VLAN - Group - Device and Internet access management issue

Follow

Deepblue01

• July 25, 2021 22:03

Hello,

Recently purchased Firewalla Gold and so far quite happy exception to group and device rule management.

Setup:

=====

1. Have a VLAN20 where all internet to/from access is blocked. All devices are automatically part of this vlan. 

2. Have Groups like "Kids_group_1" where I have devices for kids.

 

Issue / Challenge:

=============

1. VLAN20 rules are inherited to all devices and stick applied to it, regardless of group inheritance (as per doc and in practice)

2. In order to enable internet access, I apply rule at "Kids_group" to enable traffic "To internet" that enables traffic to internet.

3. Now, If I need to just block Youtube access (while keeping rest of internet enabled) on "kids_group_1",  I apply a rule at Group level (clicking on block youtube on). Expecting result that youtube will be blocked while rest of internet would work. However this setup does not work. 

It seems that Group level access to internet that is inherited by device superseded any and all block rule applied at group rules. 

I have about 3 devices per kid and changing these at each device level across 4 kids is quite a bit of work in a day as each has different schedule. 

Looking for help, if this setup seems to be correct, what am I missing ?

0

• 

  Firewalla

  • July 25, 2021 22:16

  You should not need to explicitly add "allow to the internet" from VLAN or groups. Any reason you are doing this?  allow rules gives exceptions and not sure if that's your issue. try to remove it.

  0

  Comment actions Permalink
• 

  Deepblue01

  • July 25, 2021 22:53

  Actually VLAN has explicit block to/from internet.
  Yes, I am trying to track and explicitly give permission to certain devices to reach internet.

  0

  Comment actions Permalink
• 

  Firewalla

  • July 26, 2021 15:53

  If you have a block to the internet, then it is likely the "allow' to internet overrides that control. Try to allow just a special destination, not all internet.

  Since the internet is so connected, unless you are running deterministic applications, which you know where the app is going for sure, you should not block and then allow. 

  0

  Comment actions Permalink
• 

  Deepblue01

  • July 27, 2021 00:18

  Thank you for your help. 

  I realized that you have "New device quarantine" and it can be applied to specific VLAN. This actually addressed my need to block new devices as they show up on network.

  So I have removed VLAN based to/from internet block. Now I am able to apply rules at group level and getting results as expected.

  Thanks again for your help and quick response.

  0

  Comment actions Permalink

Please sign in to leave a comment.