Feature Request - Guest/Client isolation

Comments

22 comments

  • Chris Dillard

    Agreed this would be a great addition to the firewalla. I'd love to be able to enable guest isolation on certain networks.

    0
  • Firewalla

    If you mean blocking devices within the same subnet from seeing each other, it is not possible with Firewalla (or any router). The reason is, Firewalla is a layer 3 device (IP layer), and when devices are on the same subnet, they can access each other without going through the router (Firewalla).

    To do this, you will have to segment them via Firewalla Gold (VLAN or just a simple interface).

    0
  • Larry

    Got it. I’ll use my AP/switches’ port isolation then. Thanks for the response.

    0
  • Chris Dillard

    @Firewalla, I get that Firewalla is a layer 3 device and devices on the same network can talk to each other without traversing the Firewalla, but do you know how other devices are seemingly able to accomplish it? I know I've used consumer-grade routers over the years that have supported isolating clients from being able to see each other on guest networks. I believe dd-wrt calls the feature "AP isolation" and obviously supports a ton of routers. I was pretty sure I had that feature enabled on some old WRT54Gs back in the day.

    I assumed it was done via some mac address magic or maybe some routing that forced all traffic to transparently flow through the gateway, but I have no idea. 

    0
  • Chris Dillard

    In fact it kind of sounds like the new quarantine mode feature being released in 1.971, with the big difference being the devices would still need to have internet access. The release notes mention using the quarantine group as a simple guest network, and if internet access was enabled on the quarantine group that would basically be functionally equivalent to guest isolation mode. Am I understanding the new quarantine mode feature correctly?

    0
  • Firewalla

    The guest isolation on traditional routers is all going through wifi (at least the majority of them), which is just emulating another network, or a much simpler segmentation. (You can see this just by looking at the IP addresses issued for the home and the guest network.)

    Firewalla Gold does the exact same; the Gold just doesn't have wifi to reach out to wireless devices.

    The quarantine mode mostly quarantines internet access, and not LAN access on the same segment.

    0
  • Chris Dillard

    Gotcha. Thanks for the explanation. Makes sense.

    Bummer about quarantine mode not isolating the quarantined devices from other devices on the same LAN. I was thinking that feature could be leveraged to prevent malicious/unwanted devices from accessing other devices on the network in the event of a breach, but it doesn't sound like that's the use case it's targeting.

    0
  • Chris Cochran

    Now that I have 1.971 installed, how do you enable the device quarantine feature?

    0
  • Michael Bierman

    @chris, I had the same use case. I have a wifi AP on a VLAN just for IoT devices like Nest so that I can segment them from the rest of the network. Working quite nicely.

    1
  • Michael Bierman

    @Chris Features > New Device Quarantine.

    It will create a new device group called "Quarantine". I made a rule there to allow traffic to & from the Internet but block all Local Network traffic. You can choose what you want.

    0
  • Chris Cochran
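The two points made above, that a layer 3 router never sees traffic between hosts on the same subnet, and that once guest or quarantined devices sit on their own segment a rule of the form "allow Internet, block all local networks" does the job, can be modelled in a few lines. The following is an added example written for this page, not Firewalla's code; the three networks, the per-network policy, the set of segments with AP isolation turned on, and the sample hosts are all constructed for illustration.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology for this example: one router with three networks.
# "guest" and "quarantine" stand in for the separate VLAN/interface that the
# thread says is needed before any router rule can isolate devices.
NETWORKS = {
    "main": IPv4Network("192.168.1.0/24"),
    "guest": IPv4Network("192.168.20.0/24"),
    "quarantine": IPv4Network("192.168.30.0/24"),
}

# Per-network router policy, modelled on the rule described in the thread:
# guest/quarantine may reach the Internet but no local network.
POLICY = {
    "main": {"local": True, "internet": True},
    "guest": {"local": False, "internet": True},
    "quarantine": {"local": False, "internet": True},
}

# Networks whose access point or switch enforces client ("AP") isolation.
# That is a layer-2 control: frames between two clients on the segment are
# dropped by the AP/switch itself, which is why it works even though the
# router never sees the traffic.
L2_ISOLATED = {"guest"}


def network_of(ip: IPv4Address):
    """Return the name of the configured network containing ip, else None."""
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return None


def decide(src: str, dst: str) -> str:
    """Classify a packet from src to dst.

    "direct"   same subnet, delivered host to host via the switch/AP; the
               router is not in the path, so no router rule can block it
    "l2-drop"  same subnet, but the AP/switch has client isolation enabled
    "allow"    leaves the subnet, so the router forwards it; POLICY permits
    "block"    leaves the subnet, so the router forwards it; POLICY denies
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    src_net = network_of(s)
    if src_net is None:
        raise ValueError(f"{src} is not on any configured network")

    if d in NETWORKS[src_net]:
        return "l2-drop" if src_net in L2_ISOLATED else "direct"

    # The destination is off-subnet: the host sends to its gateway, so the
    # router's firewall sees the packet and the policy for src's network
    # applies. "local" = another configured network or any private range.
    dst_class = "local" if network_of(d) or d.is_private else "internet"
    return "allow" if POLICY[src_net][dst_class] else "block"


def matrix(hosts):
    """Verdict for every ordered pair of distinct hosts: {(src, dst): verdict}."""
    return {(a, b): decide(a, b) for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    # Constructed sample hosts; 1.1.1.1 stands in for "somewhere on the Internet".
    sample = ["192.168.1.10", "192.168.20.10", "192.168.20.11",
              "192.168.30.10", "192.168.30.11"]
    for (a, b), verdict in matrix(sample).items():
        print(f"{a:>15} -> {b:<15} {verdict}")
    for a in sample:
        print(f"{a:>15} -> {'1.1.1.1':<15} {decide(a, '1.1.1.1')}")
```

Running it shows the two quarantine hosts reaching each other with the verdict "direct" regardless of POLICY, while quarantine-to-main is "block" and quarantine-to-Internet is "allow"; the guest pair comes back "l2-drop" only because that segment's AP isolation flag is set, which is the port/AP isolation route Larry mentions above.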

    @Michael thanks for that. I checked again and I don't have the quarantine option. I suppose I'll try to downgrade and go back to Alpha to see if it shows up.

    0
  • Firewalla

    @Chris, tap on the + button on the main screen, see if you have the quarantine feature on; if not, turn it on.

    The quarantine mode is off by default. 

    1
  • Chris Cochran

    @Firewalla I still don't have the option to enable quarantine. Followed these steps: enabled Early Access (Alpha) and installed the TestFlight version of the Firewalla app. Clicked on the + button and do not see the option for quarantine.

    Did I miss a step?

    0
  • Michael Bierman

    @chris, are you running beta or alpha?

    0
  • Chris Cochran

    @Firewalla, I'm running Alpha.

    0
  • Firewalla

    @chris, double check your box version; it should be 1.971. App versions should be iOS 1.40 / Android 3.4 or above.

    To activate, on the Firewalla main screen, tap on +, then

    0
  • Chris Cochran

    @Firewalla, looks like the problem is the box version. I have version 1.970 (g73f76cf). How do I get to the right version? Here are a few screenshots of what I see:

    0
  • Firewalla

    Oops, 1.971 early access is on the Gold only. Blue/Red will happen after we promote 1.970 to production. Please just hold on a bit.

    0
  • Chris Cochran

    OK, no worries. Still not sure why the quarantine is not showing up as an available option. Here is the features screen:

    0
  • Firewalla

    It won't show up if your box doesn't support that feature.

    0
  • Jamie Coleman

    @Michael Bierman, you mentioned that you were able to create a rule to allow traffic to & from the Internet but block all Local Network traffic. Is that only available in the Gold version?

    Do you know if there is a hardware limit to this, or is it just a licensing feature?

    It would make sense if Firewalla released this option to other boxes. I have a Blue Plus and could really use this option to create a guest network.

    0
  • Michael Bierman

    Hi @Jamie Coleman

    Is that only available in the Gold version?

    You can only block traffic between LANs and VLANs but not on the same LAN. Currently only Gold (and soon Purple) support Network segmentation.

    Do you know if there is a hardware limit to this, or is it just a licensing feature?

    I don't know for sure, but it seems that Firewalla usually enables features on as many models as possible if they can support a good experience. For example, they started with allowing just a few WireGuard connections and after testing for a while, they opened that restriction. 

    It would make sense if Firewalla released this option to other boxes. I have a Blue Plus and could really use this option to create a guest network.

    I think to provide VLANs and network segmentation, Firewalla needs to be in router mode which means that for now at least, this is limited to Gold and Purple.

    I have not tried it, but I suppose if you put, say, a Red or Blue on different network segments, maybe it is possible to block/allow access between LANs? But even if this works, at that cost a Gold or Purple would be a better option and easier to manage.

    0