Firewalla Gold with Linksys Velop - wireless network segmentation for IoT?

Comments

8 comments

  • Michael Bierman

    As far as I can tell the Linksys Velop does not support VLANs

    Correct.

    You should look at https://help.firewalla.com/hc/en-us/articles/4411167832851-Firewalla-Router-Mode-Configuration-Guide- if you have not already. 

    Here are a few of the easiest/best options:

    1. Set up Gold in Router mode. Create a port-based network for IoT devices and connect an AP dedicated to each, with a different CIDR block (IP range) and SSID; one for IoT, one for your primary LAN, etc. This will allow you to fully separate these devices from the network or provide some access (e.g. the primary network can talk to IoT but not the other way around). https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments The downside of this approach is that it uses up a Firewalla port. If you want more than 3 network segments, then you will be out of luck unless you also get a managed switch, with which you could create as many separate networks as you like, each with separate APs. Then you would only be limited by the number of ports your managed switch has and how many APs you have. Managed switches aren't very expensive so this might be just fine. On the positive side, you can locate these APs close to the devices that need them, which could be different than where you really need your primary network.
    2. Don't use the Linksys APs. For about the same money you can buy APs that are VLAN ready and have fewer APs to clutter your house. Less energy, less to manage... etc. There are a bunch of great alternatives at reasonable prices. In this scenario you may or may not need a managed switch depending on your network topology.

    See also
    https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Tutorial-Network-Segmentation-Example-with-VLAN

    1
  • networker5

    I'm in the same boat. Using physical ports or a dedicated AP is not an option for a mesh network.

    This looks like it is supposed to work: https://www.linksys.com/ca/support-article?articleNum=205502

    HOWEVER - since I'm using Firewalla as my primary router, I have to use Bridge mode which definitely does not support VLAN.

    If I do not use bridge mode, then Firewalla sees the entire network as a single device.

    There must be a better way :)


    0
  • Michael Bierman

    There is a better way. But it involves using APs that are not also routers and possibly a managed switch. 

    It isn’t always possible to get the best configuration trying to force existing equipment together because they were designed to work on different configurations. It can be done sometimes, but not as elegantly. Kind of like trying to force puzzle pieces together that don’t fit.

    0
  • Chem Chance

    I feel your pain @networker5,

    Alas my Velops don't have that VLAN feature as an option. I've been ruminating on what to do after reading Michael's thoughts - Thank You Michael :0).

    For me it's become a question of what's the most affordable way out of the predicament that doesn't involve writing off the Velops. I'm coming to the conclusion that I have to spin up a second network and ensure that it has the reach to talk to a lot of IoT thingamies (of a switch, sensor, bulb ilk), most of which need 2.4GHz wireless, though some of the newer ones do support, and use, Thread.

    Then there are the media things (TVs, Apple TV, and several HomePods I've been collecting the last few years). So I use HomeKit quite extensively to manage all of that. I would probably put these in a different network segment to the very basic stuff as it is well supported and patched. So notionally less risky.

    After that there are the laptops, PCs, iPhones/iPads etc. This falls into, I guess, the most trusted category and would be what remains on the current Velop mesh network.

    Lastly is the work & school IT, which currently runs out of guest, but could have its own VLAN in a future state.

    So the new network would likely run 3 VLANs. Though it could be 2 if I decide that I may as well trust the Apple TV/HomePods on the main network - they get patched along the same cadence as the Macs/phones/iPads so possibly not worth splitting hairs over the relative risks.

    The challenge then might be controlling all of those devices from the HomeKit app given they will be on separate networks. Some seem to work fine when I restrict them to the current guest network; my iPhone connected to main can still see/control them (not talking about the Thread-supporting ones). Others though will not play.

    So my best option as Michael suggested could be getting a couple of APs to cover the house that support multi VLAN/SSIDs. And I'd probably want those APs to mesh themselves so I only have to hook one of them up to the FWG, as I don't fancy doing a long Ethernet cable run through the basement on top of everything else.

    Cable Modem <> Firewalla Gold <>
        1. Velop Mesh Network
           Home SSID
        2. New AP mesh network
           VLAN1 - IoT
           VLAN2 - Work
           VLAN3 - Media

    0
  • David Vaughan

    Chem Chance & networker5,

    Michael is right. I have a Velop which was formerly a router and is now bridged so that a Gold manages the separate home and IoT networks through its LAN ports. A second AP talks to the IoT devices (in fact I repurposed an old TG789 router now also in bridge mode).

    As Chem implies, the Velop Guest network is an insecure option. A second hand AP of sufficient range should be quite cheap and will give you a much more powerfully controlled setup thanks to using the Gold's features, rather than limiting the Gold to meet the limitations of something else.

    0
  • James Willhoite

    Not ideal as they are still on the same "Network", but you can add the IoT devices as a "Group" and then put block rules on that group to not allow them to talk with the rest of the devices... Might be a solution until you get something different.

    0
  • Chem Chance

    Agreed David, and thanks James, that's a good tip to add some defense in depth.

    0
  • Michael Bierman

    Not quite, @James. Rules for Groups don't limit access to devices on the same subnet. That isn't possible because devices don't have to talk through the router if they are on the same subnet. 

    0
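To make two points from this thread concrete (Michael's option 1 above, one CIDR block per segment with a one-way policy enforced at the gateway, and his last comment that group rules cannot separate devices sharing a subnet because their traffic never reaches the router), here is an added Python example. It is not code from the thread, Firewalla or Linksys; the addressing plan, the one-way policy and the sample flows are all constructed, and "gateway" versus "switch/AP" simply records whether the router sits in the packet's path.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Plan = Dict[str, ipaddress.IPv4Network]
Policy = Set[Tuple[str, str]]

# Constructed addressing plan: one CIDR block per segment. In Michael's option 1
# each block is a Firewalla port with its own AP/SSID; with VLAN-capable APs each
# would be a VLAN. These ranges are illustrative, not anyone's real network.
SEGMENTED_PLAN: Plan = {
    "home":  ipaddress.ip_network("192.168.10.0/24"),
    "iot":   ipaddress.ip_network("192.168.20.0/24"),
    "media": ipaddress.ip_network("192.168.30.0/24"),
    "work":  ipaddress.ip_network("192.168.40.0/24"),
}

# The flat alternative discussed in the thread: everything on one Velop subnet,
# with IoT devices only distinguished by a "Group" in the router.
FLAT_PLAN: Plan = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
}

# One-way policy: (source segment, destination segment) pairs allowed to initiate
# connections. Any other cross-segment pair is denied. Traffic to an address
# outside every segment (the internet) is allowed for everyone.
ONE_WAY_POLICY: Policy = {("home", "iot"), ("home", "media"), ("home", "work")}


def segment_of(plan: Plan, ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


def classify_flow(plan: Plan, policy: Policy, src: str, dst: str) -> Tuple[str, str]:
    """Return (enforcement_point, verdict) for a connection initiated src -> dst.

    enforcement_point is "gateway" when the packet must cross the router and the
    firewall can act on it, or "switch/AP" when both ends share a subnet and the
    packet is forwarded at layer 2 without the router ever seeing it.
    verdict is "allow"/"deny" per the policy, or "unenforceable" for the latter
    case: a group block rule on the router has nothing to act on.
    """
    s, d = segment_of(plan, src), segment_of(plan, dst)
    if s is None:
        raise ValueError(f"{src} is not inside any local segment")
    if d is None:
        return ("gateway", "allow")            # outbound to the internet
    if s == d:
        return ("switch/AP", "unenforceable")  # same L2 domain, router not in path
    return ("gateway", "allow" if (s, d) in policy else "deny")


def evaluate(plan: Plan, policy: Policy,
             flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Classify every flow in the list under the given plan and policy."""
    return {(src, dst): classify_flow(plan, policy, src, dst) for src, dst in flows}


def unenforceable_count(plan: Plan, policy: Policy, flows: List[Tuple[str, str]]) -> int:
    """How many of the flows the router could not control under this plan."""
    return sum(1 for v in evaluate(plan, policy, flows).values() if v[1] == "unenforceable")


# Constructed sample flows for the segmented plan.
SEGMENTED_FLOWS = [
    ("192.168.10.5", "192.168.20.7"),   # phone on home -> IoT bulb: allowed one way
    ("192.168.20.7", "192.168.10.5"),   # bulb -> phone: denied at the gateway
    ("192.168.20.7", "192.168.20.8"),   # bulb -> bulb: same segment, L2 only
    ("192.168.20.7", "203.0.113.10"),   # bulb -> internet: allowed
    ("192.168.40.3", "192.168.30.9"),   # work laptop -> media: not in policy, denied
]

# The same devices when everything sits on the single flat subnet.
FLAT_FLOWS = [
    ("192.168.1.20", "192.168.1.30"),   # IoT bulb -> laptop: never crosses the router
    ("192.168.1.30", "192.168.1.20"),   # laptop -> bulb: likewise
    ("192.168.1.20", "203.0.113.10"),   # bulb -> internet: the one flow the router sees
]

if __name__ == "__main__":
    for name, plan, flows in (("segmented", SEGMENTED_PLAN, SEGMENTED_FLOWS),
                              ("flat", FLAT_PLAN, FLAT_FLOWS)):
        print(f"--- {name} plan ---")
        for (src, dst), (where, verdict) in evaluate(plan, ONE_WAY_POLICY, flows).items():
            print(f"{src:>15} -> {dst:<15} {where:<10} {verdict}")
```

Under the segmented plan every IoT-to-home flow crosses the gateway and is denied while home-to-IoT is allowed, which is the one-way access Michael describes. Under the flat plan the only local flow the router can see is the one leaving for the internet; the bulb-to-laptop traffic is switched at layer 2, so a group block rule has no packet to drop. That is what Michael's last comment is pointing at: the "Group" approach can shape what the router forwards, but isolation between devices on one subnet needs the subnet boundary (separate port, AP or VLAN) in the first place.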
