Gold network segmentation - Use case help

Comments

5 comments

  • Firewalla

    Both groups and network segmentation provide a way to control the internet (block the internet, block activities, ...). The difference is that network segmentation uses policies and rules to segment at Layer 2 (or LAN).

    • With segmentation, you can say LAN devices on one segment can't talk to another LAN segment.
    • You can also say some can talk to a LAN segment, and some can't
    • (the talking part can be directional)

    As for LAN segmentation, see this: https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN

    Network segmentation is pretty much fixed, so you will have to configure it as in the above example, pairing SSIDs with VLANs.

  • Robby

    Thanks. It's incredibly difficult to visualise the segment and VLAN functionality without access to a virtual Gold app, so can you clarify again for me please? For now let's simply refer to both segments and VLANs as 'network groups' (walled gardens with no visibility of devices outside of the network group other than interaction with permitted devices via rules etc.). Imagine that there are two new devices in quarantine. Is it possible to choose to put one device into one network group and the other device into a different network group? So one device could go to a Guests network group (with access to no LAN devices whatsoever) and the other to an Admin network group (access to all LAN devices even if they cannot necessarily see it)?

    I suppose that what I'm essentially asking for is LAN-level firewall wrappers around the groups on my Blue.

  • Firewalla

    No. Since Firewalla can't control VLANs, it cannot randomly place new devices into network groups and prevent Layer 2 access. The network groups in your description are Layer 2 groups, I assume.

  • Chris Thomas

    Robby,

      The Red and Blue only contain a single physical port and cannot logically be connected to more than one network segment.  The Firewalla Gold can physically (multiple ports) and logically (VLAN support) be connected to more than one network segment.

      From an implementation perspective, this generally looks one of two ways.

    1) You connect multiple switches or access points (Layer 2 devices) to the individual ports on the Firewalla Gold, which is functioning as your firewall/router (Layer 3 device). In this instance, your physical network topology and your logical network topology look essentially the same.

    • firewall port 1 (192.168.1.1) > switch 1 > access point 1-1 [SSID: home]
                                                                    > access point 1-2 [SSID: home]
    • firewall port 2 (192.168.2.1) > switch 2 > access point 2-1 [SSID: home_iot]
                                                                    > access point 2-2 [SSID: home_iot]
    • firewall port 3 (192.168.3.1) > switch 3 > access point 3-1 [SSID: home_guest]
                                                                    > access point 3-2 [SSID: home_guest]

      In this scenario, you have three different switches, and two access points hanging off each switch to provide the necessary coverage in your multi-level home.  It's less 'complex', but it requires a lot of hardware.

    2) You create a physical topology consisting of a smart switch and one or more access points which support VLAN tagging. Then you 'logically' overlay multiple network segments over this physical topology. It may look something like this...

    Physical Topology

    • firewall > switch > access point 1
                                > access point 2

    Logical Topology

    • vlan1 (192.168.1.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home]
    • vlan2 (192.168.2.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home_iot]
    • vlan3 (192.168.3.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home_guest]

    VLAN tagging allows you to run multiple logically isolated networks over the same physical topology. In the above scenario you might have a single cable from firewall to switch, and a single cable from switch to each of your two access points. Logically, you have three different networks coming down from the firewall, through the switch, and up to your two access points. On the access points, there are three wireless networks (home, home_iot, and home_guest), and each wireless network is associated with one of the tagged networks.

    "What network your device ends up on" simply depends on which SSID you connect it to, or which VLAN the physical switch port is associated with. (It's a good idea to put at least one port on each VLAN so that you can physically connect to a network for troubleshooting purposes.)

    Moving away from a single device that does "firewall/router/access point" to individual components will cost a little more up front, but you get a lot more flexibility in not only how you design your network, but what equipment you use. Because your firewall/router component is independent of your access points, you can add / modify / replace your firewall/router, switch, or wireless access points as needed to get the capabilities (firewall), port density (switch) or coverage (WAP) you need. And swapping out those old A/C access points for A/X access points with no downtime is as simple as connecting the new access points to a few free ports on your switch, configuring the VLAN tags and SSIDs, and unplugging your old APs.


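The two points made in this thread, that segment-to-segment rules are directional (the Firewalla reply near the top) and that which VLAN a device lands on is decided by the SSID or switch port it joins (the logical topology above), can be modelled as a small policy evaluator. The following is an added example and not Firewalla's code or configuration; the three VLAN IDs, their subnets, the SSID bindings and the allow/deny entries in INTER_VLAN_ALLOW are all constructed here to match the diagram above, and the allow entries are assumptions chosen for illustration.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed example (not Firewalla's configuration): the three logical
# segments from the VLAN topology above, keyed by VLAN ID. Each VLAN has its
# own subnet, whose first host is the firewall's interface on that VLAN, and
# one SSID on the access points is bound to each VLAN tag.
SEGMENTS = {
    1: {"name": "home",       "subnet": ipaddress.ip_network("192.168.1.0/24"), "ssid": "home"},
    2: {"name": "home_iot",   "subnet": ipaddress.ip_network("192.168.2.0/24"), "ssid": "home_iot"},
    3: {"name": "home_guest", "subnet": ipaddress.ip_network("192.168.3.0/24"), "ssid": "home_guest"},
}

# Constructed inter-segment policy enforced at the router (Layer 3). Keys are
# (source VLAN, destination VLAN) for the side that *initiates* the connection;
# reply traffic is assumed to be admitted by the router's stateful tracking.
# Entries are directional: home may reach home_iot, but home_iot may not
# initiate anything toward home. Any pair not listed is denied.
INTER_VLAN_ALLOW = {
    (1, 2): True,   # home -> home_iot: e.g. a phone talks to a smart plug
    (2, 1): False,  # home_iot -> home: IoT gear cannot probe laptops or a NAS
}
# home_guest (VLAN 3) appears in no entry, so it reaches no other LAN segment.


def vlan_for_ip(ip: str) -> Optional[int]:
    """Return the VLAN whose subnet contains ip, or None if it is off-LAN."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, seg in SEGMENTS.items():
        if addr in seg["subnet"]:
            return vlan_id
    return None


def vlan_for_ssid(ssid: str) -> Optional[int]:
    """Joining an SSID puts the client on the VLAN bound to that SSID."""
    for vlan_id, seg in SEGMENTS.items():
        if seg["ssid"] == ssid:
            return vlan_id
    return None


def gateway_for(vlan_id: int) -> str:
    """The firewall's address on a VLAN: the first usable host of its subnet."""
    return str(next(SEGMENTS[vlan_id]["subnet"].hosts()))


def can_talk(src_ip: str, dst_ip: str) -> tuple[bool, str]:
    """Decide whether src may initiate a connection to dst, and say why.

    Same VLAN: frames are switched at Layer 2 and never reach the firewall,
    so nothing here can block them (the point made above that the router
    cannot prevent Layer 2 access inside a segment). Different VLANs: the
    packet must be routed, so the directional policy applies, default deny.
    """
    src_vlan, dst_vlan = vlan_for_ip(src_ip), vlan_for_ip(dst_ip)
    if src_vlan is None or dst_vlan is None:
        return False, "address is not on any known segment"
    if src_vlan == dst_vlan:
        return True, f"same segment ({SEGMENTS[src_vlan]['name']}), switched at Layer 2"
    allowed = INTER_VLAN_ALLOW.get((src_vlan, dst_vlan), False)
    verdict = "allowed" if allowed else "denied"
    return allowed, (f"{SEGMENTS[src_vlan]['name']} -> {SEGMENTS[dst_vlan]['name']} "
                     f"{verdict} by inter-VLAN policy")


def policy_matrix() -> list[list[str]]:
    """Rows: source segment; columns: destination segment; cells: L2/allow/deny."""
    order = sorted(SEGMENTS)
    rows = [["src\\dst"] + [SEGMENTS[v]["name"] for v in order]]
    for s in order:
        row = [SEGMENTS[s]["name"]]
        for d in order:
            if s == d:
                row.append("L2")
            else:
                row.append("allow" if INTER_VLAN_ALLOW.get((s, d), False) else "deny")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in policy_matrix():
        print("  ".join(f"{cell:<10}" for cell in row))
    for src, dst in [("192.168.1.10", "192.168.2.20"),
                     ("192.168.2.20", "192.168.1.10"),
                     ("192.168.3.5", "192.168.1.10"),
                     ("192.168.1.10", "192.168.1.11")]:
        ok, why = can_talk(src, dst)
        print(f"{src} -> {dst}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The matrix printed by the script is the thing to review when designing segments: every off-diagonal cell is a routed path the firewall can police, while the diagonal is Layer 2 and only the VLAN membership itself (SSID or port assignment) decides who shares it.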
  • Chris Thomas

    Worth noting ...  

    With 2.4 GHz wireless networks, you want to ensure your access points are using channels that do not overlap. There are technically 11 channels, but you want to have at least four channels between two adjacent access points. Generally speaking, this looks something like this:

    1. Access Point 1 should be configured to use Channel 1
    2. Access Point 2 should be configured to use Channel 6
    3. Access Point 3 should be configured to use Channel 11

      These are also the channels 'everyone else' is using...


    With 5 GHz wireless networks, there are a lot more channels to choose from, and overlap with neighbors is less of an issue. But you still need to set each of your access points to use a different channel so that they are not stepping on each other. How far apart your channels need to be depends on whether your APs are using 20 MHz / 40 MHz / 80 MHz channel widths.

