Network Segmentation
Hoping to get some help on this. I have the Firewalla Gold and it is in router mode. I have 2 PCs that I want to segment from the rest of my devices. One of the PCs is wired to the back of my Access Point (an Asus router in AP mode) which is wired to my Firewalla. The other PC is hanging off a Netgear GS308e Managed switch which is on another port off my Firewalla. I created a VLAN for my PC off of the Managed switch. Once I did this, the PC appeared on my new network in Firewalla with an appropriate IP address. At this point, I had no rules set up and according to the Segmentation help on Firewalla's site my PCs should still be able to ping and see each other:
Subnetworks can fully see and talk to each other by default, so you may find it useful to restrict what parts of the local network they have access to by setting Block rules for traffic on other local networks (https://help.firewalla.com/hc/en-us/articles/4408644783123)
However, they cannot. In fact, the PC on the VLAN has nothing showing in the Windows Network page. Funny thing is, I CAN ping other devices, just not my other PC hanging off the ASUS AP.
Then I read this article (https://stevessmarthomeguide.com/vlans-home-networks/) which states that when you create a VLAN the devices within the specific VLAN can only communicate to other devices on that same VLAN. After reading that, I was confused about the statement above from the Firewalla help.
My managed switch VLAN settings are as follows:
VLAN ID 1 is using ports 1 (tagged), 2 (untagged), 4-8 (untagged)
VLAN ID 2 is using ports 1 (tagged), 3 (untagged)
Port 1 is my trunk and port 3 is the port for my PC
My PVIDs are as follows:
Port 1, PVID 2 (Trunk)
Port 2, PVID 1
Port 3, PVID 2 (The PC)
Port 4, PVID 1
Port 5, PVID 1
Port 6, PVID 1
Port 7, PVID 1
Port 8, PVID 1
Keep in mind, that creating this first VLAN for the 1 PC is step 1 in what I'm trying to accomplish. I also want to create a segment for the Asus AP (which won't require a VLAN since it's a port off of the Firewalla) and add a 2nd AP off the managed switch. The end goal is that the 2 PCs and the Asus AP will be my private inner network and everything else will NOT have access to it, including the other wired devices off of the managed switch. Guests and wireless IoT devices can connect to the 2nd AP I add off of the managed switch.
Please help! Thank you for your time.
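An added example, not part of any post in this thread: a textbook 802.1Q port-VLAN forwarding model run over the switch table posted above, to show which ports a frame from each side can reach before any Firewalla rule is involved. The Netgear GS308E and Firewalla are not modelled beyond generic 802.1Q behaviour; in particular, that the switch applies ingress filtering and that Firewalla sends the default LAN untagged (and VLAN 2 tagged) on its port 2 are assumptions to verify on the real devices, not facts from the thread.

```python
# Added example: a generic 802.1Q port-VLAN forwarding model applied to the
# GS308E table posted above. Illustrative code, not Netgear or Firewalla
# software. Assumptions: ingress filtering is on, and Firewalla sends the
# default LAN untagged / VLAN 2 tagged on the trunk port.
from dataclasses import dataclass


@dataclass
class Port:
    pvid: int                               # VLAN assigned to untagged ingress frames
    tagged: frozenset = frozenset()         # VLANs this port emits with an 802.1Q tag
    untagged: frozenset = frozenset()       # VLANs this port emits untagged

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


def classify(ports, ingress, tag=None):
    """VLAN ID a frame arriving on `ingress` is assigned to, or None if dropped.

    Untagged frames take the port's PVID; tagged frames keep their tag. With
    ingress filtering, a port only accepts frames for VLANs it is a member of.
    """
    port = ports[ingress]
    vid = port.pvid if tag is None else tag
    return vid if port.member_of(vid) else None


def forward(ports, ingress, tag=None):
    """Egress ports for a broadcast/unknown-unicast frame: {port: 'tagged'|'untagged'}."""
    vid = classify(ports, ingress, tag)
    if vid is None:
        return {}
    out = {}
    for num, port in ports.items():
        if num == ingress:
            continue
        if vid in port.tagged:
            out[num] = "tagged"
        elif vid in port.untagged:
            out[num] = "untagged"
    return out


def lint(ports):
    """Configuration smells worth checking before blaming the router or a host firewall."""
    issues = []
    for num, port in sorted(ports.items()):
        if not port.member_of(port.pvid):
            issues.append(f"port {num}: PVID {port.pvid} but not a member of that VLAN; "
                          "untagged ingress frames are dropped")
        elif port.pvid not in port.untagged:
            issues.append(f"port {num}: untagged ingress is put in VLAN {port.pvid}, but "
                          f"VLAN {port.pvid} leaves this port tagged (asymmetric trunk)")
        if len(port.untagged) > 1:
            issues.append(f"port {num}: untagged member of several VLANs; "
                          "egress frames become indistinguishable")
    return issues


# The posted table: port 1 trunk (tagged in VLAN 1 and 2, PVID 2),
# port 3 = PC #2 (untagged VLAN 2), every other port untagged VLAN 1.
SWITCH = {
    1: Port(pvid=2, tagged=frozenset({1, 2})),
    2: Port(pvid=1, untagged=frozenset({1})),
    3: Port(pvid=2, untagged=frozenset({2})),
    **{n: Port(pvid=1, untagged=frozenset({1})) for n in range(4, 9)},
}


def trace_posted_config():
    """Frames that explain the behaviour discussed in the thread."""
    return {
        # PC #2 sends untagged: it reaches only the trunk, tagged VID 2. Any
        # path to PC #1 on the default LAN therefore goes through Firewalla.
        "pc2_untagged_in": forward(SWITCH, 3),
        # Firewalla replies tagged VID 2: only PC #2's port receives it.
        "fw_tagged_vlan2_in": forward(SWITCH, 1, tag=2),
        # A frame Firewalla sends UNTAGGED on the trunk (assumed default LAN)
        # is classified by PVID 2 and lands on the PC port, not the VLAN 1 ports.
        "fw_untagged_in": forward(SWITCH, 1),
        # A VLAN 1 host on port 2: reaches the other VLAN 1 ports untagged and
        # the trunk tagged VID 1, so Firewalla must accept VID 1 on that port.
        "port2_untagged_in": forward(SWITCH, 2),
    }


if __name__ == "__main__":
    for name, egress in trace_posted_config().items():
        print(f"{name:18} -> {egress}")
    for issue in lint(SWITCH):
        print("lint:", issue)
```

Running it shows that PC #2's traffic can only leave the switch through the trunk, so PC #2 and PC #1 can never see each other at layer 2; they talk only via Firewalla's routing, which is why a host firewall that drops traffic from other subnets looks like a segmentation problem. The lint flags port 1, whose PVID 2 steers anything arriving untagged from Firewalla into VLAN 2 while VLAN 1 leaves it tagged; whether that matters depends on how Firewalla actually emits the default LAN on that port, which the thread does not state.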
-
Just to check my understanding:
FW PORT? > AP > PC
FW PORT? > PC
I created a VLAN for my PC off of the Managed switch. Once I did this, the PC appeared on my new network in Firewalla with an appropriate IP address.
I assume you checked the trunk configuration between the switch and Firewalla?
At this point, I had no rules set up and according to the Segmentation help on Firewalla's site my PCs should still be able to ping and see each other:
Does the ASUS router support VLANs? Are they configured?
-
My configuration is like this:
FW PORT? > AP (Asus) > PC #1
FW PORT? > Managed Switch > PC #2
Regarding the trunk configuration on Firewalla, if you mean did I select the correct FW Port that my managed switch is hanging off of, then yes. I did. FW Port #2 goes to my managed switch, which is the port I selected when creating the VLAN network on Firewalla.
The Asus router does NOT support VLANs, but Firewalla is my router and the Asus router is now just an AP.
After reading more about VLANs, it sounds like if both PCs were on the same VLAN they would be able to see each other. So do I need to add another network in the Firewalla app using the same VLAN ID but for the FW Port that the AP is connected to for PC #1?
-
FW PORT? > AP (Asus) > PC #1
FW PORT? > Managed Switch > PC #2
I was asking for the port numbers for reference, but that's ok.
Regarding the trunk configuration on Firewalla, if you mean did I select the correct FW Port that my managed switch is hanging off of, then yes. I did.
The port that goes from the switch to Firewalla has to be configured as a trunk port or things aren't going to work right.
The Asus router does NOT support VLANs, but Firewalla is my router and the Asus router is now just an AP.
The problem then is probably that the second PC is on the default VLAN (or LAN). Is that what you intended?
After reading more about VLANs, it sounds like if both PCs were on the same VLAN they would be able to see each other.
Yes, but it is fine to have devices separated. In fact, without adding any rules devices can see each other on VLANs with Firewalla.
So do I need to add another network in the Firewalla app using the same VLAN ID but for the FW Port that the AP is connected to for PC #1?
https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments explains it pretty well.
You need to define all your VLANs and LANs on Firewalla. You also need to configure the switch in between. For Ethernet devices, connect them to ports that you have defined as whatever VLAN you want the device on. For Wi-Fi devices, the SSID is configured to be on a specific VLAN and all devices that join that SSID will be on that VLAN.
-
FW PORT 3 > AP (Asus) > PC #1
FW PORT 2 > Managed Switch > PC #2
When you say configured as a trunk port: within my Netgear software for the switch, Port 1 is my trunk. It's tagged and is selected for both VLAN 1 and VLAN 2. I'm assuming that makes it my trunk.
Yes, the PC (#1 above) is on the default LAN. That was intentional. My goal was to start this process by putting PC #2 on a VLAN and go from there. I was just surprised that PC #2 on the VLAN could not talk to PC #1 on the default LAN. And you confirmed for me that without adding any rules, devices should be seeing each other.
That article is great and I have been over it and over it. So my current config is two networks: a VLAN that is JUST PC #2 and the default LAN which is everything else. And based on what you are telling me, they should be talking since I don't have any rules established other than the default Firewalla rules. And again, my managed switch has 1 tagged port (port #1), which is the trunk, and 2 defined VLANs. The first VLAN is the primary, with all ports except for the PC port. The second VLAN, for the connected PC, has 2 ports: the trunk (port #1) and the PC port (port #3).
-
Appreciate your assistance thus far. What did you mean by:
The problem then is probably that the second PC is on the default VLAN (or LAN).
Are you suggesting that something on the default LAN cannot communicate with something on the VLAN? If so, then your next statement seems to suggest the opposite:
Yes, but it is fine to have devices separated. In fact, without adding any rules devices can see each other on VLANs with Firewalla.
Please help me understand. Thanks!
-
SOLVED!
Figured it out. I did have everything setup correctly. The issue is my Norton Firewall on both machines is blocking them from seeing each other since they are on different LANs. Now I just have to figure out how to adjust my settings to allow communication between the 2 machines. Thanks for all of the assistance.