Segregating VLAN Groups?
I was surprised today to find I could ping devices between VLAN groups that I thought were isolated. Inter-VLAN routing for all groups is enabled by default according to this post: https://help.firewalla.com/hc/en-us/community/posts/5071238043027
Unless the post is incorrect and I have something wrong with my configuration, this seems like very poor design. The primary purpose of VLANs is segregating groups of devices, so inter-VLAN routing makes more sense as an exception than the default.
I have around 5-6 VLANs on each network I've set up with a Firewalla gold. To achieve isolation between groups it looks like I need to add the following rules:
Action: Block, Matching: Traffic from & to VLAN2, On: Network VLAN1
Action: Block, Matching: Traffic from & to VLAN3, On: Network VLAN1
Action: Block, Matching: Traffic from & to VLAN4, On: Network VLAN1
Action: Block, Matching: Traffic from & to VLAN5, On: Network VLAN1
Action: Block, Matching: Traffic from & to VLAN3, On: Network VLAN2
Action: Block, Matching: Traffic from & to VLAN4, On: Network VLAN2
Action: Block, Matching: Traffic from & to VLAN5, On: Network VLAN2
Action: Block, Matching: Traffic from & to VLAN4, On: Network VLAN3
Action: Block, Matching: Traffic from & to VLAN5, On: Network VLAN3
Action: Block, Matching: Traffic from & to VLAN5, On: Network VLAN4
Is this correct?
-
1. If you create the LAN (VLAN) using lockdown network mode, everything should be locked down, including WAN.
2. If you create the LAN (VLAN) using a Local network, you just create a network. Here, you can add rules to block traffic from other VLANs. You can find more examples on rules here https://help.firewalla.com/hc/en-us/articles/4408644783123-Network-Segmentation
-
After reading the article again the only specific rule I could find is under the "Single Ethernet Device" section. For my example this results in:
Action: Block, Matching: Traffic from & to All Local Networks, On: Network VLAN1
Action: Block, Matching: Traffic from & to All Local Networks, On: Network VLAN2
Action: Block, Matching: Traffic from & to All Local Networks, On: Network VLAN3
Action: Block, Matching: Traffic from & to All Local Networks, On: Network VLAN4
Action: Block, Matching: Traffic from & to All Local Networks, On: Network VLAN5
However, this seems to block communication between devices in the same VLAN. I had to also add the rules:
Action: Allow, Matching: Traffic from & to VLAN1, On: Network VLAN1
Action: Allow, Matching: Traffic from & to VLAN2, On: Network VLAN2
Action: Allow, Matching: Traffic from & to VLAN3, On: Network VLAN3
Action: Allow, Matching: Traffic from & to VLAN4, On: Network VLAN4
Action: Allow, Matching: Traffic from & to VLAN5, On: Network VLAN5
Is this the correct implementation? I've done some simple tests and it seems to be working as expected. I would prefer fewer rules if possible, but it is easier to read them now at least.
I'm not sure if it would be cleaner to start with a lockdown network and build out from there for my use case: groups of devices that can communicate within their VLAN and to the internet, but not to other VLANs.
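As an added example (not code from the thread, and not Firewalla's rule engine), here is a small Python model of the two rule sets discussed above: the pairwise "Block VLANx on VLANy" list from the first post and the "Block All Local Networks, then Allow same-VLAN" pair from the second post. It generates each set for any number of VLANs, evaluates sample flows against them, and checks the intended policy (same VLAN allowed, internet allowed, other VLANs blocked). The evaluation semantics are assumptions inferred from the thread rather than documented behaviour: a rule "On: Network X" is taken to apply when either endpoint of a flow is in X, "Matching" describes the other endpoint, an Allow rule is taken to override a Block rule (which is what the second post's working configuration implies), and unmatched traffic is allowed (inter-VLAN routing on by default). The VLAN names are constructed sample values.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed sample VLAN names; the thread's own setup has "around 5-6" VLANs.
VLANS = ["VLAN1", "VLAN2", "VLAN3", "VLAN4", "VLAN5"]
INTERNET = "internet"  # pseudo-network for non-local destinations


@dataclass(frozen=True)
class Rule:
    action: str    # "Block" or "Allow"
    matching: str  # a VLAN name, or "All Local Networks"
    on: str        # the network the rule is attached to ("On: Network ...")


def pairwise_block_rules(vlans):
    """First approach in the thread: one Block rule per unordered VLAN pair.
    Produces n*(n-1)/2 rules."""
    return [Rule("Block", b, a) for a, b in combinations(vlans, 2)]


def block_all_allow_self_rules(vlans):
    """Second approach in the thread: block all local networks on each VLAN,
    then allow traffic within the same VLAN. Produces 2n rules."""
    rules = [Rule("Block", "All Local Networks", v) for v in vlans]
    rules += [Rule("Allow", v, v) for v in vlans]
    return rules


def matches(rule, src, dst, local):
    """Assumed semantics: the rule applies when either endpoint is on the
    rule's network; 'matching' is checked against the other endpoint."""
    if rule.on == src:
        other = dst
    elif rule.on == dst:
        other = src
    else:
        return False
    if rule.matching == "All Local Networks":
        return other in local
    return rule.matching == other


def decide(rules, src, dst, local):
    """Assumed evaluation order (inferred from the thread, not documented here):
    a matching Allow wins over a matching Block; nothing matching means Allow,
    since inter-VLAN routing is on by default."""
    hits = [r for r in rules if matches(r, src, dst, local)]
    if any(r.action == "Allow" for r in hits):
        return "Allow"
    if any(r.action == "Block" for r in hits):
        return "Block"
    return "Allow"


def expected(src, dst):
    """The policy the original poster wants: talk within your VLAN and to the
    internet, but not to other VLANs."""
    return "Allow" if dst == INTERNET or src == dst else "Block"


def verify_isolation(rules, vlans):
    """Evaluate every VLAN->VLAN and VLAN->internet flow and return the
    (src, dst, decision) triples that violate the intended policy."""
    violations = []
    for src in vlans:
        for dst in list(vlans) + [INTERNET]:
            got = decide(rules, src, dst, vlans)
            if got != expected(src, dst):
                violations.append((src, dst, got))
    return violations


if __name__ == "__main__":
    for name, builder in (("pairwise", pairwise_block_rules),
                          ("block-all + allow-self", block_all_allow_self_rules)):
        rules = builder(VLANS)
        print(f"{name}: {len(rules)} rules, violations: {verify_isolation(rules, VLANS)}")
    # Without the Allow rules, same-VLAN traffic is blocked, as the thread observed.
    only_blocks = [r for r in block_all_allow_self_rules(VLANS) if r.action == "Block"]
    print("block-all without allow-self:", verify_isolation(only_blocks, VLANS))
```

Under these assumptions both rule sets satisfy the policy, and with five VLANs they are the same size (10 rules each); the pairwise list grows quadratically while the block-all/allow-self pair grows linearly, so at six VLANs it is 15 rules versus 12. Any change to Firewalla's actual precedence between Allow and Block rules would change the model's result, which is exactly the thing worth re-testing after a firmware update.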