Network Segmentation & Bandwidth restrictions

Comments

10 comments

  • Avatar
    Bob O'Hara

    Yes, most of the traffic, even internal to a single LAN is IP.

    The way most devices speaking IP work, though, is to first determine if they can talk directly with the destination, rather than needing to send their traffic through a router. They do this by asking the question “does anyone know who has the destination IP address?” Using a layer 2 broadcast message called an ARP (address resolution protocol) request.

    If the destination IP address is on the LAN, that destination device responds with a layer 2 ARP response that says “yes, I own that IP address, send that traffic directly to me.” This is how the router is not in the middle of layer 3 traffic that stays on the LAN.

    2
    Comment actions Permalink
  • Avatar
    Firewalla

    A router is a layer 3 device still ...  layer 3 devices usually don't see all the layer 2 traffic unless (segmentation, or WAN destined).   Again, your LAN traffic is layer 2.

    Example of a simplest case:

    You have 

    [Firewalla Gold in Router Mode]---[Wifi in AP mode]---[device: A,B]

    Now,

    1. If device A talks to the internet, device A traffic will go to Wifi then to Firewalla Gold.  Which all filtering will be applied.

    2. If device A talks to B, traffic will go to Wifi then to B ... Firewalla doesn't see the traffic, since the destination IP address is local.  

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    On the blue/red, you can group devices together, but those won't block local traffic.  For that you need physical interfaces like the Gold.

    Bandwidth restrictions only work if there is a real physical in/out the interface, and that is the Gold.  With the Gold you can do a fairly bit of traffic control.

    0
    Comment actions Permalink
  • Avatar
    James Willhoite

    I believe this is available to the gold only.

    The VLAN I think is available on red/blue but the priority is for gold only.

    0
    Comment actions Permalink
  • Avatar
    Daniel

    Why is it not possible to use firewall rules to block local traffic?

    Doesn't make sense to demand them to be on different VLANs.

    0
    Comment actions Permalink
  • Avatar
    James Willhoite

    The OP is not using gold which can act as a router, the VLAN are separate networks so that is a work around.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    LAN traffic does not always pass through firewalla ... unless the traffic is segmented either via physical ports of VLAN.   

    In networking, a firewall is a layer 3 device, while LAN communication usually happens at Layer 2, which doesn't involve the firewall. (unless segmentation or WAN traffic)

    0
    Comment actions Permalink
  • Avatar
    Daniel

    Even if it acts as an router?

    0
    Comment actions Permalink
  • Avatar
    Daniel

    Is it?
    I believe most devices talk IP which is layer 3.

    How does the block work in quarantine mode?

    0
    Comment actions Permalink
  • Avatar
    Daniel

    Then how does the quarantine feature work?

    -1
    Comment actions Permalink

Please sign in to leave a comment.