In a typical home or small business, every device shares the same network, so each device can see and talk to every other device. Not all devices deserve that trust. For example, you may want to isolate IoT devices so that a compromised one can reach as little as possible, or apply an extra level of protection to guest devices. With network segmentation, you can split your devices among separate networks to meet your performance and protection needs.
This article will cover the basics of network segmentation and how you can set it up.
- What Is Network Segmentation?
- Network Segmentation Use Cases
- Tutorial: Port-Based Segmentation (Gold only)
- Tutorial: VLAN-Based Segmentation (Gold & Purple)
- SSDP Relay and mDNS Relay: Using Devices Across Segments
- What Is The Difference Between Device Groups And Network Segmentation?
- Helpful Links
Network Segmentation is only available on the Firewalla Gold and Firewalla Purple.
What Is Network Segmentation?
Network segmentation divides your network into partitions that can be used to give you better security and network performance. For example, you can split your main local network into 3 subnetworks: Network A, Network B, and Network C.
Separating devices from the rest of your network limits what they can see and reach: a device gets access only to the data and devices it needs to function, and it can no longer quietly observe or probe devices on other segments. If a device on one segment is compromised, the attacker cannot directly reach devices on your other segments, provided you have added Block rules between the segments (segments can talk to each other by default; see below).
Network Segmentation Use Cases
After your network is segmented, you can apply rules and policies to each subnetwork. Note that segmentation by itself is not isolation: Firewalla routes between segments, so subnetworks can fully see and talk to each other by default. To actually restrict what a segment can reach on the local network, add Block rules for traffic to and from other local networks.
Kids' or Employees' Network
At home, you can create a network segment for kids with parental control rules and features. Depending on the situation, you can configure it to be able to access other networks or restrict it from accessing other devices and resources.
If you use Firewalla in your office network, you can create a network to manage employees' network access. You can apply rules and features based on company policies. You can also monitor the network segment as a whole, including alarms and settings.
VPN Network for Working from Home
Firewalla's built-in VPN client makes it convenient to work remotely through a VPN. In this case, you can create a network with a VPN connection configured and only include devices that you need to use for work. This way your work communication is always protected and will not interfere with your other devices' activity.
Guest Network
You can also use network segmentation to create a secure guest network. You can apply features or rules just to your guest network segment, such as porn block or Family Protect. You can also block guest devices from talking to any local networks while allowing devices from local networks to talk to devices inside the guest network.
With New Device Quarantine turned on, any new device joining the network is automatically placed into the QuarantineGroup and an alarm is generated. You can turn this feature on for specific networks, which makes a locked-down guest segment easy to build for home or work.
IoT Network
For devices that only need access to specific services, such as some IoT devices, you can isolate their traffic from the rest of the network. This reduces your risk exposure in case your IoT devices get compromised. Once you set up an IoT network, you can restrict access by setting rules to:
- Block Traffic from & to the Internet.
- Block Traffic from & to all local networks.
- Allow access to ports required by specific services (IP addresses and ports).
- Allow access only from selected networks
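As an added example (not Firewalla's code or UI), the rule set above can be written down and checked before it goes live. The model below assumes Firewalla's documented precedence that a matching Allow rule overrides a matching Block rule, and uses constructed addresses: 192.168.0.0/24 for the main LAN, 192.168.66.0/24 for the IoT segment, and a hypothetical time server at 203.0.113.10 as the one Internet service the cameras may reach. The "Block Traffic from & to All Local Networks" rule is the same one used in the port-based examples later on.

```python
"""Model of the IoT-segment rule set described above.

Added example, not Firewalla's code. It assumes Firewalla's documented
rule precedence (a matching Allow rule overrides a matching Block rule;
with no match, traffic is allowed) and models only the rule targets the
article uses. All addresses are constructed: 192.168.0.0/24 is the main
LAN, 192.168.66.0/24 the IoT segment, and 203.0.113.10 a hypothetical
time server the cameras are allowed to use.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

MAIN = ip_network("192.168.0.0/24")
IOT = ip_network("192.168.66.0/24")
LOCAL_NETWORKS = [MAIN, IOT]          # every segment Firewalla manages


@dataclass(frozen=True)
class Flow:
    src: str      # IP of the side that opens the connection
    dst: str      # destination IP
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "block"
    scope: IPv4Network                         # network the rule is applied to
    direction: str                             # "both", "outbound" or "inbound" (relative to scope)
    target: str                                # "internet", "local", "network" or "host"
    target_net: Optional[IPv4Network] = None   # for target == "network"
    target_ip: Optional[IPv4Address] = None    # for target == "host"
    dport: Optional[int] = None                # port restriction for "host"


def is_local(ip: IPv4Address) -> bool:
    return any(ip in net for net in LOCAL_NETWORKS)


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule applies to this flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Work out which end is inside the rule's scope; the other end is the peer.
    if rule.direction == "outbound":
        if src not in rule.scope:
            return False
        peer = dst
    elif rule.direction == "inbound":
        if dst not in rule.scope:
            return False
        peer = src
    else:  # "both"
        if src in rule.scope:
            peer = dst
        elif dst in rule.scope:
            peer = src
        else:
            return False
    if rule.target == "internet":
        return not is_local(peer)
    if rule.target == "local":
        # "All local networks" means the other segments. Same-segment traffic
        # never reaches Firewalla anyway: it is switched inside the segment.
        return is_local(peer) and peer not in rule.scope
    if rule.target == "network":
        return peer in rule.target_net
    if rule.target == "host":
        return peer == rule.target_ip and (rule.dport is None or flow.dport == rule.dport)
    raise ValueError(f"unknown target {rule.target}")


def evaluate(rules: list, flow: Flow) -> str:
    """Allow wins over Block; no matching rule means allow."""
    hits = [r.action for r in rules if matches(r, flow)]
    if "allow" in hits:
        return "allow"
    return "block" if "block" in hits else "allow"


# The four rules from the IoT Network list, applied to the IoT segment.
IOT_RULES = [
    Rule("block", IOT, "both", "internet"),
    Rule("block", IOT, "both", "local"),
    Rule("allow", IOT, "outbound", "host", target_ip=ip_address("203.0.113.10"), dport=123),
    Rule("allow", IOT, "inbound", "network", target_net=MAIN),
]

if __name__ == "__main__":
    samples = [
        Flow("192.168.66.20", "203.0.113.10", 123),   # camera -> NTP: allowed by the host rule
        Flow("192.168.66.20", "203.0.113.10", 443),   # same host, other port: blocked (internet)
        Flow("192.168.66.20", "192.168.0.5", 445),    # camera -> main LAN: blocked (local)
        Flow("192.168.0.5", "192.168.66.20", 554),    # laptop -> camera: allowed (inbound from MAIN)
        Flow("192.168.66.20", "192.168.66.21", 80),   # camera -> camera: no rule, and not routed anyway
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}: {evaluate(IOT_RULES, f)}")
```

Run it to see each sample flow's verdict. Note the last case: two cameras on the same segment reach each other whatever the rules say, because that traffic is switched inside the segment and never crosses Firewalla; if devices must not see each other, put them on different segments.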
Control Segment Traffic
After segments are created, you can also:
- Use the Smart Queue feature to prioritize traffic on certain segments.
- Use the route feature to specify how traffic moves over each segment.
Learn more about what you can do in our article on Creating a Better Network.
Port-Based Segmentation (Gold only)
One way to create a network segment is through port-based segmentation, which involves physically connecting a device to the Ethernet ports on your Firewalla.
For the purpose of these examples, let's assume that you already have Firewalla configured with a single LAN that includes ports 1-3, with gateway address 192.168.0.1 and subnet mask 255.255.255.0 (that is, 192.168.0.0/24).
Example 1: A Single Ethernet Device
Say you have a security camera or baby monitor that you want to separate from the rest of your network. This camera connects via Ethernet.
- Connect the Camera to a port on Firewalla. Let's say Port 1.
- Go to the Firewalla Box main page > Network Manager > Create Network.
- Give the network a name.
- Leave the type as LAN.
- Select Port 1.
- Set the IP range to be different from the primary network. If you don't know what to pick, use Surprise Me.
- Save.
- If you are asked if you want to remove Port 1 from the existing LAN, tap Confirm.
- Now go to your box's main page and tap Devices. Find your camera and check that the IP address is in the range you set for your new network segment.
- In the same device screen, choose Rules and make a rule that BLOCKS Traffic from & to All Local Networks. Devices on your new network segment now have full access to the Internet but can neither see nor be seen by devices on the rest of your network.
Note that on Purple you can use its built-in Wi-Fi to create a LAN separate from the Ethernet LAN if needed.
Example 2: A Group of Ethernet Devices
Now let's say you have not one camera but a dozen. You still want to place them on a separate network segment, but you don't have enough ports on Firewalla Gold. No problem.
You can use any switch (unmanaged or managed): connect it to Port 1, then plug all your cameras into that switch. Follow the same steps as for a single camera, including the Block rule. All your cameras can then see and talk to each other but cannot reach your trusted main LAN.
Example 3: Wi-Fi Devices
Now say instead of cameras with Ethernet connections, you have a set of Wi-Fi-based smart smoke alarms that you'd like to keep on a separate network as a best practice. Instead of plugging in a switch as in Example 2, use a separate Wi-Fi access point (AP) just for the smoke alarms to isolate them from the rest of your network. Then, follow the steps from Example 1 to set up a network segment. Connect a different AP for your main LAN's Wi-Fi.
You can repeat this process for each of the 3 LAN ports on your Gold. This means you could have:
- One network for trusted computers like your personal laptop and phone.
- One network for all your IoT devices over Wi-Fi (or, if your AP has available ports, you can connect your IoT devices with Ethernet).
- One network for security cameras.
VLAN-Based Segmentation (Gold or Purple only)
Port-based segmentation is limited by the number of physical Ethernet ports you have on Gold. VLANs (Virtual LANs) are another approach that lets you segment beyond the number of physical ports. VLANs take a bit more configuration up front, and the additional hardware may be slightly more expensive. When looking for compatible equipment, look for the most common VLAN standard, 802.1Q. Any switch or Wi-Fi AP that is 802.1Q compatible will work with Firewalla Gold or Purple.
VLANs are the only option for network segmentation on Purple since it only has one LAN port. We will use Purple in the next few examples, but everything that follows works for Gold as well. Note that Gold does not have a limit on VLANs, but Purple is limited to 5.
Example 4: Ethernet Devices
Let's say we are using a Purple to create three separate networks: one for your home, one for a camera, and another for your kids' Wi-Fi devices. To do that, we can connect Purple's LAN port to Port 1 on a managed switch.
A managed switch lets us create several VLANs (Virtual LANs) over the same set of ports.
- Go to the Firewalla Box Main page > Network Manager > Create Network > Local Network.
- Give the network a name (for example, "Cameras" or "Kids").
- Set Type to VLAN.
- Set a VLAN ID.
- Choose the LAN port.
- You can use Surprise Me for the IP settings. By convention, the third octet of the network address is often set to the VLAN ID so the two are easy to match up: for example, 192.168.66.x for VLAN ID 66. This is only a convention; any range that doesn't overlap your other networks works.
- Save.
- Repeat these steps to create the second VLAN (ID 77 in this example), so you end up with 3 local networks: the original LAN plus two VLANs.
- You will now see your original LAN and your new VLANs. Note that the port icons for all 3 networks are blue to indicate they share the LAN port. The LAN port on Purple is now a "trunk" port because it carries traffic for three LANs on the same port. You'll also notice that your main LAN has no VLAN ID: Firewalla sends and receives main-LAN traffic on the trunk without a tag, so any frame reaching Firewalla without a VLAN tag is treated as main LAN. Keep that in mind when you set PVIDs on the switch.
- Now follow your managed switch's instructions to create the VLANs on the switch. See the section below on setting up VLANs with a switch for a specific example.
- Set the port connected to Firewalla as a trunk port (also known as a tagged port).
- Set port 2 on the switch as an untagged member of VLAN 66 with PVID 66, and connect your camera to that port.
- Set port 3 on the switch as an untagged member of VLAN 77 with PVID 77, and connect your kids' devices (or the AP they use) to that port.
- You can now set any rules you'd like for each of your new VLANs. To do this, navigate to your box's main page > Devices > Networks > The VLAN you'd like to manage > Rules.
Now all the traffic for your networks flows between your Purple's LAN port and the switch over the trunk, and the switch delivers each VLAN's frames to the right switch port. Traffic between two VLANs is routed by Firewalla, so the rules you set apply to it; traffic between two devices on the same VLAN is switched locally and never reaches Firewalla, so no rule can block it.
Setting up VLANs with a Switch
If you're using a managed switch for your VLANs, you will need to:
- Create the VLANs on your switch (after creating them in the Firewalla app).
- Map your VLANs to the ports on your switch. In the screenshot below, VLAN 1 includes ports 1, 3, 4, 5, 6, 7, and 8, and VLAN 10 includes just ports 1 and 2. Port 1 is a member of multiple VLANs, meaning it is a "trunk" port.
- Choose which ports are tagged for each VLAN. On a tagged port the switch sends frames for that VLAN with their 802.1Q tag still attached and expects frames arriving for that VLAN to carry the tag; on an untagged port it strips the tag before sending, so the attached device never sees VLANs at all. The tag is what tells the switch (and Firewalla) which VLAN a frame belongs to. Trunk ports are therefore tagged, because they carry several VLANs at once. In our case, on VLAN 1, port 1 is tagged, while ports 3, 4, 5, 6, 7, and 8 are untagged.
- Specify the PVID for each port. A frame that arrives without a VLAN tag is assigned to the port's PVID. In this example, untagged frames on ports 3-8 land in VLAN 1, while untagged frames on ports 1-2 land in VLAN 10. Check the trunk port's PVID against how Firewalla sends the main LAN: Firewalla does not tag main-LAN traffic (see Example 4), so if the main LAN is meant to pass over the trunk, the trunk's PVID must be the main LAN's VLAN.
See this Netgear article for more detail. Other switches will work similarly.
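To make the tagged/untagged/PVID terminology concrete, here is an added example (mine, not Firewalla's or any switch vendor's) that models a switch's VLAN table and shows where a frame goes. It uses the Example 4 topology: Purple's LAN port on switch port 1 as the trunk, the camera on port 2 (VLAN 66), the kids' devices on port 3 (VLAN 77), and the main LAN on ports 4-8. Because Firewalla sends the main LAN untagged, port 1 is an untagged member of the main LAN's VLAN (1) with PVID 1, and a tagged member of 66 and 77. The model also assumes the switch has ingress filtering on, so a tagged frame arriving on a port that is not a member of that VLAN is dropped; that assumption is what stops a device on an access port from hopping VLANs by tagging its own frames, so check that setting on your switch. An AP uplink carrying several SSIDs is configured the same way as the trunk port.

```python
"""802.1Q switch-port model for the Example 4 topology.

Added example, not from Firewalla or any switch vendor. It models how a
managed switch classifies and forwards frames using its VLAN membership
table and per-port PVIDs. Assumptions: Firewalla's LAN port is on switch
port 1 (trunk); the camera is on port 2 (VLAN 66); the kids' devices are
on port 3 (VLAN 77); the main LAN (VLAN 1, sent untagged by Firewalla) is
on ports 4-8; and ingress filtering is enabled, so a tagged frame arriving
on a port that is not a member of that VLAN is dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TAGGED, UNTAGGED = "tagged", "untagged"


@dataclass
class Switch:
    # vlan id -> {port: TAGGED | UNTAGGED}
    members: Dict[int, Dict[int, str]]
    # port -> VLAN assigned to frames that arrive without a tag
    pvid: Dict[int, int]

    def classify(self, port: int, vid: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame belongs to, or None if the switch drops it."""
        if vid is None:
            vid = self.pvid[port]                 # untagged frame: use the port's PVID
        if port not in self.members.get(vid, {}):
            return None                           # ingress filtering: port is not a member
        return vid

    def forward(self, ingress_port: int, vid: Optional[int] = None) -> Dict[int, Optional[int]]:
        """Egress ports for a flooded frame (broadcast or unknown unicast) mapped to
        the tag it carries on the way out (None = untagged). A known unicast frame
        goes to just one of these ports, but the candidate set is the same."""
        vlan = self.classify(ingress_port, vid)
        if vlan is None:
            return {}
        return {
            port: (vlan if mode == TAGGED else None)
            for port, mode in self.members[vlan].items()
            if port != ingress_port
        }


def example4_switch() -> Switch:
    """Membership table and PVIDs for the Example 4 topology (constructed)."""
    trunk, camera, kids, main_ports = 1, 2, 3, range(4, 9)
    members = {
        1:  {trunk: UNTAGGED, **{p: UNTAGGED for p in main_ports}},  # main LAN, native on the trunk
        66: {trunk: TAGGED, camera: UNTAGGED},                       # Cameras
        77: {trunk: TAGGED, kids: UNTAGGED},                         # Kids
    }
    pvid = {trunk: 1, camera: 66, kids: 77, **{p: 1 for p in main_ports}}
    return Switch(members, pvid)


if __name__ == "__main__":
    sw = example4_switch()
    print("Firewalla, untagged   ->", sw.forward(1))       # main LAN ports 4-8, untagged
    print("Firewalla, tag 66     ->", sw.forward(1, 66))   # {2: None}: camera port, tag stripped
    print("camera, untagged      ->", sw.forward(2))       # {1: 66}: to Firewalla, tagged 66
    print("camera, forged tag 77 ->", sw.forward(2, 77))   # {}: dropped, port 2 is not in VLAN 77
    print("kids, untagged        ->", sw.forward(3))       # {1: 77}
```

The forged-tag case is the one worth checking on real hardware: plug a laptop into an access port, send a frame tagged with another segment's VLAN ID, and confirm nothing on that segment sees it. If it gets through, the switch is not filtering on ingress and the access port should be fixed before you rely on the segmentation.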
Example 5: Wi-Fi Devices
Now let's say we have a bunch of Wi-Fi cameras that we want to put on a VLAN separated from the rest of our network. Instead of having a separate AP for the cameras, we can get a WVLAN (wireless VLAN) AP which can broadcast multiple SSIDs, one for each VLAN.
- Follow the steps from Example 4 that create the VLANs in the Firewalla app.
- Connect Firewalla to an AP with WVLAN support.
- Follow the instructions for your AP to set up the VLANs. Read the section below on setting up VLANs with an AP to learn more.
- Once the VLANs are defined, assign each SSID to a particular VLAN.
- Have devices join the correct SSID to assign them to the correct VLAN.
Setting up VLANs with an AP
If you're using an AP for your VLANs, you will need to configure it so that your VLANs map to their different SSIDs. Here's an example of how you might do this using a TP-Link EAP225.
After creating a VLAN on your Firewalla (see the VLAN creation steps in Example 4 above), log into your TP-Link AP using the IP address your Firewalla assigned to it. Once you've logged in, use the TP-Link web interface to map your VLANs to the appropriate SSIDs.
In the image below, the Cameras network is mapped to VLAN 66, and the Kid's network is mapped to VLAN 77.
SSDP Relay and mDNS Relay: Using Devices Across Segments
mDNS and SSDP are discovery protocols that devices such as Sonos speakers or Roku use to find each other by sending multicast packets on the local network. Multicast does not cross from one segment to another, so by default a device on one network cannot be discovered from another. mDNS Relay and SSDP Relay forward those discovery packets across your networks.
For example, if you have a smart speaker on LAN 1 and you want it to be discoverable by your phone on a different network, enable SSDP Relay and mDNS Relay on LAN 1. In some cases the app on your phone initiates discovery rather than the device, so to make sure the phone can find the device on another LAN you can also enable SSDP Relay and mDNS Relay on the network the phone is connected to.
To enable one or both of them, tap on a LAN, tap Edit, and then toggle mDNS Relay and/or SSDP Relay on.
- If SSDP Relay is enabled on one network, SSDP broadcast queries sent from the network will be relayed to all the other networks.
- SSDP is only a discovery protocol; once devices have found each other they talk directly (unicast) and no longer need the relay. Turning SSDP Relay off therefore stops new discovery but does not end sessions already established. To make sure devices in different networks stop talking to each other, reboot the device or reconnect it to the network after turning off SSDP Relay, and add a Block rule between the networks if the separation must be enforced rather than merely no longer advertised.
- SSDP Relay is only supported in Router Mode on all local networks.
- SSDP Relay is not supported on VPN networks (OpenVPN and WireGuard)
Note that mDNS Relay was previously called mDNS Reflector and was located on the Configurations page. mDNS Relay is the exact same feature as mDNS Reflector; it's just been moved.
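What the relay actually carries, as an added example that is not Firewalla's code: the SSDP exchange in Python, with a constructed reply from a speaker on another segment (all addresses and device names are illustrative). The app multicasts an M-SEARCH to 239.255.255.250:1900; multicast does not cross a router, which is why a relay is needed between segments. Each device answers with a unicast response whose LOCATION header names the device's own IP and port, and that unicast address is what the app talks to from then on. mDNS works the same way on 224.0.0.251:5353 with DNS-format packets.

```python
"""SSDP discovery exchange, and why a relay is needed across segments.

Added example, not Firewalla's code. SSDP (used by Sonos, Roku and other
UPnP devices) has two steps: the app multicasts an M-SEARCH to
239.255.255.250:1900, and each device answers with a unicast HTTP-style
response whose LOCATION header points at the device's own IP and port.
Multicast does not cross a router, so without a relay the search never
reaches other segments; the LOCATION that comes back, however, is an
ordinary unicast address the app connects to directly afterwards. The
sample reply below is constructed; its addresses are illustrative.
"""
import socket
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """The query an app sends. MX is how long (seconds) devices may wait to reply."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Dict[str, str]:
    """Parse a unicast SSDP reply into a header dict (keys upper-cased)."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP OK response: {status!r}")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def post_discovery_endpoint(headers: Dict[str, str]) -> Tuple[str, int]:
    """Host and port the app connects to after discovery: the LOCATION URL.
    A Block rule between segments has to cover this unicast traffic; the
    relay only carries the multicast search."""
    url = urlsplit(headers["LOCATION"])
    return url.hostname, url.port or 80


def discover(search_target: str = "ssdp:all", timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send a real M-SEARCH on the segment this machine is on and collect replies.
    Only devices on this segment (or relayed here by Firewalla) will answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.sendto(build_msearch(search_target, mx=int(timeout)), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            found.append({**parse_response(data), "_FROM": addr[0]})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed reply, as a media renderer on another segment would send it.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.10.23:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 ExampleSpeaker/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_response(SAMPLE_REPLY)
    print("device answered with LOCATION", hdrs["LOCATION"])
    print("app will now connect directly to", post_discovery_endpoint(hdrs))
    for dev in discover():
        print("live:", dev["_FROM"], dev.get("ST"), dev.get("LOCATION"))
```

discover() sends a real search on whichever segment the machine is on and returns only the devices that answered, so running it from each segment before and after toggling the relay is a quick way to verify what is discoverable from where. The endpoint returned by post_discovery_endpoint() is the address a Block rule must cover if the two segments are meant to stay apart.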
What Is The Difference Between Device Groups And Network Segmentation?
While they may seem similar at a glance, Firewalla’s Device Group feature is fundamentally different from network segmentation. Device groups simply allow you to apply rules to a custom set of devices. These rules can only be applied to incoming and/or outgoing traffic, which means that groups can't isolate LAN traffic as network segmentation can. Additionally, network segmentation gives you the option to limit subnetwork members from communicating outside of their own physical port or VLAN.
Members in a device group can belong to different network segments. Using groups and network segments together works nicely to control traffic.
Helpful Links
- Firewalla Network Segmentation Use Cases
- How to block a device from accessing other devices in the same LAN network?
- Network Segmentation
- Firewalla Gold: When my network is segmented, will I be able to use AirPlay and Chromecast across networks?
- Working from Home Smarter & More Secure
- Firewalla Tutorial: Network Segmentation Example with VLAN
- Manage Rules
User Contributed
Comments
2 comments
I've been trying to setup a VLAN on my Netgear 48 port managed switch, but Netgear's terminology just perplexes me.
So, I have a WAP that I have set up with 3 SSIDs. Right now, all set to VLAN 0, which I think means untagged. I'd like to set one of the SSIDs to tag VLAN 20 and then have the Firewalla make a subnet for that VLAN. Those two steps I've been able to do. What I've NOT been able to do is get the Netgear switch to pass the VLAN tags along.
With my WAP attached to Port 44 on the Netgear Switch, how do I setup the switch?
I don't believe I want to set the PVID on 44 because I don't want the untagged traffic (from the other SSIDs) to get tagged. Correct? OR am I required to set a PVID on that port, in which case I probably need to set the other two SSIDs to have a VLAN tag and then create another VLAN network on the Firewalla for them?
And then what do I do for VLAN membership? Set 44 to be tagged and all the other ports untagged?
Or am I just getting it all completely wrong?
I'd like to be able to segment logical groups of devices from one another. Example: Group A is blocked from inbound/outbound/both communications from/to Group B. I can't use VLANs in this use case because there are a variety of wireless and LAN devices across the network in different groups. Example: I'd like the Entertainment Group to only be able to communicate with the (Media) Server Group and the Internet, but be blocked from communicating with the IoT and Workstations Groups.
You've almost got what is necessary - you'd just need to add "Groups" to the Target list in Rules.