Network segmentation Gold & VLAN
I want to separate my IoT (part wired / part WiFi) devices from the main LAN using the VLAN approach. I have followed the Network Segmentation article (based on EXAMPLE 4), and have set up VLAN 66 & 77 on Firewalla using port 3 with different subnets (...22.1/24 & ...33.1/24). I have also configured my Netgear GS716Tv3 switch with tags on the relevant ports (hopefully), so good to go. However, I'm missing something?
Everything is on the original LAN 1 and I can't find an obvious way to assign devices into each of the newly created VLANs? Thanks
-
It's hard to know for sure the config you have, but maybe a few things to check:
- For the WiFi devices, how do you tag them? Does your WiFi AP assign tags for different SSIDs?
- For the wired ones, you have to make sure the uplink port between Firewalla and the switch tags your 2 VLANs (set up both on Firewalla and on the switch port). On the switch, you also have to untag the relevant VLAN on the ports where your wired IoT devices are connected
(sorry if it sounds basic, I just don't know how expert you are in this kind of setup)
-
Hi SebH,
Thanks for the reply. I'm a Security Architect, CISSP and that stuff, but never did hands-on network stuff, so VLANs / switch & FW config is all a bit new.
I haven't set up the WiFi side yet but have made provision for it in the Firewalla by setting up VLAN 66 & VLAN 33. I then configured the switch so that ports 2-8 are tagged to VLAN ID 22 and (explicitly) untagged the other ports, which the docs say should default to VLAN 1, the trunk port; these should map to LAN1 on the Firewalla. Basic setup here:
Here is the Firewalla config.
My problem is that I can't see a way to get the 3 IoT devices (in this case), which by default landed in the LAN 1 network, re-assigned to the IoT VLAN on the FWa. Maybe I have to do this with Groups or Routing on the FWa?
-
When you say "ports 2-8 are tagged to VLAN ID 22", is that another VLAN? Or maybe you meant 66? (with .22 being the IP subnetwork)
If the plan is to connect the IoT devices on these ports, you should UNTAG the corresponding VLAN on those (not tag). You only tag 33/66 on the uplink port #1 of the switch
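As an added illustration (not part of this thread or of any Firewalla/Netgear documentation), the Python below models the 802.1Q ingress/egress rules behind SebH's two replies: an untagged frame is classified by the port's PVID, a tagged member port keeps the tag on egress, an untagged member port strips it. It puts the "IoT ports left tagged" configuration beside the corrected "access port untagged for 66, PVID 66" one and shows what arrives on the uplink in each case. Port 1 as the uplink to Firewalla port 3, the MAC addresses and the frame payloads are all constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows the MACs
ETH_IP = 0x0800

# Constructed sample MACs (not from the thread): an IoT device and the Firewalla LAN gateway.
IOT_MAC = bytes.fromhex("020000000001")
GW_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; with vid set, an 802.1Q tag (PCP 0, DEI 0) is inserted after the MACs."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (et,) = struct.unpack("!H", frame[12:14])
    if et == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (et,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, et, frame[18:]
    return dst, src, None, et, frame[14:]


class Switch:
    """Minimal 802.1Q bridge: per-port PVID plus tagged/untagged VLAN membership."""

    def __init__(self):
        self.ports = {}
        self.fdb = {}   # (vid, mac) -> port, learned from source addresses

    def configure(self, port, pvid, tagged=(), untagged=()):
        self.ports[port] = {"pvid": pvid, "tagged": set(tagged), "untagged": set(untagged)}

    def forward(self, in_port, frame):
        """Return {out_port: egress_frame} for a frame arriving on in_port."""
        cfg = self.ports[in_port]
        dst, src, vid, et, payload = parse_frame(frame)
        if vid is None:
            vid = cfg["pvid"]                       # untagged ingress is classified by the PVID
        elif vid not in cfg["tagged"] | cfg["untagged"]:
            return {}                               # ingress filtering: not a member, drop
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        targets = [known] if known is not None else list(self.ports)   # known unicast or flood
        out = {}
        for p in targets:
            if p == in_port:
                continue
            pc = self.ports[p]
            if vid in pc["tagged"]:                 # trunk side: keep the tag
                out[p] = build_frame(dst, src, et, payload, vid=vid)
            elif vid in pc["untagged"]:             # access side: strip the tag
                out[p] = build_frame(dst, src, et, payload)
        return out


def misconfigured_switch():
    """Port 1 = assumed uplink to Firewalla port 3. Port 2 = IoT port left TAGGED for 66, PVID still 1."""
    sw = Switch()
    sw.configure(1, pvid=1, tagged={66, 77}, untagged={1})
    sw.configure(2, pvid=1, tagged={66}, untagged={1})
    return sw


def corrected_switch():
    """Port 2 as an access port: UNTAGGED member of 66 only, PVID 66, removed from VLAN 1."""
    sw = Switch()
    sw.configure(1, pvid=1, tagged={66, 77}, untagged={1})
    sw.configure(2, pvid=66, untagged={66})
    return sw


def vlan_seen_on_uplink(sw):
    """VID carried by the IoT device's untagged frame when it reaches Firewalla (None = native LAN 1)."""
    frame = build_frame(GW_MAC, IOT_MAC, ETH_IP, b"\x45" + b"\x00" * 19)   # constructed IPv4 stub
    out = sw.forward(2, frame)
    return parse_frame(out[1])[2] if 1 in out else "dropped"


def reply_tag_on_iot_port(sw):
    """Firewalla answers tagged 66 on the trunk; VID the IoT port emits (None = untagged, as the device needs)."""
    vlan_seen_on_uplink(sw)   # let the switch learn the IoT MAC first
    reply = build_frame(IOT_MAC, GW_MAC, ETH_IP, b"\x45" + b"\x00" * 19, vid=66)
    out = sw.forward(1, reply)
    return parse_frame(out[2])[2] if 2 in out else "dropped"


if __name__ == "__main__":
    for name, sw in (("misconfigured", misconfigured_switch()), ("corrected", corrected_switch())):
        print(name, "uplink VID:", vlan_seen_on_uplink(sw), "| IoT port egress VID:", reply_tag_on_iot_port(sw))
```

With the first configuration the IoT device's untagged frames pick up PVID 1 and leave the uplink untagged, which is exactly "everything lands in LAN 1"; the Firewalla's tagged replies would then be emitted tagged on port 2, where a VLAN-unaware IoT device ignores them. With the second, the uplink carries tag 66 and port 2 strips it. When checking the real switch, look at the PVID as well as the T/U membership, since they are separate settings on most smart switches and a port untagged for 66 but still PVID 1 behaves like the first model.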