VqLAN with Multiple APs
After reading your excellent article:
https://help.firewalla.com/hc/en-us/articles/38425011667091-VqLAN-Firewalla-Microsegmentation
I think the answer will be yes to both questions, but I wanted to verify.
Will the following topology work properly:
Box -> Switch -> AP1 -> a1
              -> AP2 -> a2
I think the answer is yes since egress/ingress traffic from/to the clients goes through a Firewalla AP, but wanted to confirm. This would also let me use a PoE+ switch and only one Firewalla port. And if there was a single wired client on the switch that would also work since again traffic to any wireless client, or to other wired clients would have to traverse a firewall device.
Second, I want to confirm I can add the quarantine group to a VqLAN Microsegment so that by default new/unknown wireless devices can be restricted to "internet only" and I can stop stressing about how many of my son's friends have our WIFI PW.
-
I am not getting the first question. Are you asking if a1 and a2 will be VqLAN supported? If they are single devices, then yes, they will work perfectly. It is only when you connect, say, a2.1 and a2.2 to a switch connecting to AP2 that a2.1 to a2.2 traffic can't be managed.
For new/unknown wireless devices, my advice is to use a new SSID + password for them (or you can use SSID + PPSK/personal key) and then point it to the quarantine group (or you can create your own group called guest).
-
For the first question "a1" and "a2" are wireless clients. To put the question another way, if I have 2 (or more) Firewalla APs connected to a switch and no wired clients, the traffic between any and all wireless clients can be managed, correct? Or would the APs need to be connected directly back to the Firewalla box?
You can ignore the part about a single wired client, it's not important.
And understood about not being able to control the traffic between multiple wired clients connected to the same switch.
Finally, understood about a separate SSID being a best practice; I just wanted to verify I can fully isolate unknown/new wireless clients by default. My current APs don't support client isolation, so a wireless client can access all other wireless clients connected to the same AP even if it's in the quarantine group. Only access to wired clients or wireless clients on another AP is blocked, since they are connected directly to the Firewalla box.
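The rule the thread settles on (a flow can only be managed if at least one hop on its path is the Firewalla box or a Firewalla AP, and two clients behind the same plain switch bypass that) can be checked mechanically for a given topology. Below is an added example, not code from the thread or from Firewalla, that models the topology in the question plus the a2.1/a2.2 case from the answer and reports which client pairs fall outside enforcement; the node names and the helper functions are assumptions made here.

```python
# Constructed topology: parent -> children links, taken from the question
# (Box -> Switch -> AP1/AP2, one wired client on the switch) plus the answer's
# a2.1/a2.2 behind a second switch under AP2. Names are assumptions.
LINKS = {
    "box": ["switch"],
    "switch": ["ap1", "ap2", "wired1"],
    "ap1": ["a1"],
    "ap2": ["a2", "switch2"],
    "switch2": ["a2.1", "a2.2"],
}

# Assumption from the thread: the Firewalla box and Firewalla APs enforce
# VqLAN; plain switches forward client-to-client traffic unmanaged.
ENFORCING = {"box", "ap1", "ap2"}


def _parent_map(links):
    """Invert the child lists into a child -> parent map (the tree is rooted at the box)."""
    return {child: parent for parent, children in links.items() for child in children}


def path_between(a, b, links=LINKS):
    """Return the nodes on the unique tree path from client a to client b, endpoints included."""
    parents = _parent_map(links)

    def ancestors(node):
        chain = [node]
        while chain[-1] in parents:
            chain.append(parents[chain[-1]])
        return chain

    up_a, up_b = ancestors(a), ancestors(b)
    common = next(n for n in up_a if n in up_b)  # lowest common ancestor
    return up_a[: up_a.index(common) + 1] + list(reversed(up_b[: up_b.index(common)]))


def is_managed(a, b, links=LINKS, enforcing=ENFORCING):
    """True if traffic between a and b crosses at least one enforcing device."""
    return any(hop in enforcing for hop in path_between(a, b, links)[1:-1])


def unmanaged_pairs(links=LINKS, enforcing=ENFORCING):
    """All client (leaf) pairs whose traffic never touches an enforcing device."""
    leaves = sorted(n for n in _parent_map(links) if n not in links)
    return [(x, y) for i, x in enumerate(leaves) for y in leaves[i + 1:]
            if not is_managed(x, y, links, enforcing)]


if __name__ == "__main__":
    print("unmanaged pairs:", unmanaged_pairs())  # prints [('a2.1', 'a2.2')]
```

Wireless clients on different APs (a1, a2) and the wired client on the top switch all pass through an AP or the box, so only the two clients sharing switch2 are reported.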