Network Segmentation & Bandwidth restrictions
I'm wanting to segment my work computers & voip phone from the rest of the devices in my house. Can that be done with firewall rules on Firewalla Red/Blue or does segmentation require the Gold box?
Also, is it possible to do any type of bandwidth restrictions for certain devices or a segment? I would like to restrict all the other devices in my house to around 60-70% of my total bandwidth and allow my works machines/voip phone to have access to full 100% bandwidth on ISP.
Appreciate any suggestions or ideas on how to do this...
On the blue/red, you can group devices together, but those won't block local traffic. For that you need physical interfaces like the Gold.
Bandwidth restrictions only work if there is a real physical in/out the interface, and that is the Gold. With the Gold you can do a fairly bit of traffic control.
LAN traffic does not always pass through firewalla ... unless the traffic is segmented either via physical ports of VLAN.
In networking, a firewall is a layer 3 device, while LAN communication usually happens at Layer 2, which doesn't involve the firewall. (unless segmentation or WAN traffic)
A router is a layer 3 device still ... layer 3 devices usually don't see all the layer 2 traffic unless (segmentation, or WAN destined). Again, your LAN traffic is layer 2.
Example of a simplest case:
[Firewalla Gold in Router Mode]---[Wifi in AP mode]---[device: A,B]
1. If device A talks to the internet, device A traffic will go to Wifi then to Firewalla Gold. Which all filtering will be applied.
2. If device A talks to B, traffic will go to Wifi then to B ... Firewalla doesn't see the traffic, since the destination IP address is local.
Yes, most of the traffic, even internal to a single LAN is IP.
The way most devices speaking IP work, though, is to first determine if they can talk directly with the destination, rather than needing to send their traffic through a router. They do this by asking the question “does anyone know who has the destination IP address?” Using a layer 2 broadcast message called an ARP (address resolution protocol) request.
If the destination IP address is on the LAN, that destination device responds with a layer 2 ARP response that says “yes, I own that IP address, send that traffic directly to me.” This is how the router is not in the middle of layer 3 traffic that stays on the LAN.
Please sign in to leave a comment.