Device Groups versus VLAN
When you create a Device Group, you can create rules for the devices in that group such as no internet access or no network access. What is the benefit then of using a VLAN? What would be the difference in security between the two? They seem rather similar, and Device Groups seem easier to implement.
With only device groups, it is possible for devices on your LAN to talk directly with other devices on the LAN, using only your Ethernet switches and APs. The Firewalla may not ever see this traffic.
Using VLANs (and VLAN aware switches, separate SSIDs for each VLAN, and VLAN capable APs) the traffic for each VLAN is segregated from all other VLANs. This prevents devices on one VLAN from communicating with devices on other VLANs unless there is a rule that allows it in the Firewalla.
Using VLANs improves security inside your network if a device happens to get infected with malware, limiting the potential spread to other devices.
Thanks. So here is the situation. I have a media server that I have exposed to the outside world so I can connect externally. That server connects to a shared path on a Synology server. I want to put the media server on a VLAN which is protected from my normal network where the Synology sits. So I can create the VLAN for the Plex and the VLAN for my standard network. Is there a way to just allow SMB access between the VLANs? Or am I de-securing my network by doing this? I have created a locked-down user on the Synology that only has read-only access to the 4 shared folders and nothing else.
Actually it's a good idea to separate insecure devices from your LAN. It's common to use a network called a DMZ like you describe. Of course it should be possible to allow SMB access, though I'm not sure how to do that with Firewalla. I'm using Firewalla Blue for private use and a WatchGuard firewall in the office, so we proceed this way for different servers. Our WatchGuard firewall can also set a rule with direction. I'm sure Firewalla will also be able to set it like this.
Of course each port opening / port forwarding will be a security risk. But placing the server with port forwarding directly in your LAN, without a DMZ, will be a much bigger security issue.
I'd try to set a rule with fixed IPs instead of granting SMB access between VLANs. Meaning, you should set up a rule where the media server is allowed to access the Synology, instead of the DMZ VLAN being allowed to access SMB in the default VLAN.
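The difference between the VLAN-wide "allow DMZ to reach SMB" rule and the host-pinned "allow the media server to reach the Synology on SMB" rule discussed in the last reply (and the inter-VLAN segregation described earlier in the thread) can be made concrete with a small first-match policy evaluator. This is an added example, not Firewalla's or WatchGuard's code, and all addresses are constructed: the default VLAN is 192.168.1.0/24 with the Synology at 192.168.1.20, and the DMZ VLAN is 192.168.10.0/24 with the media server at 192.168.10.10. Both policies end with a deny for DMZ-to-default traffic and fall back to deny for anything else between the VLANs.

```python
"""Toy first-match firewall policy evaluator for inter-VLAN traffic.

Added example, not Firewalla code. Addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it (initiator -> responder)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the flow."""
    action: str                   # "allow" or "deny"
    src: str                      # host IP or CIDR
    dst: str                      # host IP or CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (
            ip_address(f.src) in ip_network(self.src, strict=False)
            and ip_address(f.dst) in ip_network(self.dst, strict=False)
            and (self.proto is None or self.proto == f.proto)
            and (self.dport is None or self.dport == f.dport)
        )


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; traffic that matches nothing falls to `default`."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed topology (assumption, not from the thread).
DEFAULT_VLAN = "192.168.1.0/24"
DMZ_VLAN = "192.168.10.0/24"
MEDIA_SERVER = "192.168.10.10"   # exposed Plex host, lives in the DMZ VLAN
SYNOLOGY = "192.168.1.20"        # NAS holding the shares, lives in the default VLAN

# Broad policy the reply advises against: any DMZ host may reach SMB anywhere in the default VLAN.
VLAN_WIDE_POLICY = [
    Rule("allow", DMZ_VLAN, DEFAULT_VLAN, "tcp", 445),
    Rule("deny", DMZ_VLAN, DEFAULT_VLAN),
]

# Narrow policy the reply recommends: one source host, one destination host, one service.
HOST_PINNED_POLICY = [
    Rule("allow", MEDIA_SERVER, SYNOLOGY, "tcp", 445),
    Rule("deny", DMZ_VLAN, DEFAULT_VLAN),
]


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (verdict under VLAN-wide policy, verdict under host-pinned policy)."""
    return evaluate(VLAN_WIDE_POLICY, flow), evaluate(HOST_PINNED_POLICY, flow)


if __name__ == "__main__":
    # Constructed sample flows: the intended SMB path, then what an attacker who
    # owns a DMZ host (or the media server itself) would try next.
    samples = [
        ("media server -> Synology SMB", Flow(MEDIA_SERVER, SYNOLOGY, "tcp", 445)),
        ("other DMZ host -> Synology SMB", Flow("192.168.10.11", SYNOLOGY, "tcp", 445)),
        ("media server -> other LAN host SMB", Flow(MEDIA_SERVER, "192.168.1.30", "tcp", 445)),
        ("media server -> Synology SSH", Flow(MEDIA_SERVER, SYNOLOGY, "tcp", 22)),
        ("Synology -> media server (reverse dir)", Flow(SYNOLOGY, MEDIA_SERVER, "tcp", 32400)),
    ]
    for label, flow in samples:
        wide, pinned = compare(flow)
        print(f"{label:40s} vlan-wide={wide:5s} host-pinned={pinned}")
```

The second and third sample flows are the ones that matter: under the VLAN-wide rule a compromised DMZ box can reach SMB on every host in the default VLAN, while the host-pinned rule confines the reachable surface to the single share server on the single port the media server actually needs. Direction also matters, as the reply notes: neither policy lets the Synology initiate connections into the DMZ, because the rules are written for the DMZ-to-default direction only and everything else falls to the default deny.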