Most people run their network flat, either because they’ve gradually added more and more IoT devices or because their current access points lack advanced functionality. A large, flat, aging network has a few problems:
- Every device can see, and reach, every other device on the network.
- It becomes tedious to change the SSID/password on all your IoT devices.
- The whole network is pinned to the oldest Wi-Fi encryption your legacy devices need (WPA/WPA2), even though many of your other devices support WPA3.
- Your Wi-Fi 7 devices can’t connect with their full capabilities, because Wi-Fi 7 (and the 6 GHz band) requires WPA3.
How do we make a large flat network more manageable and scalable?
The key is to divide it into smaller segments. This not only makes device management easier over time, but also limits the lateral movement of threats across your network. This is where Firewalla and Firewalla AP7’s Zero Trust Network Architecture can help.
In this article, we’ll walk through simple examples of how you can segment a large, flat network when migrating to the Firewalla AP7. This is just one approach—the possibilities are limitless!
Let’s Keep the Same Network
To make the initial migration simple, we’ll use microsegmentation and keep everything on a single Layer 3 (IP) network. This means all of your devices will keep the same IP addresses they had before. We’ll also assume that all devices are connected via Wi-Fi to the Firewalla AP7.
Advantages of staying in the same network:
- No need to renumber devices if you have static IPs
- No risk of breaking devices or rules that depend on the existing IP addresses
- Easier and simpler to manage with microsegmentation
(You can also implement this using different IP addresses via VLAN or Network Ports; learn more about network segmentation.)
No More Reconfiguring Every Device
Changing Wi-Fi settings on every device can be a hassle, especially when moving to a new access point or upgrading your network. With the Firewalla AP7, you don't have to. As long as you reuse your previous SSID and password, your devices will reconnect automatically.
This makes moving to the AP7 simple, so your devices stay online and you can start applying segmentation and security rules without extra effort.
Define your Network Segment
Our strategy is to group devices based on their properties and apply a different configuration to each group. These settings may include:
- Wi-Fi Encryption: WPA/WPA2, WPA2/WPA3, or WPA3 Personal
- VqLAN (microsegmentation)
- Device Isolation
- And other Firewalla features (e.g., NTP Intercept)
In this guide, we’ll organize our network as follows:
1. Segment IoT Devices using the previous SSID/password and WPA/WPA2.
   1.1. Segment Newer IoT Devices that support WPA2/WPA3 with a new SSID.
   1.2. Additional IoT Segmentation based on device types on unique SSIDs.
2. Segment Personal Devices with a new SSID using Mixed Personal security.
   2.1. Segment Devices for Each Person (personal keys) that need WPA2 and 2.4/5 GHz.
   2.2. Segment Devices for Each Person (WPA3-Enterprise) that need WPA3 and 6 GHz.
1. Segment IoT Devices
For legacy devices that only support WPA/WPA2 Personal, you can keep them connected using your existing SSID and password. This way, they'll reconnect automatically without manual updates, while still benefiting from segmentation and isolation.
- First, create a group for these devices. Then, enable VqLAN to block all traffic from and to devices outside the group, and Device Isolation to prevent devices inside the group from talking to each other.
- Enable NTP Intercept to ensure that time-sync requests are handled locally with Firewalla’s trusted NTP servers.
- Create the Firewalla Wi-Fi, reusing your previous SSID and password.
- Set the Wi-Fi Security Type to WPA/WPA2 Personal, the option legacy IoT devices that support nothing newer need.
- Assign the Wi-Fi to the IoT group so that devices are automatically microsegmented when they connect to Wi-Fi.
Now your devices reconnect automatically and are microsegmented without you touching their Wi-Fi settings, and legacy IoT devices keep connecting over WPA/WPA2.
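Once the IoT group is in place, it is worth checking from a device inside it that the two controls actually behave as described: VqLAN should block everything outside the group, and Device Isolation should block the other group members. The script below is an added example (not Firewalla code or API); it models only those two stated behaviours, leaves gateway and internet access out of scope, and uses a constructed lab layout (the 10.0.0.x addresses and the group names are hypothetical). The live TCP probe is optional; a probe function can be swapped in for testing.

```python
"""Check the microsegmentation described in section 1 from a device in the IoT group.

Added example, not Firewalla's own code. Models only the two behaviours the text
states for a group: VqLAN blocks traffic between a member and any device outside the
group, and Device Isolation blocks traffic between members. Gateway and internet
access are not modelled. Addresses and group layout are constructed for the demo.
"""
from dataclasses import dataclass
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Group:
    name: str
    members: Set[str]              # device IP addresses (hypothetical)
    vqlan: bool = True             # block traffic to/from devices outside the group
    device_isolation: bool = True  # block traffic between devices inside the group


def group_of(groups: Iterable[Group], ip: str) -> Optional[Group]:
    """Return the group an address belongs to, or None if it is ungrouped."""
    for g in groups:
        if ip in g.members:
            return g
    return None


def expected_allowed(groups: Iterable[Group], src: str, dst: str) -> bool:
    """Does the policy model permit src to reach dst?"""
    groups = list(groups)
    g_src, g_dst = group_of(groups, src), group_of(groups, dst)
    if g_src is not None and g_src is g_dst:
        # Same group: only Device Isolation applies.
        return not g_src.device_isolation
    # Different groups, or one side ungrouped: VqLAN on either side blocks it.
    # Two ungrouped devices are outside the page's policy; assumed reachable.
    return not any(g.vqlan for g in (g_src, g_dst) if g is not None)


def tcp_probe(dst: str, port: int = 80, timeout: float = 1.0) -> bool:
    """Live probe: one TCP connect attempt. A RST (connection refused) still proves
    the host is reachable; a timeout or 'no route' counts as blocked."""
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:
        return False


def verify(groups: Iterable[Group], src: str, targets: Iterable[str],
           probe: Callable[[str], bool] = tcp_probe) -> List[Tuple[str, str, bool, bool]]:
    """Compare observed reachability from src with the model.
    Returns (src, dst, expected, observed) for each mismatch; empty means consistent."""
    groups = list(groups)
    mismatches = []
    for dst in targets:
        want = expected_allowed(groups, src, dst)
        got = probe(dst)
        if want != got:
            mismatches.append((src, dst, want, got))
    return mismatches


# Constructed lab layout: everything stays in one /24, as in the article.
LAB_GROUPS = [
    Group("IoT", {"10.0.0.20", "10.0.0.21"}),                 # VqLAN + Device Isolation on
    Group("Personal", {"10.0.0.50", "10.0.0.51"}, device_isolation=False),
]
UNGROUPED_PRINTER = "10.0.0.90"


def expected_matrix(groups=LAB_GROUPS, src="10.0.0.20") -> Dict[str, bool]:
    """What a camera at 10.0.0.20 should be able to reach once section 1 is applied."""
    targets = ["10.0.0.21", "10.0.0.50", UNGROUPED_PRINTER]
    return {dst: expected_allowed(groups, src, dst) for dst in targets}


if __name__ == "__main__":
    # Run this on a device inside the IoT group, e.g. the camera at 10.0.0.20.
    for dst, ok in expected_matrix().items():
        print(f"{dst}: {'allowed' if ok else 'blocked'} by policy")
    print("mismatches:", verify(LAB_GROUPS, "10.0.0.20", list(expected_matrix())))
```

Any entry in the mismatch list is a device the camera can reach (or not reach) contrary to the policy you configured; the common finding after a migration is a device that never joined the group because it is still on an old SSID.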
1.1 Segment Newer IoT Devices
For newer IoT devices that support stronger encryption (like WPA2/WPA3), you can segment them separately to take advantage of improved security. You’ll need to update Wi-Fi settings manually on these devices, but they’ll gain stronger security and proper segmentation.
We can follow similar steps:
- Create a new Wi-Fi SSID and password.
- Set the Wi-Fi Security Type to WPA2/WPA3 Personal.
- Assign the SSID to the same IoT group. (Alternatively, create a separate group for New IoT devices.)
1.2 Additional IoT Segmentation (Optional)
If you have many IoT devices of the same type, such as cameras, sensors, or lights, you can further segment them for better organization and security.
You can create separate SSIDs for each device category and assign them to different groups, or use one SSID for all your IoT devices and manually assign them to different groups using personal keys (learn more in 2.1: Segment Devices for Each Person). Either way, different types of IoT devices can be isolated in their own groups, managed by different sets of rules.
This keeps your IoT devices organized while maintaining support for modern security standards like WPA2/WPA3. Learn more about using multiple SSIDs to manage IoT with the AP7.
2. Segment Personal Devices
Personal devices (like laptops and phones) should be isolated from IoT devices for both security and performance. Most of these devices support WPA3, and some even support Wi-Fi 7.
If you want to organize devices by household member, you can create Firewalla Users and assign devices to them automatically. This makes it easier to apply policies (like Family Protect or Time Limit rules) and track activity per person.
By default, new SSIDs use Mixed Personal Security—WPA2 for 2.4/5 GHz bands and WPA3 for 6 GHz.
To segment your personal devices:
- Create a Personal group or a User for yourself. Apply features like Ad Block, Safe Search, and more.
- Create a new Wi-Fi SSID and password.
- Assign the SSID to the Personal group.
Note: WPA3 Personal may cause connection issues since not all devices (even newer ones) support it. We highly recommend sticking with Mixed Personal Security, which is the most compatible option.
2.1 Segment Devices for Each Person (Personal Keys)
While you can use multiple SSIDs like the previous examples, you can also use personal keys. Using a single SSID, create additional personal keys to use as the Wi-Fi password, and assign groups/Users to each key. Devices that use this key are automatically assigned to the group/User.
For example, you could create a “Kids” SSID, then assign each child their own personal key to use as the Wi-Fi password. This way, each device is microsegmented, even while sharing the same Wi-Fi name. Learn more about using personal keys to microsegment SSIDs.
Note: Using additional microsegments via personal keys will disable WPA3 and the 6 GHz band (the 6 GHz band only permits WPA3, so an SSID that must stay on WPA2 for multiple keys cannot be offered there). If you need WPA3 and 6 GHz, consider using Enterprise Wi-Fi instead. See section 2.2 below.
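Two things on this page follow from how WPA2-Personal derives its keys: devices reconnect to the AP7 unchanged when the SSID and password are reused (section “No More Reconfiguring Every Device”), and several personal keys can share one SSID because the AP can tell from the 4-way handshake which key a client used. The code below is an added example of that standard WPA2 mechanism; the article does not say how the AP7 implements personal keys, and this is not Firewalla’s code. The EAPOL-Key body is a simplified stand-in for the real frame, and the “Kids” SSID, the two keys, the MAC addresses and the nonces are constructed. WPA3-SAE authenticates the password with a different exchange that is not shown here.

```python
"""Why reusing SSID+password keeps devices connected, and how a multi-key WPA2 SSID
can identify the key a client used.

Added example, not Firewalla code. Shows the standard WPA2-Personal derivation:
PMK = PBKDF2(passphrase, SSID); PTK = PRF-512 over both MACs and both nonces;
and the EAPOL-Key MIC in message 2 of the 4-way handshake, which an AP holding
several candidate passphrases can check against each one. The EAPOL body layout
is a simplified stand-in; SSID, keys, MACs and nonces are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """PMK for WPA2-Personal: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    Depends only on SSID and passphrase, not on the access point, which is why a
    device that stored the old SSID/password joins a new AP without changes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, authenticator/supplicant MACs and the two handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, body_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    return hmac.new(kck, body_with_zero_mic, hashlib.sha1).digest()[:16]


def client_message2(ssid: str, passphrase: str, aa: bytes, spa: bytes,
                    anonce: bytes, snonce: bytes) -> Tuple[bytes, bytes]:
    """Supplicant side: simplified EAPOL-Key message 2 (SNonce + zeroed MIC field) and its MIC."""
    body = b"\x02\x03" + snonce + b"\x00" * 16   # constructed: type, key-info, SNonce, MIC placeholder
    kck = derive_ptk(wpa2_psk(ssid, passphrase), aa, spa, anonce, snonce)[:16]
    return body, eapol_mic(kck, body)


def identify_key(ssid: str, keys: Dict[str, str], aa: bytes, spa: bytes,
                 anonce: bytes, body: bytes, mic: bytes) -> Optional[str]:
    """Authenticator side: trial every configured passphrase against the received MIC.
    The matching passphrase identifies the client's group/User; None means no key matched."""
    snonce = body[2:34]
    for passphrase, owner in keys.items():
        kck = derive_ptk(wpa2_psk(ssid, passphrase), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, body), mic):
            return owner
    return None


# Constructed "Kids" SSID with one personal key per child (hypothetical values).
SSID = "Kids"
PERSONAL_KEYS = {"alice-tablet-key-2024": "Alice", "bob-laptop-key-2024": "Bob"}
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")


def join_with(passphrase: str) -> Optional[str]:
    """Simulate one handshake: which User does the AP assign the joining device to?"""
    anonce, snonce = os.urandom(32), os.urandom(32)
    body, mic = client_message2(SSID, passphrase, AP_MAC, CLIENT_MAC, anonce, snonce)
    return identify_key(SSID, PERSONAL_KEYS, AP_MAC, CLIENT_MAC, anonce, body, mic)


if __name__ == "__main__":
    print(wpa2_psk("IEEE", "password").hex())   # IEEE 802.11i Annex test vector
    print(join_with("bob-laptop-key-2024"))      # Bob
    print(join_with("guess"))                    # None
```

The trial loop is linear in the number of keys, which is fine for a household but is also why per-key assignment only works where the handshake lets the AP verify a candidate key; a device joining with a key that is not configured simply fails the handshake and is never assigned to a group.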
2.2 Segment Devices for Each Person (WPA3 Enterprise)
If you work with a lot of sensitive data, require WPA3 for better Wi-Fi security, and need the 6 GHz band for faster Wi-Fi performance, you can use WPA3 Enterprise.
Enterprise Wi-Fi provides per-user authentication (each person signs in with their own username and password instead of a shared key) and the strongest security, while still automatically assigning devices to Users under a single SSID. Learn more about Enterprise Wi-Fi with Firewalla.
- Create a new Wi-Fi SSID. Enterprise Wi-Fi uses no shared password; each person signs in with their own credentials.
- Set the Wi-Fi Security Type to WPA3 Enterprise.
- Set up Usernames & Passwords for each Firewalla User, so that devices can connect to Wi-Fi.
Note: Not all devices, like IoT devices, support Enterprise Wi-Fi. If you'd like to use a single SSID to assign incompatible devices, try using personal keys. See section 2.1 above.
Final Thoughts
With Firewalla and the AP7, segmentation becomes simple—no complex IP renumbering required. By grouping devices, applying policies, and assigning them to the correct segments, your network stays more secure, more manageable, and ready for the future.
Learn more about segmentation:
- Groups, Segmentation, and Microsegmentation with Firewalla
- Network Segmentation (Port-Based and VLAN-Based Segmentation)
Learn more about Zero Trust:
- Firewalla Zero Trust Network Architecture
- Firewalla Zero Trust Network Architecture Example
- Firewalla Zero Trust Best Practices and Examples
Learn more about Firewalla AP7: