A practical guide to the language behind your home network
In this article, we'll explain some common networking terms in a way most common users can understand.
When using Firewalla, many of these terms show up in features such as Devices, Flows, Rules, Segmentation, VPN, and activity monitoring.
1. Basic Terms
The most common concepts behind almost every home network.
- IP Address
- IP Subnet
- DNS
- Domain Name
- MAC Address
- Port
- Byte vs. Bit
- VPN
- A Few Other Basic Terms Consumers Often Run Into
IP Address
An IP address is the address used to identify a device on a network. Every device on your home network (e.g., phone, laptop, TV, printer, camera, game console) needs an IP address so data knows where to go.
A typical home IP address looks like this:
192.168.1.25
which usually means the device is inside your home network (private IP), not directly exposed to the public internet (public IP).
Example:
Your phone might be 192.168.1.10.
Your laptop might be 192.168.1.20.
Your TV might be 192.168.1.30.
When your laptop talks to your TV (maybe for streaming), it uses the TV’s IP address to reach it.
In Firewalla's Devices list, each device is typically shown with an IP address. This is the best way to tell devices apart, especially when devices have vague names like “Unknown.”
Analogy: It's like the mailing address of a device on your network.
IP Subnet
A subnet defines which IP addresses belong to the same local network.
A common home network might look like this:
192.168.1.0/24
This means devices from 192.168.1.1 through 192.168.1.254 are on the same local subnet.
Devices in the same subnet can usually communicate more directly. Devices in different subnets often need a router or firewall rule in between.
Example:
Your personal devices live on 192.168.10.0/24.
Your smart devices live on 192.168.20.0/24.
Different subnets are useful for separating trusted devices (e.g., phones, laptops) from less-trusted devices (e.g., smart plugs, cameras).
Most users create separate networks for family devices, guests, and IoT devices.
Analogy: It's like the boundary of the neighborhood your devices live in.
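As an added example (not Firewalla's own code), the following Python uses the standard library's ipaddress module to answer the questions this section raises: which /24 a device belongs to, whether two devices share a subnet, and whether an address is private. The segment names and device addresses are constructed, modelled on the 192.168.10.0/24 and 192.168.20.0/24 layout above.

```python
import ipaddress

# Constructed segments modelled on the article's example layout:
# personal devices on 192.168.10.0/24, smart devices on 192.168.20.0/24.
SEGMENTS = {
    "personal": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

def segment_of(ip):
    """Return the name of the segment containing this IP, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:          # true when the /24 prefix matches
            return name
    return None

def same_subnet(ip_a, ip_b):
    """True when both devices sit in the same /24 and can talk directly,
    without a router or firewall rule in between."""
    seg_a, seg_b = segment_of(ip_a), segment_of(ip_b)
    return seg_a is not None and seg_a == seg_b

def is_private(ip):
    """True for RFC 1918 style addresses such as 192.168.x.x."""
    return ipaddress.ip_address(ip).is_private

def usable_range(cidr):
    """First and last address a device can actually be assigned in a
    subnet, plus how many such addresses there are (254 for a /24)."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)

if __name__ == "__main__":
    print(usable_range("192.168.1.0/24"))               # ('192.168.1.1', '192.168.1.254', 254)
    print(same_subnet("192.168.10.5", "192.168.10.9"))   # True: same segment
    print(same_subnet("192.168.10.5", "192.168.20.7"))   # False: crosses segments
    print(is_private("192.168.10.5"), is_private("8.8.8.8"))  # True False
```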
DNS
DNS stands for Domain Name System. DNS translates human-friendly names into IP addresses.
Humans remember:
youtube.com
However, computers need an IP address to connect. When you type a website into your browser, DNS translates that website's name into an IP address.
Example:
You enter netflix.com in your browser.
Your device asks a DNS server, “What IP address belongs to netflix.com?”
The DNS server replies, and your device can connect.
If DNS is slow, websites may appear to load slowly. If DNS is compromised, a device could be sent to the wrong destination. If DNS filtering is enabled, certain domains can be blocked before a connection is made.
Firewalla features such as Family Protect, Safe Search, Ad Block, and domain-based filtering rely heavily on DNS.
Analogy: DNS is the Internet’s address lookup system.
Domain Name
A domain name is the human-readable name of a website or online service, such as:
google.com
youtube.com
firewalla.com
A domain name is the name humans use, while DNS translates that name into an IP address that computers use.
Example:
Most users remember amazon.com, not a string of numbers.
Domain names make it easier for humans to recognize and remember sites.
When Firewalla shows flows by domain instead of IP address, it's easier to understand which site devices are accessing.
MAC Address
A MAC address is a hardware identifier assigned to a device’s network interface.
It usually looks something like this:
36-F2-DF-B7-88-7B
Unlike an IP address, which can change frequently depending on the network, a MAC address is tied to the hardware itself and normally stays the same.
Analogy: IP address is where the device currently lives on the network, while the MAC address is the device’s hardware identity.
Example:
Your phone can get a different IP address tomorrow, but Firewalla can still recognize it as the same device because of its MAC address.
This is why Firewalla can consistently keep track of devices and apply rules to them more reliably than using the IP address alone.
Please note: Modern phones and laptops may offer private MAC addresses on Wi-Fi. This randomizes the MAC address the device presents, sometimes changing it frequently, which makes it harder for Firewalla to recognize the device as the same one.
Port
A port is a logical endpoint used by software and services on a device. This is not to be confused with the physical Ethernet port on the back of a router.
While an IP address identifies the device, a port helps identify the service on that device.
Common Ports:
80 = HTTP
443 = HTTPS
53 = DNS
22 = SSH
Example:
When you visit a secure website, your device usually connects to port 443 on the server.
These port numbers tell you what kind of service is involved. A device that constantly communicates on an unusual port may be a sign of potentially malicious activity worth investigating.
Analogy: The IP address gets you to the building, while the port gets you to the right room inside the building.
Byte vs. Bit
This is one of the most common consumer confusions.
A bit is a small unit of data.
A byte is 8 bits.
Internet speeds are usually advertised in bits per second, while file sizes are usually shown in bytes.
Example:
Your internet service says you have 1 Gbps.
That means 1 gigabit per second, not 1 gigabyte per second.
In ideal conditions:
1 Gbps ≈ 125 MB/s
So if you download a file at around 100 to 120 MB/s, that is actually close to full gigabit speed.
People often think their internet is underperforming because they expect 1 Gbps to mean 1,000 MB/s. The difference is simply bits vs. bytes.
VPN
VPN stands for Virtual Private Network. A VPN creates an encrypted tunnel between your device and another trusted network or VPN server.
Common uses:
Securing traffic on public Wi-Fi
Accessing your home network while traveling
Routing traffic through a trusted connection
Adding privacy from the local network or ISP
Example:
You're at a hotel and want to access a device back at home. If you connect through a VPN running on your home network, your laptop can securely reach home resources as if you were there.
Firewalla's VPN Server helps you securely reach your home resources while you're away. And with multiple Firewalla Boxes, you can connect them using Site to Site or Remote Access VPN Client.
Note: A VPN improves privacy and security, but your traffic may still be seen by your VPN provider.
A Few Other Basic Terms Consumers Often Run Into
DHCP: The service that automatically assigns IP addresses to devices. Without it, an IP address would need to be assigned manually to each device on your network (e.g., every phone, laptop, TV, etc.).
NAT (Network Address Translation): Allows devices in your home to share one public internet IP address. This is why home devices are usually not directly reachable from the public internet unless you deliberately allow it.
2. Advanced Terms
These are still understandable for most users, but they may involve more thinking about structure, control, and security.
Ingress vs. Egress Firewall
A firewall controls which traffic is allowed or blocked. Ingress traffic is traffic coming into your network or device. Egress traffic is traffic going out of your network or device.
Simply put:
Ingress = what's allowed to come in
Egress = what's allowed to go out
Examples:
Someone on the internet tries to connect to something inside your house.
An ingress firewall rule decides whether that incoming connection is allowed.
A smart device in your house tries to connect to a remote server on the internet.
An egress firewall rule decides whether that outgoing connection is allowed.
Most people think security means stopping bad things from coming in. But in real-world security, outbound control also matters.
If a device is compromised, egress rules can stop it from sending data out or reaching untrusted sites.
That's why Firewalla Rules like “Block All Internet Traffic,” “Block Certain Countries,” or “Allow Specific Traffic” are important for handling your outbound traffic in a way that most basic routers do not.
Segmentation
Segmentation divides a network into separate groups or zones. Instead of putting every device into one giant flat network, you organize devices by role or trust level.
For example, you might separate:
Family laptops and phones
Guests
Smart home devices
Work devices
Security cameras
Not every device deserves the same level of trust. Your work laptop may hold sensitive files. A smart plug may be cheap, rarely updated, and not especially secure. Putting them on the same unrestricted network is simple, but not ideal.
Many Firewalla users create separate networks or policies for IoT, guests, and more trusted personal devices.
Analogy: Segmentation is like putting devices into separate rooms instead of one giant room.
WPA2-Enterprise / WPA3-Enterprise
Most users know Wi-Fi as “type the password and connect.” This is usually WPA2-Personal or WPA3-Personal.
Enterprise Wi-Fi works differently: instead of one shared password for everyone, each user or device authenticates individually, often against a central server such as RADIUS.
Enterprise Wi-Fi can:
Assign separate credentials to each user
Remove one user without changing the password for everyone
Apply different access rights to different users or devices
Improve accountability and logging
Example:
In a business, employees might log in with individual credentials. Visitors can receive temporary access. A company laptop may automatically land on a more trusted network than a guest phone.
For most homes, this is unnecessary, but in advanced homes, labs, and small businesses, it can be very useful.
VLAN
VLAN stands for Virtual Local Area Network. A VLAN lets you create separate networks on the same physical infrastructure, so one router, switch, or access point can carry traffic for several logically separate networks.
For example, you may have:
VLAN 10 = family devices
VLAN 20 = IoT devices
VLAN 30 = guests
Traffic may move through the same cables and hardware, but the network still separates each group.
VLANs are one of the main tools used to implement segmentation efficiently.
More technically:
VLAN traffic is usually separated using 802.1Q tags, which tell network equipment which virtual network a packet belongs to.
With Firewalla, managed switches and access points can keep networks separate without needing entirely separate hardware for each network.
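As an added example (not Firewalla's code), this Python parses the 802.1Q tag described above out of a raw Ethernet frame and maps the VLAN ID to the VLAN 10/20/30 layout from this section. The frames are constructed inline with a small helper; the VLAN-to-name table is an assumption for illustration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q VLAN tag
ETH_HEADER_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)

# Assumed mapping, matching the article's example layout.
VLAN_NAMES = {10: "family", 20: "iot", 30: "guests"}

def parse_frame(frame):
    """Return (vlan_id, ethertype, payload_offset) for one Ethernet frame.
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, ETH_HEADER_LEN      # untagged frame
    if len(frame) < ETH_HEADER_LEN + 4:
        raise ValueError("tagged frame truncated before its inner EtherType")
    # TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID.
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, ETH_HEADER_LEN + 4

def build_frame(dst_mac, src_mac, vlan_id=None, ethertype=0x0800, payload=b""):
    """Constructed helper: assemble a frame, optionally inserting a VLAN tag.
    MACs are given as 12 hex characters, e.g. "36f2dfb7887b"."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Name the virtual network a frame belongs to, as a switch would."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return "untagged"
    return VLAN_NAMES.get(vid, f"unknown vlan {vid}")

if __name__ == "__main__":
    iot = build_frame("36f2dfb7887b", "001122334455", vlan_id=20, payload=b"\x45\x00")
    print(parse_frame(iot), classify(iot))          # (20, 2048, 18) iot
    print(classify(build_frame("36f2dfb7887b", "001122334455")))  # untagged
```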
ICMP
ICMP stands for Internet Control Message Protocol. It is used for basic network signaling and troubleshooting, not for normal browsing or streaming.
Common examples:
Ping
“Destination unreachable” messages
Parts of network diagnostics
Example:
If you “ping” a device, you are usually sending an ICMP echo request and waiting for an ICMP echo reply.
ICMP helps answer questions like, "Is the device reachable?" "Is the path working?" "Is there a routing or connectivity issue?"
Some people block ICMP entirely for security reasons, but that can also make troubleshooting harder. If a diagnostic tool says a host is unreachable, ICMP is often part of what is happening underneath.
3. Very Advanced Terms
These terms are important in modern security and started out mostly in business and enterprise environments.
Zero Trust
Zero Trust is a security model based on one core idea: Do not automatically trust anything, even if it is already inside your network.
Older network designs often assumed that once a device was inside the local network, it could be trusted.
Zero Trust never assumes devices are trusted. Instead, devices, users, and services should only get the access they actually need.
Why it matters:
Homes now have many connected devices: phones, laptops, cameras, TVs, doorbells, smart speakers, thermostats, tablets, and gaming consoles.
Not all of them are equally trustworthy. Some receive frequent updates; some do not. Some may talk to many cloud services. Some may be poorly secured.
Zero Trust asks a simple question: Why should this device have access to everything?
Example:
A smart TV may need internet access for streaming. It probably does not need direct access to your work laptop, NAS, or private admin interfaces.
That kind of thinking is a big part of why Firewalla emphasizes visibility, control, and network-level policy rather than assuming every device inside the home is automatically safe.
Simple way to think about it:
Old model: “If you get into the house, you can go anywhere.”
Zero Trust: “Even if you are inside the house, you still only get access to the rooms you need.”
Microsegmentation
Microsegmentation is a more granular version of segmentation. Regular segmentation may separate devices into a few big groups. Microsegmentation goes further by creating much smaller boundaries between specific devices, services, or workloads.
Example:
Instead of saying all IoT devices are together, you may say:
The camera can talk only to its cloud service for storage
The TV can access the internet, but not your laptop
The printer can be reached by family devices but not by guests
The smart thermostat can reach its cloud service, but nothing else locally
Why it matters:
If one device is compromised, microsegmentation helps stop that problem from spreading sideways across your network.
This is sometimes called reducing lateral movement. In other words, even if one device is breached, the attacker cannot easily jump from that device to every other device.
Slightly technical explanation:
Microsegmentation is usually enforced with more precise network rules, policy engines, identity checks, or per-device restrictions instead of only using broad network-wide trust.
Firewalla users often start with ordinary segmentation and then move toward microsegmentation by applying more targeted rules to specific devices, groups, destinations, or traffic types.
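As an added example (not Firewalla's rule engine), the following Python encodes the four microsegmentation rules listed above as a default-deny allowlist, which is the Zero Trust stance from the previous section, and evaluates sample flows against it. Device names, group membership and the cloud service names are constructed for illustration.

```python
# Constructed device groups for the example home.
GROUPS = {
    "family": {"laptop", "phone"},
    "guests": {"guest-phone"},
    "iot": {"camera", "tv", "printer", "thermostat"},
}

# Constructed destinations that live on the internet side of the firewall.
CLOUD_SERVICES = {"camera-cloud", "thermostat-cloud"}

# Allowlist: (source, destination). Each side is a device, a group name,
# or "internet". Anything not matched below is denied (default deny).
ALLOW_RULES = [
    ("camera", "camera-cloud"),        # camera talks only to its storage cloud
    ("tv", "internet"),                # TV streams, but no rule lets it reach the laptop
    ("family", "printer"),             # family devices reach the printer; guests do not
    ("thermostat", "thermostat-cloud"),# thermostat reaches its cloud, nothing else locally
    ("family", "internet"),
    ("guests", "internet"),
]

def src_matches(selector, device):
    return selector == device or device in GROUPS.get(selector, set())

def dst_matches(selector, dst):
    if selector == "internet":
        return dst == "internet" or dst in CLOUD_SERVICES
    return selector == dst or dst in GROUPS.get(selector, set())

def is_allowed(src, dst):
    """First matching allow rule wins; no match means the flow is dropped."""
    return any(src_matches(rs, src) and dst_matches(rd, dst)
               for rs, rd in ALLOW_RULES)

def evaluate(flows):
    """Return (src, dst, verdict) for each constructed flow."""
    return [(s, d, "allow" if is_allowed(s, d) else "deny") for s, d in flows]

if __name__ == "__main__":
    for row in evaluate([("camera", "camera-cloud"), ("camera", "laptop"),
                         ("tv", "internet"), ("tv", "laptop"),
                         ("laptop", "printer"), ("guest-phone", "printer"),
                         ("thermostat", "thermostat-cloud"), ("thermostat", "printer")]):
        print(row)
```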