Feature Request - Guest/Client isolation
Hi. VLAN support is great so far. An added feature would be to prevent clients on a VLAN (guest) from seeing other clients on the same VLAN. I thought the rules to block from/to traffic for all local networks would fix this, but it seems this only works between different networks, not within the same network. thanks
-
If you mean blocking devices within the same subnet to see each other, it is not possible with Firewalla (or any router). The reason is, firewalla is a layer 3 device (IP layer) and when devices are on the same subnet, they can access each other without going to the router (Firewalla).
To achieve this, you will have to segment them via Firewalla Gold (VLAN or just a simple interface).
-
@Firewalla, I get that Firewalla is a layer 3 device and devices on the same network can talk to each other without traversing the Firewalla, but do you know how other devices are seemingly able to accomplish it? I know I've used consumer grade routers over the years that have supported isolating clients from being able to see each other on guest networks. I believe dd-wrt calls the feature "AP isolation" and obviously supports a ton of routers. I was pretty sure I had that feature enabled on some old wrt54g's back in the day.
I assumed it was done via some mac address magic or maybe some routing that forced all traffic to transparently flow through the gateway, but I have no idea.
-
In fact it kind of sounds like the new quarantine mode feature being released in 1.971, with the big difference being the devices would still need to have internet access. The release notes mention using the quarantine group as a simple guest network, and if internet access was enabled on the quarantine group that would basically be functionally equivalent to guest isolation mode. Am I understanding the new quarantine mode feature correctly?
-
The guest isolation on traditional routers is all going through wifi (at least the majority of them), which is just emulating another network, or a much simpler segmentation. (You can see this just by looking at the IP address issued for both the home and the guest network.)
Firewalla Gold does the exact same; The Gold just doesn't have wifi to reach out to wireless devices.
The quarantine mode only quarantines mostly internet access and not LAN access on the same segment.
-
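The layer-2 versus layer-3 point made in the reply above, as an added illustration that is not part of the thread and not Firewalla code. It models a host's own forwarding decision (on-link destinations are reached directly over the switch or AP; everything else is handed to the gateway) next to a router whose "allow Internet, block all local networks" rule can only act on packets it actually forwards. The addresses, prefixes and the rule itself are constructed sample data. It also models the earlier poster's guess about forcing traffic through the gateway: a lease with a /32 mask makes every destination off-link, so a neighbour's packets do reach the router, but that is an assumption about one possible technique, not what the reply describes, and it still relies on the gateway answering ARP for the host (for example via proxy ARP) and on the client not overriding its own netmask. Real client isolation on an AP or switch is enforced at layer 2 by the AP or switch itself.

```python
"""Why a layer-3 router rule cannot isolate hosts that share one subnet.

Added illustration, not Firewalla's code. Addresses, prefixes and the
"block all local networks" policy below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# RFC 1918 space: what a "block traffic from & to all local networks" rule matches.
PRIVATE = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Host:
    addr: IPv4Address
    net: IPv4Network        # the on-link prefix the host was configured with
    gateway: IPv4Address    # assumed reachable at layer 2 even for a /32 lease


def make_host(addr: str, prefix_len: int, gateway: str) -> Host:
    """Build a host from a string address, prefix length and gateway."""
    return Host(
        ip_address(addr),
        ip_network(f"{addr}/{prefix_len}", strict=False),
        ip_address(gateway),
    )


def next_hop(host: Host, dst: str) -> str:
    """Host-side decision: an on-link destination is ARP'd for and delivered
    directly over the switch/AP; anything else is handed to the gateway."""
    return "direct" if ip_address(dst) in host.net else "gateway"


def router_allows(dst: str) -> bool:
    """Router forwarding policy: allow Internet, block every local network.
    Only consulted for packets that actually reach the router."""
    return not any(ip_address(dst) in n for n in PRIVATE)


def deliver(host: Host, dst: str) -> str:
    """Combine both decisions: the router's rule applies only to forwarded packets."""
    if next_hop(host, dst) == "direct":
        return "delivered (router never saw it)"
    return "delivered via router" if router_allows(dst) else "dropped by router"


if __name__ == "__main__":
    guest = make_host("192.168.10.5", 24, "192.168.10.1")
    print(deliver(guest, "192.168.10.6"))    # same subnet: router never sees it
    print(deliver(guest, "192.168.20.6"))    # other VLAN: dropped by the router rule
    print(deliver(guest, "93.184.216.34"))   # Internet: forwarded normally

    # Hypothetical /32 lease (an assumption, not the reply's technique): every
    # destination is off-link, so even a neighbour is reached via the gateway
    # and the router rule can now act on it.
    guest_32 = make_host("192.168.10.5", 32, "192.168.10.1")
    print(deliver(guest_32, "192.168.10.6"))  # dropped by router
```

Run it as a script to see the four cases; the first case is the one the thread is about, and the last one shows why segmentation (or a per-client /32 trick, with its caveats) is what puts the router back in the path.
-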
Gotcha. Thanks for the explanation. Makes sense.
Bummer about quarantine mode not isolating the quarantined devices from other devices on the same LAN. I was thinking that feature could be leveraged to prevent malicious/unwanted devices from accessing other devices on the network in the event of a breach, but doesn't sound like that's the use case it's targeting.
-
@Michael Bierman, you mentioned that you were able to create a rule to allow traffic to & from Internet but block All Local Network traffic. - is that only available in the Gold version?
- Block Traffic from & to All Local Networks (Gold Only) Firewalla: New Device Quarantine – Firewalla
Do you know is there a hardware limit to this or just a licensing feature.
It would make sense if Firewalla released this option to other boxes. I have a Blue Plus and could really use this option to create a guest network.
-
Hi @Jamie Coleman
is that only available in the Gold version?
You can only block traffic between LANs and VLANs but not on the same LAN. Currently only Gold (and soon Purple) support Network segmentation.
Do you know is there a hardware limit to this or just a licensing feature.
I don't know for sure, but it seems that Firewalla usually enables features on as many models as possible if they can support a good experience. For example, they started with allowing just a few WireGuard connections and after testing for a while, they opened that restriction.
It would make sense if Firewalla released this option to other boxes. I have a Blue Plus and could really use this option to create a guest network.
I think to provide VLANs and network segmentation, Firewalla needs to be in router mode which means that for now at least, this is limited to Gold and Purple.
I have not tried it, but I suppose if you put say a Red or Blue on different network segments maybe it is possible to block/allow access between LANs? But even if this works, at that cost, a Gold or Purple would be a better option and easier to manage.