Gold network segmentation - Use case help
I have a Blue and now I'm trying to decide on whether to upgrade to a Blue+ or a Gold. One factor is if I can make use of the Gold's segmentation feature. I've read through the guides and in particular this https://help.firewalla.com/hc/en-us/articles/360050707534-Firewalla-Gold-Network-Segmentation-Use-Cases but it's not really helping me, largely because I don't know what to expect.
Right now I have a plain Blue plugged into a tp-link AX20 router, and this works well. If I upgrade to a Gold then I'd run the router in AP mode and plug it into the Gold. What is not clear is how the segmentation options work. As an example, right now I have multiple CCTV cameras all connected by WIFI to the router and so I'd like to be able to segment them. Can the Gold create a network segment from a group of chosen devices? All of my home devices are connected to the home LAN by WIFI and so I'd need to be able to add a device to a segment in the same way that I currently add a device to a rules group, so that a segment is a logical group rather than a physical group of devices connected to a network port. For example I'd need to be able to de-quarantine a device to a specific network segment.
Thanks :)
PS it would be nice if there was a virtualised instance of the phone app available on the Firewalla site so that people could experience the app and see what options exist etc. Synology have one for DSM and tp-link have at least one for their routers :D
-
Both groups and network segmentation will provide a way to control the internet. (block the internet, block activities ...). The difference is, network segmentation uses policies and rules to segment at Layer 2 (or LAN).
- With segmentation, you can say LAN devices on one segment can't talk to another LAN segment.
- You can also say some can talk to a LAN segment, and some can't
- (the talking part can be directional)
As for LAN segmentation, see this https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN
Network segmentation is pretty much fixed, so you will have to configure them as in the above example, pairing SSIDs with VLANs.
-
Thanks. It's incredibly difficult to visualise the segment and VLAN functionality without access to a virtual Gold app, so can you clarify again for me please. For now let's simply refer to both Segments and VLANs as 'network groups' (walled gardens with no visibility of devices outside of the network group other than interaction with permitted devices via rules etc.). Imagine that there are two new devices in quarantine. Is it possible to choose to put one device into one network group and the other device into a different network group? So one device could go to a Guests network group (with access to no LAN devices whatsoever) and the other to an Admin network group (access to all LAN devices even if they cannot necessarily see it)?
I suppose that what I'm essentially asking for is LAN level firewall wrappers around the groups on my Blue
-
Robby,
The Red and Blue only contain a single physical port and cannot logically be connected to more than one network segment. The Firewalla Gold can physically (multiple ports) and logically (VLAN support) be connected to more than one network segment.
From an implementation perspective, this generally looks like one of two ways.
1) You connect multiple switches or access points (Layer 2 devices) to the individual ports on the Firewalla Gold, which is functioning as your Firewall/Router (Layer 3 device). In this instance, your physical network topology and your logical network topology look essentially the same.
- firewall port 1 (192.168.1.1) > switch 1 > access point 1-1 [SSID: home]
                                           > access point 1-2 [SSID: home]
- firewall port 2 (192.168.2.1) > switch 2 > access point 2-1 [SSID: home_iot]
                                           > access point 2-2 [SSID: home_iot]
- firewall port 3 (192.168.3.1) > switch 3 > access point 3-1 [SSID: home_guest]
                                           > access point 3-2 [SSID: home_guest]
In this scenario, you have three different switches, and two access points hanging off each switch to provide the necessary coverage in your multi-level home. It's less 'complex', but it requires a lot of hardware.
2) You create a physical topology consisting of a smart switch and one or more access points which support VLAN'ing. Then you 'logically' overlay multiple network segments over this physical topology. It may look something like this...
Physical Topology
- firewall > switch > access point 1
                    > access point 2
Logical Topology
- vlan1 (192.168.1.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home]
- vlan2 (192.168.2.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home_iot]
- vlan3 (192.168.3.1): firewall (tagged) > switch (tagged) > access point (tagged) [SSID: home_guest]
VLAN Tagging allows you to run multiple logically isolated networks over the same physical topology. In the above scenario you might have a single cable from firewall to switch, and a single cable from switch to each of your two access points. Logically, you have three different networks coming down from the firewall, through the switch, and up to your two access points. On the Access Points, there are three wireless networks (home, home_iot, and home_guest); each wireless network is associated with one of the tagged networks.
"What network your device ends up on" simply depends on which SSID you connect it to, or which VLAN the physical switch port is associated with. (It's a good idea to put at least one port on each VLAN so that you can physically connect to a network for troubleshooting purposes.)
Moving away from a single device that does "firewall/router/access point" to individual components will cost a little more up front, but you get a lot more flexibility in not only how you design your network, but what equipment you use. Because your Firewall/Router component is independent of your Access Points, you can add / modify / replace your firewall/router, switch, or wireless access points as needed to get the capabilities (firewall), port density (switch) or coverage (wap) you need. And swapping out those old A/C access points for A/X access points with no downtime is as simple as connecting the new access points to a few free ports on your switch, configuring the vlan tags and SSIDs, and unplugging your old APs.
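The logical topology in the reply above (three VLANs, each paired with an SSID, plus a spare switch port per VLAN) can be modelled to show the two things the original question keeps circling: a device's segment is decided by the SSID or switch port it joins, not by picking the device in an app, and traffic between segments is governed by a directional allow-list. The code below is an added example written for this thread, not Firewalla's own code or configuration; the segment names, VLAN ids, subnets, the `switch`/port 8 troubleshooting port and the single `home -> home_iot` allow rule are constructed to match the reply's layout.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address


@dataclass(frozen=True)
class Segment:
    """One logical network: a VLAN id, its subnet, and the firewall's address on it."""
    name: str
    vlan_id: int
    subnet: IPv4Network

    @property
    def gateway(self) -> IPv4Address:
        # The firewall/router takes the first host address on each segment (192.168.x.1).
        return next(self.subnet.hosts())


class SegmentedNetwork:
    """Hypothetical model of VLAN segmentation: placement by SSID or switch port,
    plus a directional allow-list for traffic that crosses segments."""

    def __init__(self) -> None:
        self.segments: dict[str, Segment] = {}
        self.ssid_map: dict[str, str] = {}                 # SSID -> segment name
        self.port_map: dict[tuple[str, int], str] = {}     # (switch, port) -> segment name
        self.allowed: set[tuple[str, str]] = set()         # (src segment, dst segment)

    def add_segment(self, name: str, vlan_id: int, subnet: str) -> Segment:
        seg = Segment(name, vlan_id, IPv4Network(subnet))
        for other in self.segments.values():
            if other.vlan_id == vlan_id or other.subnet.overlaps(seg.subnet):
                raise ValueError(f"{name} collides with {other.name}")
        self.segments[name] = seg
        return seg

    def map_ssid(self, ssid: str, segment: str) -> None:
        self.ssid_map[ssid] = self._known(segment)

    def map_port(self, switch: str, port: int, segment: str) -> None:
        self.port_map[(switch, port)] = self._known(segment)

    def allow(self, src: str, dst: str, both_ways: bool = False) -> None:
        """Permit src to initiate LAN traffic to dst; the talking part is directional."""
        self.allowed.add((self._known(src), self._known(dst)))
        if both_ways:
            self.allowed.add((dst, src))

    def place(self, ssid: str | None = None, port: tuple[str, int] | None = None) -> Segment:
        """Which segment a device lands on: decided by the SSID or the switch port, not per device."""
        if ssid is not None:
            return self.segments[self.ssid_map[ssid]]
        if port is not None:
            return self.segments[self.port_map[port]]
        raise ValueError("a device reaches a segment through an SSID or a switch port")

    def segment_of(self, ip: str) -> Segment:
        addr = ip_address(ip)
        for seg in self.segments.values():
            if addr in seg.subnet:
                return seg
        raise LookupError(f"{ip} is not on any known segment")

    def lan_allowed(self, src_ip: str, dst_ip: str) -> bool:
        """Can src_ip initiate a connection to dst_ip at the LAN level?"""
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is dst:
            return True   # same VLAN: switched locally, the firewall never sees it
        return (src.name, dst.name) in self.allowed

    def _known(self, name: str) -> str:
        if name not in self.segments:
            raise KeyError(f"unknown segment {name!r}")
        return name


def build_example() -> SegmentedNetwork:
    """The reply's logical topology: vlan1 home, vlan2 home_iot, vlan3 home_guest."""
    net = SegmentedNetwork()
    net.add_segment("home", 1, "192.168.1.0/24")
    net.add_segment("home_iot", 2, "192.168.2.0/24")
    net.add_segment("home_guest", 3, "192.168.3.0/24")
    for ssid in ("home", "home_iot", "home_guest"):
        net.map_ssid(ssid, ssid)            # each SSID is tagged onto one VLAN
    net.map_port("switch", 8, "home_guest")  # a physical port on the VLAN for troubleshooting
    # Phones on 'home' may open the cameras; cameras and guests cannot initiate into 'home'.
    net.allow("home", "home_iot")
    return net


if __name__ == "__main__":
    net = build_example()
    print("camera on SSID home_iot ->", net.place(ssid="home_iot"))
    print("home -> camera allowed:", net.lan_allowed("192.168.1.10", "192.168.2.20"))
    print("camera -> home allowed:", net.lan_allowed("192.168.2.20", "192.168.1.10"))
```

Joining the camera to the `home_iot` SSID is what puts it on vlan2; to move one of two quarantined devices into a different group, it has to be re-joined to that group's SSID (or plugged into a port tagged for that VLAN). The allow-list is one-directional on purpose: the side that may open connections is the one named first.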
-
Worth noting ...
With 2.4 GHz wireless networks, you want to ensure your access points are using 'channels' that do not overlap. There are technically 11 channels, but you want to have at least four channels between two adjacent access points. Generally speaking this looks something like this:
- Access Point 1 should be configured to use Channel 1
- Access Point 2 should be configured to use Channel 6
- Access Point 3 should be configured to use Channel 11
These are also the channels 'everyone else' is using...
With 5 GHz wireless networks, there are a lot more channels to choose from and overlap with neighbors is less of an issue. But you still need to set each of your access points to use a different channel so that they are not stepping on each other. How far apart your channels need to be depends on whether your APs are using 20 MHz / 40 MHz / 80 MHz channel widths.
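The 2.4 GHz channel plan above (1 / 6 / 11, at least four channels between neighbouring APs) follows from the channel spacing, and it can be checked rather than remembered. The code below is an added example for this thread, not from the original post or from any vendor. It assumes a nominal 20 MHz 2.4 GHz channel effectively occupies 22 MHz (the classic 802.11b spectral mask, which is why 1/6/11 is the non-overlapping set) and applies the same 2 MHz margin to wider channels; the AP names are constructed. It also goes one step past the post: when more APs than clear channels are needed, it reuses a channel rather than picking a partially overlapping one.

```python
# 2.4 GHz channel centre frequencies (MHz): channels 1-13 are 5 MHz apart, 14 is offset.
def centre_mhz(channel: int) -> int:
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


# Assumption: a channel's occupied bandwidth is its nominal width plus 2 MHz
# (20 MHz -> 22 MHz, the 802.11b mask behind the 1/6/11 plan).
def occupied_mhz(width_mhz: int) -> int:
    return width_mhz + 2


def overlap(ch_a: int, ch_b: int, width_mhz: int = 20) -> bool:
    """True if two channels of the given width overlap in frequency."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < occupied_mhz(width_mhz)


def conflicts(plan: dict[str, int], width_mhz: int = 20) -> list[tuple[str, str]]:
    """Pairs of APs in the plan whose channels overlap (empty list means a clean plan)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlap(plan[a], plan[b], width_mhz)]


def assign(ap_names: list[str], width_mhz: int = 20) -> dict[str, int]:
    """Greedy plan over channels 1-11: lowest channel clear of every AP placed so far.
    When no clear channel is left, reuse the least-used channel: two APs sharing a
    channel contend politely, whereas partially overlapping channels just add noise."""
    plan: dict[str, int] = {}
    for name in ap_names:
        clear = [ch for ch in range(1, 12)
                 if not any(overlap(ch, used, width_mhz) for used in plan.values())]
        if clear:
            plan[name] = clear[0]
        else:
            used = list(plan.values())
            plan[name] = min(set(used), key=lambda ch: (used.count(ch), ch))
    return plan


if __name__ == "__main__":
    # Constructed example: three APs on 20 MHz channels, then a fourth that must reuse one.
    print(assign(["ap1", "ap2", "ap3"]))          # {'ap1': 1, 'ap2': 6, 'ap3': 11}
    print(assign(["ap1", "ap2", "ap3", "ap4"]))   # ap4 reuses channel 1
    print(conflicts({"ap1": 1, "ap2": 5}))         # [('ap1', 'ap2')]: only four apart
    print(assign(["ap1", "ap2"], width_mhz=40))    # 40 MHz leaves room for just two
```

The spacing rule falls out of the numbers: centres are 5 MHz apart, so two 20 MHz channels need a centre separation of at least 22 MHz, i.e. five channel numbers, which is four channels between them. At 40 MHz only two APs fit in the band without overlap, which is the usual reason to leave 2.4 GHz at 20 MHz.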