Local Area Network Block Rule
Any downsides to Local Area Network Block Rule for isolating IoT? In the past, I used guest wifi on my Eero to isolate IoT devices and prohibit their access to other devices on my network. But since adding Firewalla Gold, I don't see traffic from those devices in Firewalla (I think because Eero Guest Wifi does MAC filtering?). I thought about moving them to my main wifi SSID, and applying a LAN block on that group in Firewalla. I figure then I can monitor their outbound WAN traffic, but also block them from snooping my network. Am I right in that logic? I'm not ready to go out and buy another set of wifi APs and VLAN them for IoT or guest.
-
The guest network in many home routers is pretty much a virtual network hidden inside the router. With the exception of a few, these virtual networks are NOT visible to anyone from the outside.
- This behavior is good if you want to isolate devices.
- This behavior is bad if you want to have visibility and control of devices.
This is where the network segmentation part of the Gold can be much better. The Gold can do isolation and also give you visibility and control together. Segmentation in the Gold does require some type of network access. So you will need some type of wifi or directly connect your device (via ethernet) to the Gold.
You really don't need a super-fast/expensive access point for IoT devices...
Here is an example we did with a $60 AP https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Gold-Tutorial-Network-Segmentation-Example-with-VLAN
-
@Mark I am doing both.
- Like you, I am using the Guest network on my eero for some IOT devices because it not only isolates the LAN but the devices can't see each other. When guests come they can safely use the guest network too.
- For other IoT devices like nest that must talk to each other, I am using a VLAN in Gold. I have a separate AP serving IoT devices and I block access to the LAN by that VLAN that connects to the AP. My AP doesn't support VLANs so I can't configure individual devices, but it is connected to a switch that does support VLANs. As Firewalla already said, this allows me to manage the AP from the LAN but prevents the VLAN from seeing the LAN.
-
Thank you. So I take it the LAN block rule in Firewalla cannot block a device from talking to other devices on the same LAN? The reason I wondered this was that you have the choice to block "All Local Networks". I was hopeful that this would mean devices with such a block rule would only be able to route outbound (basically, block to/from the same subnet). That would have made my life easier, since I didn't want to run another Cat6 line out to a central location where I could put another AP serving just IoT on a separate VLAN. I plan to keep the guest network on the Eero going to respect the privacy of guests, where I don't wish to capture data.
-
My understanding is that Firewalla can only block between segments (vlans). Firewalla can correct me if I'm wrong about this. I agree the UI is a little confusing on this point. Perhaps they can find a way to make it more clear that you can't block access unless it is on a different segment.
The eero guest network doesn't allow any device to see any other device, so your guests already have privacy.
-
Yes, you are right, Firewalla can not block on the LAN side. In fact, it barely can see the LAN traffic. The reason is, the Gold is a layer 3 device (operating at the IP layer).
This means, when two LAN devices are talking to each other, the traffic does not always go through Firewalla. Most of the traffic will be resolved locally, and there is no need to pass the traffic to a router (Firewalla).
The segmentation networks, on the other hand, break down the LAN into pieces. When that happens, a LAN segment talking to another LAN segment will need a router in between, hence the traffic all goes to Firewalla.
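The point made in the last reply, that a layer 3 firewall only gets to inspect or block traffic that has to cross a subnet boundary, can be shown with a small forwarding model. The following is an added illustration, not code from this thread or from Firewalla: each host compares the destination address with its own subnet, sends directly (switch/AP only) when they match, and otherwise hands the packet to the gateway, which is the only place an inter-segment rule can be evaluated. The host names, addresses, segment labels and the `POLICY` table are constructed for the example.

```python
"""
Toy model of why a layer 3 firewall cannot block traffic inside one subnet.

A host decides whether the destination is on its own subnet (longest-match
against its interface prefix). If so, it resolves the destination with ARP and
the frame goes through the switch/AP only; the router never sees it. If not,
the packet goes to the default gateway, where inter-segment rules apply.
Everything below (hosts, addresses, rule table) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_interface


@dataclass(frozen=True)
class Host:
    name: str
    iface: str      # address with prefix, e.g. "192.168.1.20/24"
    segment: str    # label of the network/VLAN the host is attached to

    @property
    def network(self) -> IPv4Network:
        return ip_interface(self.iface).network

    @property
    def ip(self) -> IPv4Address:
        return ip_interface(self.iface).ip


# Constructed inter-segment policy, keyed by (source segment, destination
# segment). Anything not listed is allowed. This models a "block all local
# networks" rule applied to the IoT segment. Direction-specific and stateless,
# so it is a simplification of what a real firewall does.
POLICY = {
    ("iot", "lan"): "block",
}

# Constructed topology: a flat LAN where IoT devices share the subnet with
# everything else, and a segmented layout where IoT sits on its own VLAN.
HOSTS = {
    "nas":      Host("nas",      "192.168.1.10/24", "lan"),
    "cam_flat": Host("cam_flat", "192.168.1.50/24", "lan"),   # IoT on the main LAN
    "cam_vlan": Host("cam_vlan", "10.0.20.5/24",    "iot"),   # IoT on its own VLAN
}


def path(src: Host, dst: Host) -> str:
    """'direct' if src reaches dst at layer 2 only, else 'via-gateway'."""
    return "direct" if dst.ip in src.network else "via-gateway"


def verdict(src: Host, dst: Host) -> dict:
    """Where the traffic flows and whether the firewall can act on it."""
    p = path(src, dst)
    if p == "direct":
        # Same subnet: the router never receives the frame, so no rule,
        # however it is worded, can be evaluated against this flow.
        return {"path": p, "firewall_sees": False, "action": "n/a (not routed)"}
    action = POLICY.get((src.segment, dst.segment), "allow")
    return {"path": p, "firewall_sees": True, "action": action}


def demo() -> dict:
    """Evaluate the two IoT placements against the NAS and return the results."""
    nas = HOSTS["nas"]
    return {
        "flat_lan": verdict(HOSTS["cam_flat"], nas),
        "vlan":     verdict(HOSTS["cam_vlan"], nas),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} {result}")
```

Running it shows the camera on the flat LAN reaching the NAS with `firewall_sees: False`, while the same camera on the IoT VLAN is routed through the gateway and hits the `block` entry. That is the distinction between a guest SSID that hides devices inside the access point and a segmented network where the Gold is in the forwarding path.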