Firewalla Gold with Linksys Velop - wireless network segmentation for IoT?

Comments (22)

  • Michael Bierman

    As far as I can tell the Linksys Velop does not support VLANs

    Correct.

    You should look at https://help.firewalla.com/hc/en-us/articles/4411167832851-Firewalla-Router-Mode-Configuration-Guide- if you have not already. 

    Here are a few of the easiest/best options:

    1. Set up Gold in Router mode. Create a port-based network for IoT devices and connect an AP dedicated to each with a different CIDR block (IP range) and SSID; one for IoT, one for your primary LAN, etc. This will allow you to fully separate these devices from the network or provide some access (e.g. the primary network can talk to IoT but not the other way around). See https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments. The downside of this approach is that it uses up a Firewalla port. If you want more than 3 network segments, then you will be out of luck unless you also get a managed switch, which then lets you create as many separate networks as you like, each with separate APs. Then you would only be limited by the number of ports your managed switch has and how many APs you have. Managed switches aren't very expensive, so this might be just fine. On the positive side, you can locate these APs close to the devices that need them, which could be different from where you really need your primary network.
    2. Don't use the Linksys APs. For about the same money you can buy APs that are VLAN-ready and have fewer APs to clutter your house. Less energy, less to manage, etc. There are a bunch of great alternatives at reasonable prices. In this scenario you may or may not need a managed switch, depending on your network topology.

    See also
    https://help.firewalla.com/hc/en-us/articles/360046231493-Firewalla-Tutorial-Network-Segmentation-Example-with-VLAN

    2
  • Chem Chance

    I feel your pain @networker5,

    Alas my Velops don't have that VLAN feature as an option. I've been ruminating on what to do after reading Michael's thoughts - thank you Michael :0).

    For me it's become a question of what's the most affordable way out of the predicament that doesn't involve writing off the Velops. I'm coming to the conclusion that I have to spin up a second network and ensure that it has the reach to talk to a lot of IoT thingamies (of a switch, sensor, bulb ilk), most of which need 2.4 GHz wireless, though some of the newer ones do support, and use, Thread.

    Then there are the media things (TVs, Apple TV, and several HomePods I've been collecting the last few years). So I use HomeKit quite extensively to manage all of that. I would probably put these in a different network segment from the very basic stuff, as it is well supported and patched. So notionally less risky.

    After that there are the laptops, PCs, iPhones/iPads etc. This falls into, I guess, the most trusted category and would be what remains on the current Velop mesh network.

    Lastly is the work & school IT, which currently runs out of guest, but could have its own VLAN in a future state.

    So the new network would likely run 3 VLANs. Though it could be 2 if I decide that I may as well trust the Apple TV/HomePods on the main network - they get patched along the same cadence as the Macs/phones/iPads, so possibly not worth splitting hairs over the relative risks.

    The challenge then might be controlling all of those devices from the HomeKit app given they will be on separate networks. Some seem to work fine when I restrict them to the current guest network; my iPhone connected to main can still see/control them (not talking about the Thread-supporting ones). Others though will not play.

    So my best option, as Michael suggested, could be getting a couple of APs to cover the house that support multi-VLAN/SSIDs. And I'd probably want those APs to mesh themselves so I only have to hook one of them up to the FWG, as I don't fancy doing a long Ethernet cable run through the basement on top of everything else.

    Cable Modem <> Firewalla Gold <>
      1. Velop Mesh Network
         Home SSID
      2. New AP mesh network
         VLAN1 - IoT
         VLAN2 - Work
         VLAN3 - Media

    1
  • David Vaughan

    Chem Chance & networker5,

    Michael is right. I have a Velop which was formerly a router and is now bridged so that a Gold manages the separate home and IoT networks through its LAN ports. A second AP talks to the IoT devices (in fact I repurposed an old TG789 router now also in bridge mode).

    As Chem implies, the Velop Guest network is an insecure option. A second-hand AP of sufficient range should be quite cheap and will give you a much more powerfully controlled setup thanks to using the Gold's features, rather than limiting the Gold to meet the limitations of something else.

    1
  • Michael Bierman

    Not quite, @James. Rules for Groups don't limit access to devices on the same subnet. That isn't possible because devices don't have to talk through the router if they are on the same subnet. 

    1
  • David Rothenberger

    @Michael Do any of those brands also have tri-band radios with one band dedicated to the backhaul, so the 2.4 and 5 GHz bands are free for clients?

    I don't think Unifi supports that. If you use a wireless uplink, clients using the 5 GHz channel will see lower bandwidth because that channel is also used for the uplink.

    1
  • networker5

    I'm in the same boat. Using physical ports or a dedicated AP is not an option for a mesh network.

    This looks like it is supposed to work: https://www.linksys.com/ca/support-article?articleNum=205502

    HOWEVER - since I'm using Firewalla as my primary router, I have to use Bridge mode which definitely does not support VLAN.

    If I do not use bridge mode, then Firewalla sees the entire network as a single device.

    There must be a better way :)


    0
  • Michael Bierman

    There is a better way. But it involves using APs that are not also routers and possibly a managed switch. 

    It isn’t always possible to get the best configuration trying to force existing equipment together because they were designed to work on different configurations. It can be done sometimes, but not as elegantly. Kind of like trying to force puzzle pieces together that don’t fit.

    0
  • Chem Chance

    Agreed David, and thanks James, that's a good tip to add some defense in depth.

    0
  • Michael Turchin

    So, is there a way to successfully achieve network segmentation using VLANs with a mesh network? I'm not sure if any router allows VLANs in bridge mode. Are there APs (that are not also routers) that work together as a mesh network while using Gold in router mode? Or is this where managed switches come in? I do not know much about managed switches tbh.

    0
  • Michael Turchin

    @Chem Chance look into running Homebridge in a Docker container on the FWG. It's easy to install and once you do so, and link it to HomeKit, you'll probably be able to control every IoT device with HomeKit (including the devices that are not compatible with HomeKit).

    0
  • Michael Bierman

    @Michael Turchin Sure. APs like Unifi and Aruba have VLAN capability. 

    0
  • Michael Turchin

    @Michael Bierman can you create a wireless mesh network if I buy multiple of those APs?

    0
  • Michael Bierman

    @Michael Turchin: yes, you can deploy them with a wireless backhaul or wired. Personally I prefer a wired backhaul whenever I can get it, but they will work fine either way. You want to find ones that support "WVLAN" or "VLAN". Google Wi-Fi and eero, for example, are mesh but do not support VLANs.

    0
  • Michael Turchin

    @Michael Bierman thank you!
    Can any AP (AP, not router in bridge mode) that has WVLAN or VLAN be set up as a mesh network, or do I need to specifically find ones that say they can be run as a wireless mesh network?

    I would prefer wired as well, but I just don’t have the time to run all of that wire lol

    0
  • Michael Bierman

    @Michael Turchin mesh is not required to do VLANs. Anything that supports 802.1Q will do. Depending on your deployment you may end up needing a managed switch too.

    0
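    To make the "anything that supports 802.1Q" point concrete, here is a small added example (written for this thread; it is not Firewalla, Linksys or any AP vendor's code) that parses the 802.1Q tag an AP or managed switch inserts into an Ethernet frame and maps the 12-bit VLAN ID to a segment. The VID-to-segment table (10/20/30 for IoT/Work/Media) and the sample frames are constructed for illustration; the thread never states which VIDs anyone uses. It also handles the two edge cases a real port has to get right: an untagged or priority-tagged (VID 0) frame belongs to the port's native VLAN, and VID 4095 is reserved and must not carry traffic.

```python
"""Parse 802.1Q-tagged Ethernet frames and map the VLAN ID to a segment.

Added example for this thread, not code from Firewalla or any AP vendor.
The VID-to-segment table and the sample frames are constructed.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed mapping; VIDs 10/20/30 are assumptions, not values from the thread.
VLAN_SEGMENTS = {10: "IoT", 20: "Work", 30: "Media"}


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the 802.1Q tag fields if present, and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "pcp": None, "dei": None, "vid": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID, followed by the inner EtherType.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # priority code point
        info["dei"] = (tci >> 12) & 0x1  # drop eligible indicator
        info["vid"] = tci & 0x0FFF       # VLAN identifier
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def segment_for(frame: bytes, native_segment: str = "Home") -> str:
    """Decide which segment a frame belongs to, as a VLAN-aware port would."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid == 0:
        # Untagged, or priority-tagged (VID 0): belongs to the port's native VLAN.
        return native_segment
    if vid == 0xFFF:
        return "reserved"  # VID 4095 is reserved by 802.1Q; never forward it
    return VLAN_SEGMENTS.get(vid, "unknown-vlan")


def build_frame(dst: bytes, src: bytes, vid, payload: bytes = b"",
                ethertype: int = ETHERTYPE_IPV4, pcp: int = 0) -> bytes:
    """Construct a frame, inserting an 802.1Q tag when vid is not None."""
    header = struct.pack("!6s6s", dst, src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


if __name__ == "__main__":
    # Constructed sample: a broadcast frame from a made-up IoT device MAC on VLAN 10.
    sample = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0a", 10, b"\x45\x00")
    print(parse_frame(sample))
    print("segment:", segment_for(sample))
```

    A frame whose tag does not match a VLAN the port is configured for lands in "unknown-vlan" here; on real gear that frame is dropped, which is exactly how a VLAN-capable AP keeps an IoT SSID's traffic out of the Home segment even though both ride the same radio and backhaul.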
  • Michael Turchin

    @Michael Bierman I know that mesh is not required to do VLANs. I'm trying to figure out how to create a mesh network in my house with APs and VLANs. One AP will not cover the entire house.

    0
  • Michael Bierman

    @Michael Turchin There are lots of choices that will work. Aruba, Unifi, TP-Link. Maybe I am not following what part you are looking for help with. Can you clarify?

    0
  • David Rothenberger

    The Unifi APs support a wireless uplink, which they call a wireless mesh network. That term could also mean a tri-band mesh network, where the wireless uplink is on a separate channel from the main SSIDs. I don't believe any of the Unifi APs support a tri-band mesh setup.

    I'm not sure about Aruba or TP-Link. I would love to learn of an AP that supports this and VLANs, if anyone knows of one.

    0
  • Michael Bierman

    @David TP-Link's Omada line supports 802.1Q, for example. As far as I know, all Aruba APs support VLANs, and of course Unifi, which I find performs nicely, though my experience is limited to a wired backhaul.

    0
  • Michael Turchin

    @David are you basically asking if the wireless uplink is done on its own band, leaving the 2.4 GHz and both 5 GHz bands free? That's what I am trying to figure out.

    0
  • David Rothenberger

    Yes, that was the point I was trying to make about the term "mesh network." I'm pretty sure none of the Unifi APs that support VLANs also do the uplink with a separate band.

    0
  • James Willhoite

    Not ideal, as they are still on the same "Network", but you can add the IoT devices as a "Group" and then put block rules on that group to not allow them to talk with the rest of the devices. Might be a solution until you get something different.

    -1
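    James's group-rule idea and Michael's reply to it ("devices don't have to talk through the router if they are on the same subnet"), together with option 1 in Michael's first post (separate CIDR block per segment, primary can reach IoT but not the other way around), come down to two facts a practitioner should be able to check. The added Python model below is written for this thread and is not Firewalla code; the segment CIDRs (192.168.1.0/24 for LAN, 192.168.20.0/24 for IoT), the allow table and the flow tuples are constructed. It reports "not-enforceable" for any flow the router would never forward, and otherwise applies a stateful one-way policy so that IoT replies to LAN-initiated connections pass while IoT-initiated connections are dropped.

```python
"""Model which flows a router rule can enforce, plus a one-way segment policy.

Added example for this thread; it is not Firewalla code. Segment CIDRs,
the allow table and the flow tuples are constructed for illustration.
"""
import ipaddress

# Constructed segments: one CIDR block per Firewalla port, as in option 1.
SEGMENTS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "IoT": ipaddress.ip_network("192.168.20.0/24"),
}

# Which segments may *open* connections to which. LAN -> IoT is allowed,
# IoT -> LAN is not; IoT replies to LAN-initiated flows pass on state.
ALLOW_NEW = {
    "LAN": {"LAN", "IoT"},
    "IoT": {"IoT"},
}


def segment_of(ip: str):
    """Return the segment name containing ip, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def traverses_router(src: str, dst: str) -> bool:
    """Hosts in the same subnet exchange frames at layer 2 via the switch/AP;
    the router (and any rule on it) only sees traffic that crosses subnets."""
    s, d = segment_of(src), segment_of(dst)
    return s is not None and d is not None and s != d


class StatefulSegmentFirewall:
    """Minimal connection-tracking filter between segments."""

    def __init__(self):
        # Accepted flows keyed by (initiator, responder, responder_port).
        self.flows = set()

    def decide(self, src: str, dst: str, port: int) -> str:
        if segment_of(src) is None or segment_of(dst) is None:
            return "deny"  # unknown address space: drop by default
        if not traverses_router(src, dst):
            # A group/block rule on the router cannot act on this packet,
            # because it is never forwarded through the router at all.
            return "not-enforceable"
        if (src, dst, port) in self.flows:
            return "allow"  # more packets of an already-accepted flow
        if (dst, src, port) in self.flows:
            return "allow"  # reply direction of an accepted flow
        if segment_of(dst) in ALLOW_NEW[segment_of(src)]:
            self.flows.add((src, dst, port))
            return "allow"  # policy permits this segment to initiate
        return "deny"


if __name__ == "__main__":
    fw = StatefulSegmentFirewall()
    # Constructed flows: LAN host 192.168.1.10, IoT devices 192.168.20.5/.6
    for src, dst, port in [
        ("192.168.1.10", "192.168.20.5", 8080),  # LAN opens a session to IoT
        ("192.168.20.5", "192.168.1.10", 8080),  # IoT reply on that session
        ("192.168.20.5", "192.168.1.10", 22),    # IoT tries to initiate to LAN
        ("192.168.20.5", "192.168.20.6", 80),    # IoT to IoT, same subnet
    ]:
        print(f"{src} -> {dst}:{port}  {fw.decide(src, dst, port)}")
```

    The "not-enforceable" result is the whole reason a separate CIDR block (or VLAN) per segment matters: only once IoT devices sit in a different subnet does every packet between them and the rest of the house have to cross the Gold, where a rule can see it. Client isolation on the AP itself is the only place same-subnet traffic can be controlled.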
