Local Area Network Block Rule

Comments

6 comments

  • Firewalla

    The guest network in many of the home routers is pretty much virtual networks hidden inside the home routers.  With the exception of a few, these virtual networks are NOT visible to anyone from the outside.   

    • This behavior is good if you want to isolate devices.
    • This behavior is bad if you want to have visibility and control of devices.

    This is where the network segmentation part of the Gold can be much better. The Gold can do isolation and also give you visibility and control together. Segmentation in the Gold does require some type of network access, so you will need some type of Wi-Fi access point, or to connect your device directly (via Ethernet) to the Gold.

    You really don't need a super-fast/expensive access point for IoT devices... 

    Here is an example we did with a $60 AP https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN

  • Michael Bierman

    @Mark  I am doing both. 

    1. Like you, I am using the Guest network on my eero for some IoT devices because it not only isolates the LAN, but the devices can't see each other. When guests come they can safely use the guest network too.
    2. For other IoT devices like nest that must talk to each other, I am using a VLAN in Gold. I have a separate AP serving IoT devices and I block access to the LAN by that VLAN that connects to the AP. My AP doesn't support VLANs so I can't configure individual devices, but it is connected to a switch that does support VLANs. As Firewalla already said, this allows me to manage the AP from the LAN but prevents the VLAN from seeing the LAN. 
  • Mark van der wal

    Thank you. So I take it the LAN block rule in Firewalla cannot block a device from talking to other devices on the same LAN? The reason I wondered this was that you have the choice to block "All Local Networks". I was hopeful that this would mean devices with such a block rule would only be able to route outbound (basically, block to/from the same subnet). That would have made my life easier, since I didn't want to run another Cat6 line out to a central location where I could put another AP serving just IoT on a separate VLAN. I plan to keep the guest network on the Eero going to respect the privacy of guests, where I don't wish to capture data.

  • Michael Bierman

    My understanding is that Firewalla can only block between segments (vlans). Firewalla can correct me if I'm wrong about this. I agree the UI is a little confusing on this point. Perhaps they can find a way to make it more clear that you can't block access unless it is on a different segment. 

    The eero guest network doesn't allow any device to see any other device so your guests already have privacy. 

  • Firewalla

    Yes, you are right, Firewalla cannot block on the LAN side. In fact, it barely can see the LAN traffic. The reason is, the Gold is a layer 3 device (operating at the IP layer).

    This means, when two LAN devices are talking to each other, the traffic does not always go through Firewalla. Most of the traffic will be resolved locally, and there is no need to pass the traffic to a router (Firewalla).

    The segmentation networks, on the other hand, break the LAN down into pieces; when that happens, a LAN segment talking to another LAN segment needs a router in between, hence all the traffic goes to Firewalla.

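    To make the layer-3 point in the reply above concrete, here is an added example (not code from Firewalla or from anyone in this thread) that models the standard host forwarding decision and shows which flows a router-side "block all local networks" rule can actually act on, first for a flat LAN and then for a VLAN-segmented one. The host names, addresses and the rule-matching logic are constructed for illustration and are assumptions, not Firewalla's implementation; the model also ignores ARP and broadcast traffic that a router may still observe on a flat LAN.

```python
"""Why a layer-3 firewall only sees traffic that crosses a subnet boundary.

Model: each host decides per packet whether the destination is on its own
subnet (deliver directly via ARP + the switch) or not (hand to the default
gateway). Only the second kind of flow reaches the router, so only that
kind can be matched by a router-side rule. All names and addresses below
are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface
from typing import Dict, Iterable, Set, Tuple

# RFC 1918 ranges stand in for "all local networks" (assumption for the model).
LOCAL_NETS = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface  # address plus prefix, e.g. 192.168.1.20/24


def next_hop(src: Host, dst: IPv4Address) -> str:
    """Classic host forwarding decision: same subnet -> direct, else -> gateway."""
    return "direct" if dst in src.iface.network else "gateway"


def is_local(addr: IPv4Address) -> bool:
    return any(addr in net for net in LOCAL_NETS)


def rule_outcome(src: Host, dst: IPv4Address, blocked_addrs: Set[IPv4Address], blocked_names: Set[str]) -> str:
    """Outcome of a router-side 'block all local networks' rule for src -> dst.

    'bypassed': the flow is delivered at layer 2 and never reaches the router,
                so the rule has no chance to act.
    'blocked':  the router forwards the flow, and one endpoint is a rule target
                while the peer is a local (private) address.
    'allowed':  the router forwards the flow but the rule does not match.
    """
    if next_hop(src, dst) == "direct":
        return "bypassed"
    if src.name in blocked_names and is_local(dst):
        return "blocked"
    if dst in blocked_addrs and is_local(src.iface.ip):
        return "blocked"
    return "allowed"


def evaluate(hosts: Dict[str, Host], flows: Iterable[Tuple[str, str]], blocked: Set[str]) -> Dict[Tuple[str, str], str]:
    """Evaluate each (source name, destination name-or-IP) flow under the rule."""
    blocked_addrs = {hosts[n].iface.ip for n in blocked}
    results = {}
    for s, d in flows:
        dst = hosts[d].iface.ip if d in hosts else ip_address(d)
        results[(s, d)] = rule_outcome(hosts[s], dst, blocked_addrs, blocked)
    return results


# Constructed topologies: a flat home LAN versus an IoT VLAN behind the router.
FLAT = {
    "camera": Host("camera", ip_interface("192.168.1.20/24")),
    "laptop": Host("laptop", ip_interface("192.168.1.50/24")),
}
SEGMENTED = {
    "camera": Host("camera", ip_interface("192.168.20.20/24")),  # IoT VLAN
    "laptop": Host("laptop", ip_interface("192.168.1.50/24")),   # main LAN
}
FLOWS = [("camera", "laptop"), ("camera", "8.8.8.8"), ("laptop", "camera")]
BLOCKED = {"camera"}  # the device carrying the "block all local networks" rule

if __name__ == "__main__":
    for label, topo in (("flat LAN", FLAT), ("VLAN-segmented", SEGMENTED)):
        print(label)
        for (s, d), outcome in evaluate(topo, FLOWS, BLOCKED).items():
            print(f"  {s:>7} -> {d:<8} {outcome}")
```

    On the flat LAN the camera-to-laptop flow comes back as "bypassed": the rule exists but the packets never reach the router. Moving the camera onto its own subnet changes the forwarding decision, so the same flow becomes "blocked" while its Internet-bound traffic stays "allowed", which is exactly the isolation-plus-visibility trade-off described in the replies.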
  • Mark van der wal

    That makes sense, thanks! I guess I'll need to look at installing another wireless AP in the house for the IoT I wish to monitor. Cheers!
