Firewalla gold and VLANs

Comments

4 comments

  • Firewalla

    First, you really don't need VLANs to do segmentation. The Firewalla Gold has 3 network interfaces (besides the WAN interface) that are fully routable. This means, if you have old wifi routers, you can just plug them in each port, and you will be able to get 3 segments.

    Now, VLAN is something that you may need if your network is based on it; it is a lot more complex to operate if you decide to create more segmentation.

    The SSID to VLAN mapping example is just something we found is simple and fun to do.  The TP-Link router (I think we have the model number in that doc) was not expensive, and it really helped us to demonstrate the capability of the Gold unit without getting a managed router.

    So ...

    If you want to play with VLAN to SSID mapping as in that doc, you will need a router or access point that does SSID to VLAN mapping. The one we used is by TPLink, costs around $60 on Amazon; it is not perfect, the 5GHz range is not great ... but enough for guests ... For the main network, if you have a decent-sized home, get a mesh that can run in access point mode, and have it as your default network. <== this is how one of our home networks looks like. (Eero Pro as main network and a TPLink AP in that example as guest + kid network)

  • Hartmut Drechsel

    Just a couple of days ago, I set out to experiment with VLAN, 1Q-tagging.

    Similar to your example, I have TP-Link APs (2) and TP-Link managed switches (3), all capable of handling VLAN tagging; with firewallA Gold, the last missing piece is in place.

    SSID to VLAN-tagging is set up for 3 VLANs, another two in the managed switches. 3 are following your template of guest-network (used two for separate IoT VLANs and a real guest-net), another two are following the template of lockdown-network, operating strictly LAN-internal. Adding some allow-rules, inter-VLAN traffic is possible, just as much as necessary, and all else remains blocked.

    I tested by logging into devices of allowed or forbidden VLANs; everything works perfectly correctly.

    Thanks for the helpful instructions and templates.

    Only thing that needs some attention, but clearly beyond the range of FirewallA: Win10 (& win7) network neighbourhood browsing is not easily possible into different subnets. But addressing with explicit IPs of the different subnets is always possible.

    For compatibility questions: my cable-modem, upstream to FirewallA Gold, is NOT VLAN-capable, and does not need to be, either. FirewallA Gold is terminating the tagging towards upstream (into WAN).

    Downstream (into LAN), it cooperates seamlessly with the tagging-capable managed switches.

  • Firewalla

    There is a feature that's kind of overlooked, which may help you with connecting segments. Tap on devices, tap on any device, and scroll to the bottom, you will see this:

    [screenshot not preserved]

    The local domain is something you can use to reference your devices without remembering their IP address. So if you do //mynas.lan, you will be able to get to the NAS without typing 192.....

    The local domain name can be changed just by tapping on it.

  • Hartmut Drechsel

    Thanks, you are right. You have foreseen this inconvenience with subnets, and already provided a handy solution; works perfectly, as everything else :-)
