Best way to block IoT & Guest devices from accessing Local networks?
Goal: Block Internet of Things and Guest devices from accessing any Local network. They may ONLY go to the Internet.
References looked at:
- Device Grouping
- Block device from accessing other devices in the same LAN subnet
- Network Segmentation
Setup:
- Firewalla Gold SE with WiFi SD used in Router mode
- Flow: Internet <> Modem <> FW Gold SE <> Linksys Velop mesh WiFi (Port 1 on Gold)
- 2 networks: "LAN Main" (10.1.1.0/24 set for Gold's 3 eth ports), "LAN Guest" (10.2.1.0/24 set for "WiFi" created with the WiFi SD add-on)
- The Linksys Velop I have does not support VLANs. When it was configured to Bridge mode, a lot of functionality became disabled
Device Groups:
- Servers, printers, and trusted devices (family, friends) are put into trusted Device Groups (i.e. "Servers", "Family Adults", "Family Kids") with Internet and LAN access. Assigned IPs from "LAN Main"
- IoT devices (security cameras, automation devices, thermostat, etc.) are put into restricted Device Groups (i.e. "Cameras", "Home Automation") with Internet allowed and "Traffic to and from All Local Networks" blocked. Assigned IPs from "LAN Main". They connect through the Linksys Velop WiFi mesh
- Guest devices are put into a restricted Device Group, "Guests", with Internet allowed and "Traffic to and from All Local Networks" blocked. Assigned IPs from "LAN Guest" via the WiFi SD add-on (there's an issue with this as detailed here that I haven't yet resolved)
Questions:
- Based on the References I looked at, it appears that Device Groups CANNOT be used to control LAN/WAN access via the Rules configured for each Group.
- For example, the IoT groups are set to block traffic to/from LAN. But because they are given IPs by "LAN Main" network, they actually ARE able to talk to devices in "Servers" group (who are also given IPs by "LAN Main")... I haven't tested this yet, but the Referenced articles seem to indicate that to be true
- With the above in mind, is there any way for me to block IoTs from talking to the LAN without installing a separate set of mesh WiFi system and hooking that up to an open eth port on the Gold?
Based on the References I looked at, it appears that Device Groups CANNOT be used to control LAN/WAN access via the Rules configured for each Group.
Groups are only a way to more easily apply rules, look at data such as flows of several devices in aggregate, etc. Devices on the same LAN can't be prevented from sharing data with each other, in groups or not. If you want to isolate devices then the Segmentation article is the approach you want to take.
With the above in mind, is there any way for me to block IoTs from talking to the LAN without installing a separate set of mesh WiFi system and hooking that up to an open eth port on the Gold?
Well...
- You can have multiple LANs (e.g. one for IoT and one for trusted devices) and have separate AP networks for each LAN. (each can have multiple APs of course). Likewise, you can have a switch dedicated to each network as well for ethernet.
FWG port 1 {LAN 1} > switch 1 (if needed) > AP > AP (if needed) .. all devices will be on one network.
FWG port 2 {LAN 2} > switch 2 (if needed) > AP > AP (if needed) all devices will be on another network.
For this scenario you could use an old router or nice mesh APs. The APs for each network don't need to match or interoperate.
- You can set up VLANs and you can get switches and APs that support VLANs (802.1Q). Then any given access point can have different SSIDs, one for each VLAN. There is a lot less to manage here and fewer gadgets around the house.
All of this is covered in the Segmentation article.
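To make the point in the answer above concrete, here is an added example (mine, not the Firewalla project's or the poster's) that models where a gateway rule can and cannot act. It assumes what the thread describes: the Gold SE only filters traffic it forwards between its networks, while two hosts on the same /24 resolve each other with ARP and are switched at layer 2 (through the Velop mesh or a switch) without the gateway ever seeing the flow. The networks 10.1.1.0/24 and 10.2.1.0/24 come from the post; the third network "LAN IoT" (10.3.1.0/24), the device addresses and the destination 198.51.100.7 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the post: "LAN Main" and "LAN Guest" as configured on the Gold SE.
NETWORKS_BEFORE = {
    "LAN Main": ip_network("10.1.1.0/24"),
    "LAN Guest": ip_network("10.2.1.0/24"),
}
# Assumed "after" state: IoT re-homed to its own network on a separate port/AP or VLAN.
NETWORKS_AFTER = {**NETWORKS_BEFORE, "LAN IoT": ip_network("10.3.1.0/24")}

# Device Groups whose rules say "block Traffic to and from All Local Networks".
LAN_BLOCKED_GROUPS = {"Cameras", "Home Automation", "Guests"}

SERVER = "10.1.1.10"  # constructed address of a host in the "Servers" group on LAN Main


def network_of(ip, networks):
    """Name of the local network an address belongs to, or "Internet"."""
    addr = ip_address(ip)
    for name, net in networks.items():
        if addr in net:
            return name
    return "Internet"


def gateway_forwards(src_ip, dst_ip, networks):
    """True when the flow must pass through the Firewalla.

    Same-subnet traffic is resolved with ARP and switched at layer 2, so the
    gateway never sees it; only flows crossing a subnet boundary (or leaving
    for the Internet) are routed by the gateway.
    """
    return network_of(src_ip, networks) != network_of(dst_ip, networks)


def rule_blocks(group, src_ip, dst_ip, networks):
    """Does the group's "block all local networks" rule actually stop this flow?

    The rule lives on the gateway, so it can only drop packets the gateway
    forwards. A rule that "wants" to block same-subnet traffic has no effect.
    """
    dst_is_local = network_of(dst_ip, networks) != "Internet"
    wants_block = group in LAN_BLOCKED_GROUPS and dst_is_local
    return wants_block and gateway_forwards(src_ip, dst_ip, networks)


def scenarios():
    """The cases from the thread, before and after segmentation (assumed IPs)."""
    return {
        # Camera on LAN Main, same /24 as the server: rule cannot help.
        "camera_to_server_before": rule_blocks("Cameras", "10.1.1.50", SERVER, NETWORKS_BEFORE),
        # Guest on its own /24: the gateway forwards the flow, so the rule applies.
        "guest_to_server": rule_blocks("Guests", "10.2.1.20", SERVER, NETWORKS_BEFORE),
        # Internet is allowed for the group, so nothing is blocked.
        "camera_to_internet": rule_blocks("Cameras", "10.1.1.50", "198.51.100.7", NETWORKS_BEFORE),
        # After moving IoT to its own network, camera->server is routed and blockable.
        "camera_to_server_after": rule_blocks("Cameras", "10.3.1.50", SERVER, NETWORKS_AFTER),
    }


if __name__ == "__main__":
    for name, blocked in scenarios().items():
        print(f"{name:26s} blocked={blocked}")
```

The model reproduces what the answer states: the only lever a gateway rule has is the forwarding decision, so isolation between IoT and trusted devices requires putting them on different networks (separate ports and APs, or 802.1Q VLANs on VLAN-capable switches and APs), not different Device Groups.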
Groups are only a way to more easily apply rules, look at data such as flows of several devices in aggregate, etc. Devices on the same LAN can't be prevented from sharing data with each other, in groups or not. If you want to isolate devices then the Segmentation article is the approach you want to take.
Thanks for confirming that I understood that correctly. Looks like the best option for me is to split the 4 mesh APs into 2 separate networks. Either 3 APs for primary subnet + 1 AP for guest, or buy another AP for guest for a 3 primary + 2 guest configuration. Then I'll have to find a way to wire the guest AP's primary node from elsewhere in the house to the FWA G since putting 2 APs side-by-side probably would cause a high level of congestion and interference.
Or... replace the Linksys Velop and look for another mesh system that supports VLANs for WiFi devices.
Thanks again for confirming and telling me what I was hoping not to see :)