Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

FWG Force Device on VLAN

Follow
Avatar
Arne Vandeginste

On FWG - is it possible to force a device on a specific VLAN?
(Without the support of smart switches / wires APs.)

I have multiple devices that are linked to the same hardware ports on the FWG. I did introduce a separate VLAN linked to SSID for the wireless which works fine, but I also want segmentation between different devices that are linked by wire. I am able to define multiple VLANs on the same FWG ports, but I don't see how I could force a specific device/MAC on a specific VLAN. Since I can't make an IP reservation besides for the main LAN.

Or should I go about this differently and just make a group for these devices, as the main goal is to separate them through rules? Can I achieve the same with groups as I would with VLANs?

0

Comments

4 comments

Sort by Date Votes
  • Avatar
    Michael Bierman

    For Ethernet connected devices you can either: 

    1. Configure a managed switch so that a particular port is tied to a VLAN. Anything you plugin there will be on that VLAN. That could be a single device, or even another switch (managed or unmanaged are fine.)
    2. Some devices, like macOS, can be configured to a VLAN so you can plug them into a switch which is "untagged" and the device itself will do the tagging. 

    It really depends on what kinds of rules you want. If you are talking about rules related to the WAN, then Groups might do fine. If you want to enforce rules between devices on your LAN then you probably want VLANs or separate LANs (you can do up to 3 on Gold). 

    0
    Comment actions Permalink
  • Avatar
    Arne Vandeginste

    Thanks for the suggestion.
    I do want rules between devices on the LAN. However I can't connect them physically through different lan/vlan unless I buy an extra managed switch, which I'd rather avoid.

    I am quite new to VLAN and didn't know about the option of setting it on OS level. Apparently windows can do it too (which suffices for my case) through powershell 'Set-NetAdapter -Name Ethernet1 -VlanID 2' 
    At first this seems to work, I get a dhcp ip in the vlan range and connections work as expected. However, after about 10 minutes, I lose all connectivity and my pc can't find the gateway for that vlan anymore. If I switch back (vlan 0) and then back again, same behavior.... seems fine for about 10 minutes. Not sure if this is windows related or something else (same behavior after reboot).

    0
    Comment actions Permalink
  • Avatar
    Rich T.

    My guess would be that's a DNS issue. Try setting DNS servers on the windows machine to test.  

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman
    • Edited

    Arne if you are on Windows, configure something like this. https://www.quora.com/How-do-I-create-VLAN-in-a-Windows-version-OS Linux can do the same.

    If you end up plugging this device directly into Firewalla, you can simply set up a separate port based network. https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments

    You don’t need a managed switch or a VLAN. Say port one is your trusted network (192.168.0.1/24) and port 2 is an IoT network (192.168.2.1/24) If you have multiple devices, you want on the same network, just get a an unmanaged switch into either of those and voilà. You can still make rules to control traffic between them. A > B but not B > A for example  

    That said, there are inexpensive managed switches that would give you more flexibility if you want to compare prices and then decide on your strategy.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post