AP7 vqlan and microsegmentation Ethernet

Andy

January 07, 2025 00:28

Looking over AP7 documentation, will we be able to use vqlan and microsegmentation on devices connected to firewalla through a managed switch? Example: laptop WiFi that is assigned to a vqlan on vlan 1 through AP7, same laptop now plugged into a port assigned to vlan 1, can that laptop Ethernet mac be managed in the vqlan?

Comments

9 comments

Firewalla

January 07, 2025 00:36

Edited
VqLAN microsegmentation only works with device traffic that is terminated inside the AP. In your case, your switch traffic is completely outside of what the firewalla can see.
0

Comment actions Permalink
Jonathan

January 07, 2025 01:39
Do you anticipate that coming to fruition once you come out with switches? I noticed in the survey there were questions leading to that possibility.
2

Comment actions Permalink
Andy

January 07, 2025 02:34
@firewalla so is it correct to say a wired device will not be able to talk to devices in guest group that devices is only on WiFi that has vqlan enabled?
0

Comment actions Permalink
Firewalla

January 07, 2025 03:23
@Andy, yes; vqlan can put barriers up inside the AP
0

Comment actions Permalink
DanM

February 13, 2025 14:57
Hello Firewalla, can you provide more information or clarity on how or when home run connections to a switch will be able to be included in a microsegmentation group? @Jonathan asked the same or similar question and it appears still not answered. You have provided very recent updates which clarify more about this potential issue: VqLAN: Firewalla Microsegmentation – Firewalla.

I'm sure I misinterpreted the full functionality of FW's microsegmentation as it applies to direct connections to a same switch. I thought all devices in a FW router AP7 infrastructure would be able to take advantage of this powerful opportunity.

It almost implies we need an AP7 with additional RJ45 ports to provide home runs into a more resilient ecosystem. I currently have a core switch which connects to each AP7 and will connect to each FW ceiling AP (CAP7?). My core switch is a managed Omada switch, home runs to my core switch come from a few PC's and other endpoint switches which connect to devices in a fringe area of my house (e.g. TV area connecting a TV and a Roku directly vs using Wi-Fi).

As this is really new information for myself, which makes sense. I am now rethinking about the FW switch surveys and the appropriate switch should have managed capabilities to allow for home run connection controls. Probably means fewer port 2.5 Gb switches so they can be used as end point switches vs a core switch application.

Maybe this post should be in the above referenced link: VqLAN: Firewalla Microsegmentation – Firewalla.
0

Comment actions Permalink
Firewalla Team

February 14, 2025 08:51
@DanM, what matters is if the traffic goes through Firewalla. If two devices connect to the same switch, they can talk directly. That's also the reason why we want to build switches to give us possiblility to see traffic from wired devices.
0

Comment actions Permalink
DanM

February 14, 2025 09:56
@Firewalla Team, Excellent. This is really the question I was asking and hoping for. I would assume it would be considered a version of a managed switch. It doesn’t seem to be clear in the thread soliciting switch design feedback. Maybe I didn’t connect the dots. Thank you
0

Comment actions Permalink
Arty Martinez

February 25, 2025 06:36
@firewalla - you mentioned that:
“ VqLAN microsegmentation only works with device traffic that is terminated inside the AP”

What about VLANs that are terminated on Firewalla? In other words, I have a L3 managed switch but let Firewalla handle the routing (set next hop, default GW, to Firewalla) not the smart switch. Will VqLAN work in this scenario?
0

Comment actions Permalink
Firewalla Team

February 25, 2025 10:29
@Arty If your devices talk to each other across VLANs, a rule to block local traffic should block them.
0

Comment actions Permalink

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?