch's instructions to create the VLANs on the switch. Different switches will do this slightly differently.
- Set the port connected to Firewalla, port 1, as a Trunk port (or some call it tagged port). That includes the default LAN, VLAN ID 66, and VLAN 77. You can see an example of this in this article under the AP/Switch configuration instructions.
- Now set port 2 on the switch to VLAN ID 66 and connect the Camera device to that port.
- Then configure port 3 on your switch to the third VLAN ID 77, and connect your kid's computer.
- You can now go to Firewalla Box main page > Devices > Networks > Cameras > Rules. Now you can set any rules you like for the devices on this VLAN relative to the other networks you have defined. See Firewalla: Network Segmentation Use Cases for more examples of rules you can set.
Now all the traffic for all the networks will flow from the LAN of Purple on the same, cable to the switch and then be directed to the appropriate switch port.
Example 5: VLAN Networks for Wi-Fi Devices
Now let's say we have a bunch of Wi-Fi cameras that we want to put on a VLAN separated from the rest of our network. Instead of having a separate AP for the cameras, we can get a WVLAN (wireless VLAN) capable AP which can broadcast multiple SSIDs: one for each VLAN.
- Follow steps 1 and 2 from Example 4 to create your VLANs in Firewalla.
- Connect Firewalla to an AP with WVLAN support.
- Follow the instructions for your AP to associate the VLANs.
- Once the VLANs are defined, assign each SSID to a particular VLAN.
- Have devices join the correct SSID and they will be assigned to the correct VLAN.
Example: VLAN with TP-LINK
Here's an example using a TP-Link EAP225.
- Create a VLAN.
Here, we will configure a couple of VLAN's via SSID mapping in TPLink EAP225. Login to the TPLink AP and configure VLAN to SSID mappings as the following.
Note: Please use the IP address assigned by Firewalla to log in to the Access Point. If you are using a router that has been configured into bridge mode or AP mode, the previous IP address of the router may not work.
Here the main network is mapped to VLAN 33 and the guest network is mapped to VLAN 44.
- VLAN 66: SSID Cameras
- VLAN 77: SSID Kid's Wi-Fi
Example: VLAN with Netgear
Most routers allow you to set the default VLAN ID (sometimes called PVID) for each port. For example, in the following example, there are two VLANs defined. VLAN 1 includes all ports except 2 and VLAN 10 includes ports 1 and 2. This is going to allow port 2 will be dedicated to VLAN 10, ports 3-8 will be dedicated to VLAN 1 and port 1 will be a "trunk" connected to Firewalla carrying both VLANs. The trunk must be a member of both VLANs.
In this scenario, port 2 cannot be a member of VLAN 1 tagged or untagged. It is only a member of VLAN 10 just as ports 3-8 are only members of VLAN 1.
In VLAN 1, ports 3-8 are untagged meaning that any device plugged in that doesn't itself provide VLAN tagging will be part of VLAN 1. This is because of the PVID described later. Port 1 is also a member of VLAN 1 but must be Tagged.
In VLAN 10, ports 1 and 2 have a PVID of 10 meaning the default traffic for these ports is VLAN 10. Again, we Tag port 1 but we can leave port 2 untagged.
See how the PVID is defined below. Again, this means that untagged traffic defaults to the PVID for each port. In this example, ports 3-8 will default to VLAN ID 1 but ports 1 and 2 will default to VLAN 10.
See this Netgear article for more detail. Other switches will work similarly.
After your network is segmented, you can now treat each of them differently.
- Use the Firewalla Rules feature to apply different policies to each segment. Or prevent segments from talking to each other.
- Use the Smart Queue feature to prioritize traffic on the segment.
- Use the route feature to route traffic based on the segment.
Learn more about Creating a Better Network.
Articles from our customers
- Firewalla Network Segmentation Use Cases
- How to block a device from accessing other devices in the same LAN network?
- Network Segmentation
- Firewalla Gold: when network is segmented, will I be able to use AirPlay, and Chromecast cross networks?
- Working from Home, Better, Smarter & Secure
- Firewalla Tutorial: Network Segmentation Example with VLAN
- Manage Rules