Firewalla Gold with Linksys Velop - wireless network segmentation for IoT?
Hi - I'm hoping someone on here could assist with solving this conundrum without spending too large a sum.
After researching a lot of options, I'm looking at purchasing FW Gold for my home network. However, I am struggling to figure out how I would achieve network segmentation for my IoT devices.
I have a 1 Gb cable connection and own my own equipment. Cable Modem > Linksys MX5300 parent node > 2 x MX5300 child nodes.
At present I run the Linksys Velop in its combined wireless mode - 1 x 2.4 GHz and 2 x 5 GHz bands acting as one mesh network with a single SSID. Guest is also enabled with its own SSID, but I am debating the long-term use of that after reading some articles.
At present the IoT things I really don't trust are sitting on the guest network, somewhat riskily. There are many more I would like to add to an IoT-dedicated segment.
As far as I can tell the Linksys Velop does not support VLANs - which I am assuming means there is no way I can VLAN tag. So with the following model I don't think I would be able to have new devices joining a specific SSID and automatically be assigned to the right VLANs that I would set up on the FW Gold.
CableModem>FirewallaGold>Velop MX5300 parent>MX5300 child nodes
Options:
1. Velop does allow me to separate the wireless into 3 different SSIDs, so I might be able to use the 2.4 GHz for IoT and the 2 x 5 GHz for two other SSIDs. However, I'm not sure how I could VLAN tag those. Also questionable what kind of performance hit there would be for devices moving about the house and joining different nodes.
2. I could deploy simple mode, where the Firewalla Gold would sit off the Velop parent node and ARP spoof to do its job, leaving the present network intact, but I think I would not be able to achieve the goal of segmenting the IoT devices this way. Also not sure if in that mode there would be a performance hit to the network.
3. I could buy another Linksys Velop node, or perhaps something cheaper, and run it in 2.4 GHz mode and dedicate that to the IoT network. But this on top of the cost of the FWG would be the most expensive option, and it's a bit cluttery. Investing in the Velops was in part to clean things up.
Thoughts and suggestions welcome, as I don't want to push the button on buying the FWG without a clear plan to deploy it. It's going to be quite painful enough having to restructure the network for the large number of smart devices on my home network (not even sure of the number; dozens, which is a problem in and of itself: switches, plugs, bulbs, cameras, fridges, doorbells, heaters, HVAC, weather sensors, cooker etc.).
TIA
-
As far as i can tell the linksys Velop does not support VLANs
Correct.
You should look at https://help.firewalla.com/hc/en-us/articles/4411167832851-Firewalla-Router-Mode-Configuration-Guide- if you have not already.
Here are a few of the easiest/best options:
- Set up Gold in Router mode. Create a port-based network for IoT devices and connect an AP dedicated to each, with a different CIDR block (IP range) and SSID; one for IoT, one for your primary LAN, etc. This will allow you to fully separate these devices from the network or provide some access (e.g. primary network can talk to IoT but not the other way around). https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments The downside of this approach is it uses up a Firewalla port. If you want more than 3 network segments, then you will be out of luck unless you also get a managed switch, with which you could then create as many separate networks as you like, each with separate APs. Then you would only be limited by the number of ports your managed switch has and how many APs you have. Managed switches aren't very expensive, so this might be just fine. On the positive side, you can locate these APs close to the devices that need them, which could be different than where you really need your primary network.
- Don't use the Linksys APs. For about the same money you can buy APs that are VLAN ready and have fewer APs to clutter your house. Less energy, less to manage... etc. There are a bunch of great alternatives at reasonable prices. In this scenario you may or may not need a managed switch depending on your network topology.
-
I feel your pain @networker5,
Alas my Velops don't have that VLAN feature as an option. I've been ruminating on what to do after reading Michael's thoughts - Thank You Michael :0).
For me it's become a question of what's the most affordable way out of the predicament that doesn't involve writing off the Velops. I'm coming to the conclusion that I have to spin up a second network and ensure that it has the reach to talk to a lot of IoT thingamies (of a switch, sensor, bulb ilk), most of which need 2.4 GHz wireless, though some of the newer ones do support and use Thread.
Then there are the media things (TVs, Apple TV, and several HomePods I've been collecting the last few years). So I use HomeKit quite extensively to manage all of that. I would probably put these in a different network segment to the very basic stuff, as it is well supported and patched. So notionally less risky.
After that there are the laptops, PCs, iPhones/iPads etc. This falls into, I guess, the most trusted category and would be what remains on the current Velop mesh network.
Lastly is the work & school IT, which currently runs out of guest, but could have its own VLAN in a future state.
So the new network would likely run 3 VLANs. Though it could be 2 if I decide that I may as well trust the Apple TV/HomePods on the main network - they get patched along the same cadence as the Macs/phones/iPads, so possibly not worth splitting hairs over the relative risks.
The challenge then might be controlling all of those devices from the HomeKit app given they will be on separate networks. Some seem to work fine when I restrict them to the current guest network; my iPhone connected to main still can see/control them (not talking about the Thread-supporting ones). Others though will not play.
So my best option, as Michael suggested, could be getting a couple of APs to cover the house that support multiple VLANs/SSIDs. And I'd probably want those APs to mesh themselves so I only have to hook one of them up to the FWG, as I don't fancy doing a long ethernet cable run through the basement on top of everything else.
Cable Modem<>
Firewalla Gold<>
1.Velop Mesh Network
Home SSID
2. New AP mesh network
VLAN1 - IoT
VLAN2 - Work
VLAN3 - Media
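As an added example (not Firewalla's code or configuration, and not from either post above), here is the one-way access Michael describes ("primary network can talk to IoT but not the other way around") and the three-VLAN plan Clem sketches, modelled as a stateful default-deny forward policy. The segment names, CIDR blocks, interface names and the sample flows are assumptions; the point is that IoT devices are only reachable because the primary LAN opens the connection and the reply is let back as established traffic. The multicast case is included because it is what bites HomeKit across segments: mDNS is link-scoped and is never forwarded by a router, so discovery across VLANs needs an mDNS reflector rather than a firewall rule.

```python
"""Stateful inter-segment policy for a router-mode Firewalla-style layout.

Added illustration, not Firewalla's own code. Four segments hang off separate
ports/VLANs of the router; the forward policy is default deny, and only the
(source -> destination) pairs in ALLOW_INITIATE may *open* connections.
Reply packets of an accepted flow are allowed back (conntrack "established").
"""
from ipaddress import ip_address, ip_network

# Assumed segment addressing (not from the thread).
SEGMENTS = {
    "home":  ip_network("192.168.10.0/24"),   # laptops, phones, tablets
    "iot":   ip_network("192.168.20.0/24"),   # bulbs, plugs, cameras, ...
    "work":  ip_network("192.168.30.0/24"),   # work & school IT
    "media": ip_network("192.168.40.0/24"),   # Apple TV, HomePods
}

# Who may initiate to whom. Anything not listed is dropped between segments.
# "internet" means any address outside the segments above.
ALLOW_INITIATE = {
    ("home", "iot"), ("home", "media"), ("home", "work"),
    ("home", "internet"), ("iot", "internet"),
    ("work", "internet"), ("media", "internet"),
}


def zone_of(addr: str) -> str:
    """Map an address to its segment name, or 'internet' if it is in none."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


class StatefulPolicy:
    """Minimal conntrack: remembers the 5-tuples of flows that were accepted."""

    def __init__(self):
        self.established = set()

    def decide(self, src, sport, dst, dport, proto="tcp"):
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in self.established or rev in self.established:
            return "accept"        # ct state established: reply traffic
        if ip_address(dst).is_multicast:
            # mDNS/SSDP (224.0.0.251, 239.255.255.250) are link-scoped and a
            # router does not forward them; cross-segment HomeKit discovery
            # needs an mDNS reflector, which no forward rule can substitute.
            return "drop"
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            return "accept"        # same segment: switched, never hits forward
        if (sz, dz) in ALLOW_INITIATE:
            self.established.add(fwd)
            return "accept"
        return "drop"              # default deny between segments


def to_nft(ifnames):
    """Render the same policy as an nftables forward chain.

    ifnames maps each segment plus "wan" to an interface name (assumed).
    """
    lines = [
        "table inet segments {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for sz, dz in sorted(ALLOW_INITIATE):
        out = ifnames["wan"] if dz == "internet" else ifnames[dz]
        lines.append(f'    iifname "{ifnames[sz]}" oifname "{out}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    p = StatefulPolicy()
    # Constructed sample flows: phone -> IoT camera, its reply, camera -> NAS.
    print(p.decide("192.168.10.5", 51000, "192.168.20.7", 554))    # accept
    print(p.decide("192.168.20.7", 554, "192.168.10.5", 51000))    # accept
    print(p.decide("192.168.20.7", 40000, "192.168.10.9", 445))    # drop
    print(to_nft({"home": "br0", "iot": "br1", "work": "br2",
                  "media": "br3", "wan": "eth0"}))
```

The rendered chain puts the `ct state established,related accept` line before the per-segment rules, which is what makes the policy one-way: there is no `iifname "br1" oifname "br0"` rule at all, so the only packets an IoT device can ever send toward the home segment are replies to flows the home segment started.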
-
Clem Chance & networker5,
Michael is right. I have a Velop which was formerly a router and is now bridged so that a Gold manages the separate home and IoT networks through its LAN ports. A second AP talks to the IoT devices (in fact I repurposed an old TG789 router now also in bridge mode).
As Clem implies, the Velop Guest network is an insecure option. A second hand AP of sufficient range should be quite cheap and will give you a much more powerfully controlled setup thanks to using the Gold's features, rather than limiting the Gold to meet the limitations of something else.
-
@Michael Do any of those brands also have tri-band radios with one band dedicated to the backhaul, so the 2.4 and 5 GHz bands are free for clients?
I don't think Unifi supports that. If you use a wireless uplink, clients using the 5GHz channel will see lower bandwidth because that channel is also used for the uplink.
-
I'm in the same boat. Using physical ports or a dedicated AP is not an option for a mesh network.
This looks like it is supposed to work: https://www.linksys.com/ca/support-article?articleNum=205502
HOWEVER - since I'm using Firewalla as my primary router, I have to use Bridge mode which definitely does not support VLAN.
If I do not use bridge mode, then Firewalla sees the entire network as a single device.
There must be a better way :)
-
There is a better way. But it involves using APs that are not also routers and possibly a managed switch.
It isn’t always possible to get the best configuration trying to force existing equipment together because they were designed to work on different configurations. It can be done sometimes, but not as elegantly. Kind of like trying to force puzzle pieces together that don’t fit.
-
So, is there a way to successfully achieve network segmentation using VLANs with a mesh network? I'm not sure if any router allows VLANs in bridge mode. Are there APs (that are not also routers) that work together as a mesh network while using Gold in router mode? Or is this where managed switches come in? I do not know much about managed switches tbh.
-
@michael turchin: yes, you can deploy them with a wireless backhaul or wired. Personally I prefer a wired backhaul whenever I can get it, but they will work fine either way. You want to find ones that support "WVLAN" or "VLAN". Google Wi-Fi and eero for example are mesh but do not support VLAN.
-
@michael Bierman thank you!
Can any AP (AP, not router in bridge mode) that has WVLAN or VLAN be set up as a mesh network, or do I need to specifically find ones that say they can be run as a wireless mesh network? I would prefer wired as well, but I just don't have the time to run all of that wire lol
-
The Unifi APs support a wireless uplink, which they call a wireless mesh network. That term could also mean a tri-band mesh network, where the wireless uplink is on a separate channel from the main SSIDs. I don't believe any of the Unifi APs support a tri-band mesh set up.
I'm not sure about Aruba or TP-Link. I would love to learn of an AP that supports this and VLANs, if anyone knows of one.